[BJDCTF2020] EasySearch

发布于 2021-08-06  69 次阅读


知识点

ssi注入:https://blog.csdn.net/qq_40657585/article/details/84260844

解题

image-20210103145021073

打开题目,又是一个普普通通的登录框,尝试sql注入,没有效果,选择扫目录

image-20210103145120855

扫到一个源码泄露

image-20210103145140709
<?php
ob_start();
function get_hash(){
$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-';
$random = $chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)];//Random 5 times
$content = uniqid().$random;
return sha1($content);
}
header("Content-Type: text/html;charset=utf-8");
***
if(isset($_POST['username']) and $_POST['username'] != '' )
{
$admin = '6d0bc1';
if ( $admin == substr(md5($_POST['password']),0,6)) {
echo "<script>alert('[+] Welcome to manage system')</script>";
$file_shtml = "public/".get_hash().".shtml";
$shtml = fopen($file_shtml, "w") or die("Unable to open file!");
$text = '
***
***
<h1>Hello,'.$_POST['username'].'</h1>
***
***';
fwrite($shtml,$text);
fclose($shtml);
***
echo "[!] Header error ...";
} else {
echo "<script>alert('[!] Failed')</script>";

}else
{
***
}
***
?>

用户名密码判断处发现一个MD5截断比较,反手掏出自己珍藏多年的脚本跑一下

image-20210103145610599

跑到一个,尝试一下.

image-20210103145650050

登陆成功,下一步,这里我就卡住了,没有思路,看了别人的wp:

image-20210103150230403

查看数据包,我们发现一个url,直接访问试试

image-20210103150420345

输出了 用户名 时间戳和IP,观察文件后缀名发现,可能存在ssi注入,抓包尝试

image-20210103151205755
image-20210103151158785

没有flag文件返回上级目录看看

image-20210103151416054

得到flag文件名,读取flag

<!--#exec cmd="cat ../flag_990c66bf85a09c664f0b6741840499b2"-->
image-20210103151605943