CISCN final
Open the page
Scan the directories
Robots.txt
Config.txt
Code audit
<?php
class master
{
    private $path;
    private $name;

    function __construct()
    {
    }

    // Entry point for every master:// URL: master://<action>/path=...&name=...
    function stream_open($path)
    {
        // Offset 9 skips the "master://" prefix
        if (!preg_match('/(.*)\/(.*)$/s', $path, $array, 0, 9))
            return 1;
        $a = $array[1];
        parse_str($array[2], $array);
        if (isset($array['path'])) {
            $this->path = $array['path'];
        } else
            return 1;
        if (isset($array['name'])) {
            $this->name = $array['name'];
        } else
            return 1;
        if ($a === 'upload') {
            return $this->upload($this->path, $this->name);
        } elseif ($a === 'search') {
            return $this->search($this->path, $this->name);
        } else
            return 1;
    }

    function upload($path, $name)
    {
        if (!preg_match('/^uploads\/[a-z]{10}\/$/is', $path) || empty($_FILES[$name]['tmp_name']))
            return 1;
        // The client-supplied file name is used as-is
        $filename = $_FILES[$name]['name'];
        echo $filename;
        $file = file_get_contents($_FILES[$name]['tmp_name']);
        // Content filter: these characters are replaced with '!'
        $file = str_replace('<', '!', $file);
        $file = str_replace(urldecode('%03'), '!', $file);
        $file = str_replace('"', '!', $file);
        $file = str_replace("'", '!', $file);
        $file = str_replace('.', '!', $file);
        if (preg_match('/file:|http|pre|etc/is', $file)) {
            echo 'illegalbbbbbb!';
            return 1;
        }
        file_put_contents($path.$filename, $file);
        file_put_contents($path.'user.jpg', $file);
        echo 'upload success!';
        return 1;
    }

    // Lists the entries of $path whose name contains $name
    function search($path, $name)
    {
        if (!is_dir($path)) {
            echo 'illegal!';
            return 1;
        }
        $files = scandir($path);
        echo '</br>';
        foreach ($files as $k => $v) {
            if (str_ireplace($name, '', $v) !== $v) {
                echo $v.'</br>';
            }
        }
        return 1;
    }

    function stream_eof()
    {
        return true;
    }

    function stream_read()
    {
        return '';
    }

    function stream_stat()
    {
        return '';
    }
}

stream_wrapper_unregister('php');
stream_wrapper_unregister('phar');
stream_wrapper_unregister('zip');
stream_wrapper_register('master', 'master');
?>
Also found sql.txt
It gives the database names, table names, column names and field names
Access User.php
Found a file upload point
Found that the access level is too low
Probably a high-score account is needed
Later I noticed that the registration page has a reference field; I tried it, and registering a new account gives 10 points
Once the account reaches one hundred points, it can upload files
Upload an image webshell (a "picture horse")
The upload failed, so look back at the code in config.php
Angle brackets are filtered here, so even if the code uploads successfully, it cannot execute
The code is replaced
A PHP webshell cannot be uploaded, but while trying I found that a .htaccess file can be uploaded, which means we can include files
Introductions to .htaccess are here
Links:
https://www.cnblogs.com/adforce/archive/2012/11/23/2784664.html
https://blog.csdn.net/cmzhuang/article/details/53537591
I really could not work out the rest, so I had to fall back on the writeup (WP)
Explained in more detail, it roughly means that files can be searched by constructing an include through the master protocol; once the include succeeds, the result is mapped into test.php
Construct:
php_value auto_append_file master://search/path={}&name={}
The writeup mentions encoding the forward slashes when passing them in; I tried it and it did not work, for an unknown reason
Encode it:
php_value auto_append_file master://search/path=%2fhome%2f&name=flag
Then put this inside .htaccess and upload it
Access 1.php
Include it directly
php_value auto_append_file /home/hiahiahia_flag
Got the flag
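
Added example, not part of the original writeup or the challenge code: it replays the parsing steps of stream_open() from the code audit on the raw and the slash-encoded master:// values, to show how the greedy regex and parse_str() treat slashes inside path. The helper name parse_master_url is an assumption made for this illustration.

```php
<?php
// Added illustration: same regex, offset and check order as master::stream_open().
// parse_master_url() is a hypothetical helper, not part of the challenge.
function parse_master_url(string $url): array
{
    // Offset 9 skips the "master://" prefix, exactly as in the audited code.
    if (!preg_match('/(.*)\/(.*)$/s', $url, $m, 0, 9)) {
        return ['ok' => false, 'reason' => 'no slash after the scheme'];
    }
    $action = $m[1];            // greedy (.*) runs up to the LAST slash in the URL
    parse_str($m[2], $query);   // parse_str() URL-decodes each value (%2f becomes /)

    if (!isset($query['path'])) {
        return ['ok' => false, 'action' => $action, 'reason' => 'path missing'];
    }
    if (!isset($query['name'])) {
        return ['ok' => false, 'action' => $action, 'reason' => 'name missing'];
    }
    if ($action !== 'upload' && $action !== 'search') {
        return ['ok' => false, 'action' => $action, 'reason' => 'unknown action'];
    }
    return ['ok' => true, 'action' => $action,
            'path' => $query['path'], 'name' => $query['name']];
}

// The two values from this page: slashes left raw, then slashes encoded as %2f.
$samples = [
    'master://search/path=/home/&name=flag',
    'master://search/path=%2fhome%2f&name=flag',
];

foreach ($samples as $url) {
    $result = parse_master_url($url);
    echo $url, "\n  ", json_encode($result, JSON_UNESCAPED_SLASHES), "\n";
}
```

With raw slashes the first capture group swallows everything up to the last slash, so the action is no longer the bare word search and the path parameter ends up outside the query string; with %2f the only literal slash is the one after the action.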