zoukankan      html  css  js  c++  java
  • CG-CTF | 综合题2

    查源码发现一个文件读取:http://cms.nuptzj.cn/about.php?file=sm.txt,用它把能找到的php都读取下来

    <?php 
        if (!isset($_COOKIE['username'])) 
        {
            setcookie('username', '');
            setcookie('userpass', '');
        }
    ?>
      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
      <html xmlns="http://www.w3.org/1999/xhtml">
        
        <head>
          <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
          <title>皇家邮电渗透测试平台</title>
          <style type="text/css">
            <!-- .STYLE1 {font-size: 18px} --></style>
        </head>
        
        <body>
          <center>
            <h1>Xlcteam客户留言板</h1>
            <p>
              <hr />&nbsp;</p>
            <div align="left" style="1024px">
              <h3>&nbsp;&nbsp;欢迎来到Xlcteam客户留言板,各位朋友可以在这里留下对本公司的意见或建议。
                <br />
                <br />&nbsp;&nbsp;本组织主要为企业提供网络安全服务。正如公司名所说,本公司是混迹在“娱乐圈”中的公司,喜欢装B,一直摸黑竞争对手,从未被黑。
                <br />&nbsp;&nbsp;本公司的经营理念为“技术好,算个吊,摸黑对手有一套,坑到学生才叫吊~”。
                <br />&nbsp;&nbsp;你别说不爽我们,有本事来爆我们(科哥)菊花~ come on!!</h3>&nbsp;</div>
            <hr />
            <div id="msg" name="msg" align="left" style="1024px">
              <h2>客户留言:</h2>
              <hr />
              <br />
              <?php //这里输出用户留言 
               include 'antixss.php'; 
              include 'config.php'; 
              $con=m ysql_connect($db_address,$db_user,$db_pass) or die( "不能连接到数据库!!".mysql_error()); 
              mysql_select_db($db_name,$con); 
              $page=$_GET[ 'page']; 
              if($page=="" || $page==0)
              { 
                $page='1' ; } 
                $page=intval($page); $start=($page-1)*7; 
                $last=$page*7; 
                $result=mysql_query( "SELECT * FROM `message` WHERE display=1 ORDER BY id LIMIT $start,$last"); 
                if(mysql_num_rows($result)>0)
                { 
                    while($rs=mysql_fetch_array($result))
                    { 
                        echo htmlspecialchars($rs['nice'],ENT_QUOTES).":<br />"; echo '&nbsp;&nbsp;&nbsp;&nbsp;'.antixss($rs['say']).'<br /><hr />'; 
                    } 
                }
                mysql_free_result($result);
              ?>
                <center>
                  <p>
                    <a href="index.php">首页</a>
                    <?php 
                        $contents = mysql_query("SELECT * FROM `message` WHERE display=1");
                        if (mysql_num_rows($contents) > 0) 
                        {
                            $num = mysql_num_rows($contents);
                            if ($num % 8 != 0) 
                            {
                                $pagenum = intval($num / 8) + 1;
                            } 
                            else 
                            {
                                $pagenum = intval($num / 8);
                            }
                            for ($i = 1;$i <= $pagenum;$i++) 
                            {
                                echo '<a href="index.php?page=' . htmlspecialchars($i) . '">' . htmlspecialchars($i) . '</a>&nbsp;';
                            }
                        }
                        mysql_free_result($contents);
                        mysql_close($con); 
                    ?>
                        <a href="index.php?page=<?php echo htmlspecialchars($pagenum);?>">尾页</a></p>
                  <form method="post" action="./so.php">留言搜索(输入ID):
                    <input name="soid" type="text" id="soid" />
                    <input type="submit" value="搜索" /></form></center>
            </div>
            <hr />
            <div id="say" name="say" align="left" style="1024px">
              <h2>留言:</h2>
              <form method="post" action="./preview.php">
                <span class="STYLE1">昵称:</span>
                <input name="nice" type="text" id="nice" 
                <?php //这里是获取昵称的cookie再显示
                value = ""$username = $_COOKIE['username'];
                $username = htmlspecialchars($username, ENT_QUOTES);
                echo ' value="' . $username . '" '; 
                ?>/></label>
                <p class="STYLE1">内容:
                  <br />&nbsp;&nbsp;&nbsp;
                  <textarea style="800px;height:100px" name="usersay" id="usersay"></textarea>
                  <label>
                    <br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
                    <input onclick="return checkform()" type="submit" name="Submit" style="600px;height:50px" value="预览" /></label>
                  <br />&nbsp;&nbsp;&nbsp;&nbsp;(可用[a]网址[/a]代替&lt;a href=&quot;网址&quot; &gt;网址&lt;/a&gt;)</p></form>
            </div>
            <div>
              <h4>
                <a href="./about.php?file=sm.txt">本CMS说明</a></h4>
            </div>
            <div align="center">鸣谢·红客联盟(HUC)官网
              <br /></div></center>
          <script>function checkform() {
              if (say.nice.value == "" || say.usersay.value == "") {
                alert("昵称或留言内容不能为空");
                return false;
              } else {
                return true;
              }</script>
        </body>
      
