Weekly learning summary

article

1. Open the web link , According to the content ：
   

   Checked the source code , I didn't see anything wrong , Guess it might be SQL Inject 、 Source code leakage 、XSS Inject 、GIT Let the cat out of the

3. It doesn't matter , Go up directly and arrange to scan the directory first , This takes the longest time , Then proceed SQL Inject , You'll find that you can't bet at all , He will only prompt a pop-up window , I was thinking about looking at the code to see if there were any loopholes , The result is nothing big . Basically SQL Inject 、XSS The injection is gone . We can only hope to scan the directory
2. The scanning time is super slow , If you want to use my tools, you can see mine Weekly learning summary , There's no paste here , Finally, there is one index.php.swp file , After web page input ：

http://a68d250f-cd20-45b5-a176-a32260c35fd7.node4.buuoj.cn:81/index.php.swp
You can get the source code

3. Code audit ：

   <?php
   	ob_start();
   	function get_hash(){
         
   		$chars = '[email protected]#$%^&*()+-';
   		$random = $chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)];//Random 5 times
   		$content = uniqid().$random;
   		return sha1($content); 
   	}
       header("Content-Type: text/html;charset=utf-8");
   	
       if(isset($_POST['username']) and $_POST['username'] != '' ){
           #  Exist with mutual names and are not empty 
           $admin = '6d0bc1';
           if ( $admin == substr(md5($_POST['password']),0,6)) {
           #  lookup  md5  The first six digits of the value are  6d0bc1 2020666
               echo "<script>alert('[+] Welcome to manage system')</script>";
               $file_shtml = "public/".get_hash().".shtml";
               $shtml = fopen($file_shtml, "w") or die("Unable to open file!");  #  Open and write a file 
               $text = ' *** *** <h1>Hello,'.$_POST['username'].'</h1> *** ***';
               fwrite($shtml,$text);
               fclose($shtml);
               
   			echo "[!] Header error ...";
           } else {
         
               echo "<script>alert('[!] Failed')</script>";
               
       	}
   	}else{
         
   
       }
   	
   ?>
   

   At first glance, we need to do something about documents

4. We need to make a MD5 The value starts with 6d0bc1 , Find relevant codes on the Internet ：

   #-*- coding:utf-8 -*-
   # Script function ： Generate md5 value （6 Digit number ）
   
   import hashlib
   import random
   
   def encryption(chars):
       return hashlib.md5(chars).hexdigest()
   def generate():
       return str(random.randint(99999,1000000))
   def main():
       start = "6d0bc1"
       while True:
           strs = generate()
           print "Test %s " % strs
           if encryption(strs).startswith(start):
               print "yes!"
               print "[+] %s " % strs + "%s " % encryption(strs)
               break
           else:
               print "no!"
   if __name__ == '__main__':
       main()
       print ' complete ！'
   
   

   I can't get out at all , Look directly at others wp , Use 2020666

5. Start landing ：
   

   Landing successful , And here tell us a file storage address , No way out , Looking at wp

6. The file here uses shtml , And this village has a loophole ： Apache SSI Remote command execution vulnerability

7. shtml And ssi Instructions
   Baidu Encyclopedia ：shtml and asp There are some similarities , With shtml Named file , Used ssi Some of the instructions for , It's like asp The instructions in , You can SHTML Write in file SSI Instructions , When the client accesses these shtml When you file , The server will send these SHTML File to read and interpret , hold SHTML The file contains SSI Explain the instructions .
   SSI Instructions

8. Start payload:
   Tips ： Use SSI The order of , Just look up the upper level directory

summary

1. MD5 Collision
2. SSI Middleware vulnerability
   Reference article