In earlier file-upload challenges I only knew that .shtml files could be uploaded, but I did not know how to exploit them.
Now I know this is called Server-Side Include injection: https://www.secpulse.com/archives/66934.html
Server Side Includes (SSI)
Command execution PoC
This challenge has a file leak: .index.php.swp
Code analysis:
```php
<?php
ob_start();

function get_hash(){
    // 74 characters, indices 0..73
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-';
    $random = $chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)];
    $content = uniqid().$random;
    return sha1($content);
}

header("Content-Type: text/html;charset=utf-8");
// *** (lines omitted in the original post)
if(isset($_POST['username']) and $_POST['username'] != '' ) {
    $admin = '6d0bc1';
    // only the first 6 hex characters of the MD5 are compared
    if ( $admin == substr(md5($_POST['password']),0,6)) {
        echo "<script>alert('[+] Welcome to manage system')</script>";
        // a randomly named .shtml file is created under public/
        $file_shtml = "public/".get_hash().".shtml";
        $shtml = fopen($file_shtml, "w") or die("Unable to open file!");
        // the username is written unescaped into a server-parsed (SSI) file
        $text = '
***
***
<h1>Hello,'.$_POST['username'].'</h1>
***
***';
        fwrite($shtml,$text);
        fclose($shtml);
        // *** (lines omitted in the original post)
        echo "[!] Header error ...";
    } else {
        echo "<script>alert('[!] Failed')</script>";
    }
} else {
    // *** (lines omitted in the original post)
}
// *** (lines omitted in the original post)
?>
```
The key point is this check:
```php
$admin = '6d0bc1';
if ( $admin == substr(md5($_POST['password']),0,6)) xxx
```
Since only a 6-character MD5 prefix is compared, we can try brute-forcing it:
```php
$admin = '6d0bc1';
for ($i=0; $i < 100000000000; $i++) {
    if ( $admin == substr(md5($i),0,6)){
        echo $i;
        break;
    }
}
```
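As an added example (not the challenge's own source), here are the two weak spots from the code above, the 6-character MD5 prefix check and the unescaped username written into the SSI-parsed .shtml file, each next to a hardened form; the admin hash and the sample input are constructed for this demo.

```php
<?php
// Added example, not the challenge's original index.php.

// Vulnerable check from the challenge: only 6 hex characters of the MD5 are
// compared, so at most 16^6 = 16,777,216 distinct prefixes exist and a
// colliding password is found by simple enumeration (as the loop above shows).
function weak_check(string $password): bool {
    $admin = '6d0bc1';
    return $admin == substr(md5($password), 0, 6);
}

// Hardened: keep a salted hash of the full password and let password_verify()
// do a constant-time comparison of the whole digest.
// $admin_hash is a constructed value created below with password_hash().
function strong_check(string $password, string $admin_hash): bool {
    return password_verify($password, $admin_hash);
}

// Vulnerable sink from the challenge: the raw username is written into a file
// that Apache's mod_include parses, so any <!--# ... --> it contains is evaluated.
function render_greeting_vulnerable(string $username): string {
    return '<h1>Hello,' . $username . '</h1>';
}

// Hardened: HTML-encode the value before writing it; "<" becomes "&lt;", so the
// file no longer contains a directive. Writing to a .html file (not parsed by
// mod_include) removes the sink entirely and is the better fix.
function render_greeting_safe(string $username): string {
    return '<h1>Hello,' . htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h1>';
}

// Defender-side check: flag SSI directives in content before it is written to
// a server-parsed file (or when auditing files already present under public/).
function contains_ssi_directive(string $content): bool {
    return (bool) preg_match('/<!--#\s*(exec|include|echo|config|set|printenv|fsize|flastmod)\b/i', $content);
}

// Constructed sample input: a harmless SSI directive used only to exercise the checks.
$sample = '<!--#echo var="DOCUMENT_NAME" -->';
var_dump(contains_ssi_directive(render_greeting_vulnerable($sample)));
var_dump(contains_ssi_directive(render_greeting_safe($sample)));

// Constructed admin credential; in production the hash comes from configuration.
$admin_hash = password_hash('CHANGE-ME', PASSWORD_DEFAULT);
var_dump(strong_check('CHANGE-ME', $admin_hash));
var_dump(strong_check('wrong', $admin_hash));
```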
The generated file can then be found in the response headers.
payload: