Injection point discovered:
http://www.xxx.com/xx.php?id=xxxx
Ran sqlmap straight at it and dumped the database, found the admin table, and the admin password shown there is admin. I was so happy that it was not encrypted. But the twists and turns were still ahead! Finding the management back end was easy; I went straight in with admin. But it says the password is incorrect. Why??
Looked at the database again and dumped it again; the account and password still come out as admin (and in fact that is what they are). So look at the source of the login page instead: the injection point leaks the path and lets you read file contents, so read login.php directly.
The content is as follows:
<?
$filename = "password.txt";                 // the password lives in a plain text file inside the web root
$fd = fopen($filename, "r");
$contents = fread($fd, filesize($filename));
fclose($fd);
// $T1 / $T2 are the submitted user name and password; they are never defined here,
// the old register_globals behaviour supplies them from the request.
if ($T1 == "admin") {
    if ($T2 == $contents) {
        setcookie("ad", "$T1");             // "logged in" state is a client-side cookie holding the user name
        header("location: editor/edit_index.php");
    } else {
?>
<script language="javascript">
alert("Incorrect password");
window.history.back();
</script>
<?
    }
} else {
?>
<script language="javascript">
alert("User Name error");
window.history.back();
</script>
<?
}
?>
See it!!! At that moment I was stuck........ No wonder the password could not be found.
Put password.txt after the domain name and there is the password.
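For contrast, here is a hardened version of that login. It is an added example, not code from the site in the writeup. It assumes PHP 7+, that a hash of the admin password was generated once with password_hash() and stored in /var/app/secrets/admin.hash outside the document root (that path is an assumption), and that the form still posts the fields T1 and T2.

```php
<?php
// Added example, not the site's code. Assumes PHP 7+, the form fields T1 / T2 from the page,
// and a password_hash() output stored at HASH_FILE outside the web root (assumed path).
declare(strict_types=1);
session_start();

const ADMIN_USER = 'admin';
// Outside the document root, so it can never be fetched as http://host/password.txt
const HASH_FILE  = '/var/app/secrets/admin.hash';

// Reads the stored hash, or null if the file is missing or unreadable.
function load_hash(string $path): ?string
{
    $h = @file_get_contents($path);
    return $h === false ? null : trim($h);
}

// True only if both the user name and the password check out.
function check_login(string $user, string $pass, string $hash): bool
{
    $userOk = hash_equals(ADMIN_USER, $user);   // constant-time string comparison
    $passOk = password_verify($pass, $hash);    // bcrypt/argon2 verification, not a plain "=="
    return $userOk && $passOk;                  // both are always evaluated: timing reveals nothing
}

$user = (string) ($_POST['T1'] ?? '');
$pass = (string) ($_POST['T2'] ?? '');
$hash = load_hash(HASH_FILE);

if ($hash !== null && check_login($user, $pass, $hash)) {
    session_regenerate_id(true);        // fresh session id on privilege change
    $_SESSION['admin'] = true;          // server-side flag instead of a client cookie "ad=admin"
    header('Location: editor/edit_index.php');
    exit;
}

// One generic message: the client is not told whether the user name or the password was wrong.
http_response_code(401);
echo 'Login failed.';
```

The pages behind the login (editor/edit_index.php and friends) then have to check $_SESSION['admin'] rather than the presence of a cookie, otherwise the rest of the fix is moot.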
Logged in to the back end and found three upload points. The first is eweb3.8 (gave up on it straight away); the second is locked down hard, no kind of trickery gets past it. The third upload point is the useful one: uploaded d.php directly and it reports that the upload succeeded. The upload succeeded, but the path cannot be found.. Dizzy.........
Look for where the uploaded image ends up. The PHP code is as follows:
<?
if ($_FILES['sytp']['name'] != "none" && $_FILES['sytp']['name'] != "") { // is there an uploaded file at all?
    $thistype = $_FILES['sytp']['type'];   // the Content-Type the client sent, copied into $thistype
    // echo time() . $_FILES['sytp']['name'];
    // exit;
    // "is it a type I want?" -- decided purely on the header the client chose
    if ("image/pjpeg" == $thistype or "application/x-shockwave-flash" == $thistype or "image/gif" == $thistype) {
        // time() is prepended to tell apart two files uploaded in the same second;
        // the original file name, extension included, is kept as-is
        $file_name = "shouyetupian/" . time() . $_FILES['sytp']['name'];
        include("../connect.php");         // database connection from connect.php
        $sql = "select count(*) from shangchuantu";
        $result = mysql_query($sql, $db);
        $jie = mysql_fetch_row($result);
        $zhong = $jie[0];
        if ($zhong < 5) {
            $sql1 = "select max(paixu) from shangchuantu";
            $result1 = mysql_query($sql1, $db);
            $jie1 = mysql_fetch_row($result1);
            $zhong1 = $jie1[0];
            $zhong1 = $zhong1 + 1;
            // $_POST['url'] is concatenated straight into the statement, unescaped
            $query = "insert into shangchuantu values ('', '$file_name', '" . $_POST['url'] . "', '', '$zhong1')";
            mysql_query($query, $db);
            // move the file from the temporary upload directory to $file_name
            if (!move_uploaded_file($_FILES['sytp']['tmp_name'], $file_name)) {
?>
<script language="javascript">
alert("File Upload Failed. Please try again later");
window.history.back();
</script>
<?
            } else { // upload successful; note that $file_name is never shown to the client
?>
<script language="javascript">
alert("File Uploaded successfully!");
location.href = "shanchuantu.php";
</script>
<?
            }
        } else {
?>
<script language="javascript">
alert("no more than five images");
window.history.back();
</script>
<?
        }
    } else { // the type is not one of the accepted ones
?>
<script language="javascript">
alert("File Upload Failed. Please try again later");
window.history.back();
</script>
<?
    }
} else {
?>
<script language="javascript">
alert("Select Upload image");
window.history.back();
</script>
<?
}
?>
The key is how $file_name is formed:
$file_name = "shouyetupian/" . time() . $_FILES['sytp']['name'];
time()
returns the number of seconds from the Unix epoch (00:00:00 GMT, January 1, 1970) to the current time.
For example, if you upload a file named d.php, the file name after the upload is: <current time>d.php
The code shows that the uploaded file name is not returned to the client.
Set up a PHP server locally that echoes time().
Before uploading, access the local server
http://www.bkjia.com/time.php
Returned time: 1345279425
At this point, quickly upload the image to the target website, and upload a few more, you know how it is.
After the upload is complete, access http://127.0.0.1/time.php
Note the time: 1345279475
The difference is 50 seconds. That is to say, the uploaded file name lies somewhere in 1345279425d.php -- 1345279475d.php.
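The weakness is that the name is a function of the clock and of what the client sent. Below is a hardened replacement for the upload handler above, added here as an example and not the site's code. It keeps the page's field name sytp, the table shangchuantu and the five-image limit; the storage directory /var/app/uploads outside the web root, the size limit, PHP 7.1+ with the fileinfo extension, and a PDO connection $db provided by ../connect.php are assumptions.

```php
<?php
// Added example, not the site's code. Field name 'sytp', table 'shangchuantu' and the
// five-image limit are from the page; UPLOAD_DIR (outside the web root), MAX_BYTES and a
// PDO connection $db created in ../connect.php are assumptions. Needs PHP 7.1+ with fileinfo.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // not under the document root: nothing here has a URL
const MAX_FILES  = 5;
const MAX_BYTES  = 2 * 1024 * 1024;
// What the bytes may be, decided by finfo, never by the Content-Type the client sent.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/gif' => 'gif', 'image/png' => 'png'];

// Returns [true, extension] for an acceptable image, [false, message] otherwise.
function validate_upload(array $f): array
{
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'Select an image to upload'];
    }
    if ($f['size'] > MAX_BYTES || !is_uploaded_file($f['tmp_name'])) {
        return [false, 'File rejected'];
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if (!array_key_exists($mime, ALLOWED) || getimagesize($f['tmp_name']) === false) {
        return [false, 'File rejected'];   // one message for every content failure
    }
    return [true, ALLOWED[$mime]];
}

// 128 random bits plus a server-chosen extension: neither time() nor the client's
// file name (or its .php extension) survives, so there is no window to enumerate.
function random_name(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Stores the upload and records it; returns the message to show the user.
function store_upload(PDO $db, array $f, string $url): string
{
    [$ok, $info] = validate_upload($f);
    if (!$ok) {
        return $info;
    }
    $count = (int) $db->query('SELECT COUNT(*) FROM shangchuantu')->fetchColumn();
    if ($count >= MAX_FILES) {
        return 'No more than five images';
    }
    $name = random_name($info);
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        return 'File upload failed, please try again later';
    }
    chmod($dest, 0640);   // readable by the application, never executable
    $next = (int) $db->query('SELECT COALESCE(MAX(paixu), 0) FROM shangchuantu')->fetchColumn() + 1;
    // Same positional INSERT as the original, but with bound parameters:
    // $_POST['url'] is data, not part of the statement text.
    $stmt = $db->prepare("INSERT INTO shangchuantu VALUES ('', ?, ?, '', ?)");
    $stmt->execute([$name, $url, $next]);
    return 'File uploaded successfully';
}

require __DIR__ . '/../connect.php';   // assumed to create $db as a PDO instance
$msg = store_upload($db, $_FILES['sytp'] ?? [], (string) ($_POST['url'] ?? ''));
header('Content-Type: text/plain; charset=utf-8');
echo $msg;   // plain text, not echoed into an inline <script>; the stored path is still never revealed
```

Three things change relative to the original: the type decision comes from the bytes (finfo plus getimagesize) rather than the client's Content-Type; the stored name is random with a server-chosen extension, so the 50-second window above has nothing to enumerate and a .php name can never be written; and the INSERT is a prepared statement. Independently of the code, the directory that serves uploaded images should have script execution switched off in the web server configuration, so that even a misplaced file cannot run.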
... Okay, start guessing.........................
Guessing and guessing..... Hit it......
Kitchen Knife connected, success!!!!!!!!!
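Seen from the server side, the guessing phase leaves a clear trace. The following is an added detection example (not from the post) that scans access-log lines in the Apache/nginx combined format for two signals: a burst of 404s on time()-prefixed names under shouyetupian/ from one client, and any script under that directory answering with a success status. The log lines are constructed samples; the thresholds are assumptions.

```php
<?php
// Added example, not from the original post. Assumes PHP 7+ and access logs in the
// Apache/nginx "combined" format. The directory name shouyetupian/ is from the page;
// the sample lines below are constructed, and the thresholds are assumptions.
declare(strict_types=1);

const UPLOAD_PREFIX   = '/shouyetupian/';
const PROBE_THRESHOLD = 5;    // distinct guessed names from one client within the window
const WINDOW_SECONDS  = 60;

// Constructed sample: one client walks the time()-prefixed names, then reaches its file.
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [18/Aug/2012:08:44:10 +0000] "GET /shouyetupian/1345279425d.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Aug/2012:08:44:10 +0000] "GET /shouyetupian/1345279426d.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Aug/2012:08:44:11 +0000] "GET /shouyetupian/1345279427d.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Aug/2012:08:44:11 +0000] "GET /shouyetupian/1345279428d.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Aug/2012:08:44:12 +0000] "GET /shouyetupian/1345279429d.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Aug/2012:08:44:12 +0000] "GET /shouyetupian/1345279430d.php HTTP/1.1" 200 14 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Aug/2012:08:44:30 +0000] "POST /shouyetupian/1345279430d.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Aug/2012:08:45:01 +0000] "GET /shouyetupian/1345270000banner.jpg HTTP/1.1" 200 8731 "-" "Mozilla/5.0"
LOG;

const LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';

// Parse one combined-format line into the fields the rules need, or null if it does not match.
function parse_line(string $line): ?array
{
    if (!preg_match(LINE_RE, $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    $path = parse_url($m[4], PHP_URL_PATH);
    return [
        'ip'     => $m[1],
        'time'   => $ts->getTimestamp(),
        'method' => $m[3],
        'path'   => is_string($path) ? $path : $m[4],
        'status' => (int) $m[5],
    ];
}

// Returns the list of alert strings for the given log text.
function analyse(string $log): array
{
    $alerts = [];
    $probes = [];   // ip => list of [timestamp, guessed name]
    foreach (explode("\n", trim($log)) as $line) {
        $r = parse_line($line);
        if ($r === null || strpos($r['path'], UPLOAD_PREFIX) !== 0) {
            continue;
        }
        $name = substr($r['path'], strlen(UPLOAD_PREFIX));
        // Rule 1: a script being served from the image directory is a compromise, not a guess.
        if ($r['status'] < 400 && preg_match('/\.ph(p\d?|tml|ar)$/i', $name)) {
            $alerts[] = sprintf('%s executed %s (%s -> %d)', $r['ip'], $name, $r['method'], $r['status']);
        }
        // Rule 2: misses on time()-prefixed names feed the enumeration check below.
        if ($r['status'] === 404 && preg_match('/^\d{10}/', $name)) {
            $probes[$r['ip']][] = [$r['time'], $name];
        }
    }
    foreach ($probes as $ip => $hits) {
        usort($hits, function (array $a, array $b): int { return $a[0] <=> $b[0]; });
        $n = count($hits);
        for ($i = 0; $i < $n; $i++) {
            $names = [];
            for ($j = $i; $j < $n && $hits[$j][0] - $hits[$i][0] <= WINDOW_SECONDS; $j++) {
                $names[$hits[$j][1]] = true;
            }
            if (count($names) >= PROBE_THRESHOLD) {
                $alerts[] = sprintf('%s probed %d distinct time()-prefixed names within %d s',
                                    $ip, count($names), WINDOW_SECONDS);
                break;   // one alert per client
            }
        }
    }
    return $alerts;
}

foreach (analyse(SAMPLE_LOG) as $alert) {
    echo $alert, PHP_EOL;
}
```

On the sample, rule 1 fires twice for 203.0.113.7 (the GET and the POST to 1345279430d.php) and rule 2 fires once for its five 404s in two seconds; the legitimate image request from 198.51.100.4 matches neither. Rule 1 is the one to page on: with script execution disabled for the image directory it should never fire at all, so a hit means the configuration has drifted.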