AV999,.久久黄色

http://115.28.90.49:23080/index.php?action=front&mode=register
查看url , 感覺可以任意文件包含
嘗試使用 php 協(xié)議
利用 filter 可以讀取到任意文件源碼

image.png

<?php
define("DIR_PERMITION",time());
// phpinfo();

function d_addslashes($array){

    foreach($array as $key=>$value){
        if(!is_array($value)){
              !get_magic_quotes_gpc()&&$value=addslashes($value);
              $array[$key]=$value;
        }else{

          $array[$key] = d_addslashes($array[$key]);
        }
    }
    return $array;

}

$_POST=d_addslashes($_POST);
$_GET=d_addslashes($_GET);


include_once('common.php');

if(!isset($_GET['action'])||!isset($_GET['mode'])){

    header("Location: ./index.php?action=front&mode=login");

}elseif(!preg_match('/\.{2}/is',$_GET['action'])&&preg_match('/^[0-9A-Za-z]+$/is',$_GET['mode'])){
    $action=$_GET['action'];
    $mode=$_GET['mode'];
    $file=$action.'/'.$mode.'.php';
    
    // echo $file;

}else{

    die("Invalid Request!");
}
include($file);

先把所有文件都讀取下來再說

<?php

include_once("config.inc.php");

function rand_str($lenth=16){
   $rand=[];
   $_str="qwertyuiopasdfghjklzxcvbnm0123456789QWERTYUIOPASDFGHJKLZXCVBNM";
   while($lenth){
   $rand[]=$_str[rand(0,strlen($_str)-1)];
   $lenth--;
   }

   return implode($rand);
}

// echo rand_str();

if(!isset($_SESSION['SECURITY_KEY'])){

    $_SESSION['SECURITY_KEY']=rand_str(6);

}
if(!isset($_SESSION['CSRF_TOKEN'])){
    $_SESSION['CSRF_TOKEN']=rand_str(16);

}

if(!isset($_SESSION['level'])){

   $_SESSION['level']=null;
}


if(!isset($_SESSION['userid'])){
   $_SESSION['userid']=null;
}



function mysql_my_query($sql){
        global $conn;
        $res=$conn->query($sql) or die("查詢數(shù)據(jù)庫出錯(cuò)!");
        
        return $res;
        
}

function encode($str){
    return md5($_SESSION['SECURITY_KEY'].$str);

}

function set_login($uname,$id,$level){
     $_SESSION['userid']=$id;
     $_SESSION['level']=$level;
     
     $endata=encode($uname);
     setcookie("uid","$uname|$endata");
     
}

function check_login(){

    $uid=$_COOKIE['uid'];
    $userinfo=explode("|",$uid);

    if($userinfo[0]&&$userinfo[1]&&$userinfo[1]==encode($userinfo[0])){
        return $_SESSION['userid'];

    }else{

        return FALSE;

    }

}

function get_level(){

    $uid=$_COOKIE['uid'];
    $userinfo=explode("|",$uid);

    if($userinfo[0]&&$userinfo[1]&&$userinfo[1]==encode($userinfo[0])){
        
        if($_SESSION['level']!=="0"){

            return $_SESSION['level'];
        }else{
            return FALSE;

        }
    }else{

        return FALSE;
    }

}


function get_page_size(){

      $sql="select num from page";
      $res=mysql_my_query($sql);
      $row=$res->fetch_assoc();
      return $row['num'];
}

function set_page_size(){
    
    $sql="update page set num=20";
    $res=mysql_my_query($sql);
    
}

function get_uname($userid){
       
       $sql="select uname from user where id='$userid'";
       $res=mysql_my_query($sql);
       $row=$res->fetch_assoc();
      return  htmlspecialchars($row['uname']);

}

結(jié)合之前掃描到存在 admin 目錄
可以再來讀取一下 admin 的文件

image.png

index.php

<?php


defined("DIR_PERMITION") or die("Permision denied!");

$userid=check_login();
$level=get_level();

if($userid!==false&&$level!==false){
  
    $page_size=get_page_size();
    //默認(rèn)僅僅顯示 前$page_size條數(shù)據(jù) 
    $sql="select * from note  limit 0,".$page_size;
    $result=mysql_my_query($sql);

    set_page_size(); #設(shè)置default page size 

}else{
    
    echo "<script>alert('not login!');</script>";
    echo("<script>location.href='./index.php?action=admin&mode=login'</script>");
    die();

    // $result=mysql_my_query($sql);
}

?>

<!DOCTYPE html>
<html>
<head lang="en">
  <meta charset="UTF-8">
  <title>記事本管理系統(tǒng)</title>
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta name="format-detection" content="telephone=no">
  <meta name="renderer" content="webkit">
  <meta http-equiv="Cache-Control" content="no-siteapp" />
  <link rel="alternate icon" type="image/png" href="./assets/i/favicon.png">
  <link rel="stylesheet" href="./assets/css/amazeui.min.css"/>
  <style>
    .header {
      text-align: center;
    }
    .header h1 {
      font-size: 200%;
      color: #333;
      margin-top: 30px;
    }
    .header p {
      font-size: 14px;
    }
    .content{
      width:90%;
      margin:auto auto;


