From 737b91c9d6a79dc31be804699f1466967f5bd653 Mon Sep 17 00:00:00 2001
From: k4l0ng <bigder.ding@gmail.com>
Date: Sun, 30 Oct 2016 22:31:44 +0800
Subject: [PATCH] LFI boom CTFs Web

---
 LFI与CTF那点私密事儿.md |  84 ++++++
 data/index.php          |  10 +
 filter/index.php        |  16 ++
 filter/show.php         |   1 +
 input/index.html        |  38 +++
 input/index.php         |  14 +
 input/index.php.bak     |  14 +
 phar1/include.php       |  18 ++
 phar1/index.html        | 606 ++++++++++++++++++++++++++++++++++++++++
 phar1/upload.php        |  25 ++
 phar1/upload/1.jpg      | Bin 0 -> 188 bytes
 phar2/flag.txt          |   1 +
 phar2/index.php         |  52 ++++
 13 files changed, 879 insertions(+)
 create mode 100644 LFI与CTF那点私密事儿.md
 create mode 100644 data/index.php
 create mode 100644 filter/index.php
 create mode 100644 filter/show.php
 create mode 100644 input/index.html
 create mode 100644 input/index.php
 create mode 100644 input/index.php.bak
 create mode 100644 phar1/include.php
 create mode 100644 phar1/index.html
 create mode 100644 phar1/upload.php
 create mode 100644 phar1/upload/1.jpg
 create mode 100644 phar2/flag.txt
 create mode 100644 phar2/index.php

diff --git a/LFI与CTF那点私密事儿.md b/LFI与CTF那点私密事儿.md
new file mode 100644
index 0000000..bf4d8c0
--- /dev/null
+++ b/LFI与CTF那点私密事儿.md
@@ -0,0 +1,84 @@
+#LFI（Local File Include）漏洞
+###漏洞简介
+
+下面是纯bb，了解过的跳过这部分；
+
+解释：能够打开并包含`本地`文件的漏洞；
+
+这里区别一下RFI，远程文件包含漏洞；
+
+意义：文件包含漏洞是"代码注入"的一种，包含即执行，可干的坏事可想而知，看i春秋总结的危害有如下几种：
+
+1. PHP包含漏洞结合上传漏洞；
+2. PHP包含读文件；
+3. PHP包含写文件；
+4. PHP包含日志文件；
+5. PHP截断包含；
+6. PHP内置伪协议利用。
+
+PHP中文件包含函数有以下四种：
+
+1. require
+2. require_once
+3. include
+4. include_once
+
+include和require区别主要是，include在包含的过程中如果出现错误，会抛出一个警告，程序继续正常运行；而require函数出现错误的时候，会直接报错并退出程序的执行。而include\_once(),require_once()这两个函数，与前两个的不同之处在于
+这两个函数只包含一次，适用于在脚本执行期间同一个文件有可能被包括超过一次的情况下，你想确保它只被包括一次以避免函数重定义，变量重新赋值等问题。
+
+当使用这4个函数包含一个新的文件时，该文件将作为PHP代码执行，PHP的内核并不会在意被包含的文件是什么类型。即你可以上传一个含shell的txt或jpg文件，包含它会被当作PHP代码执行（图马）。
+
+###这个玩意儿与CTF的渊源
+1. php://伪协议 >> 访问各个输入/输出流；
+	- php://filter 
+		- 解释：php://filter是一种元封装器，设计用于"数据流打开"时的"筛选过滤"应用，对本地磁盘文件进行读写。简单来讲就是可以在执行代码前将代码换个方式读取出来，只是`读取`，`不需要`开启allow_url_include； 
+		- 用法：?file=php://filter/convert.base64-encode/resource=xxx.php
+		- ?file=php://filter/read=convert.base64-encode/resource=xxx.php 一样
+		- 例子：
+			- [http://4.chinalover.sinaapp.com/web7/index.php](http://4.chinalover.sinaapp.com/web7/index.php)
+			- nctf{edulcni_elif_lacol_si_siht}
+			- 本地：filter文件夹
+	- php://input 
+		- 解释：上面filter既然能读文件，肯定还能写文件，这就可以利用input将数据POST过去，即php://input是用来接收post数据的；
+		- 用法：?file=php://input  数据POST过去
+		- 注意：
+			- 需要allow\_url_include=On（PHP < 5.30）；
+		- 例子：
+			- 碰到file\_get_contents()就要想到用php://input绕过，具体函数意义下一项；
+			- [http://ctf4.shiyanbar.com/web/9](http://ctf4.shiyanbar.com/web/9)
+			- 并且可以用data伪协议来绕过；
+			- 由于这个题由于存在extract()函数，存在变量覆盖漏洞；直接?flag=1&shiyan=即可
+			- 本地：input文件夹
+			- 2016华山杯有一道，本地data文件夹，可以利用data流；
+2. data://伪协议 >> 数据流封装器，和php://相似都是利用了流的概念，将原本的include的文件流重定向到了用户可控制的输入流中，简单来说就是执行文件的包含方法包含了你的输入流，通过你输入payload来实现目的；
+	- data://text/plain 
+		- 解释：
+		- 用法：?file=data://text/plain;base64,base64编码的payload
+		- 注意：
+			- `<?php phpinfo();`,这类执行代码最后没有?>闭合；
+			- 需要allow\_url_include=On（PHP < 5.30）；
+		- 例子： 
+			- 和php伪协议的input类似，碰到file\_get_contents()来用；
+			- 本地：data文件夹
+3. phar://伪协议 >> 数据流包装器，自 PHP 5.3.0 起开始有效，正好契合上面两个伪协议的利用条件。说通俗点就是php解压缩包的一个函数，解压的压缩包与后缀无关。
+	- phar://
+		- 用法：?file=phar://压缩包/内部文件
