BJDCTF2020]EasySearch

  • dirsearch扫描发现index.php.swp文件 给了源码
<?php
	ob_start();
	function get_hash(){
    
    
		$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-';
		$random = $chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)];//Random 5 times mt_rand()在一定范围内随机生成一个数
		$content = uniqid().$random; # uniqid() 函数基于以微秒计的当前时间,生成一个唯一的ID。
		return sha1($content); 
	}
    header("Content-Type: text/html;charset=utf-8");
	***
    if(isset($_POST['username']) and $_POST['username'] != '' )
    {
    
    
        $admin = '6d0bc1';
        if ( $admin == substr(md5($_POST['password']),0,6)) {
    
    
            echo "<script>alert('[+] Welcome to manage system')</script>";
            $file_shtml = "public/".get_hash().".shtml";
            $shtml = fopen($file_shtml, "w") or die("Unable to open file!");
            $text = '
            ***
            ***
            <h1>Hello,'.$_POST['username'].'</h1>
            ***
			***';
            fwrite($shtml,$text);
            fclose($shtml);
            ***
			echo "[!] Header  error ...";
        } else {
    
    
            echo "<script>alert('[!] Failed')</script>";
            
    }else
    {
    
    
	***
    }
	***
?>
  • 简单的看了下代码 开头的已经在代码中解释过了
  • 接下来就是
 if(isset($_POST['username']) and $_POST['username'] != '' )
    {
    
    
        $admin = '6d0bc1';
        if ( $admin == substr(md5($_POST['password']),0,6)) {
    
    
            echo "<script>alert('[+] Welcome to manage system')</script>";
            $file_shtml = "public/".get_hash().".shtml";
            $shtml = fopen($file_shtml, "w") or die("Unable to open file!");
            $text = '
            ***
            ***
            <h1>Hello,'.$_POST['username'].'</h1>
            ***
			***';
            fwrite($shtml,$text);
            fclose($shtml);
            ***
			echo "[!] Header  error ...";
  • 要求密码的前6为经过md5加密后为6d0bc1
  • 拿python跑一下
import hashlib

for i in range(10000000000):
    a = hashlib.md5(str(i).encode('utf-8')).hexdigest()
    if a[0:6] == '6d0bc1':
        print(i)
        break
  • 运行结果是2020666
  • 成功登录后 它会打开public/".get_hash().".shtml文件 接着在文件里面写username的内容
  • 这里我没学过 就当补充一下知识了Apache SSI 远程命令执行漏洞
  • 实操
    在这里插入图片描述
  • 访问url_is_here的文件
  • 得到flag文件的位置 访问就能得到flag了!!!

猜你喜欢

转载自blog.csdn.net/CyhDl666/article/details/114671031