[ahu2021 school competition] EZ injection

• The title first gives a index.rar file , Directly decompress
  
• the second hint.txt file , Prompt after opening
  
• Open the file and there is a source.zip file , With a password, you can't decompress , Click in and have a look. There is also a hint.txt, Try plaintext attack
  
• Use... First WinRAR Add to hint.zip Of , Find out ARCHPR Report errors **“ There are no matching files in the selected file ”**
  
• Later, I found that right click directly , Send to zipped Folder You can execute plaintext attack
  
• Start plaintext attack
  
• Password succeeded
  
• Open the unzipped folder , There's a index.php Is the source code we want

<?php

  $re = array('and','or','count','select','from','union','group','by','limit','insert','where','order','alter','delete','having','max','min','avg','sum','sqrt','rand','concat','sleep');

setcookie('injection','c3FsaSBpcyBub3QgdGhlIG9ubHkgd2F5IGZvciBpbmplY3Rpb24=',time()+100000);

 

if(file_exists('slain.xml')) {
    

     $xml = simplexml_load_file('slain.xml');

     $user=$_GET['user'];

     $user=str_replace($re, ' ', $user);

//$user=str_replace("'", "&apos", $user);

     $query="user/username[@name='".$user."']";

     $ans = $xml->xpath($query);

     foreach($ans as $x => $x_value)

     {
    

        echo $x.": " . $x_value;

         echo "<br />";

      }

 }

• In the code setcookie There is a passage in it c3FsaSBpcyBub3QgdGhlIG9ubHkgd2F5IGZvciBpbmplY3Rpb24= use burp The decoder inside solves **“sqli is not the only way for injection”** say SQL Is not the only way to inject
  
• Then combined with these two pieces of code, it is found that many are filtered out SQL keyword

$user=str_replace($re, ' ', $user);

$re = array('and','or','count','select','from','union','group','by','limit','insert','where','order','alter','delete','having','max','min','avg','sum','sqrt','rand','concat','sleep');

• SQL Injection is definitely useless , Then there is a paragraph in the middle

$xml = simplexml_load_file('slain.xml');

• Access to information , It can be used xpath Inject
  
  
  
• Submit a single quotation mark , The returned response proves that xpath Inject holes
  
• Use this line of code

$query="user/username[@name='".$user."']";

structure payload：?user=']|//*|//*['
You can use this payload Visit this xml All nodes in the document

• flag To get
• Write WP In fact, I found a simpler way

$xml = simplexml_load_file('slain.xml');

This line of code indicates that there is a slain.xml file , Maybe you can visit directly

• Have a try , That's good