+		- 注意：
+			- PHP版本需大于等于 5.3；
+			- 压缩包需要是zip协议压缩，rar不行，tar等格式待测；
+			- 利用url的压缩包后缀可以是任意后缀；
+		- 例子：
+			- 本地：phar1文件（SWPU2016，限制上传类型）
+			- 本地：phar2文件（限制上传类型，上传重命名）
+
+###函数解释
+
+1. file\_get_contents()：这个函数就是把一个文件里面的东西 （字符）全部return出来。可以放一个变量里面，也就是字符串变量了，也可以字符串直接echo。相当于fopen,fread,fclose的组合。
+2. include()：（就是require,reqiuire_once,include_require这一类）include是针对文档的代码结构的。也就是说，include进来，成了这个文件的其中一部分源代码。
+3. include把导入的字符串当成当前文件的代码结构，而file_get_contents只是返回字符串。这是两个最大的不同。关于字符串执行的问题，file_get_contents返回的字符串失去了被执行的能力，哪怕字符串里面有<?php ?>，一样能拿出来但不执行。而include导入的字符串，如果被导入的文件有<?php，那就成为php代码的一部分。如果没有<?php，只是把它当做源文件<?php ?>外的一部分。
+
+###参考博文：
+1. [http://www.cnblogs.com/LittleHann/p/3665062.html](http://www.cnblogs.com/LittleHann/p/3665062.html)
+2. [http://www.cnblogs.com/iamstudy/articles/include_file.html](http://www.cnblogs.com/iamstudy/articles/include_file.html)
+3. [http://mp.weixin.qq.com/s?__biz=MzAwMTUyMjQ5OA==&mid=2650963079&idx=1&sn=cf0e9c60a68ea7e272e8ad77e6816ebe&scene=1&srcid=0824QF8DtX5jg5FSnZlQlLHR#rd](http://mp.weixin.qq.com/s?__biz=MzAwMTUyMjQ5OA==&mid=2650963079&idx=1&sn=cf0e9c60a68ea7e272e8ad77e6816ebe&scene=1&srcid=0824QF8DtX5jg5FSnZlQlLHR#rd)
+4. [http://www.91ri.org/13363.html](http://www.91ri.org/13363.html)
\ No newline at end of file
diff --git a/data/index.php b/data/index.php
new file mode 100644
index 0000000..f30aee5
--- /dev/null
+++ b/data/index.php
@@ -0,0 +1,10 @@
+<?php
+$user=$_GET['user'];
+#echo $user;
+if(isset($user)&&(file_get_contents($user,'r')==='the user is admin')){
+    echo "flag{xxxxxxxxxxxxx}";
+}
+else{
+    echo "you are not admin ! ";
+}
+?>
diff --git a/filter/index.php b/filter/index.php
new file mode 100644
index 0000000..e8bb8fd
--- /dev/null
+++ b/filter/index.php
@@ -0,0 +1,16 @@
+<html>
+    <title>asdf</title>
+    
+<?php
+	error_reporting(0);
+	if(!$_GET[file]){echo '<a href="./index.php?file=show.php">click me? no</a>';}
+	$file=$_GET['file'];
+	if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
+		echo "Oh no!";
+		exit();
+	}
+	include($file); 
+//flag:nctf{edulcni_elif_lacol_si_siht}
+
+?>
+</html>
\ No newline at end of file
diff --git a/filter/show.php b/filter/show.php
new file mode 100644
index 0000000..4f1bd33
--- /dev/null
+++ b/filter/show.php
@@ -0,0 +1 @@
+test5
\ No newline at end of file
diff --git a/input/index.html b/input/index.html
new file mode 100644
index 0000000..58ca197
--- /dev/null
+++ b/input/index.html
@@ -0,0 +1,38 @@
+<html>
+<head>
+<meta charset="utf-8">
+<title>404</title>
+</head>
+<body bgcolor="white">
+<center><h1>404 Not Found</h1></center>
+<hr><center>nginx</center>
+<script language="javascript">
+
+<!--
+if (window.Event)
+document.captureEvents(Event.MOUSEUP);
+function nocontextmenu(){
+event.cancelBubble = true
+event.returnValue = false;
+return false;
+}
+function norightclick(e){
+if (window.Event){
+if (e.which == 2 || e.which == 3){
+alert('禁止查看源代码!');
+return false;}
+}
+else
+if (event.button == 2 || event.button == 3){
+event.cancelBubble = true
+event.returnValue = false;
+return false;
+}
+}
+document.oncontextmenu = nocontextmenu; // for IE5+
+document.onmousedown = norightclick; // for all others
+//-->
+</script>
+<!-- 粗心的程序员，写完代码也不删。-->
+</body>
+</html>
\ No newline at end of file
diff --git a/input/index.php b/input/index.php
new file mode 100644
index 0000000..56785ef
--- /dev/null
+++ b/input/index.php
@@ -0,0 +1,14 @@
+<html>
+    <title>asdf</title>
+<?php
+$flag='php://input';     
