Continuing the PHP code audit~
21.
```php
<?php
$filename = $_GET['f'];
if(stripos($filename, 'file_list') != false) die();
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename='$filename'");
readfile("uploads/$filename");
?>
```
This involves file operations, so my guess is file inclusion! But there is a stripos() function here. It finds the position of one string inside another and returns the offset at which the first match starts; for example stripos("hello","lo") returns the starting position of "lo", which is 3. PHP's loose typing comes into play with the GET parameter: 0 == false, so we first construct ?f=file_list, which will not trigger die(), and then build the directory traversal according to where the flag is located.
exp:?f=file_list/../../file_list.php
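The following is an added example, not code from the original post. It shows why `stripos(...) != false` is the wrong test (a match at offset 0 compares loosely equal to false) and what a download handler looks like when it stops relying on substring filtering and instead confines the resolved path to the uploads directory. The uploads directory and the sample names are assumptions for the demonstration.

```php
<?php
// Added example (not from the original post): the challenge's check next to a
// strict one, and a path-confinement routine for the download handler.

// As in the challenge: loose comparison. stripos() returns int(0) when the needle
// sits at offset 0, and `0 != false` is false, so such a name is not blocked.
function challenge_check_blocks(string $filename): bool
{
    return stripos($filename, 'file_list') != false;
}

// Strict comparison: any match, including one at offset 0, blocks.
function strict_check_blocks(string $filename): bool
{
    return stripos($filename, 'file_list') !== false;
}

// Path confinement: a download endpoint should serve a bare filename from one
// directory. Reject separators and NUL, resolve with realpath(), and require the
// result to stay under the base directory. $uploadsDir is an assumed path.
function resolve_upload(string $uploadsDir, string $requested): ?string
{
    $base = realpath($uploadsDir);
    if ($base === false) {
        return null;
    }
    if ($requested === '' || strpbrk($requested, "/\\\0") !== false) {
        return null;                                  // no traversal characters at all
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    // realpath() returns false for missing files and collapses "..", so anything
    // that resolves outside $base (including via a symlink) is refused.
    if ($full === false || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

var_dump(challenge_check_blocks('file_list'));                  // bool(false): offset 0, not blocked
var_dump(challenge_check_blocks('x_file_list'));                // bool(true): offset 2 is truthy
var_dump(strict_check_blocks('file_list'));                     // bool(true)
var_dump(resolve_upload(sys_get_temp_dir(), '../etc/passwd'));  // NULL: separator rejected
var_dump(resolve_upload(sys_get_temp_dir(), 'nonexistent'));    // NULL: realpath() fails
```

The strict comparison fixes the check the author exploits; the confinement routine is what actually removes the traversal, because a blocklist on one substring says nothing about `..` or absolute paths.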
22.
```php
<?php
error_reporting(0);
function RotEncrypt($str, $pass){
    $pass = str_split(str_pad('', strlen($str), $pass, STR_PAD_RIGHT));
    $stra = str_split($str);
    foreach($stra as $k=>$v){
        $tmp = ord($v)+ord($pass[$k]);
        $stra[$k] = chr( $tmp > 255 ?($tmp-256):$tmp);
    }
    return join('', $stra);
}
function post($url, $post_data = '', $timeout = 5){
    $ch = curl_init();
    curl_setopt ($ch, CURLOPT_URL, $url);
    curl_setopt ($ch, CURLOPT_POST, 1);
    if($post_data != ''){
        curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
    }
    curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    curl_setopt($ch, CURLOPT_HEADER, false);
    $file_contents = curl_exec($ch);
    curl_close($ch);
    return $file_contents;
}
$name = addslashes($_POST['name']);
$cat = addslashes($_POST['cat']);
$content = <<< EOF
<div style="text-align:center;margin-top:150px;">
<h3>Book search system</h3>
<form action="admin.php" method="post">
Name: <input type="text" name="name" value="king"></input><br>
Category: <select name="cat">
<option value ="Classic Literature & Fiction">Classic Literature & Fiction</option>
<option value ="Literary">Literary</option>
<option value ="Literature & Fiction">Literature & Fiction</option>
<option value ="Military History">Military History</option>
<option value ="Thrillers & Suspense">Thrillers & Suspense</option>
<option value ="Historical">Historical</option>
</select>
<input type="submit" name="submit" value="Query"></input><br>
</form>
</div>
EOF;
echo $content;
if($name && $cat){
    echo post("http://10.18.25.154:10002/isc/query.php",array("data"=>RotEncrypt("name=$name&cat=$cat","ISC2015")));
}
if($_POST['key'] == "{$key}"){
    system($_GET['cmd']);
}
?>
/*
query.php:
include "config.php";
function RotDecrypt($str, $pass){
    $pass = str_split(str_pad('', strlen($str), $pass, STR_PAD_RIGHT));
    $stra = str_split($str);
    foreach($stra as $k=>$v){
        $tmp = ord($v)-ord($pass[$k]);
        $stra[$k] = chr( $tmp < 0 ?($tmp+256):$tmp);
    }
    return join('', $stra);
}
function Fsql($sql){
    // the final alternative is \s (whitespace); the extraction had dropped the backslash
    if(preg_match('/(and|ascii|concat|from|group by|group_concat|hex|limit|lpad|or|select|substr|union|where|\s)/i', $sql)){
        return "";
    }else{
        return $sql;
    }
}
parse_str(RotDecrypt($_POST['data'],"ISC2015"), $str);
$connection = mysql_connect($db_host,$db_username,$db_password) or die("could not connect to Mysql");
mysql_query("set names 'utf8'");
$db_selecct=mysql_select_db($db_database) or die("could not to the database");
$query="select * from test where name = '".Fsql($str[name])."'";
$result = @mysql_query($query);
if($result){
    $res=mysql_fetch_array($result);
    if($res['name']){
        echo $str[name]." exist.";
    }else{
        echo $str[name]." not exist.";
    }
}
*/
```
The code is quite long... let's take it slowly. With this many SQL operations, this is probably an injection challenge...
The main script above really only defines how the data is transmitted: $name and $cat are sent to query.php through curl. query.php below has a filter function, so the core of the challenge is how to get past that filter. Let's see whether there is anything usable~
Before the data reaches the database it is handled once more by parse_str(). A quick search shows that this function parses a query string into variables and URL-decodes the values along the way, so %2527 can be used here to get past the addslashes() above. What remains is getting past the filter regex; for the details see the reference linked from the original post.
exp:'||if(rpad(key,1,1)='a',sleep(3),1)#
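The following is an added example, not code from the original post. It isolates the decoding step the author relies on: addslashes() runs on the front end, but query.php re-parses the transported string with parse_str(), which URL-decodes every value, so a percent-encoded quote that addslashes() never saw arrives at the SQL string as a raw quote. (The RotEncrypt/RotDecrypt pair in between is byte-for-byte reversible and does not change this.) The hardened lookup binds the value with a prepared statement; the SQLite in-memory database and its one row are constructed so the block runs offline, and the PDO SQLite driver is assumed to be available.

```php
<?php
// Added example (not from the original post): why addslashes() on the front end
// does not protect query.php, and a bound query that does not care about quoting.

// Front-end stage, as in the challenge: addslashes() then build the transport string.
function frontend_encode(string $name, string $cat): string
{
    return 'name=' . addslashes($name) . '&cat=' . addslashes($cat);
}

// Back-end stage, as in the challenge: parse_str() splits on & and = and
// URL-decodes each value. A value that reached the front end already
// percent-encoded contained no quote for addslashes() to escape, so the
// quote materialises only here, after the escaping step.
function backend_decode(string $data): array
{
    parse_str($data, $out);
    return $out;
}

$fields = backend_decode(frontend_encode('O%27Brien', 'Literary'));
var_dump($fields['name']);   // string(7) "O'Brien": quote survived addslashes() untouched

// Hardened lookup: the value is bound, so quoting is irrelevant to the query shape.
function find_by_name(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT name FROM test WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed offline fixture.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE test (name TEXT)');
$pdo->exec("INSERT INTO test VALUES ('king')");

var_dump(find_by_name($pdo, 'king'));                 // array(1) { ["name"]=> "king" }
var_dump(find_by_name($pdo, $fields['name']));        // NULL: "O'Brien" is not a row
var_dump(find_by_name($pdo, "king' OR '1'='1"));      // NULL: compared literally, not parsed as SQL
```

The lesson is about ordering: escaping is only meaningful against the exact bytes that reach the SQL parser, and any decode step after the escaping (here parse_str()) undoes it. Binding removes the dependency on ordering entirely.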
23.
```php
<?php
chdir('../../../../');
define('GWF_PAGE_TITLE', 'Training: Register Globals');
require_once('challenge/html_head.php');
if (false === ($chall = WC_Challenge::getByTitle(GWF_PAGE_TITLE))) {
    $chall = WC_Challenge::dummyChallenge(GWF_PAGE_TITLE, 2, 'challenge/training/php/globals/index.php');
}
$chall->showHeader();
GWF_Debug::setDieOnError(false);
GWF_Debug::setMailOnError(false);
# EMULATE REGISTER GLOBALS = ON
foreach ($_GET as $k => $v) {
    $$k = $v;
}
# Send request?
if (isset($_POST['password']) && isset($_POST['username']) && is_string($_POST['password']) && is_string($_POST['username']) )
{
    $uname = mysql_real_escape_string($_POST['username']);
    $pass = md5($_POST['password']);
    $query = "SELECT level FROM ".GWF_TABLE_PREFIX."wc_chall_reg_glob WHERE username='$uname' AND password='$pass'";
    $db = gdo_db();
    if (false === ($row = $db->queryFirst($query))) {
        echo GWF_HTML::error('Register Globals', $chall->lang('err_failed'));
    } else {
        # Login success
        $login = array($_POST['username'], (int)$row['level']);
    }
}
if (isset($login))
{
    echo GWF_HTML::message('Register Globals', $chall->lang('msg_welcome_back',array(htmlspecialchars($login[0]), htmlspecialchars($login[1]))));
    if (strtolower($login[0]) === 'admin') {
        $chall->onChallengeSolved(GWF_Session::getUserID());
    }
} else {?>
<form action="globals.php" method="post">
<table>
<tr>
<td><?php echo $chall->lang('th_username'); ?>:</td> <td><input type="text" name="username" value="" /></td>
</tr>
<tr>
<td><?php echo $chall->lang('th_password'); ?>:</td>
<td><input type="password" name="password" value="" /></td></tr>
<tr>
<td></td>
<td><input type="submit" name="send" value="<?php echo $chall->lang('btn_send'); ?>" /></td>
</tr></table>
</form>
<?php
}
# EMULATE REGISTER GLOBALS = OFF
foreach ($_GET as $k => $v) { unset($$k); }
require_once 'challenge/html_foot.php';
?>
```
The code keeps getting longer...
The foreach() in the middle is an obvious variable-overwrite vulnerability!
The later check is login[0]==admin, so we can use the variable overwrite to satisfy that condition!
exp:?login[0]=admin
24.
```php
<?php
//
// Trigger Moved to index.php
//if (false !== ($who = Common::getGet('vote_for'))) {
//    noesc_voteup($who);
//}
//
/**
 * Get the database link
 * @return GDO_Database
 */
function noesc_db()
{
    static $noescdb = true;
    if ($noescdb === true) {
        $noescdb = gdo_db_instance('localhost', NO_ESCAPE_USER, NO_ESCAPE_PW, NO_ESCAPE_DB);
        $noescdb->setLogging(false);
        $noescdb->setEMailOnError(false);
    }
    return $noescdb;
}
/**
 * Create table (called by install-script)
 * The table layout is crappy, there is only 1 row in the table Oo.
 * @return boolean
 */
function noesc_createTable()
{
    $db = noesc_db();
    $query =
        "CREATE TABLE IF NOT EXISTS noescvotes ( ".
        "id INT(11) UNSIGNED PRIMARY KEY, ". # I could have one row per candidate, but currently there is only one global row(id:1). I know it`s a bit unrealistic, but at least it is safe, isn`t it?
        "bill INT(11) UNSIGNED NOT NULL DEFAULT 0, ". # bill column
        "barack INT(11) UNSIGNED NOT NULL DEFAULT 0, ". # barack column
        "george INT(11) UNSIGNED NOT NULL DEFAULT 0 )"; # george columb
    if (false === $db->queryWrite($query)) {
        return false;
    }
    return noesc_resetVotes();
}
/**
 * Reset the votes.
 * @return void
 */
function noesc_resetVotes()
{
    noesc_db()->queryWrite("REPLACE INTO noescvotes VALUES (1, 0, 0, 0)");
    echo GWF_HTML::message('No Escape', 'All votes have been reset', false);
}
/**
 * Count a vote.
 * Reset votes when we hit 100 or 111.
 * TODO: Implement multi language
 * @param string $who
 * @return void
 */
function noesc_voteup($who)
{
    if ( (stripos($who, 'id') !== false) || (strpos($who, '/') !== false) ) {
        echo GWF_HTML::error('No Escape', 'Please do not mess with the id. It would break the challenge for others', false);
        return;
    }
    $db = noesc_db();
    $who = mysql_real_escape_string($who);
    $query = "UPDATE noescvotes SET `$who`=`$who`+1 WHERE id=1";
    if (false !== $db->queryWrite($query)) {
        echo GWF_HTML::message('No Escape', 'Vote counted for '.GWF_HTML::display($who), false);
    }
    noesc_stop100();
}
/**
 * Get all votes.
 * @return array
 */
function noesc_getVotes()
{
    return noesc_db()->queryFirst("SELECT * FROM noescvotes WHERE id=1");
}
/**
 * Reset when we hit 100. Or call challenge solved on 111.
 * @return void
 */
function noesc_stop100()
{
    $votes = noesc_getVotes();
    foreach ($votes as $who => $count)
    {
        if ($count == 111) {
            noesc_solved();
            noesc_resetVotes();
            break;
        }
        if ($count >= 100) {
            noesc_resetVotes();
            break;
        }
    }
}
/**
 * Display fancy votes table.
 * New: it is multi language now.
 * @return unknown_type
 */
function noesc_displayVotes(WC_Challenge $chall)
{
    $votes = noesc_getVotes();
    echo '<table>';
    echo sprintf('<tr><th>%s</th><th>%s</th><th>%s!</th></tr>', $chall->lang('th_name'), $chall->lang('th_count'), $chall->lang('th_vote'));
    $maxwho = '';
    $max = 0;
    $maxcount = 0;
    // Print Candidate rows
    foreach ($votes as $who => $count) {
        if ($who !== 'id') // Skip ID
        {
            $count = (int) $count;
            if ($count > $max) {
                $max = $count;
                $maxwho = $who;
                $maxcount = 1;
            }
            elseif ($count === $max) {
                $maxcount++;
            }
            $button = GWF_Button::generic($chall->lang('btn_vote', array($who)), "index.php?vote_for=$who");
            echo sprintf('<tr><td>%s</td><td class="gwf_num">%s</td><td>%s</td></tr>', $who, $count, $button);
        }
    }
    echo '</table>';
    // Print best candidate.
    if ($maxcount === 1) {
        echo GWF_Box::box($chall->lang('info_best', array(htmlspecialchars($maxwho))));
    }
}
/**
 * Try to get here :)
 */
function noesc_solved()
{
    if (false === ($chall = WC_Challenge::getByTitle('No Escape'))) {
        $chall = WC_Challenge::dummyChallenge('No Escape', 2, '/challenge/no_escape/index.php', false);
    }
    $chall->onChallengeSolved(GWF_Session::getUserID());
}
?>
```
It really does keep getting longer! And lots of SQL operations again...
First, the final condition is $vote==111, but whenever $vote>100 the votes are reset, so reaching 111 by accumulating votes is definitely not possible. The only option is to assign the value directly, so let's look for an input point~
The GET parameter is vote_for, which is assigned to $who and then used in the UPDATE; that is the only place where something can go wrong...
exp:?vote_for=bill`=111 -- 
After this assignment the statement is concatenated into:
```sql
UPDATE noescvotes SET `bill`=111 -- `=`bill`=111 -- `+1 WHERE id=1
```
Note that the closing character here is the backtick, and because of the -- everything after it is commented out, so count can be set directly to 111.
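The following is an added example, not code from the original challenge. The point it isolates is that mysql_real_escape_string() escapes characters for use inside a quoted string literal; it does nothing for a value interpolated as an identifier between backticks, so the UPDATE above is built unchanged. The hardened version checks the candidate against an allow-list of the three known columns and binds the row id. addslashes() is used as a stand-in for the removed mysql_real_escape_string() (both leave the backtick and `--` alone), and the SQLite in-memory table is constructed so the block runs offline.

```php
<?php
// Added example (not from the original challenge): identifier injection is not
// stopped by string escaping; it is stopped by refusing unknown identifiers.

// Challenge-style construction. addslashes() stands in for
// mysql_real_escape_string(): both escape ' " \ and NUL, neither touches ` or --.
function vulnerable_update_sql(string $who): string
{
    $who = addslashes($who);
    return "UPDATE noescvotes SET `$who`=`$who`+1 WHERE id=1";
}

// The page's payload passes through unchanged and closes the identifier early.
var_dump(vulnerable_update_sql('bill`=111 -- '));
// string(62) "UPDATE noescvotes SET `bill`=111 -- `=`bill`=111 -- `+1 WHERE id=1"

// Hardened construction: only the columns we wrote ourselves may be named, with a
// strict comparison so no type juggling applies; the row id is bound.
const VOTE_COLUMNS = ['bill', 'barack', 'george'];

function safe_vote_up(PDO $pdo, string $who): bool
{
    if (!in_array($who, VOTE_COLUMNS, true)) {
        return false;                       // unknown candidate: refuse rather than escape
    }
    // $who is now one of three literals from this file, so interpolating it as an
    // identifier is safe; nothing from the request reaches the SQL text.
    $stmt = $pdo->prepare("UPDATE noescvotes SET `$who` = `$who` + 1 WHERE id = :id");
    return $stmt->execute([':id' => 1]);
}

// Constructed offline fixture (SQLite accepts backtick-quoted identifiers too).
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE noescvotes (id INTEGER PRIMARY KEY, bill INTEGER, barack INTEGER, george INTEGER)');
$pdo->exec('INSERT INTO noescvotes VALUES (1, 0, 0, 0)');

var_dump(safe_vote_up($pdo, 'bill'));            // bool(true)
var_dump(safe_vote_up($pdo, 'bill`=111 -- '));   // bool(false): rejected before any SQL exists
var_dump($pdo->query('SELECT bill FROM noescvotes WHERE id = 1')->fetchColumn());   // "1"
```

The `stripos($who, 'id')` and `/` checks in the challenge are a blocklist aimed at one specific misuse; the allow-list replaces them with a positive statement of what a candidate name may be, which is the only form that holds up for identifiers.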
25.
```php
<?php
// closure, because of namespace!
$challenge = function()
{
    $f = Common::getGetString('eval');
    // '\\' is a single backslash; the extraction had dropped the escaping backslash
    $f = str_replace(array('`', '$', '*', '#', ':', '\\', '"', "'", '(', ')', '.', '>'), '', $f);
    if((strlen($f) > 13) || (false !== stripos($f, 'return')))
    {
        die('sorry, not allowed!');
    }
    try
    {
        // \$ restored: the left-hand side must reach eval() as the literal text "$spaceone"
        eval("\$spaceone = $f");
    }
    catch (Exception $e)
    {
        return false;
    }
    return ($spaceone === '1337');
};
?>
```
A wechall challenge. First there is a series of filter replacements, which will certainly matter later~
The eval variable cannot be longer than 13 characters, cannot contain return, and in the end must be strictly equal to the string 1337. If we use ?eval='1337', the str_replace pass turns it into ?eval=1337, which is a number rather than a string, so the comparison no longer holds.
The trick used here is a special way of writing string literals in PHP...
```php
$f = <<<q
1337
q;
```
<<< must be followed by an identifier, here q, and then a newline. Next comes the string itself, here 1337. The closing identifier must be in the first column of its line, i.e. q must be at the start of the line. The identifier may contain only letters, digits and underscores and must start with a letter or an underscore. The line with the closing identifier must contain nothing else, except possibly a semicolon (;).
So the newline can be written as %0a, and we can build the exp:
exp:?eval=<<<q%0a1337%0aq;%0a
26.
```php
<?php
$flag = "xxx";
if (isset($_POST['answer'])){
    $number = $_POST['answer'];
    if (noother_says_correct($number)){
        echo $flag;
    } else {
        echo "Sorry";
    }
}
function noother_says_correct($number)
{
    $one = ord('1');
    $nine = ord('9');
    # Check all the input characters!
    for ($i = 0; $i < strlen($number); $i++)
    {
        # Disallow all the digits!
        # (the original used the $number{$i} offset syntax, deprecated in 7.4 and removed in 8.0)
        $digit = ord($number[$i]);
        if ( ($digit >= $one) && ($digit <= $nine) )
        {
            # Aha, digit not allowed!
            return false;
        }
    }
    # Allow the magic number ...
    return $number == "3735929054";
}
?>
```
The gist is that we must submit a number, but it must not contain the digits 1-9; note that 0 is allowed.
The first ideas are hexadecimal or scientific notation; here hexadecimal is the obvious choice.
hex(3735929054)=0xdeadc0de
It contains a 0, but that does not matter, so this can be used to get past the validation function~
exp:POST:answer=0xdeadc0de
27.
```php
<?php
include "flag.php";
$a = @$_REQUEST['hello'];
// \w restored: the extraction had dropped the backslash
if(!preg_match('/^\w*$/',$a )){
    die('ERROR');
}
eval("var_dump($$a);");
show_source(__FILE__);
?>
```
There is a filter here (only letters and digits are allowed), so variables cannot be overwritten directly~
But PHP has a special variable, GLOBALS, which references every variable available in the global scope.
exp:$a=GLOBALS
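The following is an added example, not code from either challenge, covering both the register_globals emulation of challenge 23 and the `var_dump($$a)` of challenge 27. Both let request data choose a variable name rather than a variable value, and the `^\w*$` allow-list in 27 does nothing against that, because every identifier is made of word characters. The block shows the two consequences and the explicit key-to-value mapping that removes the problem. All inputs and the stand-in `$flag` are constructed.

```php
<?php
// Added example (not from the original challenges): what `$$name` from request
// data permits, and the allow-list lookup that replaces it.

// Challenge 23 pattern: emulated register_globals inside a scope that later tests
// isset($login). Any request key of that name creates or overwrites the variable.
function emulate_register_globals(array $get)
{
    $login = null;                 // only the password check is supposed to set this
    foreach ($get as $k => $v) {
        $$k = $v;                  // key "login" writes straight into $login
    }
    return $login;
}

var_dump(emulate_register_globals(['login' => ['admin', 0]]));   // array(2): "logged in" without any query
var_dump(emulate_register_globals(['theme' => 'dark']));         // NULL: unrelated key, nothing overwritten

// Challenge 27 pattern, at global scope as in the challenge. The regex keeps out
// quotes and operators, but any identifier passes, so the input can name a global
// it was never meant to reach (the post uses GLOBALS to list them all at once).
$flag = 'constructed-flag';        // stands in for whatever flag.php defines
$a = 'flag';
if (preg_match('/^\w*$/', $a)) {
    var_dump($$a);                 // string(16) "constructed-flag"
}

// Hardened form for both cases: never derive a variable name from input. Map the
// accepted keys to values explicitly and reject everything else.
function safe_lookup(string $key, array $allowed): ?string
{
    return array_key_exists($key, $allowed) ? $allowed[$key] : null;
}

var_dump(safe_lookup('flag',  ['theme' => 'dark', 'lang' => 'en']));   // NULL
var_dump(safe_lookup('theme', ['theme' => 'dark', 'lang' => 'en']));   // string(4) "dark"
```

Note that `$$k = $v` inside the function overwrites a local that was initialised just above it; initialising `$login` first is therefore not a fix on its own, which is why the hardened version drops variable variables altogether.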
28.
```php
<?php
error_reporting(0);
session_start();
require ('./flag.php');
if (!isset($_SESSION['nums'])) {
    $_SESSION['nums'] = 0;
    $_SESSION['time'] = time();
    $_SESSION['whoami'] = 'ea';
}
if ($_SESSION['time'] + 120 < time()) {
    session_destroy();
}
$value = $_REQUEST['value'];
$str_rand = range('a', 'z');
$str_rands = $str_rand[mt_rand(0, 25) ] . $str_rand[mt_rand(0, 25) ];
if ($_SESSION['whoami'] == ($value[0] . $value[1]) && substr(md5($value) , 5, 4) == 0) {
    $_SESSION['nums']++;
    $_SESSION['whoami'] = $str_rands;
    echo $str_rands;
}
if ($_SESSION['nums'] >= 10) {
    echo $flag;
}
show_source(__FILE__);
?>
```
To get nums>=10 we must go through that nums++, which means the if condition must be satisfied~
Let's focus on the conditions inside the if!
$value is the parameter we pass in. $whoami must equal the first two characters of $value, and characters 5-9 of md5($value) must be 0... these conditions are really harsh...
Just brute-force it~ I won't provide the brute-force script... understanding the idea is enough~
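The following is an added example, not code from either challenge, covering the comparisons in challenge 26 (`$number == "3735929054"`) and challenge 28 (`substr(md5($value), 5, 4) == 0`). Both checks are written with loose `==`, and what they accept depends on PHP's numeric-string rules and therefore on the PHP version; the strict forms accept exactly the intended value in every version. The inputs are constructed.

```php
<?php
// Added example (not from the original challenges): the two loose comparisons
// next to strict replacements, with the version-dependent results noted.

// Challenge 26: digits 1-9 are banned from the input, but the final check is loose.
function magic_number_check(string $number): bool
{
    return $number == "3735929054";
}

// PHP 5: "0xdeadc0de" is a numeric string, both sides become 3735929054, result true.
// PHP 7.0+: hexadecimal strings are no longer numeric, so this is a plain string
// comparison and the result is false. The post's exp therefore targets PHP 5.
var_dump(magic_number_check("0xdeadc0de"));

// Challenge 28: a four-character slice of an md5 hex digest compared with int 0.
function md5_window_check(string $value): bool
{
    return substr(md5($value), 5, 4) == 0;
}

// For a slice that is not a numeric string (e.g. "a3f9"):
//   PHP 5 and 7: the string is cast to int 0, so the comparison is true
//   PHP 8.0+:    0 is cast to "0" and compared as a string, so it is false
// A slice like "0000" or "0e12" compares equal to 0 in every version.
var_dump(md5_window_check('constructed-input'));

// Strict replacements: compare strings as strings. hash_equals() also avoids
// leaking how many leading characters matched when the value is attacker-chosen.
function magic_number_check_strict(string $number): bool
{
    return hash_equals("3735929054", $number);
}

function md5_window_check_strict(string $value): bool
{
    return substr(md5($value), 5, 4) === "0000";
}

var_dump(magic_number_check_strict("0xdeadc0de"));        // bool(false) in every version
var_dump(magic_number_check_strict("3735929054"));        // bool(true)
var_dump(md5_window_check_strict('constructed-input'));   // depends only on the digest, never on juggling
```

When reviewing a check like this, the question to ask is not "which values pass" but "which comparison operator decides", because with `==` the answer changed between PHP 5, 7 and 8 without the code changing.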
29.
```php
<?php
include('config.php');
session_start();
if($_SESSION['time'] && time() - $_SESSION['time'] > 60){
    session_destroy();
    die('timeout');
} else {
    $_SESSION['time'] = time();
}
echo rand();
if(isset($_GET['go'])){
    $_SESSION['rand'] = array();
    $i = 5;
    $d = '';
    while($i--){
        $r = (string)rand();
        $_SESSION['rand'][] = $r;
        $d .= $r;
    }
    echo md5($d);
}else if(isset($_GET['check'])){
    if($_GET['ckeck'] === $_SESSION['rand']){
        echo $flag;
    } else {
        echo 'die';
        session_destroy();
    }
} else {
    show_source(__FILE__);
}
?>
```
To echo $flag the if condition must hold. It is not very complicated: our input only has to equal the generated rand value, so let's see how that rand value is produced~
There are five loop iterations; each appends one random value to the existing string, and finally the md5 of the whole string is returned.
Because of the randomness, even brute force would be very laborious, but fortunately this is only pseudo-randomness.
```text
state[i] = state[i-3] + state[i-31]
return state[i] >> 1
```
This is how PHP defines its random number generation, so if we can obtain more than 32 consecutively generated random numbers, we can predict the ones that follow~ Script omitted, the idea is what matters!
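The following is an added example, not code from the original challenge. The recurrence above makes each output a function of earlier outputs, and the page prints one per request, which is what makes the challenge's secret recoverable. This is the same issue/verify flow rebuilt on random_int(), with a constant-time comparison and single use; the session is a plain array so the block runs offline, and the sizes and lifetime are assumptions that mirror the challenge.

```php
<?php
// Added example (not from the original challenge): the challenge's token flow
// on a CSPRNG, compared in constant time and consumed on first use.

const TOKEN_PARTS = 5;
const TOKEN_TTL_SECONDS = 60;

// Issue a fresh challenge: five CSPRNG-backed 31-bit values (the width rand()
// produced), stored server-side with a timestamp; only the digest is returned.
function issue_token(array &$session): string
{
    $parts = [];
    for ($i = 0; $i < TOKEN_PARTS; $i++) {
        $parts[] = (string) random_int(0, 2147483647);   // no recurrence to recover
    }
    $session['rand'] = $parts;
    $session['time'] = time();
    return md5(implode('', $parts));
}

// Verify a client's answer: one string against one string, constant time, and
// the stored value is discarded whether or not it matched.
function verify_token(array &$session, string $answer, ?int $now = null): bool
{
    $now = $now ?? time();
    if (!isset($session['rand'], $session['time'])) {
        return false;
    }
    if ($now - $session['time'] > TOKEN_TTL_SECONDS) {
        unset($session['rand'], $session['time']);        // expired, as the challenge's timeout does
        return false;
    }
    $expected = implode('', $session['rand']);
    $ok = hash_equals($expected, $answer);
    unset($session['rand']);                              // single use either way
    return $ok;
}

// Walk-through with a constructed session.
$session = [];
$digest  = issue_token($session);
$answer  = implode('', $session['rand']);                 // known only server-side
var_dump(verify_token($session, $answer));                // bool(true)
var_dump(verify_token($session, $answer));                // bool(false): already consumed
$session = [];
issue_token($session);
var_dump(verify_token($session, '0', time() + 61));       // bool(false): expired
```

Two caveats on the recurrence the post quotes: it describes the glibc-backed rand() of older PHP builds, and since PHP 7.1 rand() is an alias of mt_rand(), which is a different generator but still not a cryptographic one. The fix is the same either way: anything a client is challenged to reproduce must come from random_int() or random_bytes().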
30.
```php
<?php
    #made by adm1nkyj
    error_reporting(0);
    include('./flag.php');
    echo 'login as admin kkk<br/>';
    $filter = ['conv', 'code', 'hex', 'ha', 'b', 'x', '_', '`', '\'', '"', '@','into','outfile','load','file', 'date', 'co','ca', 'b', 'g', 'h', 'j', 'k', 'q', 'v', 'x', 'z', 'date', 'make', 'day', 'name', 'replace', 'insert', 'pad', 'ascii', 'user', 'version', 'db', 'data', 'base'];
    $id = addslashes($_GET['id']);
    $pw = addslashes($_GET['pw']);
    $id = mb_convert_encoding($id, 'utf-8', 'euc-kr');
    if(strlen($pw)>=370) die('no hack');
    foreach ($filter as $_str)
    {
        if(strpos(strtolower($_GET['id']), $_str) !== false || strpos(strtolower($_GET['pw']), $_str) !== false)
        {
            echo $_str;
            exit('no hack');
        }
    }
    if(preg_match('/[0-9]/', $_GET['id']) || preg_match('/[0-9]/', $_GET['pw']))
    {
        exit('no hack');
    }
    $query = mysql_fetch_array(mysql_query("SELECT * FROM user WHERE id='{$id}' AND pw='{$pw}';"));
    if($query['id'])
    {
        if(strtolower($query['id']) === 'admin')
        {
            exit($flag);
        }
        else
        {
            echo "your id : ".$query['id'];
        }
    }
    echo "<hr>";
    show_source(__FILE__);
?>
```
This one is really complicated... a bit beyond my ability... I'll just point to the writeup... writeup link