[GYCTF2020]EasyThinking
2022-08-05 03:25:00 【New Reading of the Classic of Tea.】

Poking around the site reveals that the web framework is ThinkPHP v6.0.0, which may be affected by an arbitrary file operation vulnerability.

Other than that, nothing was found; F12 showed nothing unusual either, but a dirsearch scan turned up www.zip.

Download and unpack the file.
In web/home/controller there is a Member.php, which gives us the application source:

```php
<?php
namespace app\home\controller;
use think\exception\ValidateException;
use think\facade\Db;
use think\facade\View;
use app\common\model\User;
use think\facade\Request;
use app\common\controller\Auth;

class Member extends Base
{
    public function index()
    {
        if (session("?UID"))
        {
            $data = ["uid" => session("UID")];
            $record = session("Record");
            $recordArr = explode(",", $record);
            $username = Db::name("user")->where($data)->value("username");
            return View::fetch('member/index',["username" => $username,"record_list" => $recordArr]);
        }
        return view('member/index',["username" => "Are you Login?","record_list" => ""]);
    }

    public function login()
    {
        if (Request::isPost()){
            $username = input("username");
            $password = md5(input("password"));
            $data["username"] = $username;
            $data["password"] = $password;
            $userId = Db::name("user")->where($data)->value("uid");
            $userStatus = Db::name("user")->where($data)->value("status");
            if ($userStatus == 1){
                return "<script>alert(\"该用户已被禁用,无法登陆\");history.go(-1)</script>";
            }
            if ($userId){
                session("UID",$userId);
                return redirect("/home/member/index");
            }
            return "<script>alert(\"用户名或密码错误\");history.go(-1)</script>";
        }else{
            return view('login');
        }
    }

    public function register()
    {
        if (Request::isPost()){
            $data = input("post.");
            if (!(new Auth)->validRegister($data)){
                return "<script>alert(\"The current username is already registered\");history.go(-1)</script>";
            }
            $data["password"] = md5($data["password"]);
            $data["status"] = 0;
            $res = User::create($data);
            if ($res){
                return redirect('/home/member/login');
            }
            return "<script>alert(\"注册失败\");history.go(-1)</script>";
        }else{
            return View("register");
        }
    }

    public function logout()
    {
        session("UID",NULL);
        return "<script>location.href='/home/member/login'</script>";
    }

    public function updateUser()
    {
        $data = input("post.");
        $update = Db::name("user")->where("uid",session("UID"))->update($data);
        if($update){
            return json(["code" => 1, "msg" => "修改成功"]);
        }
        return json(["code" => 0, "msg" => "修改失败"]);
    }

    public function rePassword()
    {
        $oldPassword = input("oldPassword");
        $password = input("password");
        $where["uid"] = session("UID");
        $where["password"] = md5($oldPassword);
        $res = Db::name("user")->where($where)->find();
        if ($res){
            $rePassword = User::update(["password" => md5($password)],["uid"=> session("UID")]);
            if ($rePassword){
                return json(["code" => 1, "msg" => "修改成功"]);
            }
            return json(["code" => 0, "msg" => "修改失败"]);
        }
        return json(["code" => 0, "msg" => "原密码错误"]);
    }

    public function search()
    {
        if (Request::isPost()){
            if (!session('?UID'))
            {
                return redirect('/home/member/login');
            }
            $data = input("post.");
            $record = session("Record");
            if (!session("Record"))
            {
                session("Record",$data["key"]);
            }
            else
            {
                $recordArr = explode(",",$record);
                $recordLen = sizeof($recordArr);
                if ($recordLen >= 3){
                    array_shift($recordArr);
                    session("Record",implode(",",$recordArr) . "," . $data["key"]);
                    return View::fetch("result",["res" => "There's nothing here"]);
                }
            }
            session("Record",$record . "," . $data["key"]);
            return View::fetch("result",["res" => "There's nothing here"]);
        }else{
            return View("search");
        }
    }
}
```

Auditing the code turns up the session handling: by default ThinkPHP 6 creates a session file named sess_xxxx under /runtime/session, where xxxx is the PHPSESSID (32 characters), and the file content is the session data, i.e. the value of key. It also turns up this:
```php
if ($userId){
    session("UID",$userId);
    return redirect("/home/member/index");
}
```

Here the uid is written into the current session. The session belonging to the PHPSESSID=1111111111111111111111111111.php we constructed at the start has no uid, so the search function cannot be reached; this login step assigns the uid to that session, which means the search page can then be used to write a webshell (intercept the request, modify it and forward it, and the shell is uploaded).
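The root cause described above is that the session ID taken from the cookie is used unchecked as part of a file name. The following is an added example (not code from the challenge or from ThinkPHP) that models a file-backed session store with and without ID validation; the function names and SESSION_DIR constant are hypothetical, and the inputs are constructed.

```php
<?php
// Added example: how a file-backed session store turns PHPSESSID into a path.
// Function names and SESSION_DIR are hypothetical, not framework API.

const SESSION_DIR = '/runtime/session';   // directory named in the writeup

// Unchecked variant: whatever the client sends as PHPSESSID becomes part of
// the file name. An ID ending in ".php" therefore yields a .php file whose
// body is the serialized session data (here, the "Record" search key).
function sessionPathUnchecked(string $id): string
{
    return SESSION_DIR . '/sess_' . $id;
}

// Hardened variant: accept only 32-character alphanumeric IDs, the shape the
// framework itself generates. Anything else is discarded and a fresh,
// server-generated ID is used, so the client cannot steer the file name.
function isValidSessionId($id): bool
{
    return is_string($id) && strlen($id) === 32 && ctype_alnum($id);
}

function sessionPathChecked($id): string
{
    if (!isValidSessionId($id)) {
        $id = md5(random_bytes(16));      // 32 hex characters, server-chosen
    }
    return SESSION_DIR . '/sess_' . $id;
}

// Constructed inputs: the cookie value from the writeup (32 chars, but it
// contains a dot) and a well-formed ID.
$attackerId = '1111111111111111111111111111.php';
$normalId   = 'a3f1c2d4e5b6a7f8c9d0e1f2a3b4c5d6';

var_dump(isValidSessionId($attackerId));
var_dump(isValidSessionId($normalId));
echo sessionPathUnchecked($attackerId), "\n";
echo sessionPathChecked($attackerId), "\n";
```

With the check in place the attacker-supplied ID is rejected and the session file name is always sess_ followed by 32 alphanumeric characters, so no file with a .php suffix can be created in the runtime directory; a quick audit of an existing deployment is to list /runtime/session for any file name that does not match that pattern.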


Connect with AntSword (蚁剑): http://xxxxxx.node4.buuoj.cn:81/runtime/session/sess_1111111111111111111111111111.php

Once connected, use the disabled_functions plugin to get the flag.


And that's the end of it.