      </html>
    index.php
    <?php function passencode($content) { 
        //$pass = urlencode($content);
        $array = str_split($content);
        $pass = "";
        for ($i = 0;$i < count($array);$i++) {
            if ($pass != "") {
                $pass = $pass . " " . (string)ord($array[$i]);
            } else {
                $pass = (string)ord($array[$i]);
            }
        }
        return $pass;
    } ?>
    passencode.php
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <?php
        include 'config.php';
        $nice = $_POST['nice'];
        $say = $_POST['usersay'];
        if (!isset($_COOKIE['username'])) 
        {
            setcookie('username', $nice);
            setcookie('userpass', '');
        }
        $username = $_COOKIE['username'];
        $userpass = $_COOKIE['userpass'];
        if ($nice == "" || $say == "") 
        {
            echo "<script>alert('昵称或留言内容不能为空!(如果有内容也弹出此框,不是网站问题喔~ 好吧,给个提示:查看页面源码有惊喜!)');</script>";
            exit();
        }
        $con = mysql_connect($db_address, $db_user, $db_pass) or die("不能连接到数据库!!" . mysql_error());
        mysql_select_db($db_name, $con);
        $nice = mysql_real_escape_string($nice);
        $username = mysql_real_escape_string($username);
        $userpass = mysql_real_escape_string($userpass);
        $result = mysql_query("SELECT username FROM admin where username='$nice'", $con);
        $login = mysql_query("SELECT * FROM admin where username='$username' AND userpass='$userpass'", $con);
        if (mysql_num_rows($result) > 0 && mysql_num_rows($login) <= 0) {
            echo "<script>alert('昵称已被使用,请更换!');</script>";
            mysql_free_result($login);
            mysql_free_result($result);
            mysql_close($con);
            exit();
        }
        mysql_free_result($login);
        mysql_free_result($result);
        $say = mysql_real_escape_string($say);
        mysql_query("insert into message (nice,say,display) values('$nice','$say',0)", $con);
        mysql_close($con);
        echo '<script>alert("构建和谐社会,留言需要经过管理员审核才可以显示!");window.location = "./index.php"</script>';
    ?>gt;
    say.php
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
      
      <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>搜索留言</title></head>
      
      <body>
        <center>
          <div id="say" name="say" align="left" style="1024px">
            <?php 
                if ($_SERVER['HTTP_USER_AGENT'] != "Xlcteam Browser") 
                {
                    echo '万恶滴黑阔,本功能只有用本公司开发的浏览器才可以用喔~';
                    exit();
                }
                $id = $_POST['soid'];
                include 'config.php';
                include 'antiinject.php';
                include 'antixss.php';
                $id = antiinject($id);
                $con = mysql_connect($db_address, $db_user, $db_pass) or die("不能连接到数据库!!" . mysql_error());
                mysql_select_db($db_name, $con);
                $id = mysql_real_escape_string($id);
                $result = mysql_query("SELECT * FROM `message` WHERE display=1 AND id=$id");
                $rs = mysql_fetch_array($result);
                echo htmlspecialchars($rs['nice']) . ':<br />&nbsp;&nbsp;&nbsp;&nbsp;' . antixss($rs['say']) . '<br />';
                mysql_free_result($result);
                mysql_free_result($file);
                mysql_close($con);
            ?></div>
        </center>
      </body>
    
    </html>
    so.php
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
      <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>预览留言</title></head>
      
