The DragonKnight CTF held on May 25 has ended; below is my reproduction writeup.
ezsign
Scanning with dirsearch gives the following:
dirsearch -u http://challenge.qsnctf.com:31527/
dirsearch v0.4.3.post1
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: C:\Users\Administrator\reports\http_challenge.qsnctf.com_31527\__24-06-07_09-51-19.txt
Target: http://challenge.qsnctf.com:31527/
[09:51:19] Starting:
[09:51:21] 200 - 6KB - /.DS_Store
[09:51:22] 403 - 288B - /.ht_wsr.txt
[09:51:22] 403 - 288B - /.htaccess.bak1
[09:51:22] 403 - 288B - /.htaccess.save
[09:51:22] 403 - 288B - /.htaccess.sample
[09:51:22] 403 - 288B - /.htaccess.orig
[09:51:22] 403 - 288B - /.htaccess_extra
[09:51:22] 403 - 288B - /.htaccess_orig
[09:51:22] 403 - 288B - /.htaccess_sc
[09:51:22] 403 - 288B - /.htaccessBAK
[09:51:22] 403 - 288B - /.htaccessOLD2
[09:51:22] 403 - 288B - /.htaccessOLD
[09:51:22] 403 - 288B - /.html
[09:51:22] 403 - 288B - /.htm
[09:51:22] 403 - 288B - /.htpasswd_test
[09:51:22] 403 - 288B - /.htpasswds
[09:51:22] 403 - 288B - /.httr-oauth
[09:51:25] 301 - 339B - /.vscode -> http://challenge.qsnctf.com:31527/.vscode/
[09:51:25] 403 - 288B - /.vscode/
[09:51:25] 200 - 1KB - /.vscode/launch.json
[09:51:42] 200 - 2KB - /index.php.bak
[09:51:44] 200 - 23B - /login.php
[09:51:55] 403 - 288B - /server-status/
[09:51:55] 403 - 288B - /server-status
[09:52:00] 200 - 30B - /upload.php
[09:52:00] 301 - 338B - /upload -> http://challenge.qsnctf.com:31527/upload/
[09:52:00] 403 - 288B - /upload/
Task Completed
Two hits stand out: index.php.bak and /upload/, so this is clearly a reworked file-upload challenge. (The scan also returns 200 for /.DS_Store and /.vscode/launch.json, which are worth pulling down as well.)
Opening index.php.bak, the source is as follows:
<?php
error_reporting(0);
// Check whether the cookie carries a token
$token = $_COOKIE['token'] ?? null;
if($token){
    extract($_GET); // imports every GET parameter as a variable (variable overwrite)
    $token = base64_decode($token);
    $token = json_decode($token, true);
    $username = $token['username'];
    $password = $token['password'];
    $isLocal = false;
    if($_SERVER['REMOTE_ADDR'] == "127.0.0.1"){
        $isLocal = true;
    }
    if($isLocal){
        echo 'Welcome Back,' . $username . '!';
        // If upload/$username/<filename from the token> exists, show the image
        if(file_exists('upload/' . $username . '/' . $token['filename'])){
            // Show the image, scaled down
            echo '<br>';
            echo '<img src="upload/' . $username . '/' . $token['filename'] .'" width="200">';
        } else {
            echo 'Please upload your noble avatar.';
            // Avatar upload form
            $html = <<<EOD
<form method="post" action="upload.php" enctype="multipart/form-data">
<input type="file" name="file" id="file">
<input type="submit" value="Upload">
</form>
EOD;
            echo $html;
        }
    } else {
        // echo "Leave a message";
        $html = <<<EOD
<h1>Message Board</h1>
<label for="input-text">Enter some text:</label>
<input type="text" id="input-text" placeholder="Type here...">
<button onclick="displayInput()">Display</button>
EOD;
        echo $html;
    }
} else {
    $html = <<<EOD
<!DOCTYPE html>
<html>
<head>
<title>Login</title>
</head>
<body>
<h2>Login</h2>
<form method="post" action="./login.php">
<div>
<label for="username">Username:</label>
<input type="text" name="username" id="username" required>
</div>
<div>
<label for="password">Password:</label>
<input type="password" name="password" id="password" required>
</div>
<div>
<input type="submit" value="Login">
</div>
</form>
</body>
</html>
EOD;
    echo $html;
}
?>
<script>
function displayInput() {
    var inputText = document.getElementById("input-text").value;
    document.write(inputText)
}
</script>
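To make the extract() point concrete, here is an added example (not code from the challenge or from this writeup's author). It replays the order of operations in index.php.bak, read the cookie, extract($_GET), decode the token, on constructed request data so it runs from the CLI, and puts a hardened version next to it. It exercises only the plain-variable case ($token), not the $_SERVER superglobal; the names make_token(), vulnerable() and hardened() and the sample inputs are this example's own.

```php
<?php
// Added example (not challenge code): replays the order of operations in
// index.php.bak (read cookie, extract($_GET), decode token) on constructed
// request data so it runs from the CLI. make_token(), vulnerable() and
// hardened() are names chosen for this example.

function make_token(array $claims): string
{
    // The encoding index.php.bak expects in the "token" cookie.
    return base64_encode(json_encode($claims));
}

// Mirrors the vulnerable block. $token is read from the cookie first, then
// extract($get) imports every query parameter as a variable, so a "token"
// query parameter replaces the cookie value before it is decoded. $isLocal
// is assigned only after extract() and therefore cannot be clobbered.
function vulnerable(array $cookie, array $get): array
{
    $token = $cookie['token'] ?? null;
    extract($get);
    $token = base64_decode($token);
    $token = json_decode($token, true);
    $username = $token['username'];
    $isLocal = false;
    return [
        'username' => $username,
        'path'     => 'upload/' . $username . '/' . $token['filename'],
        'isLocal'  => $isLocal,
    ];
}

// Hardened equivalent: no extract(), inputs are read by name, the token is
// validated, and both path components are limited to a safe character set
// so neither "/" nor ".." can reach file_exists().
function hardened(array $cookie, array $get): array
{
    $raw  = (string)($cookie['token'] ?? '');
    $page = (string)($get['page'] ?? 'home');   // explicit, by name
    $json = base64_decode($raw, true);            // strict mode: false on bad input
    $claims = is_string($json) ? json_decode($json, true) : null;
    if (!is_array($claims)) {
        throw new InvalidArgumentException('malformed token');
    }
    $username = (string)($claims['username'] ?? '');
    $filename = (string)($claims['filename'] ?? '');
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $username)
        || !preg_match('/\A[A-Za-z0-9_-]{1,64}\.png\z/', $filename)) {
        throw new InvalidArgumentException('rejected username or filename');
    }
    return [
        'username' => $username,
        'path'     => "upload/$username/$filename",
        'page'     => $page,
    ];
}

// Constructed request data: an honest cookie and a hostile query string that
// supplies its own token with traversal sequences in both path components.
$cookie = ['token' => make_token(['username' => 'alice', 'password' => 'pw', 'filename' => 'avatar.png'])];
$get    = ['token' => make_token(['username' => '../../../../etc', 'password' => '', 'filename' => 'passwd'])];

$v = vulnerable($cookie, $get);
echo "vulnerable: path={$v['path']} isLocal=" . var_export($v['isLocal'], true) . "\n";

$h = hardened($cookie, $get);
echo "hardened, cookie token: path={$h['path']}\n";

try {
    hardened(['token' => $get['token']], []);
} catch (InvalidArgumentException $e) {
    echo "hardened, hostile token: " . $e->getMessage() . "\n";
}
```

Run it with `php example.php`. In the vulnerable function the path is built from the query-string token rather than the cookie, which is the overwrite the writeup refers to, while $isLocal stays false because it is assigned after extract(). The hardened function ignores the query-string token entirely, accepts the cookie token, and rejects the hostile one on the character-set check before any filesystem call.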
There is an extract() variable-overwrite vulnerability, but passing /?_SERVER[REMOTE_ADDR]=127.0.0.1 has no effect. Waiting online for a fellow player to come and solve it~
Reference: entry