我正在构建一个故意容易受到LFI攻击的网站用于教学目的(类似于EventTarget)。这是我的代码:
通过CLI运行文件(/ etc / flags / challenge):
<?php
//This file must be located at /etc/flags/challenge
require_once('/var/www/html/class.sqlite.php');
require_once('/var/www/html/inc.func.php');
$dbuser = base64_decode($_COOKIE['loggedin']);
$sqlite = new sqlite("/var/www/html/db/$dbuser/challenge.db");
$flag = $sqlite->getflag($dbuser);
echo "The flag is $flag";
?>
主档案:
<html>
<head>
<title>Challenge</title>
</head>
<body>
<a href="index.php?file=home">Home</a> <a href="index.php?file=about">About</a>
<br>
<?php
if (array_key_exists('file', $_GET)) {
$shell = shell_exec('php ' . $_GET['file']);
echo $shell;
}
?>
<!--The flag is located at /etc/flags/challenge-->
</body>
</html>
目前,/etc/flags/challenge无法访问loggedin Cookie。允许/etc/flags/challenge访问该Cookie的最佳方式是什么?
答案 0 :(得分:0)
您可以在主脚本中读取cookie,然后将其作为命令行参数传递:
在主文件中:
添加$cookie = $_COOKIE['loggedin'];,然后将$shell = ...更改为$shell = shell_exec('php ' . $_GET['file'] . ' ' . $cookie);
在CLI文件中:
添加$cookie = $argv[1];
阅读this以获取有关PHP中命令行参数的更多信息