    }
  </style>
</head>
<body>
<div class="header">
  <div class="am-g">
    <h1>記事本管理系統(tǒng)后臺(tái)</h1>
    <p>welcome:admin<br/>userid:1</p>
  </div>
  <hr />
</div>

<div class="content">

  <a class="am-btn am-btn-success" style="float:right;margin:0 0 20px 0" href="./index.php?action=admin&mode=setpagenum">前<?php echo $page_size;?>條筆記</a>
   <table class="am-table am-table-bordered am-table-radius am-table-striped am-table-hover" >
    <thead>
        <tr>
            <th>user</th>
            <th>title</th>
            <th>content</th>
        </tr>
    </thead>
    <tbody>

        <?php 

             while($row=$result->fetch_assoc()){
               echo "<tr>";
               echo "<td>".get_uname($row['userid'])."</td>";
               echo "<td>".$row['title']."</td>";
               echo "<td>".$row['content']."</td>";
               echo "</tr>";
             }

        ?>

    </tbody>
</table>

    <hr>
    <p>? 記事本管理系統(tǒng).</p>
</div>
</body>
</html>

login.php

<?php

defined("DIR_PERMITION") or die("Permision denied!");

if(isset($_POST['uname'])&&isset($_POST['password'])&&isset($_POST['TOKEN'])){

    $uname="admin";
    $password=md5($_POST['password']);
    $TOKEN=$_POST['TOKEN'];

    if($TOKEN!=$_SESSION['CSRF_TOKEN']){
        die("token error!");
    }
    $sql="select id,level  from  user where uname='$uname' and password='$password' and level='1'";
    
    $res=mysql_my_query($sql);
    $row=$res->fetch_assoc(); //獲取第一條記錄

    if($row['id']){
        
        set_login($uname,$row['id'],$row['level']);
        
        header("Location: ./index.php?action=admin&mode=index");
        exit();
    }else{
                
        echo("<script>alert('username or password error!')</script>");
    }

}

?>

<!DOCTYPE html>
<html>
<head lang="en">
  <meta charset="UTF-8">
  <title>記事本管理系統(tǒng)</title>
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta name="format-detection" content="telephone=no">
  <meta name="renderer" content="webkit">
  <meta http-equiv="Cache-Control" content="no-siteapp" />
  <link rel="alternate icon" type="image/png" href="assets/i/favicon.png">
  <link rel="stylesheet" href="assets/css/amazeui.min.css"/>
  <style>
    .header {
      text-align: center;
    }
    .header h1 {
      font-size: 200%;
      color: #333;
      margin-top: 30px;
    }
    .header p {
      font-size: 14px;
    }
  </style>
</head>
<body>
<div class="header">
  <div class="am-g">
    <h1>記事本管理系統(tǒng)后臺(tái)</h1>
  </div>
  <hr />
</div>
<div class="am-g">
  <div class="am-u-lg-6 am-u-md-8 am-u-sm-centered">
    <h3>管理員登錄</h3>
    <br>
    <br>

    <form method="post" class="am-form">
      <label for="uname">用戶名:</label>
      <input type="text" name="uname" id="uname" value="admin" readonly>

      <br>
      <label for="password">密碼:</label>
      <input type="password" name="password" id="password" value="">
      <br>
      <input type="hidden" name="TOKEN" id="password" value="<?php echo $_SESSION['CSRF_TOKEN'];?>">
      <br>
      <label for="remember-me">
        <input id="remember-me" type="checkbox">
        記住密碼
      </label>
      <br />
      <div class="am-cf">
        <input type="submit" name="" value="登 錄" class="am-btn am-btn-primary am-btn-sm am-fl">

      </div>
    </form>
    <hr>
    <p>? 記事本管理系統(tǒng).</p>
  </div>
</div>
</body>
</html>

<?php
defined("DIR_PERMITION") or die("Permision denied!");
$userid=check_login();
$level=get_level();

if($userid!==false&&$level!==false){
      if(isset($_POST['page'])&&isset($_POST['TOKEN'])){
          $page=$_POST['page'];
          $TOKEN=$_POST['TOKEN'];

          if($TOKEN!=$_SESSION['CSRF_TOKEN']){
            die("token error!");
          }

          if(!is_numeric($page)){
              die("page must be a number!");   
          }
          if($page<1) $page=1;

          $sql="update page set num=$page";
          $res=mysql_my_query($sql);
          if($res){
                echo "<script>alert('update  success!');</script>";
                echo("<script>location.href='./index.php?action=admin&mode=index'</script>");

