In the previous post, on the Low difficulty level, I mostly used tools directly to get the job done. Starting with Medium, I plan to analyze the vulnerability principles at the code level. Methods and steps that are the same as at the Low level will not be repeated here; refer to the previous article for those.

Comparing the Low and Medium code, we can see that some filtering has been added to the parameters. There is still no protection against brute force, however, so we can go straight to brute forcing with Burp Suite (BP).
Looking at the Low code, we can also use SQL injection, i.e. a universal password, to bypass the login.

The SQL statement at this point is "SELECT * FROM `users` WHERE user = 'admin' # AND password = '$pass';"
The password part is commented out. The Medium code has more filtering, but brute force is still effective, so there is not much more to say.
Command Execution

We can bypass it with just an &, not much difficulty.

CSRF

At this point, submitting the CSRF page that Burp generates from the captured request will not succeed.

The stripos() function finds the first occurrence of a string inside another string (case-insensitive), and returns FALSE if the string is not found.
Here we need to add a note about the difference between $_SERVER['HTTP_HOST'] and $_SERVER['SERVER_NAME'] in PHP:
1. Both HTTP_HOST and SERVER_NAME give the current domain name.
2. When the following 3 conditions are met, both output the same information:
A. The server port number is 80
B. The ServerName in Apache's conf is set correctly
C. The HTTP/1.1 protocol specification is followed
3. Differences:
A. $_SERVER['HTTP_HOST']: under the HTTP/1.1 protocol, it outputs information based on the client's HTTP request;
$_SERVER['SERVER_NAME']: by default, it directly outputs the value of ServerName in Apache's httpd.conf configuration file.
B. When the server port number is not 80:
$_SERVER['HTTP_HOST'] includes the port number, e.g. "zgao.top:8080"
$_SERVER['SERVER_NAME'] directly outputs the value of ServerName, e.g. "zgao.top"
In this case, it can be understood as HTTP_HOST = SERVER_NAME:SERVER_PORT.
So in the above code, $_SERVER['SERVER_NAME'] evaluates to cdtu.fun.
This means that the Referer header must contain cdtu.fun. We know that HTTP headers cannot be controlled when a form is submitted, but the Referer includes the current file name, so we can change the file name.
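The reason the file-name trick works is that stripos() searches the whole Referer string, path included, for the value of SERVER_NAME. The following added example (mine, not DVWA's code) models that check in Python next to a stricter one that compares only the host part of the Referer, which also handles the non-80 port case discussed above because SERVER_NAME never carries a port. The Referer values are constructed for the comparison; cdtu.fun is the server name from the post.

```python
from urllib.parse import urlsplit


def weak_referer_check(referer, server_name):
    """Model of the Medium-level check: a case-insensitive substring search of
    SERVER_NAME anywhere in the Referer (PHP's stripos(...) !== false)."""
    if referer is None:
        return False
    return server_name.lower() in referer.lower()


def strict_referer_check(referer, server_name):
    """Compare only the host part of the Referer with SERVER_NAME.
    A missing or unparsable Referer is rejected; the port is ignored because
    SERVER_NAME has none (HTTP_HOST is the variable that carries the port)."""
    if not referer:
        return False
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        return False
    if host is None:
        return False
    return host.lower() == server_name.lower()


SERVER_NAME = "cdtu.fun"  # value used in the post

# Constructed Referer values covering the cases discussed in the text.
REFERERS = {
    "own site": "http://cdtu.fun/vulnerabilities/csrf/",
    "own site, non-80 port": "http://cdtu.fun:8080/vulnerabilities/csrf/",
    "other site, file named after the server": "http://other.example/cdtu.fun.html",
    "look-alike subdomain elsewhere": "http://cdtu.fun.other.example/",
    "no Referer": None,
}


def compare_checks(server_name=SERVER_NAME):
    """Return {label: (weak result, strict result)} for every constructed Referer."""
    return {
        label: (weak_referer_check(ref, server_name), strict_referer_check(ref, server_name))
        for label, ref in REFERERS.items()
    }


if __name__ == "__main__":
    for label, (weak, strict) in compare_checks().items():
        print(f"{label:45s} weak={weak!s:5s} strict={strict}")
```

The strict host comparison closes the file-name and look-alike cases, but a Referer check on its own is still only a secondary control: browsers and privacy settings can strip the header, which is why the usual primary defence is a per-session anti-CSRF token that the form must echo back.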
File Inclusion

It can be seen that remote file inclusion is filtered, so we include a local file instead: /vulnerabilities/fi/?page=/etc/passwd
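Both the command execution section and this one fail for the same reason: the Medium code removes a few known-bad strings from the input and passes whatever is left to the shell or to include(). As an added example that is not DVWA's code, the block below models that deny-list approach in Python beside the allowlist alternative for each case: the ping target is accepted only if it parses as an IP address, and the page parameter is mapped through a fixed table of known files. The separators stripped by the filter and the page names in the table are assumptions for the illustration, not taken from DVWA.

```python
import ipaddress


def blacklist_filter(value):
    """Assumed model of a deny-list filter: remove a couple of command
    separators and pass the rest through. Anything not on the list survives,
    which is why a single '&' still reaches the shell."""
    for bad in ("&&", ";"):
        value = value.replace(bad, "")
    return value


def validated_ping_target(value):
    """Allowlist approach: accept only a string that parses as an IP address.
    Returns the normalized address, or None; the raw string never reaches a shell."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


# Allowlisted include targets keyed by the page parameter (constructed names).
PAGES = {
    "include.php": "include.php",
    "file1.php": "file1.php",
    "file2.php": "file2.php",
}


def resolve_page(param):
    """Map ?page= to a known file; the raw value is never handed to include().
    Returns None for local paths, remote URLs and anything else not in the table."""
    return PAGES.get(param)


def compare():
    """Side by side: what the deny list lets through versus what the allowlist returns."""
    injected = "127.0.0.1 & echo injected"  # constructed input using the '&' from the post
    return {
        "ping: after blacklist filter": blacklist_filter(injected),
        "ping: after allowlist validation": validated_ping_target(injected),
        "ping: plain address": validated_ping_target(" 127.0.0.1 "),
        "page: local path": resolve_page("/etc/passwd"),
        "page: remote url": resolve_page("http://other.example/x.txt"),
        "page: known file": resolve_page("file1.php"),
    }


if __name__ == "__main__":
    for label, result in compare().items():
        print(f"{label:35s} -> {result!r}")
```

The point of the comparison is that a deny list has to anticipate every separator and every path form, whereas the allowlist only has to describe the handful of inputs the page is actually meant to accept.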

File Upload

Here we still upload a one-line web shell directly, but we need to modify the request with Burp.

Change the Content-Type to image/jpeg to bypass the check.
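The bypass works because Content-Type is a header the uploading client writes, so checking it proves nothing about the file body. As an added example (not DVWA's code), the block below models that header-only check next to a check that ignores the header entirely: a single allowlisted extension, a file signature that matches it, and a server-chosen storage name. The upload bodies and the allowlist are constructed for the comparison.

```python
import os
import secrets

# Magic bytes for the image types accepted by this constructed allowlist.
_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}


def weak_check(filename, content_type, data):
    """Model of the Medium-level check: trusts the client-supplied Content-Type."""
    return content_type in ("image/jpeg", "image/png")


def strict_check(filename, content_type, data):
    """Ignore Content-Type. Require exactly one extension from the allowlist and
    a file signature that matches it. (A production handler would additionally
    re-encode the image and store it outside the web root.)"""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or parts[1] not in _SIGNATURES:
        return False  # no extension, double extension, or not an allowed image type
    return any(data.startswith(sig) for sig in _SIGNATURES[parts[1]])


def stored_name(filename):
    """Never reuse the client's file name: random name plus the validated extension."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return secrets.token_hex(8) + "." + ext


# Constructed upload bodies for the comparison.
PHP_BODY = b"<?php echo 'placeholder'; ?>"       # not an image, whatever the header says
JPEG_BODY = b"\xff\xd8\xff\xe0" + b"\x00" * 16   # minimal JPEG-looking prefix


def compare_checks():
    """Return {label: (weak result, strict result)} for each constructed upload."""
    cases = {
        "php file, spoofed image type": ("upload.php", "image/jpeg", PHP_BODY),
        "double extension": ("photo.jpg.php", "image/jpeg", JPEG_BODY),
        "jpg name, php content": ("photo.jpg", "image/jpeg", PHP_BODY),
        "real jpeg": ("photo.jpg", "image/jpeg", JPEG_BODY),
    }
    return {label: (weak_check(*args), strict_check(*args)) for label, args in cases.items()}


if __name__ == "__main__":
    for label, (weak, strict) in compare_checks().items():
        print(f"{label:30s} weak={weak!s:5s} strict={strict}")
```

Signature matching alone is not airtight either (a valid JPEG can carry script in its metadata), which is why the strict path is paired with the extension allowlist and a storage name the uploader cannot choose.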

Insecure Captcha

The Medium level code checks the passed_captcha parameter in the second verification step. If its value is true, the user is considered to have passed the captcha check. But a user can still bypass the verification by forging this parameter, so essentially it is no different from the Low level check.
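The defect is that the result of step 1 is stored on the client, in a form field the client can set to true. The following added example (mine, not DVWA's code) models the two-step flow in Python: the insecure second step reads the forged flag, while the secure version records the captcha result only in the server-side session and consumes it on use. The captcha verifier is a hypothetical stand-in with a constructed expected answer; DVWA uses the reCAPTCHA service here.

```python
import secrets

# Hypothetical captcha back end: a constructed expected answer stands in for the
# external verification call that DVWA makes.
CAPTCHA_ANSWER = "x7k2"


def verify_captcha(response):
    """Constant-time comparison against the expected answer."""
    return secrets.compare_digest(response.encode(), CAPTCHA_ANSWER.encode())


def step2_insecure(form):
    """Model of the Medium-level logic: trusts a client-supplied flag."""
    return form.get("passed_captcha") == "true"


def step1_secure(session, form):
    """Verify the captcha server-side; remember the outcome only in the session."""
    if verify_captcha(form.get("captcha_response", "")):
        session["captcha_ok"] = True
        return True
    session.pop("captcha_ok", None)
    return False


def step2_secure(session, form):
    """Accept step 2 only if step 1 set the session flag, and consume the flag so
    the same step-1 result cannot be reused for a second password change."""
    return session.pop("captcha_ok", False) is True


def compare_flows():
    """Run the forged request through both versions and report what each accepts."""
    forged = {"passed_captcha": "true", "password_new": "p", "password_conf": "p"}
    results = {"insecure accepts forged flag": step2_insecure(forged)}
    session = {}  # server-side session store (constructed)
    results["secure rejects forged flag"] = step2_secure(session, forged)
    step1_secure(session, {"captcha_response": "x7k2"})
    results["secure accepts after real step 1"] = step2_secure(session, forged)
    results["secure flag is single-use"] = step2_secure(session, forged)
    return results


if __name__ == "__main__":
    for label, accepted in compare_flows().items():
        print(f"{label:35s} -> {accepted}")
```

Note that the forged form is identical in every call; only where the "captcha passed" state lives decides the outcome.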
SQL Injection

The front-end page uses a dropdown selection form to control user input.

It can be seen that the Medium level code uses the mysql_real_escape_string function to escape the special characters \x00, \n, \r, \, ', " and \x1a.

Although the front-end uses a dropdown menu, we can still modify the parameters using Hackbar and submit maliciously constructed query parameters.

This indicates numeric injection. Because the injection is numeric, the server-side mysql_real_escape_string call is ineffective: numeric injection does not need quotes, so there is nothing for the function to escape.
Therefore, the rest of the injection is no different from the Low level.
SQL Blind Injection
As above, the Medium code uses mysql_real_escape_string for filtering. Since the injection is numeric, it is unaffected, and the method is the same as at the Low level: use SQLMap to automate the process.
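Escaping only helps when the input lands inside a quoted string literal, which is the difference between the brute force login query at the start of this post and the numeric queries in these two SQL injection sections. The added example below (mine, not DVWA's code) models mysql_real_escape_string in Python and builds both kinds of query with it; the numeric query is then run against a constructed SQLite table, which accepts the same OR form, to show that escaping leaves an unquoted input untouched while type validation plus a bound parameter does not. The login query is shown as a string only, since the # comment syntax is MySQL's.

```python
import sqlite3

# Characters that PHP's mysql_real_escape_string escapes, with the replacement it emits.
_ESCAPES = {
    "\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def mysql_real_escape_string(value):
    """Python model of mysql_real_escape_string (character escaping only)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def login_query(user, password):
    """Quoted context: the escaped quote keeps the input inside the string literal."""
    return "SELECT * FROM users WHERE user = '%s' AND password = '%s'" % (
        mysql_real_escape_string(user), mysql_real_escape_string(password))


def numeric_query(user_id):
    """Unquoted numeric context: the escaped value is dropped straight into the SQL."""
    return "SELECT first_name FROM users WHERE user_id = %s" % mysql_real_escape_string(user_id)


def make_db():
    """Constructed sample table with a few DVWA-style rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "admin"), (2, "gordonb"), (3, "1337")])
    return conn


def lookup_escaped(conn, user_id):
    """What the Medium code effectively does with the id parameter."""
    return [row[0] for row in conn.execute(numeric_query(user_id))]


def lookup_parameterized(conn, user_id):
    """Fix: validate the type, then bind the value instead of concatenating it."""
    uid = int(user_id)  # raises ValueError for anything that is not an integer
    return [row[0] for row in conn.execute(
        "SELECT first_name FROM users WHERE user_id = ?", (uid,))]


if __name__ == "__main__":
    print(login_query("admin' #", "x"))          # quote is escaped, stays inside the literal
    db = make_db()
    print(lookup_escaped(db, "1"))               # one row
    print(lookup_escaped(db, "1 OR 1=1"))        # escaping changed nothing: every row
    print(lookup_parameterized(db, "1"))         # one row
    try:
        lookup_parameterized(db, "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The parameterized version would also be the right fix for the quoted login query; escaping happens to hold there, but it depends on every call site remembering the quotes, which the numeric case shows is exactly what goes wrong.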

XSS (Reflected)

Only the

XSS (Stored)

It is evident that the code imposes very strict restrictions on the message, but the only restriction on the name is the filtering of the