题目
文件泄露,得到两个文件:
index.php
<!DOCTYPE html>
<html>
<head>
<title>Just Upload!</title>
<meta charset="UTF-8">
<style>
.container {
display: flex;
flex-direction: row;
text-align: center;
height: 100vh;
}
.left {
flex: 1;
background-color: #f2f2f2;
padding: 20px;
}
.right {
flex: 1;
background-color: #e6e6e6;
padding: 20px;
}
</style>
</head>
<body>
<div class="container">
<div class="left">
<h1>文件探测</h1>
<hr><br>
<form action="index.php" method="get">
<label for="name">Filename:</label>
<input type="text" name="filename"><br><br>
<input type="submit" value="查询文件">
</form><br>
<?php
// File-probe handler for the "filename" query parameter. It sits above the upload form in
// index.php, so it executes before that form is rendered.
// E_ERROR has the value 1, so only fatal run-time errors are reported; warnings and notices
// are suppressed.
error_reporting(1);
// Pulls the class definitions from classes.php into this request.
include("classes.php");
if(isset($_GET['filename']))
{
// NOTE(review): the raw query-string value is handed straight to a filesystem function and the
// boolean result is discarded. PHP filesystem functions accept stream-wrapper URLs as well as
// plain paths, so an unvalidated value is not confined to local file names. A hardened version
// would reject anything that is not a bare name inside one expected directory before touching
// the filesystem.
file_exists($_GET['filename']);
// Nothing in this file catches the exception, so a request that carries `filename` stops here
// and the remainder of the page (including the upload form) is not rendered.
throw new Exception("Unfinished Function!");
}
?>
</div>
<div class="right">
<h1>文件上传</h1>
<hr><br>
<form action="index.php" method="post" enctype="multipart/form-data">
<input type="file" name="file"><br><br>
<input type="submit" value="上传文件">
</form><br>
<?php
// Upload handler: takes the multipart field named "file" and stores it under /tmp/.
// Allow-list of file-name extensions; the in_array() comparison below is case-sensitive.
$allowedExts = array("jpg", "png", "gif");
if(isset($_FILES["file"])){
// The extension is whatever follows the last "." in the client-supplied file name.
$temp = explode(".", $_FILES["file"]["name"]);
$extension = end($temp);
// NOTE(review): only the size (< 20000 bytes) and the name suffix are validated. The file
// content is never inspected, so the extension proves nothing about what the bytes are.
// in_array() is also called without its strict flag.
if (($_FILES["file"]["size"] < 20000) && in_array($extension, $allowedExts)) {
// The upload error code is examined only after the size/extension test has passed.
if ($_FILES["file"]["error"] > 0) {
echo "Error:" . $_FILES["file"]["error"] . "<br>";
} else {
// NOTE(review): this looks in the relative directory "tmp/" under the original name, while the
// file is stored in the absolute directory "/tmp/" under a hashed name, so the test never
// describes the real destination.
if (file_exists("tmp/" . $_FILES["file"]["name"])) {
// NOTE(review): the client-supplied name is written into the HTML response without
// htmlspecialchars().
echo $_FILES["file"]["name"] . " already exists. ";
} else {
// Stored name: md5 of a six-digit random_int() concatenated with the original name, followed
// by the original extension.
$filename = "/tmp/" . md5(random_int(100000,999999).$_FILES["file"]["name"]).".".$extension;
// NOTE(review): the return value is ignored, so the success message below is printed even if
// the move failed.
move_uploaded_file($_FILES["file"]["tmp_name"], $filename);
// NOTE(review): the absolute server-side path is returned to the client, so the random part of
// the name provides no secrecy. Returning an opaque identifier would keep the storage layout
// private.
echo "文件已上传至:" . $filename;
}
}
} else {
echo "非法文件!";
}
}
?>
</div>
</div>
</body>
</html>
以及classes.php
<?php
/**
 * Cursor-style helper exposing rewind()/next()/reset() over batches of data.
 *
 * NOTE(review): the class has no constructor or setter, so nothing in this listing assigns
 * $each, $value, $key or $query; fetchData() is called in next() but is not defined here.
 * NOTE(review): __destruct() does real work (it calls a method on $dataReader). Classes whose
 * destructor acts on a property are the usual sink for PHP object injection; a hardened version
 * would type the property and keep the destructor free of calls on caller-controlled state.