+extract($_GET);     
+if(isset($shiyan)){        
+    $content=trim(file_get_contents($flag));
+    if($shiyan==$content){ 
+       echo'flag{php://input}';     }
+     else{       
+       echo'Oh.no';}   
+     }
+?>
+</html>
diff --git a/input/index.php.bak b/input/index.php.bak
new file mode 100644
index 0000000..f01ba9f
--- /dev/null
+++ b/input/index.php.bak
@@ -0,0 +1,14 @@
+<html>
+    <title>asdf</title>
+<?php
+$flag='xxx';     
+extract($_GET);     
+if(isset($shiyan)){        
+    $content=trim(file_get_contents($flag));
+    if($shiyan==$content){ 
+       echo'ctf{xxx}';     }
+     else{       
+       echo'Oh.no';}   
+     }
+?>
+</html>
\ No newline at end of file
diff --git a/phar1/include.php b/phar1/include.php
new file mode 100644
index 0000000..3f59978
--- /dev/null
+++ b/phar1/include.php
@@ -0,0 +1,18 @@
+<html>
+Tips: the parameter is file! :) 
+<!-- upload.php -->
+</html>
+<?php
+    @$file = $_GET["file"];
+    if(isset($file))
+    {
+        if (preg_match('/http|data|ftp|input|%00/i', $file) || strstr($file,"..") !== FALSE || strlen($file)>=70)
+        {
+            echo "<p> error! </p>";
+        }
+        else
+        {
+            include($file.'.php');
+        }
+    }
+?>
diff --git a/phar1/index.html b/phar1/index.html
new file mode 100644
index 0000000..c01bb19
--- /dev/null
+++ b/phar1/index.html
@@ -0,0 +1,606 @@
+<HTML> 
+<HEAD> 
+<meta charset="utf-8" />
+<TITLE>Pentest</TITLE> 
+<BGSOUND balance=0 src="http://www.cnhonkerarmy.com/indeximages/chinahonker0.mid" volume=0 loop=20> 
+<STYLE type=text/css> 
+body{ 
+scrollbar-shadow-color:#FFFFFF; 
+scrollbar-highlight-color:#FFFFFF; 
+scrollbar-3dlight-color: #000000; 
+scrollbar-darkshadow-color:#000000; 
+scrollbar-arrow-color:#FFFFFF; 
+scrollbar-base-color: #000000; 
+scrollbar-track-color: #000000; 
+overflow-y:auto; } 
+<!-- 
+
+body{ 
+CURSOR: url('http://www.ay001.com/admin/2.cur'); 
+background-color: #000000; 
+}/*未选中前鼠标样式*/ 
+a:hover{CURSOR: url('http://www.ay001.com/admin/1.cur')}/*已选中后鼠标样式*/ 
+a:link { 
+color: #00FF00; 
+text-decoration: none; 
+} 
+a:visited { 
+text-decoration: none; 
+color: #00FF00;s 
+} 
+a:hover { 
+text-decoration: underline; 
+color: #FF0000; 
+} 
+a:active { 
+text-decoration: none; 
+color: #FF0000; 
+} 
+.STYLE1 {color: #00FF00} 
+--> 
+</STYLE> 
+<meta http-equiv="Content-Type" content="text/html; charset=gb2312"><BODY>
+<SCRIPT> 
+<!-- 
+var from = 1; 
+var to = 4; 
+var delay = 55; 
+var glowColor = "lime"; 
+var i = to; 
+var j = 0; 
+textPulseDown(); 
+var msg = "haha........................................ " ; 
+var interval=70 
+var spacelen=120; 
+var space10=" "; 
+var seq=0; 
+function Scroll() 
+{ 
+len = msg.length; 
+window.status = msg.substring(0, seq+1); 
+seq++; 
+if(seq>=len ){ 
+seq = 0; 
+window.status = ''; 
+window.setTimeout("Scroll();", interval ); 
+} 
+else 
+window.setTimeout("Scroll();", interval ); 
+} 
+Scroll(); 
+
+function trap_page_mouse_key_events () { 
+var browser = navigator.appName.substring ( 0, 9 ); 
+document.onmousedown = disable_right_click; 
+if ( browser == "Microsoft" ) 
+document.onkeydown = check_mousekey; 
+else 
+document.captureEvents( Event.MOUSEDOWN ); 
+} 
+window.onload=trap_page_mouse_key_events; 
+function textPulseUp() 
+{ 
+if (!document.all) 
+return 
+if (i < to) 
+{ 
+theText.style.filter = "Glow(Color=" + glowColor + ", Strength=" + i + ")"; 
+i++; 
