[CISCN2019 总决赛 Day2 Web1]Easyweb
主要考点:robots.txt+sql注入+文件上传漏洞
详细可以参考:https://blog.csdn.net/weixin_43940853/article/details/104912692
打开以后是一个登陆界面:
然后发现robots.txt提示存在.php.bak备份,发现image.php.bak备份并且存在sql注入。
<?php
include "config.php";
$id=isset($_GET["id"])?$_GET["id"]:"1";
$path=isset($_GET["path"])?$_GET["path"]:"";
$id=addslashes($id);
$path=addslashes($path);
$id=str_replace(array("\0","%00","\'","'"),"",$id);
$path=str_replace(array("\0","%00","\'","'"),"",$path);
$result=mysqli_query($con,"select * from images where id='{$id}' or path='{$path}'");
$row=mysqli_fetch_array($result,MYSQLI_ASSOC);
$path="./" . $row["path"];
header("Content-Type: image/jpeg");
readfile($path);
通过这个注入点拿到admin的密码然后登录后台上传木马就可以拿flag。
over.