


不想自行搭建环境复现的，可以访问榆林学院信息安全协会 CTF 训练平台，找到此题直接练手。

HITCON 2016 WEB - babytrick（复现）

原题

index.php

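<?php

include "config.php";

/**
 * HITCON 2016 "babytrick" challenge class.
 *
 * This is the original, intentionally vulnerable CTF target, kept
 * behaviourally unchanged so the write-up's analysis still applies. The
 * listing on the page had its ASCII quotes replaced by U+2018 (which does not
 * parse as PHP) and all lines collapsed together; this version restores the
 * quotes and layout and adds reviewer notes on the security-relevant spots.
 *
 * Notes:
 *  - The only attacker-reachable construction path is
 *    unserialize($_GET["data"]) at the bottom of this file, so both
 *    $method and $args are attacker-chosen.
 *  - mysql_* functions were removed in PHP 7; this code only runs on PHP 5.x.
 *  - Methods named __conn/__query/__die/__close are user-defined despite the
 *    double-underscore prefix, which PHP reserves for magic methods.
 */
class HITCON {
    private $method;   // dispatched by name in __destruct()
    private $args;     // positional arguments for that method
    private $conn;     // mysql link resource

    public function __construct($method, $args) {
        $this->method = $method;
        $this->args = $args;

        $this->__conn();
    }

    /**
     * Looks a user up by name and reports "<username> is <role>".
     *
     * SECURITY: $username is placed into the query with sprintf and no
     * escaping. The only escaping of $args happens in __wakeup(), i.e. only
     * for objects that came through unserialize(); a directly constructed
     * object is queried verbatim.
     */
    function show() {
        list($username) = func_get_args();
        $sql = sprintf("SELECT * FROM users WHERE username='%s'", $username);

        $obj = $this->__query($sql);
        if ( $obj != false ) {
            $this->__die( sprintf("%s is %s", $obj->username, $obj->role) );
        } else {
            $this->__die("Nobody Nobody But You!");
        }
    }

    /**
     * Authenticates against the users table and prints $FLAG for the admin role.
     *
     * Both inputs are escaped, trimmed and lower-cased before being formatted
     * into the query, and a request is refused when the username is exactly
     * 'orange' or when the substring 'orange' occurs anywhere in the final SQL.
     * Note the loose comparison `stripos(...) != false`: position 0 would be
     * treated as "not found" (the SQL starts with SELECT, so this cannot occur
     * here, but `!== false` is the correct form). Passwords are stored and
     * compared in plaintext.
     */
    function login() {
        global $FLAG;

        list($username, $password) = func_get_args();
        $username = strtolower(trim(mysql_escape_string($username)));
        $password = strtolower(trim(mysql_escape_string($password)));

        $sql = sprintf("SELECT * FROM users WHERE username='%s' AND password='%s'", $username, $password);

        if ( $username == 'orange' || stripos($sql, 'orange') != false ) {
            $this->__die("Orange is so shy. He do not want to see you.");
        }

        $obj = $this->__query($sql);
        if ( $obj != false && $obj->role == 'admin' ) {
            $this->__die("Hi, Orange! Here is your flag: " . $FLAG);
        } else {
            $this->__die("Admin only!");
        }
    }

    /** Prints this file with syntax highlighting (the default action). */
    function source() {
        highlight_file(__FILE__);
    }

    /**
     * Opens the database link (once) and, in debug mode, seeds the users table.
     *
     * SECURITY: $DEBUG comes from config.php, where it is read from the
     * 'noggnogg' query-string parameter, so any client can enable it. When it
     * is set, the table is created if missing and an 'orange' row with role
     * 'admin' is inserted whose password is the database password $db_pass.
     * Runs on every construction AND again from __destruct().
     */
    function __conn() {
        global $db_host, $db_name, $db_user, $db_pass, $DEBUG;

        if (!$this->conn)
            $this->conn = mysql_connect($db_host, $db_user, $db_pass);
        mysql_select_db($db_name, $this->conn);

        if ($DEBUG) {
            $sql = "CREATE TABLE IF NOT EXISTS users (
                username VARCHAR(64),
                password VARCHAR(64),
                role VARCHAR(64)
            ) CHARACTER SET utf8";
            $this->__query($sql, $back=false);

            $sql = "INSERT INTO users VALUES ('orange', '$db_pass', 'admin'), ('phddaa', 'ddaa', 'user')";
            $this->__query($sql, $back=false);
        }

        // Connection charset and SQL mode for every subsequent query.
        mysql_query("SET names utf8");
        mysql_query("SET sql_mode = 'strict_all_tables'");
    }

    /**
     * Runs $sql on the default link; with $back set, returns the first row as
     * an object (false when there is none). Errors are suppressed with '@',
     * so a failed query is indistinguishable from an empty result.
     */
    function __query($sql, $back=true) {
        $result = @mysql_query($sql);
        if ($back) {
            return @mysql_fetch_object($result);
        }
    }

    /** Closes the link and terminates the request with a JSON {"msg": ...} body. */
    function __die($msg) {
        $this->__close();

        header("Content-Type: application/json");
        die( json_encode( array("msg"=> $msg) ) );
    }

    function __close() {
        mysql_close($this->conn);
    }

    /**
     * Dispatches $method with $args when the object is destroyed.
     *
     * Reconnects first (so the $DEBUG seeding in __conn() runs here too), then
     * calls show/login/source by name. in_array() is non-strict and
     * call_user_func_array() is '@'-suppressed, so odd $method/$args values
     * fail silently; passing `true` to in_array() would tighten the allow-list.
     */
    function __destruct() {
        $this->__conn();

        if (in_array($this->method, array("show", "login", "source"))) {
            @call_user_func_array(array($this, $this->method), $this->args);
        } else {
            $this->__die("What do you do?");
        }

        $this->__close();
    }

    /**
     * Escapes, trims and lower-cases every element of $args after unserialize().
     *
     * This is the only sanitisation applied to show()'s argument, and it runs
     * only for unserialized objects, not for objects built with `new`.
     * NOTE(review): assumes $args is an array — a scalar here would make the
     * foreach emit a warning and leave $args untouched; confirm on PHP 5.
     */
    function __wakeup() {
        foreach($this->args as $k => $v) {
            $this->args[$k] = strtolower(trim(mysql_escape_string($v)));
        }
    }
}

// SECURITY: unserialize() on raw request input. This is the challenge's
// intended attack surface; in real code deserialise untrusted data with
// json_decode() instead. The resulting object is never assigned, so it is
// destroyed immediately and __destruct() performs the dispatch.
if(isset($_GET["data"])) {
    @unserialize($_GET["data"]);
} else {
    new HITCON("source", array());
}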

config.php

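<?php
// Database credentials and challenge secrets, included by index.php.
// Quotes restored to ASCII (the page showed U+2018, which does not parse).
$db_host = 'localhost';
$db_name = 'babytrick';
$db_user = 'babytrick';
$db_pass = 'babytrick1234';
// SECURITY: the debug switch is read straight from the query string, so any
// client can enable it; index.php's __conn() then creates the users table and
// inserts an admin row whose password is $db_pass.
$DEBUG = @$_GET['noggnogg'];
$FLAG = "HITCON{php 4nd mysq1 are s0 mag1c, isn't it?}";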

审计代码逻辑

构造函数 __construct() 把传入的 $method 和 $args 赋给类的私有(private)属性 $this->method 和 $this->args，然后调用 __conn() 连接数据库。

// __construct() 在用 new 创建对象时自动调用；但通过 unserialize() 还原对象时不会调用 __construct()，只会触发 __wakeup()，之后在对象销毁时触发 __destruct()。