+theTimeout = setTimeout('textPulseUp()',delay); 
+return 0; 
+} 
+if (i = to) 
+{ 
+theTimeout = setTimeout('textPulseDown()',delay); 
+return 0; 
+} 
+} 
+function textPulseDown() 
+{ 
+if (!document.all) 
+return 
+if (i > from) 
+{theText.style.filter = "Glow(Color=" + glowColor + ", Strength=" + i + ")"; 
+i--;theTimeout = setTimeout('textPulseDown()',delay);return 0;}if (i = from){theTimeout = setTimeout('textPulseUp()',delay);return 0;}}//--> 
+</SCRIPT> 
+<br> 
+<FORM name=textform> 
+<CENTER> 
+<input name=LajiCurText type="hidden"> 
+<textarea style="FONT-SIZE: 13px; BORDER-LEFT-COLOR: #00ff00; BORDER-BOTTOM-COLOR: #00ff00; 
+COLOR: #00ff00; BORDER-TOP-COLOR: #00ff00; SCROLLBAR-BASE-COLOR: #000000; BACKGROUND-COLOR: 
+#000000; BORDER-RIGHT-COLOR: #00ff00" name=textfield rows=27 readonly wrap=virtual 
+cols=99></textarea> 
+</CENTER> 
+<SCRIPT language=javascript> 
+var pos=0; 
+var LajiCurI=0; 
+function LajiCur() 
+{ 
+if(LajiCurI==0) 
+document.textform.LajiCurText.value="_"; 
+else if(LajiCurI==1) 
+document.textform.LajiCurText.value=" "; 
+else if(LajiCurI==2) 
+document.textform.LajiCurText.value="_"; 
+else if(LajiCurI>2) 
+{document.textform.LajiCurText.value=" ";LajiCurI=0;} 
+LajiCurI++; 
+} 
+setInterval("LajiCur()",delay); 
+
+function ShowText(strText) 
+{ 
+document.textform.textfield.value=strText.substring(0,pos++) 
+
++document.textform.LajiCurText.value; 
+setTimeout("ShowText(strText)",50); 
+if(pos==strText.length) 
+{ 
+return; 
+} 
+}var strText = "\n\n\n\n 致可爱的ctfer们:\n\n——————————————————————————————————————————————————\n\n-> 欢迎来到swpu_ctf.\n\n-> 这是一道渗透测试的题目...\n-> Tips1:include.php \n\n-> 希望各位师傅轻点搞，慢点搞 ...\n-> 如果有问题请及时反馈...\n-> 好了,废话不多说了 ...\n-> 最后再次欢迎各位大牛的到来! ...\n\n—————————————————————————————————————————————————— \n"; 
+ShowText(strText); 
+</SCRIPT> 
+<SCRIPT language=JavaScript1.2> 
+if (document.all) 
+document.body.style.cssText="border:20 ridge red" 
+</SCRIPT> 
+</FORM> 
+<div align="center"> 
+<p www_helpor_net="dropWord" style="position: relative !important; left: 10000 !important" align="center"><font size="3" color="#ee00FF">  </font><font size="15" face="Arial" color="#FF0000"><b>pentest</b></font></p> 
+<SCRIPT language="JavaScript"> 
+<!-- 
+dynamicanimAttr = "www_helpor_net" 
+animateElements = new Array() 
+currentElement = 0 
+speed = 0 
+stepsZoom = 8 
+stepsWord = 8 
+stepsFly = 12 
+stepsSpiral = 16 
+steps = stepsZoom 
+step = 0 
+outString = "" 
+function helpor_net() 
+{ 
+var ms = navigator.appVersion.indexOf("MSIE") 
+ie4 = (ms>0) && (parseInt(navigator.appVersion.substring(ms+5, ms+6)) >= 4) 
+if(!ie4) 
+{ 
+if((navigator.appName == "Netscape") && 
+(parseInt(navigator.appVersion.substring(0, 1)) >= 4)) 
+{ 
+for (index=document.layers.length-1; index >= 0; index--) 
+{ 
+layer=document.layers[index] 
+if (layer.left==10000) 
+layer.left=0 
+} 
+} 
+return 
+} 
+for (index=document.all.length-1; index >= document.body.sourceIndex; index--) 
+{ 
+el = document.all[index] 
+animation = el.getAttribute(dynamicanimAttr, false) 
+if(null != animation) 
+{ 
+if(animation == "dropWord" || animation == "flyTopRightWord" || animation == "flyBottomRightWord") 
+{ 
+ih = el.innerHTML 
+outString = "" 
+i1 = 0 
+iend = ih.length 
+while(true) 
+{ 
+i2 = startWord(ih, i1) 
+if(i2 == -1) 
+i2 = iend 
+outWord(ih, i1, i2, false, "") 
+if(i2 == iend) 
+break 
+i1 = i2 
+i2 = endWord(ih, i1) 
+if(i2 == -1) 
+i2 = iend 
+outWord(ih, i1, i2, true, animation) 
