BJDCTF2020]EasySearch

• The dirsearch scan found that the index.php.swp file was given to the source code

<?php
	ob_start();
	function get_hash(){
    
    
		$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-';
		$random = $chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)];//Random 5 times mt_rand()在一定范围内随机生成一个数
		$content = uniqid().$random; # uniqid() 函数基于以微秒计的当前时间，生成一个唯一的ID。
		return sha1($content); 
	}
    header("Content-Type: text/html;charset=utf-8");
	***
    if(isset($_POST['username']) and $_POST['username'] != '' )
    {
    
    
        $admin = '6d0bc1';
        if ( $admin == substr(md5($_POST['password']),0,6)) {
    
    
            echo "<script>alert('[+] Welcome to manage system')</script>";
            $file_shtml = "public/".get_hash().".shtml";
            $shtml = fopen($file_shtml, "w") or die("Unable to open file!");
            $text = '
            ***
            ***
            <h1>Hello,'.$_POST['username'].'</h1>
            ***
			***';
            fwrite($shtml,$text);
            fclose($shtml);
            ***
			echo "[!] Header  error ...";
        } else {
    
    
            echo "<script>alert('[!] Failed')</script>";
            
    }else
    {
    
    
	***
    }
	***
?>

• A brief look at the beginning of the code has been explained in the code
• The next step is

 if(isset($_POST['username']) and $_POST['username'] != '' )
    {
    
    
        $admin = '6d0bc1';
        if ( $admin == substr(md5($_POST['password']),0,6)) {
    
    
            echo "<script>alert('[+] Welcome to manage system')</script>";
            $file_shtml = "public/".get_hash().".shtml";
            $shtml = fopen($file_shtml, "w") or die("Unable to open file!");
            $text = '
            ***
            ***
            <h1>Hello,'.$_POST['username'].'</h1>
            ***
			***';
            fwrite($shtml,$text);
            fclose($shtml);
            ***
			echo "[!] Header  error ...";

• The first 6 of the password is 6d0bc1 after md5 encryption
• Run python

import hashlib

for i in range(10000000000):
    a = hashlib.md5(str(i).encode('utf-8')).hexdigest()
    if a[0:6] == '6d0bc1':
        print(i)
        break

• The result of the operation is 2020666
• After successful login, it will open public/".get_hash().".shtmlthe file and write the content of username in the file
• Here I have not studied it, so I should add my knowledge to the Apache SSI remote command execution vulnerability
• Practice
  
• Visit url_is_here's file
• You can get the flag by accessing the location of the flag file! ! !