Open the home page of the challenge environment.
It turns out to be a message board.
Request /.git/
http://dd3bb0b5-41a5-46eb-bdb3-f5f2011e8b67.node3.buuoj.cn/.git/
Requesting /.git/ returns a 403 status code, which indicates that a .git directory exists on the server.
Use GitHacker
python GitHacker.py http://dd3bb0b5-41a5-46eb-bdb3-f5f2011e8b67.node3.buuoj.cn/.git/
Enter the site's folder
View write_do.php; the file turns out to be incomplete
(python2.7) root@DESKTOP-454TK54:~/tools/GitHacker/dd3bb0b5-41a5-46eb-bdb3-f5f2011e8b67_node3_buuoj_cn_# cat write_do.php
<?php
include "mysql.php";
session_start();
if($_SESSION['login'] != 'yes'){
    header("Location: ./login.php");
    die();
}
if(isset($_GET['do'])){
    switch ($_GET['do'])
    {
    case 'write':
        break;
    case 'comment':
        break;
    default:
        header("Location: ./index.php");
    }
}
else{
    header("Location: ./index.php");
}
?>
Recover the write_do.php file
View the git history
git log --reflog # view the git history
Restore the earlier commit
git reset --hard e5b2a2443c2b6d395d06960123142bc91123148c
View write_do.php after the restore
root@DESKTOP-454TK54:~/dd3bb0b5-41a5-46eb-bdb3-f5f2011e8b67_node3_buuoj_cn_# cat write_do.php
<?php
include "mysql.php";
session_start();
// Only logged-in sessions may reach the handlers below
if($_SESSION['login'] != 'yes'){
    header("Location: ./login.php");
    die();
}
if(isset($_GET['do'])){
    switch ($_GET['do'])
    {
    case 'write':
        // New post: all three fields pass through addslashes() before the insert
        $category = addslashes($_POST['category']);
        $title = addslashes($_POST['title']);
        $content = addslashes($_POST['content']);
        $sql = "insert into board
            set category = '$category',
                title = '$title',
                content = '$content'";
        $result = mysql_query($sql);
        header("Location: ./index.php");
        break;
    case 'comment':
        $bo_id = addslashes($_POST['bo_id']);
        $sql = "select category from board where id='$bo_id'";
        $result = mysql_query($sql);
        $num = mysql_num_rows($result);
        if($num>0){
            // $category is read back from the database and reused below without escaping
            $category = mysql_fetch_array($result)['category'];
            $content = addslashes($_POST['content']);
            $sql = "insert into comment
                set category = '$category',
                    content = '$content',
                    bo_id = '$bo_id'";
            $result = mysql_query($sql);
        }
        header("Location: ./comment.php?id=$bo_id");
        break;
    default:
        header("Location: ./index.php");
    }
}
else{
    header("Location: ./index.php");
}
?>
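Why the older write_do.php could still be restored, as an added example that is not part of the original write-up or of GitHacker: every commit listed in .git/logs/HEAD keeps its own copy of the file in .git/objects, so overwriting a file in a later commit does not remove the earlier version from a deployed .git directory. The repository built by `build_demo` is constructed sample data with minimal commit objects, and the reader assumes loose SHA-1 objects only (no packfiles).

```python
import hashlib, os, tempfile, zlib

def write_object(git_dir, kind, body):
    """Store a loose object as git does: zlib("<kind> <size>\\0<body>")."""
    raw = f"{kind} {len(body)}".encode() + b"\0" + body
    sha = hashlib.sha1(raw).hexdigest()
    path = os.path.join(git_dir, "objects", sha[:2], sha[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(zlib.compress(raw))
    return sha

def read_object(git_dir, sha):
    with open(os.path.join(git_dir, "objects", sha[:2], sha[2:]), "rb") as fh:
        header, body = zlib.decompress(fh.read()).split(b"\0", 1)
    return header.split()[0].decode(), body

def file_at_commit(git_dir, commit_sha, name):
    """Bytes of top-level file `name` in the tree a commit points to."""
    tree_sha = read_object(git_dir, commit_sha)[1].split(b"\n", 1)[0].split()[1].decode()
    tree = read_object(git_dir, tree_sha)[1]
    while tree:
        entry, rest = tree.split(b"\0", 1)      # entry is b"<mode> <name>"
        blob_sha, tree = rest[:20].hex(), rest[20:]
        if entry.split(b" ", 1)[1] == name.encode():
            return read_object(git_dir, blob_sha)[1]
    return None

def reflog_commits(git_dir):
    """Commit ids recorded in logs/HEAD, oldest first, without duplicates."""
    with open(os.path.join(git_dir, "logs", "HEAD")) as fh:
        ids = [sha for line in fh for sha in line.split()[:2] if set(sha) != {"0"}]
    return list(dict.fromkeys(ids))

def build_demo():
    """Constructed sample: a full write_do.php, then a stripped rewrite."""
    git_dir, shas = os.path.join(tempfile.mkdtemp(), ".git"), ["0" * 40]
    for src in (b"<?php /* full handler */ ?>", b"<?php /* stripped */ ?>"):
        blob = write_object(git_dir, "blob", src)
        tree = write_object(git_dir, "tree", b"100644 write_do.php\0" + bytes.fromhex(blob))
        shas.append(write_object(git_dir, "commit", f"tree {tree}\n\ndemo\n".encode()))
    os.makedirs(os.path.join(git_dir, "logs"))
    with open(os.path.join(git_dir, "logs", "HEAD"), "w") as fh:
        fh.writelines(f"{old} {new} demo\n" for old, new in zip(shas, shas[1:]))
    return git_dir

if __name__ == "__main__":
    repo = build_demo()
    print([file_at_commit(repo, c, "write_do.php") for c in reflog_commits(repo)])
```

Blocking /.git/ at the web server, or deploying from an export that contains no .git directory, keeps this history off the server.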