WooYun.org

YTU Online Judge，意外拿到的root权限，服务器IP **.**.**.**，22端口对外开放
看**.**.**.**/status.php是正在使用的系统，查了下mysql数据库jol.users注册用户数5457
扫描目录得到**.**.**.**/setlang.php~带了个小尾巴，访问得
<?php require_once("./include/db_info.inc.php");
require_once("./include/my_func.inc.php");
$newlang=strval($_GET['lang']);
if(is_valid_user_name($newlang)&&strlen($newlang)<3){
$_SESSION['OJ_LANG']=$newlang;
}
echo "<script language='javascript'>\n";
echo "history.go(-1);\n";
echo "</script>";

?>
然后访问上面代码中出现的**.**.**.**/include/db_info.inc.php~，得
<?php @session_start();
ini_set("display_errors","Off");
static $DB_HOST="localhost";
static $DB_NAME="jol";
static $DB_USER="root";
static $DB_PASS="!@#$112358lalala";
// connect db
static $OJ_NAME="HUSTOJ";
static $OJ_HOME="./";
static $OJ_ADMIN="root@localhost";
static $OJ_DATA="/home/judge/data";
static $OJ_BBS="discuss";//"bbs" for phpBB3 bridge or "discuss" for mini-forum
static $OJ_ONLINE=false;
static $OJ_LANG="en";
static $OJ_SIM=true;
static $OJ_DICT=true;
static $OJ_LANGMASK=4080; //1mC 2mCPP 4mPascal 8mJava 16mRuby 32mBash 1008 for security reason to mask all other language
static $OJ_EDITE_AREA=true;//true: syntax highlighting is active
static $OJ_AUTO_SHARE=false;//true: One can view all AC submit if he/she has ACed it onece.
static $OJ_CSS="hoj.css";
static $OJ_SAE=false; //using sina application engine
static $OJ_VCODE=true;
static $OJ_APPENDCODE=true;//是否启用自动添加代码，启用的话，提交时会参考$OJ_DATA对应目录里是否有append.c一类的文件，有的话会把其中代码附加到对应语言的答案之后，巧妙使用可以指定main函数而要求学生编写main部分调用的函数
static $OJ_MEMCACHE=false;
static $OJ_MEMSERVER="**.**.**.**";
static $OJ_MEMPORT=11211;
static $SAE_STORAGE_ROOT="http://**.**.**.**/";
static $OJ_TEMPLATE="bs";
if(isset($_GET['tp'])) $OJ_TEMPLATE=$_GET['tp'];
static $OJ_LOGIN_MOD="hustoj";
static $OJ_RANK_LOCK_PERCENT=1;
static $OJ_SHOW_DIFF=false; //显示错误信息
static $OJ_TEST_RUN=true;
static $OJ_OPENID_PWD = '8a367fe87b1e406ea8e94d7d508dcf01';
//Add by njt and sys on 2015.7.3
static $OJ_VIP_CONTEST=true;//true:only can see the source code of contest's problem;
static $OJ_LOCKIP=true; //锁定IP ,需配合$OJ_VIP_CONTEST同时使用
static $OJ_LOCKMAIL=true; //锁定mail ,需配合$OJ_VIP_CONTEST同时使用
static $OJ_CLOSE_WRONGMESSAGE= true; //关闭题目错误时的出错提示信息
static $OJ_TEST_RESET=false; //是否显示代码提交时的testrun 和 reset 按钮 ,false 显示
static $OJ_SIM_SHOW_VALUE=80; //BY LYH 2013.12.1 相似度显示阈值
static $OJ_SHOW_CONTEST_TIME =-12; //by lyh 2014.1.6 ,-12 表示显示一年以内的竟赛 -1 表示显示本年度的竞赛
/* weibo config here */
static $OJ_WEIBO_AUTH=false;
static $OJ_WEIBO_AKEY='1124518951';
static $OJ_WEIBO_ASEC='df709a1253ef8878548920718085e84b';
static $OJ_WEIBO_CBURL='**.**.**.**/JudgeOnline/login_weibo.php';
/* renren config here */
static $OJ_RR_AUTH=false;
static $OJ_RR_AKEY='d066ad780742404d85d0955ac05654df';
static $OJ_RR_ASEC='c4d2988cf5c149fabf8098f32f9b49ed';
static $OJ_RR_CBURL='**.**.**.**/JudgeOnline/login_renren.php';
/* qq config here */
static $OJ_QQ_AUTH=false;
static $OJ_QQ_AKEY='1124518951';
static $OJ_QQ_ASEC='df709a1253ef8878548920718085e84b';
static $OJ_QQ_CBURL='**.**.**.**';
//if(date('H')<5||date('H')>21||isset($_GET['dark'])) $OJ_CSS="dark.css";
if (isset($_SESSION['OJ_LANG'])) $OJ_LANG=$_SESSION['OJ_LANG'];
if($OJ_SAE) {
$OJ_DATA="saestor://data/";
// for **.**.**.**
mysql_connect(SAE_MYSQL_HOST_M.':'.SAE_MYSQL_PORT,SAE_MYSQL_USER,SAE_MYSQL_PASS);
$DB_NAME=SAE_MYSQL_DB;
}else{
//for normal install
if(!mysql_pconnect($DB_HOST,$DB_USER,$DB_PASS))
die('Could not connect: ' . mysql_error());
}
// use db
mysql_query("set names utf8");
//if(!$OJ_SAE)mysql_set_charset("utf8");

if(!mysql_select_db($DB_NAME))
die('Can\'t use foo : ' . mysql_error());
//sychronize php and mysql server
date_default_timezone_set("PRC");
mysql_query("SET time_zone ='+8:00'");

?>
用上面代码出现的mysql账户信息root/!@#$112358lalala登陆ssh，成功进入！