Opening the challenge shows a login interface. Enter an account and password and take a look.
The error reveals a database statement, so try the classic universal password:
1'or'1'='1'#
It turns out to be filtered. Usually this kind of challenge has a register.php and somewhere that lets you read source code; we need to find it and try.
Once we find the registration page, register and log in.
We find a user.php page; nothing related to our input is echoed back. What interests us is the page parameter. Not knowing whether it can read source for us, we try the php:// pseudo-protocol directly:
?page=php://filter/read=convert.base64-encode/resource=user.php
It returns 200 but with no content, which suggests a problem with the name of the file being read. Let's try dropping the suffix.
The source becomes readable; download all of it.
There is no upload.php here; that source code comes later. The screenshot here isn't clear (I was too lazy to delete it).
In the user.php source we find the place that lets us read source code.
Sure enough, it appends the .php suffix itself, but the focus is not here.
Reading the source and sorting it out:
```php
function Filter($string) {
    global $mysqli;
    $blacklist = "information|benchmark|order|limit|join|file|into|execute|column|extractvalue|floor|update|insert|delete|username|password";
    $whitelist = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'(),_*`-@=+><";
    for ($i = 0; $i < strlen($string); $i++) {
        // Every character of $string must be a visible character from the whitelist:
        // strpos looks up the position of the character in $whitelist
        if (strpos("$whitelist", $string[$i]) === false) {
            Hacker();
        }
    }
    // After passing the whitelist, the string must also pass the blacklist
    if (preg_match("/$blacklist/is", $string)) {
        Hacker();
    }
    if (is_string($string)) { // string
        return $mysqli->real_escape_string($string); // escape to prevent SQL injection
    } else {
        return "";
    }
}
```
This fairly strong filter is called in both the login and registration pages, so SQL injection can be set aside for now. The suspicious part:
```php
function filter_directory() { // filter
    $keywords = ["flag","manage","ffffllllaaaaggg"];
    $uri = parse_url($_SERVER["REQUEST_URI"]); // parse the URL into its components
    // parse the query string into variables: $query is the array name and
    // $uri['query'] is the incoming parameter string
    parse_str($uri['query'], $query);
    // var_dump($query);
    // die();
    foreach($keywords as $token) {
        foreach($query as $k => $v) {
            if (stristr($k, $token)) // check whether $token appears in $k
                hacker();
            if (stristr($v, $token))
                hacker();
        }
    }
}
```
parse_url function
parse_url parses the URL, and parse_str then puts the query's key-value pairs into the $query associative array for filtering. If none of the $keywords appears, hacker() is not triggered. We need the two tricks below to bypass this and read the flag's source code (though I think they are also usable before reading the flag source). Fortunately, when parse_url handles the query, a vulnerability shows up. Let's look at the details.
Reference: Explanation and bypass of the parse_url function, q1352483315's blog (CSDN).
Construct:
//user.php?page=php://filter/convert.base64-encode/resource=ffffllllaaaaggg
This makes parse_url report an error (on lower PHP versions).
Continue reading.
Having found out which file it includes, we go straight to that URL and find it is an upload page.
Use the earlier source-reading trick to look at it:
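The root cause above is that filter_directory() re-parses $_SERVER["REQUEST_URI"] on its own instead of looking at the parameters PHP actually handed the script, and that user.php then includes whatever ?page= names. The following is an added example, not the challenge's code: a hardened replacement that checks $_GET directly and resolves ?page= through an allowlist (the pages/ paths are assumed).

```php
<?php
// Added example (not the challenge's code): hardened versions of
// filter_directory() and of the ?page= include in user.php.

// Inspect the parameters PHP actually populated ($_GET) rather than
// re-parsing REQUEST_URI with parse_url()/parse_str(): a filter whose
// parser disagrees with the interpreter's can be bypassed by any input
// on which the two disagree.
function filter_directory_hardened(array $query): bool {
    $keywords = ["flag", "manage", "ffffllllaaaaggg"];
    foreach ($query as $k => $v) {
        foreach ($keywords as $token) {
            if (stristr((string)$k, $token) !== false || stristr((string)$v, $token) !== false) {
                return false; // reject the request instead of calling hacker()
            }
        }
    }
    return true;
}

// Allowlist-based include: ?page= selects a key, never a path, so
// php://filter, ../ and arbitrary files are unreachable by construction.
// The pages/ layout is an assumption for this example.
const PAGES = [
    'user'  => __DIR__ . '/pages/user.php',
    'index' => __DIR__ . '/pages/index.php',
];

function resolve_page(?string $page): ?string {
    if ($page === null || !array_key_exists($page, PAGES)) {
        return null; // unknown page: caller renders a 404
    }
    return PAGES[$page];
}

if (!filter_directory_hardened($_GET)) {
    http_response_code(403);
    exit('forbidden');
}
$target = resolve_page($_GET['page'] ?? null);
if ($target === null) {
    http_response_code(404);
    exit('no such page');
}
include $target;
```

With the allowlist in place the keyword filter becomes defence in depth rather than the only barrier between the request and include().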
```php
<?php
$allowtype = array("gif","png","jpg");
$size = 10000000;
$path = "./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/";
$filename = $_FILES['file']['name']; // client-supplied name, used as-is below
if(is_uploaded_file($_FILES['file']['tmp_name'])){
    if(!move_uploaded_file($_FILES['file']['tmp_name'],$path.$filename)){
        die("error:can not move");
    }
}else{
    die("error:not an upload file！");
}
$newfile = $path.$filename;
echo "file upload success<br />";
echo $filename;
// the unescaped filename is concatenated straight into a shell command
$picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0");
echo "<img src='data:image/png;base64,".$picdata."'></img>";
if($_FILES['file']['error']>0){
    unlink($newfile);
    die("Upload file error: ");
}
// the extension check only runs after the file has been moved and cat'ed
$ext = array_pop(explode(".",$_FILES['file']['name']));
if(!in_array($ext,$allowtype)){
    unlink($newfile);
}
?>
```
This differs from the usual upload handler: rather than just saving the image to a directory, it runs a system command that cats the file named by our $filename, base64-encodes its content and outputs the resulting string. Only afterwards does the filter require a gif, png or jpg suffix. We can simply capture the request and modify it. Send a picture first to see the effect.
Clearly, Linux command pipeline characters can be used here.
We use a semicolon to end the preceding command, enter the command we need, and then comment out what follows.
Run ls / to view the parent directory.
It doesn't work. Maybe the space or the slash is filtered. Using /**/ in place of the space doesn't help either, so it seems the slash is filtered.
How do we go up a level? Since we have ;, we can run cd first and then ls to get to the parent directory.
Then cat the flag file.
I don't understand how the parse_url bypass works. Not being able to get around it, I read someone else's writeup. It's a bit late today; I'll test it tomorrow morning.
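For comparison, here is an added example of how that handler should look (this is not the challenge's code): validation happens before anything touches disk, the client-supplied name is never reused, and the image is read and base64-encoded in PHP so no shell is involved at all. The upload directory and size limit are taken from the original; the MIME mapping is an assumption.

```php
<?php
// Added example (not the challenge's code): a hardened rewrite of the
// upload handler. Directory and size limit come from the original.
$allowtype = ["gif" => "image/gif", "png" => "image/png", "jpg" => "image/jpeg"];
$maxsize   = 10000000;
$path      = __DIR__ . "/upload_b3bb2cfed6371dfeb2db1dbcceb124d3/";

function validate_upload(array $file, array $allowtype, int $maxsize): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException("upload error");
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > $maxsize) {
        throw new RuntimeException("not an upload file or too large");
    }
    // Decide by extension AND content sniffing before the file is moved.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowtype[$ext])) {
        throw new RuntimeException("extension not allowed");
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $allowtype[$ext]) {
        throw new RuntimeException("content does not match extension");
    }
    // A random server-side name removes both path traversal and
    // shell-metacharacter concerns; the client name is only used for $ext.
    return bin2hex(random_bytes(16)) . "." . $ext;
}

try {
    $name = validate_upload($_FILES['file'] ?? [], $allowtype, $maxsize);
} catch (RuntimeException $e) {
    http_response_code(400);
    exit("error: " . htmlspecialchars($e->getMessage()));
}
$newfile = $path . $name;
if (!move_uploaded_file($_FILES['file']['tmp_name'], $newfile)) {
    die("error:can not move");
}
// Read and encode in PHP instead of system("cat ... | base64 -w 0"):
// with no shell there is nothing for a crafted filename to inject into.
$picdata = base64_encode(file_get_contents($newfile));
$mime    = $allowtype[pathinfo($name, PATHINFO_EXTENSION)];
echo "file upload success<br />";
echo htmlspecialchars($name);
echo "<img src='data:" . $mime . ";base64," . $picdata . "'>";
```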