[网鼎杯 2018]Comment-Git泄露部分

访问靶场首页

发现是一个留言板

访问/.git/

http://dd3bb0b5-41a5-46eb-bdb3-f5f2011e8b67.node3.buuoj.cn/.git/

访问.git发现，服务器返回403错误代码，代表服务区存在git目录

使用GitHacker

python GitHacker.py http://dd3bb0b5-41a5-46eb-bdb3-f5f2011e8b67.node3.buuoj.cn/.git/

进入网站的文件夹

 查看write_do.php文件，发现write_do.php不全

(python2.7) root@DESKTOP-454TK54:~/tools/GitHacker/dd3bb0b5-41a5-46eb-bdb3-f5f2011e8b67_node3_buuoj_cn_# cat write_do.php

<?php
include "mysql.php";
session_start();
if($_SESSION['login'] != 'yes'){
    header("Location: ./login.php");
    die();
}
if(isset($_GET['do'])){
switch ($_GET['do'])
{
case 'write':
    break;
case 'comment':
    break;
default:
    header("Location: ./index.php");
}
}
else{
    header("Location: ./index.php");
}
?>

恢复write_do.php文件

查看git历史

git log --reflog # 查看git的历史记录

还原历史

git reset --hard e5b2a2443c2b6d395d06960123142bc91123148c

查看还原后的write_do.php文件

root@DESKTOP-454TK54:~/dd3bb0b5-41a5-46eb-bdb3-f5f2011e8b67_node3_buuoj_cn_# cat write_do.php
<?php
include "mysql.php";
session_start();
if($_SESSION['login'] != 'yes'){
    header("Location: ./login.php");
    die();
}
if(isset($_GET['do'])){
switch ($_GET['do'])
{
case 'write':
    $category = addslashes($_POST['category']);
    $title = addslashes($_POST['title']);
    $content = addslashes($_POST['content']);
    $sql = "insert into board
            set category = '$category',
                title = '$title',
                content = '$content'";
    $result = mysql_query($sql);
    header("Location: ./index.php");
    break;
case 'comment':
    $bo_id = addslashes($_POST['bo_id']);
    $sql = "select category from board where id='$bo_id'";
    $result = mysql_query($sql);
    $num = mysql_num_rows($result);
    if($num>0){
    $category = mysql_fetch_array($result)['category'];
    $content = addslashes($_POST['content']);
    $sql = "insert into comment
            set category = '$category',
                content = '$content',
                bo_id = '$bo_id'";
    $result = mysql_query($sql);
    }
    header("Location: ./comment.php?id=$bo_id");
    break;
default:
    header("Location: ./index.php");
}
}
else{
    header("Location: ./index.php");
}
?>