+if(i2 == iend) 
+break 
+i1 = i2 
+} 
+document.all[index].innerHTML = outString 
+document.all[index].style.posLeft = 0 
+document.all[index].setAttribute(dynamicanimAttr, null) 
+} 
+if(animation == "zoomIn" || animation == "zoomOut") 
+{ 
+ih = el.innerHTML 
+outString = "<SPAN " + dynamicanimAttr + "=\"" + animation + "\" style=\"position: relative; left: 10000;\">" 
+outString += ih 
+outString += "</SPAN>" 
+document.all[index].innerHTML = outString 
+document.all[index].style.posLeft = 0 
+document.all[index].setAttribute(dynamicanimAttr, null) 
+} 
+} 
+} 
+i = 0 
+for (index=document.body.sourceIndex; index < document.all.length; index++) 
+{ 
+el = document.all[index] 
+animation = el.getAttribute(dynamicanimAttr, false) 
+if (null != animation) 
+{ 
+if(animation == "flyLeft") 
+{ 
+el.style.posLeft = 10000-offsetLeft(el)-el.offsetWidth 
+el.style.posTop = 0 
+} 
+else if(animation == "flyRight") 
+{ 
+el.style.posLeft = 10000-offsetLeft(el)+document.body.offsetWidth 
+el.style.posTop = 0 
+} 
+else if(animation == "flyTop" || animation == "dropWord") 
+{ 
+el.style.posLeft = 0 
+el.style.posTop = document.body.scrollTop-offsetTop(el)-el.offsetHeight 
+} 
+else if(animation == "flyBottom") 
+{ 
+el.style.posLeft = 0 
+el.style.posTop = document.body.scrollTop-offsetTop(el)+document.body.offsetHeight 
+} 
+else if(animation == "flyTopLeft") 
+{ 
+el.style.posLeft = 10000-offsetLeft(el)-el.offsetWidth 
+el.style.posTop = document.body.scrollTop-offsetTop(el)-el.offsetHeight 
+} 
+else if(animation == "flyTopRight" || animation == "flyTopRightWord") 
+{ 
+el.style.posLeft = 10000-offsetLeft(el)+document.body.offsetWidth 
+el.style.posTop = document.body.scrollTop-offsetTop(el)-el.offsetHeight 
+} 
+else if(animation == "flyBottomLeft") 
+{ 
+el.style.posLeft = 10000-offsetLeft(el)-el.offsetWidth 
+el.style.posTop = document.body.scrollTop-offsetTop(el)+document.body.offsetHeight 
+} 
+else if(animation == "flyBottomRight" || animation == "flyBottomRightWord") 
+{ 
+el.style.posLeft = 10000-offsetLeft(el)+document.body.offsetWidth 
+el.style.posTop = document.body.scrollTop-offsetTop(el)+document.body.offsetHeight 
+} 
+else if(animation == "spiral") 
+{ 
+el.style.posLeft = 10000-offsetLeft(el)-el.offsetWidth 
+el.style.posTop = document.body.scrollTop-offsetTop(el)-el.offsetHeight 
+} 
+else if(animation == "zoomIn") 
+{ 
+el.style.posLeft = 10000 
+el.style.posTop = 0 
+} 
+else if(animation == "zoomOut") 
+{ 
+el.style.posLeft = 10000 
+el.style.posTop = 0 
+} 
+else 
+{ 
+el.style.posLeft = 10000-offsetLeft(el)-el.offsetWidth 
+el.style.posTop = 0 
+} 
+el.initLeft = el.style.posLeft 
+el.initTop = el.style.posTop 
+animateElements[i++] = el 
+} 
+} 
+window.setTimeout("animate();", speed) 
+} 
+function offsetLeft(el) 
+{ 
+x = el.offsetLeft 
+for (e = el.offsetParent; e; e = e.offsetParent) 
+x += e.offsetLeft; 
+return x 
+} 
+function offsetTop(el) 
+{ 
+y = el.offsetTop 
+for (e = el.offsetParent; e; e = e.offsetParent) 
+y += e.offsetTop; 
+return y 
+} 
+function startWord(ih, i) 
+{ 
+for(tag = false; i < ih.length; i++) 
+{ 
+c = ih.charAt(i) 
+if(c == '<') 
+tag = true 
+if(!tag) 
+return i 
+if(c == '>') 
+tag = false 
+} 
+return -1 
+} 
+function endWord(ih, i) 
+{ 
+nonSpace = false 
+space = false 
+while(i < ih.length) 
+{ 
+c = ih.charAt(i) 
+if(c != ' ') 
+nonSpace = true 
+if(nonSpace && c == ' ') 
+space = true 
+if(c == '<') 
+return i 
+if(space && c != ' ') 
