Challenge description: VLD
1. Open the link; the page (shown in the figure) asks whether I know VLD.
2. View the page source; it hints at a file named index.php.txt.
3. Visit index.php.txt; it returns the opcodes of index.php.
Finding entry points
Branch analysis from position: 0
Jump found. Position 1 = 23, Position 2 = 38
Branch analysis from position: 23
Jump found. Position 1 = 26, Position 2 = 35
Branch analysis from position: 26
Jump found. Position 1 = 29, Position 2 = 32
Branch analysis from position: 29
Jump found. Position 1 = 34
Branch analysis from position: 34
Jump found. Position 1 = 37
Branch analysis from position: 37
Jump found. Position 1 = 40
Branch analysis from position: 40
Return found
Branch analysis from position: 32
Jump found. Position 1 = 37
Branch analysis from position: 37
Branch analysis from position: 35
Jump found. Position 1 = 40
Branch analysis from position: 40
Branch analysis from position: 38
Return found
filename: C:\ctf\index.php
function name: (null)
number of ops: 44
compiled vars: !0 = $a, !1 = $b, !2 = $c
line # * op fetch ext return operands
---------------------------------------------------------------------------------
2 0 > EXT_STMT
1 ECHO 'do+you+know+Vulcan+Logic+Dumper%3F%3Cbr%3E'
3 2 EXT_STMT
3 BEGIN_SILENCE ~0
4 FETCH_R global $1 '_GET'
5 FETCH_DIM_R $2 $1, 'flag1'
6 END_SILENCE ~0
7 ASSIGN !0, $2
4 8 EXT_STMT
9 BEGIN_SILENCE ~4
10 FETCH_R global $5 '_GET'
11 FETCH_DIM_R $6 $5, 'flag2'
12 END_SILENCE ~4
13 ASSIGN !1, $6
5 14 EXT_STMT
15 BEGIN_SILENCE ~8
16 FETCH_R global $9 '_GET'
17 FETCH_DIM_R $10 $9, 'flag3'
18 END_SILENCE ~8
19 ASSIGN !2, $10
6 20 EXT_STMT
21 IS_EQUAL ~12 !0, 'fvhjjihfcv'
22 > JMPZ ~12, ->38
7 23 > EXT_STMT
24 IS_EQUAL ~13 !1, 'gfuyiyhioyf'
25 > JMPZ ~13, ->35
8 26 > EXT_STMT
27 IS_EQUAL ~14 !2, 'yugoiiyhi'
28 > JMPZ ~14, ->32
9 29 > EXT_STMT
30 ECHO 'the+next+step+is+xxx.zip'
10 31 > JMP ->34
11 32 > EXT_STMT
33 ECHO 'false%3Cbr%3E'
13 34 > > JMP ->37
14 35 > EXT_STMT
36 ECHO 'false%3Cbr%3E'
16 37 > > JMP ->40
17 38 > EXT_STMT
39 ECHO 'false%3Cbr%3E'
19 40 > NOP
22 41 EXT_STMT
42 ECHO '%3C%21--+index.php.txt+%3F%3E%0D%0A%0D%0A'
43 > RETURN 1
branch: # 0; line: 2- 6; sop: 0; eop: 22; out1: 23; out2: 38
branch: # 23; line: 7- 7; sop: 23; eop: 25; out1: 26; out2: 35
branch: # 26; line: 8- 8; sop: 26; eop: 28; out1: 29; out2: 32
branch: # 29; line: 9- 10; sop: 29; eop: 31; out1: 34
branch: # 32; line: 11- 13; sop: 32; eop: 33; out1: 34
branch: # 34; line: 13- 13; sop: 34; eop: 34; out1: 37
branch: # 35; line: 14- 16; sop: 35; eop: 36; out1: 37
branch: # 37; line: 16- 16; sop: 37; eop: 37; out1: 40
branch: # 38; line: 17- 19; sop: 38; eop: 39; out1: 40
branch: # 40; line: 19- 22; sop: 40; eop: 43
path #1: 0, 23, 26, 29, 34, 37, 40,
path #2: 0, 23, 26, 32, 34, 37, 40,
path #3: 0, 23, 35, 37, 40,
path #4: 0, 38, 40,
do you know Vulcan Logic Dumper?<br>false<br><!-- index.php.txt ?>
4. After reading the opcodes, pass the following parameters to index.php:
?flag1=fvhjjihfcv&flag2=gfuyiyhioyf&flag3=yugoiiyhi
The page response says there is a file named 1chunqiu.zip; download it.
5. The file obtained is the source code of this challenge. A code audit reveals an SQL injection; the key code is as follows.
Custom function file
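As an added example (not part of the original write-up), the following Python script parses the relevant lines of the VLD dump above, pairs each $_GET key with the literal it is compared against, and rebuilds the query string. The excerpt embedded in VLD_DUMP is constructed from the dump shown above; only the opcodes the recovery needs are included.

```python
import re
from urllib.parse import urlencode

# Constructed excerpt of the VLD dump shown above (the full dump has 44 ops)
VLD_DUMP = """\
5 FETCH_DIM_R $2 $1, 'flag1'
7 ASSIGN !0, $2
11 FETCH_DIM_R $6 $5, 'flag2'
13 ASSIGN !1, $6
17 FETCH_DIM_R $10 $9, 'flag3'
19 ASSIGN !2, $10
21 IS_EQUAL ~12 !0, 'fvhjjihfcv'
24 IS_EQUAL ~13 !1, 'gfuyiyhioyf'
27 IS_EQUAL ~14 !2, 'yugoiiyhi'
"""

FETCH_RE = re.compile(r"FETCH_DIM_R\s+(\$\d+)\s+\$\d+,\s+'([^']*)'")
ASSIGN_RE = re.compile(r"ASSIGN\s+(!\d+),\s+(\$\d+)")
EQUAL_RE = re.compile(r"IS_EQUAL\s+~\d+\s+(!\d+),\s+'([^']*)'")

def recover_expected_params(dump: str) -> dict:
    """Map each $_GET key to the constant it is compared against.

    FETCH_DIM_R tells us which temporary ($2, $6, ...) holds which request
    key, ASSIGN ties that temporary to a compiled variable (!0, !1, ...),
    and IS_EQUAL reveals the literal the compiled variable must equal for
    the following JMPZ not to branch to the 'false' path.
    """
    key_of_temp = {}   # '$2' -> 'flag1'
    key_of_var = {}    # '!0' -> 'flag1'
    expected = {}      # 'flag1' -> 'fvhjjihfcv'
    for line in dump.splitlines():
        if m := FETCH_RE.search(line):
            key_of_temp[m.group(1)] = m.group(2)
        elif m := ASSIGN_RE.search(line):
            var, temp = m.groups()
            if temp in key_of_temp:
                key_of_var[var] = key_of_temp[temp]
        elif m := EQUAL_RE.search(line):
            var, literal = m.groups()
            if var in key_of_var:
                expected[key_of_var[var]] = literal
    return expected

def build_query_string(dump: str) -> str:
    """Render the recovered key/value pairs as the query string to send."""
    return urlencode(recover_expected_params(dump))

if __name__ == "__main__":
    print("?" + build_query_string(VLD_DUMP))
```

The same pass works on any VLD dump where a request value is compared against a string literal; the string constants survive in the opcode listing, which is why an exposed opcode dump is as sensitive as the source itself.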
<?php
class mysql_db{
    public static $link = null;

    public function __construct(){
        if(self::$link == null){
            self::$link = self::connect();
        }
    }

    /*
    Database connection
    */
    public static function connect(){
        self::$link = @mysql_connect(DB_HOST, DB_USER, DB_PASS);
        if(self::$link == false) exit("数据库链接失败!");
        $db = mysql_select_db(DB_NAME, self::$link);
        if($db == false) exit("数据库选择失败!");
        mysql_query('SET names utf8');
        return self::$link;
    }

    /*
    Execute a database statement
    */
    public function query($sql){
        // On failure the raw mysql_error() text is sent to the client
        $res = mysql_query($sql) or die("数据库执行错误!".mysql_error());
        return $res;
    }

    public function select($sql){
        if(!mysql_query($sql)){
            return false;
        }
        return true;
    }

    /*
    Custom hash function used when storing database passwords
    */
    public function my_md5($string){
        return md5(substr(md5($string),5,24));
    }

    /*
    Fetch one row of a query result as an associative array
    */
    public function fetch_array($query) {
        return mysql_fetch_array($query, MYSQL_ASSOC);
    }

    /*
    Sanitization applied before values reach the database
    */
    public function safe_data($value){
        if( MAGIC_QUOTES_GPC ){
            // return value is discarded, so this branch has no effect
            stripcslashes($value);
        }
        return addslashes($value);
    }
}
?>
Login file
<?php
require_once 'dbmysql.class.php';
require_once 'config.inc.php';

if(isset($_POST['username']) && isset($_POST['password']) && isset($_POST['number'])){
    $db = new mysql_db();
    // the username is escaped with addslashes() here ...
    $username = $db->safe_data($_POST['username']);
    $password = $db->my_md5($_POST['password']);
    // number must be numeric, otherwise it defaults to 1
    $number = is_numeric($_POST['number']) ? $_POST['number'] : 1;
    // ... and is modified again afterwards: every occurrence of $number
    // is removed from the already-escaped username
    $username = trim(str_replace($number, '', $username));
    $sql = "select * from"."`".table_name."`"."where username="."'"."$username"."'";
    // query() dies with mysql_error() on failure, so database errors reach the client
    $row = $db->query($sql);
    $result = $db->fetch_array($row);
    if($row){
        if($result["number"] === $number && $result["password"] === $password){
            echo "<script>alert('nothing here!')</script>";
        }else{
            echo "<script>
            alert('密码错误,老司机翻车了!');
            function jumpurl(){
                location='login.html';
            }
            setTimeout('jumpurl()',1000);
            </script>";
        }
    }else{
        exit(mysql_error());
    }
}else{
    echo "<script>
    alert('用户名密码不能为空!');
    function jumpurl(){
        location='login.html';
    }
    setTimeout('jumpurl()',1000);
    </script>";
}
?>
Injection point analysis:
The login handler receives three parameters: plate number, username and password.
$username = trim(str_replace($number, '', $username));
This line replaces every part of the username that matches the plate number with an empty string.
The back end runs the user-supplied username through addslashes(), which escapes single quotes.
If the username parameter is passed as username=%00', the username after filtering is \0\'.
If the plate number is set to 0, the replace step then removes that 0, so the final username is \\': the backslash is escaped by the preceding backslash and the single quote escapes the string.
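An added Python model (not the challenge's own code) of the two sanitization steps in the login file: it shows why escaping before str_replace() lets the quote escape and how applying the escape last closes the gap. php_addslashes and PHP_TRIM_CHARS are assumed re-implementations of the PHP built-ins addslashes() and trim(), and the sample inputs are constructed.

```python
# Model of the login file's sanitization, written for review purposes
# (assumed re-implementations of addslashes() and trim(), not the real PHP).

PHP_TRIM_CHARS = " \t\n\r\x0b\x00"   # default character set of PHP trim()

def php_addslashes(s: str) -> str:
    """Backslash-escape ' " \\ and NUL; NUL becomes the two characters \\0."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)

def vulnerable_username(username: str, number: str) -> str:
    """Order used by the login file: safe_data() (addslashes) first,
    then str_replace($number, '', ...) and trim() on the escaped value."""
    escaped = php_addslashes(username)
    return escaped.replace(number, "").strip(PHP_TRIM_CHARS)

def hardened_username(username: str, number: str) -> str:
    """Same steps, but escaping is the last transformation applied."""
    cleaned = username.replace(number, "").strip(PHP_TRIM_CHARS)
    return php_addslashes(cleaned)

def has_unescaped_quote(escaped: str) -> bool:
    """Scan as the SQL lexer would: a backslash consumes the next
    character, so any quote not consumed this way ends the literal."""
    i = 0
    while i < len(escaped):
        if escaped[i] == "\\":
            i += 2          # skip the escape and the escaped character
            continue
        if escaped[i] == "'":
            return True
        i += 1
    return False

if __name__ == "__main__":
    # Constructed input matching the write-up: username=%00' and number=0
    user, plate = "\x00'", "0"
    for name, fn in (("vulnerable", vulnerable_username),
                     ("hardened", hardened_username)):
        value = fn(user, plate)
        print(f"{name}: {value!r} unescaped quote: {has_unescaped_quote(value)}")
```

has_unescaped_quote() is the check to apply when reviewing any code that edits a value after escaping it; the robust fix is a prepared statement rather than any particular escaping order.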
6. Start the injection
Test the injection point
Use error-based injection to dump the database
Dump the tables
Dump the data
Because data disclosed through XPath syntax errors has a length limit, use substr() to retrieve the flag in segments.