      <body>
        <?php $prenice=$_POST['nice']; $presay=$_POST[ 'usersay']; include 'antixss.php'; ?>
          <center>
            <div id="say" name="say" align="left" style="1024px">
              <form method="get" action="./say.php">
                <p>
                  <input name="nice" type="hidden" id="nice" value=<?php echo '"'.htmlspecialchars($prenice). '"'; ?>/>
                  <input name="usersay" type="hidden" id="usersay" value=<?php echo '"'.antixss($presay). '"'; ?>/>
                  <?php echo htmlspecialchars($prenice); ?>:
                    <br />    
                    <?php echo antixss($presay);?>
                      <br />
                      <br />        
                      <input onclick="return checkform()" type="submit" name="Submit" style="600px;height:50px" value="确认提交" /></p></form>
            </div>(提示:再次提醒,xss不保证可以成功,允许留言是为了增加娱乐性,换条思路吧!,因为我也不会xss- -~)</center>
          <script>function checkform() {
              if (say.nice.value == "" || say.usersay.value == "") {
                alert("昵称或留言内容不能为空");
                return false;
              } else {
                return true;
              }</script>
      </body>
    
    </html>
    preview.php
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 
    <?php $file = $_GET['file'];
        if ($file == "" || strstr($file, 'config.php')) {
            echo "file参数不能为空!";
            exit();
        } else {
            $cut = strchr($file, "loginxlcteam");
            if ($cut == false) 
            {
                $data = file_get_contents($file);
                $date = htmlspecialchars($data);
                echo $date;
            } else {
                echo "<script>alert('敏感目录,禁止查看!但是。。。')</script>";
            }
    }
    about.php
    <?php function antixss($content) {
        preg_match("/(.*)[a](.*)[/a](.*)/", $content, $url);
        $key = array("(", ")", "&", "\", "<", ">", "'", "%28", "%29", " on", "data", "src", "eval", "unescape", "innerHTML", "document", "appendChild", "createElement", "write", "String", "setTimeout", "cookie"); 
        //因为太菜,很懒,所以。。。(过滤规则来自Mramydnei)
        $re = $url[2];
        if (count($url) == 0) {
            return htmlspecialchars($content);
        } else {
            for ($i = 0;$i <= count($key);$i++) {
                $re = str_replace($key[$i], '_', $re);
            }
            return htmlspecialchars($url[1], ENT_QUOTES) . '<a href="' . $re . '">' . $re . '</a>' . htmlspecialchars($url[3], ENT_QUOTES);
        }
    } ?>
    antixss.php
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <?php
    function antiinject($content) {
        $keyword = array("select", "union", "and", "from", ' ', "'", ";", '"', "char", "or", "count", "master", "name", "pass", "admin", "+", "-", "order", "=");
        $info = strtolower($content);
        for ($i = 0;$i <= count($keyword);$i++) {
            $info = str_replace($keyword[$i], '', $info);
        }
        return $info;
    }
    ?>gt;
    antiinject.php

    有点东西的:

     然后继续回到主界面,找到留言口:

     都疯狂暗示成这样了,当然是要搞点事情啊:

     找到后台,猜个用户名为admin,放回密码长度不对,说明用户名就是admin了,现在还差一个password:

     回到刚刚找的注意点,哪里看看可不可以进行注入,毕竟首页已经有大佬说是渗透了,那肯定离不开注入getshell的哇,后来发现so.php的id可以注入,返回的是一串数字:

    在sm.txt里又说userpass的类型是text,那就转化为ascii看看,于是得到密码:

     解码得到密码,进入后台:

     用file来读一下,emmm没看懂这个马的意思,后来看了一下大佬的解法:

     是这样用的:

    url : http://cms.nuptzj.cn/xlcteam.php?www=preg_replace
    pass : wtf
    

     然后上菜刀,失败了,大概是文件夹可视,文件不可视,哇地一声哭出来:

    冷静一下,观察一下目录,发现可以再次利用file去读取flag

     最后,可行!:

    后记:贴一些链接

    参考WP:https://blog.csdn.net/huanghelouzi/article/details/83421205

    直接看源码发现html是经过加密地,解密网站:https://tool.chinaz.com/tools/htmlencode.aspx

    php代码美化网站:http://tools.jb51.net/code/phpformat

    html代码美化网站:https://tool.chinaz.com/tools/jsformat.aspx

  • 相关阅读:
    UVA1349 Optimal Bus Route Design 最优巴士路线设计
    POJ3565 Ants 蚂蚁(NEERC 2008)
    UVA1663 Purifying Machine 净化器
    UVa11996 Jewel Magic 魔法珠宝
    NEERC2003 Jurassic Remains 侏罗纪
    UVA11895 Honorary Tickets
    gdb调试coredump(使用篇)
    使用 MegaCLI 检测磁盘状态并更换磁盘
    员工直接坦诚直来直去 真性情
    山东浪潮超越3B4000申泰RM5120-L
  • 原文地址:https://www.cnblogs.com/chrysanthemum/p/11974280.html
Copyright © 2011-2022 走看看