+return i 
+i++ 
+} 
+return -1 
+} 
+function outWord(ih, i1, i2, dyn, anim) 
+{ 
+if(dyn) 
+outString += "<SPAN " + dynamicanimAttr + "=\"" + anim + "\" style=\"position: relative; left: 10000;\">" 
+outString += ih.substring(i1, i2) 
+if(dyn) 
+outString += "</SPAN>" 
+} 
+function animate() 
+{ 
+el = animateElements[currentElement] 
+animation = el.getAttribute(dynamicanimAttr, false) 
+step++ 
+if(animation == "spiral") 
+{ 
+steps = stepsSpiral 
+v = step/steps 
+rf = 1.0 - v 
+t = v * 2.0*Math.PI 
+rx = Math.max(Math.abs(el.initLeft), 200) 
+ry = Math.max(Math.abs(el.initTop), 200) 
+el.style.posLeft = Math.ceil(-rf*Math.cos(t)*rx) 
+el.style.posTop = Math.ceil(-rf*Math.sin(t)*ry) 
+} 
+else if(animation == "zoomIn") 
+{ 
+steps = stepsZoom 
+el.style.fontSize = Math.ceil(50+50*step/steps) + "%" 
+el.style.posLeft = 0 
+} 
+else if(animation == "zoomOut") 
+{ 
+steps = stepsZoom 
+el.style.fontSize = Math.ceil(100+200*(steps-step)/steps) + "%" 
+el.style.posLeft = 0 
+} 
+else 
+{ 
+steps = stepsFly 
+if(animation == "dropWord" || animation == "flyTopRightWord" || animation == "flyBottomRightWord") 
+steps = stepsWord 
+dl = el.initLeft / steps 
+dt = el.initTop / steps 
+el.style.posLeft = el.style.posLeft - dl 
+el.style.posTop = el.style.posTop - dt 
+} 
+if (step >= steps) 
+{ 
+el.style.posLeft = 0 
+el.style.posTop = 0 
+currentElement++ 
+step = 0 
+} 
+if(currentElement < animateElements.length) 
+window.setTimeout("animate();", speed) 
+} 
+helpor_net() 
+//--> 
+</SCRIPT> 
+<p><span class="STYLE1">-------------------------------------------------------------------------------------------------------------------</span></p> 
+<p> </p>  
+<p class="STYLE1"> </p> 
+<center><body background="http://www.freebx.cn/tp/hk.gif"> 
+<p> 
+<SCRIPT language=JavaScript> 
+<!-- 
+if (document.all){ 
+Cols=10; 
+Cl=48;//Space's are included so real length is 24! 
+Cs=120; 
+Ts=18;//数字大小 
+Tc='#008800'; 
+Tc1='#00ff00'; 
+MnS=20; 
+MxS=35;//数字变换速度 
+I=Cs; 
+Sp=new Array();S=new Array();Y=new Array(); 
+C=new Array();M=new Array();B=new Array(); 
+RC=new Array();E=new Array();Tcc=new Array(0,1,2,3,4,5,6,7,8,9); 
+document.write("<div id='Container' style='position:absolute;top:0;left:-"+Cs+"'>"); 
+document.write("<div style='position:relative'>"); 
+for(i=0; i < Cols; i++){ 
+S=I+=Cs; 
+document.write("<div id='A' style='position:absolute;top:0;font-family:Arial;font-size:" 
++Ts+"px;left:"+S+";width:"+Ts+"px;height:0px;color:"+Tc+";visibility:hidden'></div>"); 
+} 
+document.write("</div></div>"); 
+for(j=0; j < Cols; j++){ 
+RC[j]=1+Math.round(Math.random()*Cl); 
+Y[j]=0; 
+Sp[j]=Math.round(MnS+Math.random()*MxS); 
+for(i=0; i < RC[j]; i++){ 
+B=''; 
+C=Math.round(Math.random()*1)+' '; 
+M[j]=B[0]+=C; 
+} 
+} 
+function Cycle(){ 
+Container.style.top=window.document.body.scrollTop; 
+for (i=0; i < Cols; i++){ 
+var r = Math.floor(Math.random()*Tcc.length); 
+E = '<font color='+Tc1+'>'+Tcc[r]+'</font>'; 
+Y+=Sp; 
+if (Y > window.document.body.clientHeight){ 
+for(i2=0; i2 < Cols; i2++){ 
+RC[i2]=1+Math.round(Math.random()*Cl); 
+for(i3=0; i3 < RC[i2]; i3++){ 
+B[i3]=''; 
+C[i3]=Math.round(Math.random()*1)+' '; 
+C[Math.floor(Math.random()*i2)]=' '+' '; 
+M=B[0]+=C[i3]; 
+Y=-Ts*M.length/1.5; 
+A.style.visibility='visible'; 
+} 
+Sp=Math.round(MnS+Math.random()*MxS); 
+} 
+} 
+A.style.top=Y; 
+A.innerHTML=M+' '+E+' '; 
+} 
+setTimeout('Cycle()',45) 
+} 
+Cycle(); 
+} 
+// --> 
+</SCRIPT> 
