CG-CTF(6)

CG-CTF

  https://cgctf.nuptsast.com/challenges#Web

 

  Continued ~

  Question 30: Comprehensive challenge 2

  Read the description of this CMS;

 

  Analysis:

    ① The database table is called admin, with fields username and userpass (since the table and field names are handed to us outright, an SQL injection vulnerability is very likely);

    ② Several file names are listed, such as say.php and passencode.php; crawling the site with Burp turns up so.php and others;

    ③ The file parameter in the URL can be used to read files directly;

  Idea: first read the files using the file parameter to gather more information;

  Analysis:

    ① passencode.php implements an encryption function; code analysis shows that it converts each character of the input parameter to its ASCII code and outputs those codes;

    ② about.php reveals the admin directory: http://cms.nuptzj.cn/loginxlcteam;

    ③ so.php exposes a lot of useful information:

  • It checks the User-Agent HTTP header; only "Xlcteam Browser" passes the check, which is bypassed simply by modifying the header in Burp;
  • It takes a POST parameter soid; an SQL injection vulnerability may exist here;
  • It includes two files, antiinject.php and antixss.php; a brief code analysis shows they filter some characters used in SQL injection and cross-site scripting (XSS);
  • You can see the command to query the database:
    SELECT * FROM 'message' WHERE display=1 AND id=$id

    ④ Analyzing the query, we can see that if an SQL injection vulnerability exists here it is a numeric injection. Looking closely at the filter rules in antiinject.php, the code blacklists words such as "select", "union", "and" and "from", and also blacklists characters such as "+", "=" and space; the filtering method is to strip each blacklisted item with str_replace(). Because the replacement is a single non-recursive pass, double-writing and case changes bypass the word filter, "/**/" comments bypass the space filter, and "like", ">" or "<" bypass the "=" filter. We can conclude that an SQL injection vulnerability exists here;
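The following Python model, added here and not code from the CMS or from the original write-up, shows why a str_replace() blacklist of the kind described for antiinject.php is not a defence, and what the numeric-id handler should do instead. The blacklist entries "select", "union", "and", "from", "+", "=" and space are the ones the write-up names; "or", "admin", "name" and "pass" are an assumption inferred from the tokens the write-up's payload double-writes, since the real file's list is not on the page. The `message` table and its rows are constructed sample data.

```python
import sqlite3

# Blacklist reconstructed from the write-up's description of antiinject.php.
# "select", "union", "and", "from", "+", "=" and " " are named on the page;
# "or", "admin", "name", "pass" are an assumption inferred from the payload.
BLACKLIST = ["select", "union", "and", "from", "or", "admin", "name", "pass",
             "+", "=", " "]


def antiinject(value: str) -> str:
    """Model of a str_replace()-style filter: every blacklisted token is
    stripped in one non-recursive pass. Stripping the inner copy of a
    double-written word leaves the original word behind, which is the flaw."""
    for token in BLACKLIST:
        value = value.replace(token, "")
    return value


def build_query_vulnerable(soid: str) -> str:
    """The query shape quoted in the write-up, built by string concatenation
    after the filter has run. Vulnerable: filtered text is still trusted."""
    return f"SELECT * FROM message WHERE display=1 AND id={antiinject(soid)}"


def build_query_hardened(soid: str) -> tuple:
    """Hardened handler: id is numeric, so enforce the type instead of
    blacklisting strings, and bind the value as a query parameter."""
    if not soid.isdigit():
        raise ValueError("soid must be a non-negative integer")
    return "SELECT * FROM message WHERE display=1 AND id=?", (int(soid),)


def hardened_rejects(soid: str) -> bool:
    """True when the hardened handler refuses the input outright."""
    try:
        build_query_hardened(soid)
    except ValueError:
        return True
    return False


def demo_db() -> sqlite3.Connection:
    """Constructed sample table so the block runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE message (id INTEGER, display INTEGER, body TEXT)")
    conn.executemany("INSERT INTO message VALUES (?, ?, ?)",
                     [(1, 1, "hello"), (2, 0, "hidden"), (3, 1, "world")])
    return conn


def run_hardened(conn: sqlite3.Connection, soid: str) -> list:
    """Execute the parameterised query; the id never touches the SQL text."""
    sql, params = build_query_hardened(soid)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    # A naive probe is mangled by the filter, a double-written one is repaired by it.
    print(antiinject("1 and 1=1"))            # blacklist strips it to "111"
    print(antiinject("1/**/anandd/**/1>0"))   # comes out as "1/**/and/**/1>0"
    print(build_query_vulnerable("1/**/anandd/**/1>0"))
    print(hardened_rejects("1/**/anandd/**/1>0"))  # True: rejected by type check
    print(run_hardened(demo_db(), "1"))            # [(1, 1, 'hello')]
```

The point of the hardened version is that the request parameter is never spliced into SQL text at all: the type check refuses anything that is not a digit string, and even a value that passes is bound with `?`, so the database treats it as data rather than syntax.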

  Idea: the table name is known to be admin and the field names username and userpass, and the filter rules are known. We use the exists() function to brute-force the field contents directly, with Burp's built-in Intruder module, using the payloads:

soid=1/**/anandd/**/exists(selselectect/**/*/**/frfromom/**/admadminin/**/where/**/oorrd(substr(usernanameme,§1§,1))>§1§)

  and

soid=1/**/anandd/**/exists(selselectect/**/*/**/frfromom/**/admadminin/**/where/**/oorrd(substr(userppassass,§1§,1))>§1§)

  This gives username = admin and userpass = 102 117 99 107 114 117 110 116 117; from the earlier analysis of passencode.php, the decoded value should be fuckruntu;

  Log in to the back end with the obtained credentials;

  Having learned the file name of the web shell, use the file parameter from earlier to read its contents;

  Analyzing the code shows that it substitutes the content of the wtf parameter into www and executes it; connect to it directly with Cknife;

  Open the file "恭喜你获得flag2.txt" (the name means "Congratulations, you got flag2.txt");

  Get the flag (cheers~);

 

  To be continued~


Origin www.cnblogs.com/Dio-Hch/p/12010137.html