 */
class Base{
// Object whose close() method is invoked by reset(); never type-checked.
public $dataReader;
// When truthy, next() walks the current batch element by element.
private $each;
// Current element (each mode) or current batch (batch mode).
private $value;
// Key paired with $value.
private $key;
// Object read for its indexBy property in next().
private $query;
// Most recently fetched batch; null until the first fetch.
public $batch;
/**
 * Closes the reader via reset(), then advances to the first element via next().
 */
public function rewind()
{
$this->reset();
$this->next();
}
/**
 * Advances the cursor, fetching a new batch when needed, and updates $value and $key.
 */
public function next()
{
// && binds tighter than ||: a new batch is fetched when none is loaded yet, when not in each
// mode, or when in each mode and advancing the array pointer returned false.
if ($this->batch === null || !$this->each || $this->each && next($this->batch) === false) {
$this->batch = $this->fetchData();
reset($this->batch);
}
if ($this->each) {
$this->value = current($this->batch);
// With indexBy set the batch's own key is kept; otherwise a running counter starting at 0 is
// used, and the key becomes null once the batch has no current element.
if ($this->query->indexBy !== null) {
$this->key = key($this->batch);
} elseif (key($this->batch) !== null) {
$this->key = $this->key === null ? 0 : $this->key + 1;
} else {
$this->key = null;
}
} else {
// Batch mode: the whole batch is the value and the key counts batches from 0.
$this->value = $this->batch;
$this->key = $this->key === null ? 0 : $this->key + 1;
}
}
/**
 * Calls close() on $dataReader when one is set.
 */
public function reset()
{
// NOTE(review): any non-null value is accepted here; there is no instanceof or method_exists
// check before the call.
if($this->dataReader !== null) {
$this->dataReader->close();
}
}
/**
 * Runs reset() when the object is destroyed.
 */
public function __destruct()
{
$this->reset();
}
}
/**
 * Stream-like object whose methods each forward to a callable held in a property.
 *
 * NOTE(review): none of the methods checks that the property is a Closure or even callable
 * before passing it to call_user_func(), so whoever controls the object's state decides what
 * gets executed. A hardened version would accept only \Closure values through a constructor and
 * refuse to be unserialized.
 */
class Stream{
// Callable invoked by close(); public, so any code can assign it. Note the property is named
// "closes" while the method is "close".
public $closes;
// Callables invoked by the methods of the same name; not assigned anywhere in this listing.
private $getMetadata;
private $getContents;
private $read;
private $isReadable;
/**
 * Returns the result of calling the $isReadable callable with no arguments.
 */
public function isReadable()
{
return call_user_func($this->isReadable);
}
/**
 * Returns the result of calling the $read callable with $length.
 */
public function read($length)
{
return call_user_func($this->read, $length);
}
/**
 * Returns the result of calling the $getContents callable with no arguments.
 */
public function getContents()
{
return call_user_func($this->getContents);
}
/**
 * Returns the result of calling the $getMetadata callable with $key (null by default).
 */
public function getMetadata($key = null)
{
return call_user_func($this->getMetadata, $key);
}
/**
 * Returns the result of calling the public $closes callable with no arguments.
 */
public function close()
{
return call_user_func($this->closes);
}
}
/**
 * Holds a class name together with PHP source text and can declare that class on demand.
 *
 * NOTE(review): generate() passes a public string property to eval(). Any code path that lets
 * untrusted data reach $classCode executes that data as PHP with the privileges of the script.
 * This belongs in test tooling only and should not be loadable in a web-facing request.
 */
class Mock{
// Name of the class that $classCode is expected to declare; also the return value of generate().
public $mockName;
// PHP source text evaluated by generate().
public $classCode;
/**
 * Evaluates $classCode unless a class named $mockName is already declared, then returns
 * $mockName.
 */
public function generate(){
// The second argument false disables autoloading, so only classes already declared in this
// request count as existing.
if(!class_exists($this->mockName, false)){
eval($this->classCode);
}
return $this->mockName;
}
/**
 * Returns the stored source text without evaluating it.
 */
public function getClassCode()
{
return $this->classCode;
}
}
我们的目标是通过文件上传入口,得到靶机的控制权限