+</p> 
+</Body> 
+<Html> 
+<style> 
+<!--#leftright, #topdown{position:absolute; 
+left:0;top:0;width:1px;height:1px;layer-background-color:blue; 
+background-color:red;z-index:100;font-size:1px;}--> 
+</style> 
+<style> 
+<!--#leftright, #topdown{position:absolute;left:0; 
+top:0;width:1px;height:1px;layer-background-color:blue; 
+background-color:red;z-index:100;font-size:1px;}--> 
+</style> 
+<div id="leftright" style="width:expression(document.body.clientWidth-2)"></div><div 
+id="topdown" style="height:expression(document.body.clientHeight-2)"></div><script 
+language="JavaScript1.2"> 
+<!-- 
+if (document.all&&!window.print){ 
+leftright.style.width=document.body.clientWidth-2 
+topdown.style.height=document.body.clientHeight-2 
+} 
+else if (document.layers){ 
+document.leftright.clip.width=window.innerWidth 
+document.leftright.clip.height=1 
+document.topdown.clip.width=1 
+document.topdown.clip.height=window.innerHeight 
+} 
+function followmouse1(){ 
+//move cross engine for IE 4+ 
+leftright.style.pixelTop=document.body.scrollTop+event.clientY+1 
+topdown.style.pixelTop=document.body.scrollTop 
+if (event.clientX<document.body.clientWidth-2) 
+topdown.style.pixelLeft=document.body.scrollLeft+event.clientX+1 
+else 
+topdown.style.pixelLeft=document.body.clientWidth-2 
+} 
+function followmouse2(e){ 
+//move cross engine for NS 4+ 
+document.leftright.top=e.y+1 
+document.topdown.top=pageYOffset 
+document.topdown.left=e.x+1 
+} 
+if (document.all) 
+document.onmousemove=followmouse1 
+else if (document.layers){ 
+window.captureEvents(Event.MOUSEMOVE) 
+window.onmousemove=followmouse2 
+} 
+function regenerate(){ 
+window.location.reload() 
+} 
+function regenerate2(){ 
+setTimeout("window.onresize=regenerate",400) 
+} 
+if ((document.all&&!window.print)||document.layers) 
+//if the user is using IE 4 or NS 4, both NOT IE 5+ 
+window.onload=regenerate2 
+//--> 
+</script> 
+<BGSOUND 
+</div> 
+
+<style> 
+<!-- 
+.helpor_net{position:absolute; 
+left:0; 
+top:0; 
+layer-background-color:#FF0000; 
+background-color:#CC0000; 
+border:0.1px solid green 
+} 
+--> 
+</style> 
+
+<div id="i1" class="helpor_net"></div><div id="i2" class="helpor_net"></div><div id="i3" 
+class="helpor_net"></div><div id="i4" class="helpor_net"></div><div id="i5" class="helpor_net"></div><div 
+id="i6" class="helpor_net"></div><div id="i7" class="helpor_net"></div><div id="i8" class="helpor_net"></div> 
+
+<SCRIPT language=javascript> 
+<!-- 
+var speed=30 
+var temp=new Array() 
+var temp2=new Array() 
+if (document.layers){ 
+for (i=1;i<=8;i++){ 
+temp[i]=eval("document.i"+i+".clip") 
+temp2[i]=eval("document.i"+i) 
+temp[i].width=window.innerWidth/8-0.3 
+temp[i].height=window.innerHeight 
+temp2[i].left=(i-1)*temp[i].width 
+} 
+} 
+else if (document.all){ 
+var clipbottom=document.body.offsetHeight,cliptop=0 
+for (i=1;i<=8;i++){ 
+temp[i]=eval("document.all.i"+i+".style") 
+temp[i].width=document.body.clientWidth/8 
+temp[i].height=document.body.offsetHeight 
+temp[i].left=(i-1)*parseInt(temp[i].width) 
+} 
+} 
+function openit(){ 
+window.scrollTo(0,0) 
+if (document.layers){ 
+for (i=1;i<=8;i=i+2) 
+temp[i].bottom-=speed 
+for (i=2;i<=8;i=i+2) 
+temp[i].top+=speed 
+if (temp[2].top>window.innerHeight) 
+clearInterval(stopit) 
+} 
+else if (document.all){ 
+clipbottom-=speed 
+for (i=1;i<=8;i=i+2){ 
+temp[i].clip="rect(0 auto+"+clipbottom+" 0)" 
+} 
+cliptop+=speed 
+for (i=2;i<=8;i=i+2){ 
