文章目录
- 备份文件
- 代码审计
备份文件
首先题目hint里面说了是源码泄露,我自己随便输入也发现了www.zip,但是还是走流程吧,用dirsearch工具,从这里我们也能发现突破口
![[代码审计][备份泄露][时间盲注]CTFSHOW----WEB15(不会做以后补充)_fish](https://file.cfanz.cn/uploads/png/2022/10/26/22/88P97B0T4H.png "在这里插入图片描述")
代码审计
首先这是它给的压缩包,从里面我看了一下发现关键文件2020.php
![[代码审计][备份泄露][时间盲注]CTFSHOW----WEB15(不会做以后补充)_php_02](https://file.cfanz.cn/uploads/png/2022/10/26/22/G876a667V0.png "在这里插入图片描述")
发现是基于X-Forwarded-For,也就是XFF头的注入
<?php
require_once './include/common.php';
$realip = real_ip();
$ipcount = $DB->count("SELECT count(*) from fish_user where ip='$realip'");
if ($ipcount < 3) {
$username = addslashes($_POST['user']);
$password = addslashes($_POST['pass']);
$address = getCity($realip);
$time = date("Y-m-d H:i:s");
$ua = $_SERVER['HTTP_USER_AGENT'];
$device = get_device($ua);
$sql = "INSERT INTO `fish_user`(`username`, `password`, `ip`, `address`, `time`, `device`) VALUES ('{$username}','{$password}','{$realip}','{$address}','{$time}','{$device}')";
$DB->query($sql);
header("Location: https://i.qq.com/?rd=" . $username);
} else {
header("Location: https://i.qq.com/?rd=" . $username);
}
?>
首先用Burp Suite来简单试一下,简直有毒还是用Python了
![[代码审计][备份泄露][时间盲注]CTFSHOW----WEB15(不会做以后补充)_php_03](https://file.cfanz.cn/uploads/png/2022/10/26/22/M8610Be878.png "在这里插入图片描述")
