Information overview
The challenge itself has roughly two entry points: registration and login.
After registering and logging in, the situation is as follows:
robots.txt is very easy to find with a scanning tool (any one will do),
and it points to a backup file.
Source code:
<?php
class UserInfo {
    public $name = "";
    public $age = 0;
    public $blog = "";

    public function __construct($name, $age, $blog) {
        $this->name = $name;
        $this->age = (int)$age;
        $this->blog = $blog;
    }

    // Fetches any URL with curl; no restriction on the protocol used
    function get($url) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $output = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        if($httpCode == 404) {
            curl_close($ch); // the original returned without closing the handle
            return 404;
        }
        curl_close($ch);
        return $output;
    }

    // Fetches $this->blog directly; isValidBlog() is not called here
    public function getBlogContents () {
        return $this->get($this->blog);
    }

    public function isValidBlog () {
        $blog = $this->blog;
        return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
    }
}
With a URL that is fetched directly like this, remote file inclusion comes to mind first, but a WAF blocks it for now, so let's look at the other features.
Besides this, the URL after login also looks suspicious.
Trying other parameter values:
It throws an error, so the problem is likely here.
From the error message we get the file's location on the server.
Check it the usual way:
Of course it's not that simple.
Try sqlmap on this point:
It can confirm some things, but going straight in from here doesn't seem feasible.
Don't forget the POST data from registration: save it to a file with vim and feed that file to sqlmap.
Dump the database: the account we just registered is stored in serialized form.
That is roughly the information we have so far; several approaches follow.
SQL bypass
This is because sqlmap's first run printed the following line:
It has already determined that the column count is 4, but keeps failing from there on. That suggests a WAF, so let's try to bypass it.
We already know the basic payload is 2 union select 1,2,3,4#
Bypassing a WAF basically comes down to trying space substitution, mixed case, double writing and so on, one at a time.
Here it is very simple: just a space substitution. I have written about this before, you can take a look:
Replace Link Learning
After entering it, the injectable position is revealed: the 2 appears at the top. Use load_file() with the file path leaked by the earlier error to guess the flag's location.
View the page source:
(You can of course also use this to obtain database information, but we already got that in the information-gathering stage, so I won't go into it.)
Deserialization + SSRF
When we got the echo in the previous method, one more point deserves attention:
namely unserialize(). A deserialization clearly happens here; combine that with the data sqlmap dumped earlier.
The deserialized result is exactly the data that gets displayed (name, blog, etc.), and the deserialization is applied to the data column, so everything fits. When we select 1, 2, 3, 4, the positions correspond to no, username, passwd, data, and the displayed values are deserialized from data. If the value we inject there is malformed, deserialization fails and such an error is naturally reported. So what if the deserialization succeeds?
Naturally the 4th position is the one to try:
payload:
?no=2 union/**/select 1,2,3,'O:8:"UserInfo":3:{s:4:"name";s:5:"sdmin";s:3:"age";i:123;s:4:"blog";s:11:"www.acc.com";}'#
The page comes back as expected (the name changed and the URL changed to www.acc.com).
What we have at this point: an SSRF (server-side request forgery) vulnerability, a flag.php file on the server, the physical path of the website's configuration file (which is also the path of flag.php), and PHP deserialization.
To sum up the idea: inject through the data parameter, put a file:// URL into the deserialized object, and use the server-side request forgery to read flag.php on the server.
So payload:
2 union/**/select 1,2,3,'O:8:"UserInfo":3:{s:4:"name";s:5:"sdmin";s:3:"age";i:123;s:4:"blog";s:29:"file:///var/www/html/flag.php";}'#
This makes the server request the target; finally, view the page source:
The iframe appears; decode its contents:
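As an added defender's example (not the challenge's source), here is a hardened version of the fetch path that would break both links in the chain above: the blog URL is re-validated and curl is restricted to http/https at fetch time, so a stored file:// value cannot read flag.php, and the stored record is decoded as JSON rather than with unserialize(), so an injected serialized object is never instantiated. The class and method names are hypothetical.

```php
<?php
// Added example (not the challenge's code): hardened fetch path for UserInfo.
// Names SafeUserInfo / fromStored are hypothetical.
class SafeUserInfo {
    public $name;
    public $age;
    public $blog;
    public function __construct($name, $age, $blog) {
        $this->name = (string)$name;
        $this->age  = (int)$age;
        $this->blog = (string)$blog;
    }

    // Accept only absolute http(s) URLs with a host. parse_url() rejects both
    // "www.acc.com" (no scheme) and "file:///var/www/html/flag.php" (no host).
    public static function isAllowedBlog($blog) {
        $p = parse_url($blog);
        return $p !== false
            && isset($p['scheme'], $p['host'])
            && in_array(strtolower($p['scheme']), ['http', 'https'], true);
    }

    // Re-validate at fetch time, not only at registration: the stored value
    // may have been rewritten (here, via the SQL injection into the data column).
    public function getBlogContents() {
        if (!self::isAllowedBlog($this->blog)) {
            return null;
        }
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $this->blog);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        // libcurl-level allow-list; REDIR_PROTOCOLS also covers 3xx targets.
        curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
        curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
        curl_setopt($ch, CURLOPT_TIMEOUT, 5);
        $output = curl_exec($ch);
        $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
        return $code == 404 ? 404 : $output;
    }
    // Rebuild from the stored data column as JSON; never unserialize() it.
    public static function fromStored($json) {
        $d = json_decode($json, true);
        if (!is_array($d) || !isset($d['name'], $d['age'], $d['blog'])) {
            return null;
        }
        return new self($d['name'], $d['age'], $d['blog']);
    }
}
```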