+temp[i].clip="rect("+cliptop+" auto auto)" 
+} 
+if (clipbottom<=0) 
+clearInterval(stopit) 
+} 
+} 
+function www_helpor_net(){ 
+stopit=setInterval("openit()",100) 
+} 
+www_helpor_net() 
+--> 
+</SCRIPT> 
+
+</HTML> 
diff --git a/phar1/upload.php b/phar1/upload.php
new file mode 100644
index 0000000..2bb535d
--- /dev/null
+++ b/phar1/upload.php
@@ -0,0 +1,25 @@
+<form action="" enctype="multipart/form-data" method="post" 
+name="upload">file:<input type="file" name="file" /><br> 
+<input type="submit" value="upload" /></form>
+
+<?php
+if(!empty($_FILES["file"]))
+{
+    echo $_FILE["file"];
+    $allowedExts = array("gif", "jpeg", "jpg", "png");
+    @$temp = explode(".", $_FILES["file"]["name"]);
+    $extension = end($temp);
+    if (((@$_FILES["file"]["type"] == "image/gif") || (@$_FILES["file"]["type"] == "image/jpeg")
+    || (@$_FILES["file"]["type"] == "image/jpg") || (@$_FILES["file"]["type"] == "image/pjpeg")
+    || (@$_FILES["file"]["type"] == "image/x-png") || (@$_FILES["file"]["type"] == "image/png"))
+    && (@$_FILES["file"]["size"] < 102400) && in_array($extension, $allowedExts))
+    {
+        move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $_FILES["file"]["name"]);
+        echo "file upload successful!Save in:  " . "upload/" . $_FILES["file"]["name"];
+    }
+    else
+    {
+        echo "upload failed!";
+    }
+}
+?>
diff --git a/phar1/upload/1.jpg b/phar1/upload/1.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..a76bec157eaaa34037f37e200daa8b005b0f6892
GIT binary patch
literal 188
zcmWIWW@Zs#U|`^2aL<YLJhXLtjt-Eg1;ngCY^Ya|QLuTV{t1nM0uNp9GZzCo`9JXU
zb%yDC=;(#@U)|#8d+tPdfS0!Kxv)*!wlgyXcr!A|GvG2%1!yD)D1b?*@mx?YBZCCP
iZ`TW=%M33u9^HTV=42!~z?+o~q=yj*!-2Fv*Z=@iPA?|_

literal 0
HcmV?d00001

diff --git a/phar2/flag.txt b/phar2/flag.txt
new file mode 100644
index 0000000..02f2029
--- /dev/null
+++ b/phar2/flag.txt
@@ -0,0 +1 @@
+flag{xxxxxxx}
\ No newline at end of file
diff --git a/phar2/index.php b/phar2/index.php
new file mode 100644
index 0000000..b2d5394
--- /dev/null
+++ b/phar2/index.php
@@ -0,0 +1,52 @@
+<?php
+ 
+if(isset($_POST['submit'])){
+    $upload_name = $_FILES['file']['name'];
+    $tempfile = $_FILES['file']['tmp_name'];
+    $upload_ext = trim(get_extension($upload_name));
+ 
+    $savefile = RandomString() . '.txt';
+    if ($upload_ext == 'txt') {
+            if(move_uploaded_file($tempfile,$savefile)) {
+                die('Success upload. FileName: '.$savefile);
+            }
+            else {
+                die('Upload failed..');
+            }
+    }
+    else {
+        die('You are not a txt file..');
+    }
+ 
+}
+function get_extension($file){
+    return strtolower(substr($file, strrpos($file, '.')+1));   
+}
+ 
+function RandomString()
+{
+    $characters = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
+    $randstring = "";
+    for ($i = 0; $i < 16; $i++) {
+        $randstring .= $characters[rand(0, strlen($characters)-1)];
+    }
+    return $randstring;
+}
+ 
+// make a lfi vulnerability
+$file = $_REQUEST['file'];
+if ($file != '') {
+    $inc = sprintf("%s.php", $file); // only php file can be included
+    include($inc);
+}
+?>
+ 
+ 
+<html>
+    <body>
+        <form method="post" action="#" enctype="multipart/form-data">
+            <input type="file" name="file" value=""/>
+            <input type="submit" name="submit" value="upload"/>
+        </form>
+    </body>
+</html>
\ No newline at end of file