# [GYCTF2020]EasyThinking
先是源码泄露 www,zip
# ![2]()
登录后,少写一个字,发现是 thinkphp(题目的名字也提醒了是这个考点)
在 web/home/controller 有一个 Member.php,得到网页源码:
<?php
namespace app\home\controller;
use think\exception\ValidateException;
use think\facade\Db;
use think\facade\View;
use app\common\model\User;
use think\facade\Request;
use app\common\controller\Auth;
class Member extends Base
{
public function index()
{
if (session("?UID"))
{
$data = ["uid" => session("UID")];
$record = session("Record");
$recordArr = explode(",", $record);
$username = Db::name("user")->where($data)->value("username");
return View::fetch('member/index',["username" => $username,"record_list" => $recordArr]);
}
return view('member/index',["username" => "Are you Login?","record_list" => ""]);
}
public function login()
{
if (Request::isPost()){
$username = input("username");
$password = md5(input("password"));
$data["username"] = $username;
$data["password"] = $password;
$userId = Db::name("user")->where($data)->value("uid");
$userStatus = Db::name("user")->where($data)->value("status");
if ($userStatus == 1){
return "<script>alert(\"该用户已被禁用,无法登陆\");history.go(-1)</script>";
}
if ($userId){
session("UID",$userId);
return redirect("/home/member/index");
}
return "<script>alert(\"用户名或密码错误\");history.go(-1)</script>";
}else{
return view('login');
}
}
public function register()
{
if (Request::isPost()){
$data = input("post.");
if (!(new Auth)->validRegister($data)){
return "<script>alert(\"当前用户名已注册\");history.go(-1)</script>";
}
$data["password"] = md5($data["password"]);
$data["status"] = 0;
$res = User::create($data);
if ($res){
return redirect('/home/member/login');
}
return "<script>alert(\"注册失败\");history.go(-1)</script>";
}else{
return View("register");
}
}
public function logout()
{
session("UID",NULL);
return "<script>location.href='/home/member/login'</script>";
}
public function updateUser()
{
$data = input("post.");
$update = Db::name("user")->where("uid",session("UID"))->update($data);
if($update){
return json(["code" => 1, "msg" => "修改成功"]);
}
return json(["code" => 0, "msg" => "修改失败"]);
}
public function rePassword()
{
$oldPassword = input("oldPassword");
$password = input("password");
$where["uid"] = session("UID");
$where["password"] = md5($oldPassword);
$res = Db::name("user")->where($where)->find();
if ($res){
$rePassword = User::update(["password" => md5($password)],["uid"=> session("UID")]);
if ($rePassword){
return json(["code" => 1, "msg" => "修改成功"]);
}
return json(["code" => 0, "msg" => "修改失败"]);
}
return json(["code" => 0, "msg" => "原密码错误"]);
}
public function search()
{
if (Request::isPost()){
if (!session('?UID'))
{
return redirect('/home/member/login');
}
$data = input("post.");
$record = session("Record");
if (!session("Record"))
{
session("Record",$data["key"]);
}
else
{
$recordArr = explode(",",$record);
$recordLen = sizeof($recordArr);
if ($recordLen >= 3){
array_shift($recordArr);
session("Record",implode(",",$recordArr) . "," . $data["key"]);
return View::fetch("result",["res" => "There's nothing here"]);
}
}
session("Record",$record . "," . $data["key"]);
return View::fetch("result",["res" => "There's nothing here"]);
}else{
return View("search");
}
}
}
审计代码发现了 session:ThinkPhP6 会默认在 /runtime/session 创建一个 sess_xxxx 格式的 session 文件,这里的 xxxx 就是 PHPSESSID(32 位),而文件的内容就是 session 的内容,也就是 key 的内容。并且发现了:
if ($userId){
session("UID",$userId);
return redirect("/home/member/index");
}
这里把 uid 写入当前的 session 中,即我们本来构造的 PHPSESSID=1111111111111111111111111111.php 的 session 是没有 uid 的,没办法实现 search 功能,这里可以把 uid 赋给 session,即可以在搜索页面写入马(都要放包那里修改并且放包,这样才会上传马)
先是穿上 sessionid 为 1111111111111111111111111111.php
再是传马上去,路径为
http://0e4b69f8-bf90-4398-bf2d-d7fda1d4bbfd.node5.buuoj.cn:81/runtime/session/sess_1111111111111111111111111111.php
连上之后就用蚁剑连接;但是还有个 disable_function 绕过
获得 flag