          }else{
               echo "<script>alert('update  fail!');</script>";
               die();
          }
      }
}else{

    echo "<script>alert('not login!');</script>";
    echo("<script>location.href='./index.php?action=admin&mode=login'</script>");
    die();
    // $result=mysql_my_query($sql);
}

?>

<!DOCTYPE html>
<html>
<head lang="en">
  <meta charset="UTF-8">
  <title>記事本管理系統(tǒng)</title>
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta name="format-detection" content="telephone=no">
  <meta name="renderer" content="webkit">
  <meta http-equiv="Cache-Control" content="no-siteapp" />
  <link rel="alternate icon" type="image/png" href="assets/i/favicon.png">
  <link rel="stylesheet" href="assets/css/amazeui.min.css"/>
  <style>
    .header {
      text-align: center;
    }
    .header h1 {
      font-size: 200%;
      color: #333;
      margin-top: 30px;
    }
    .header p {
      font-size: 14px;
    }
  </style>
</head>
<body>
<div class="header">
  <div class="am-g">
    <h1>記事本管理系統(tǒng)后臺(tái)</h1>
  </div>
  <hr />
</div>
<div class="am-g">
  <div class="am-u-lg-6 am-u-md-8 am-u-sm-centered">
    <h3>設(shè)置顯示條數(shù)</h3>
    <br>
    <br>
    <form method="post" class="am-form">
      <label for="page">設(shè)置條數(shù):</label>
      <input type="text" name="page" id="page">
      <br>
      <div class="am-cf">
        <input type="submit" name="" value="設(shè) 置" class="am-btn am-btn-primary am-btn-sm am-fl">
        <input type="hidden" name="TOKEN" id="TOKEN" value="<?php echo $_SESSION['CSRF_TOKEN'];?>">

      </div>
    </form>
    <hr>
    <p>? 記事本管理系統(tǒng).</p>
  </div>
</div>
</body>
</html>

這里存在二次注入

if($userid!==false&&$level!==false){
      if(isset($_POST['page'])&&isset($_POST['TOKEN'])){
          $page=$_POST['page'];
          $TOKEN=$_POST['TOKEN'];

          if($TOKEN!=$_SESSION['CSRF_TOKEN']){
            die("token error!");
          }

          if(!is_numeric($page)){
              die("page must be a number!");   
          }
          if($page<1) $page=1;

          $sql="update page set num=$page";
          $res=mysql_my_query($sql);
          if($res){
                echo "<script>alert('update  success!');</script>";
                echo("<script>location.href='./index.php?action=admin&mode=index'</script>");

          }else{
               echo "<script>alert('update  fail!');</script>";
               die();
          }
      }
}else{

    echo "<script>alert('not login!');</script>";
    echo("<script>location.href='./index.php?action=admin&mode=login'</script>");
    die();
    // $result=mysql_my_query($sql);
}

image.png

通過二次注入拿到 :

database :
information_schema,ctf,mysql,performance_schema

ctf : tables :
flags,note,page,user

flags : 
id,flag

page : 
num

note : 
id,content,title,userid

user : 
id,uname,password,level,Host,User,Password,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Reload_priv,Shutdown_priv,Process_priv,File_priv,Grant_priv,References_priv,Index_priv,Alter_priv,Show_db_priv,Super_priv,Create_tmp_table_priv,Lock_tables_priv,Execute_priv,Repl_slave_priv,Repl_client_priv,Create_view_priv,Show

直接獲取flag的內(nèi)容為 :

image.png

<tr><td>admin</td><td>管理員的筆記</td><td>此內(nèi)容無法刪除</td></tr><tr><td>asla</td><td>/5ebe2294ecd0e0f08eab7690d2a6ee69/reverseit</td><td>1</td></tr>

好像是一個(gè)路徑 , 下載得到一個(gè) .net 的二進(jìn)制程序
逆向一下看看

image.png

只需要繞過這些正則匹配就可以了
最終flag為 :

EKO{ooOOoo_sup3r_r3g3x_challenge_OOooOO}

色偷偷精品伊人,欧洲久久精品,欧美综合婷婷骚逼,国产AV主播,国产最新探花在线,九色在线视频一区,伊人大交九欧美,1769亚洲,黄色成人av

[網(wǎng)安中國行](misc)

[網(wǎng)安中國行](misc)

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容

色偷偷精品伊人,欧洲久久精品,欧美综合婷婷骚逼,国产AV主播,国产最新探花在线,九色在线视频一区,伊人大交九 欧美,1769亚洲,黄色成人av

[網(wǎng)安中國行](misc)

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容

色偷偷精品伊人,欧洲久久精品,欧美综合婷婷骚逼,国产AV主播,国产最新探花在线,九色在线视频一区,伊人大交九欧美,1769亚洲,黄色成人av