Played the national CTF once. The challenge quality was very high, it felt like knowledge gaps everywhere, and our team had no pwn player, haha.

Easyweb

From the source it is clear that the cookie can be forged, which gives us a login.

<?php
// Challenge code: the "encryption" is a plain XOR with a repeating key, then base64.
function encode($str,$key)
{
    $tmp="";
    for ($i=0;$i<strlen($str);$i++)
    {
        $tmp .= chr(ord($str[$i])^ord($key[$i%strlen($key)]));
    }
    return base64_encode($tmp);
}

// XOR is its own inverse, so decode() is encode() without the base64 step.
// There is no integrity check: any base64 value is accepted and XORed back.
function decode($str,$key)
{
    $str=base64_decode($str);
    $tmp="";
    for ($i=0;$i<strlen($str);$i++)
    {
        $tmp .= chr(ord($str[$i])^ord($key[$i%strlen($key)]));
    }
    return $tmp;
}

// The username is taken straight from the cookie after decode(); nothing
// verifies that the server issued that cookie.
function is_login()
{
    global $username,$secret;
    if (!isset($_COOKIE["username"]))
        return false;
    $username=decode($_COOKIE["username"],$secret);
    return true;
}

After logging in there is a file upload page.

Source of the upload page:

<?php
include "config.php";    // presumably defines $secret
include "function.php";  // the encode()/decode()/is_login() functions shown above

is_login();              // sets the global $username from the cookie; return value ignored

// Only the decoded cookie value is checked, so whoever controls the cookie is "admin".
if ($username!=="admin")
{
    echo "You have not permission.<script>setTimeout('location.href=\"index.php\"',3000);</script>";
    die;
}

if (!$_FILES["file"]["name"])
{
    echo "Please chose a file to upload.<script>setTimeout('location.href=\"user.php\"',3000);</script>";
    die;
}

$file_name=$_FILES["file"]["name"];

// Blacklist on the file name only; the uploaded file itself is never stored.
if (preg_match("/php/i",$file_name))
{
    echo "You cant upload php file.<script>setTimeout('location.href=\"user.php\"',3000);</script>";
    die;
}

// The user-controlled file name is appended to a .php file under the web root.
file_put_contents("logs/upload.log.php","User {$username} uploaded file {$file_name}.\n",FILE_APPEND);
echo "I logged the file name you uploaded. LOL<script>setTimeout('location.href=\"user.php\"',3000);</script>";

"php" is filtered, so **** is used to bypass it. The file name is written into logs/upload.log.php, so whatever is in the file name is executed as PHP, and a one-line webshell can be planted there.
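A hardened counterpart to both pieces of challenge code above, added here as an example and not part of the original writeup or the challenge: the cookie carries an HMAC tag instead of a malleable XOR, and the upload log only accepts allow-listed file names and writes them to a non-executable .log file. It assumes $secret still comes from config.php and that $log_dir points outside the web root; the function names are my own.

```php
<?php
// Added hardening sketch, not the challenge's code. Assumes $secret comes from
// config.php and that $log_dir is a directory outside the web root.

// The challenge's encode() only XORs with a repeating key: no integrity check, so
// any cookie bytes "decode". Here the username is readable but carries an HMAC tag,
// which nobody without $secret can produce.
function issue_cookie(string $username, string $secret): string
{
    return base64_encode($username) . '.' . hash_hmac('sha256', $username, $secret);
}

// Returns the username when the tag verifies, null on any malformed or altered value.
function verify_cookie(string $cookie, string $secret): ?string
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $username = base64_decode($parts[0], true);
    if ($username === false) {
        return null;
    }
    // hash_equals() compares in constant time, so the tag cannot be guessed byte by byte.
    return hash_equals(hash_hmac('sha256', $username, $secret), $parts[1]) ? $username : null;
}

// The challenge logs an attacker-controlled file name into logs/upload.log.php.
// Instead: allow-list the name, and write to a plain .log file that PHP never executes.
function safe_log_name(string $name): ?string
{
    $name = basename($name);
    if ($name === '' || strlen($name) > 64 || !preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        return null;
    }
    return $name;
}

function log_upload(string $username, string $file_name, string $log_dir): bool
{
    $safe = safe_log_name($file_name);
    if ($safe === null) {
        return false; // rejected outright, nothing is written
    }
    $line = sprintf("User %s uploaded file %s\n", $username, $safe);
    return file_put_contents($log_dir . '/upload.log', $line, FILE_APPEND | LOCK_EX) !== false;
}
```

In the login handler, set the cookie with issue_cookie() after the password check and replace is_login() with a call to verify_cookie(), treating null as "not logged in".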