LFI boom CTFs Web

k4l0ng
2016-10-30 22:31:44 +08:00
commit 737b91c9d6
13 changed files with 879 additions and 0 deletions


@@ -0,0 +1,84 @@
#LFILocal File Include漏洞
###漏洞简介
下面是纯bb了解过的跳过这部分
解释:能够打开并包含`本地`文件的漏洞;
这里区别一下RFI远程文件包含漏洞
意义:文件包含漏洞是"代码注入"的一种包含即执行可干的坏事可想而知看i春秋总结的危害有如下几种
1. PHP包含漏洞结合上传漏洞
2. PHP包含读文件
3. PHP包含写文件
4. PHP包含日志文件
5. PHP截断包含
6. PHP内置伪协议利用。
PHP中文件包含函数有以下四种
1. require
2. require_once
3. include
4. include_once
include和require区别主要是include在包含的过程中如果出现错误会抛出一个警告程序继续正常运行而require函数出现错误的时候会直接报错并退出程序的执行。而include\_once(),require_once()这两个函数,与前两个的不同之处在于
这两个函数只包含一次,适用于在脚本执行期间同一个文件有可能被包括超过一次的情况下,你想确保它只被包括一次以避免函数重定义,变量重新赋值等问题。
当使用这4个函数包含一个新的文件时该文件将作为PHP代码执行PHP的内核并不会在意被包含的文件是什么类型。即你可以上传一个含shell的txt或jpg文件包含它会被当作PHP代码执行图马
###这个玩意儿与CTF的渊源
1. php://伪协议 >> 访问各个输入/输出流;
- php://filter
- 解释php://filter是一种元封装器设计用于"数据流打开"时的"筛选过滤"应用,对本地磁盘文件进行读写。简单来讲就是可以在执行代码前将代码换个方式读取出来,只是`读取``不需要`开启allow_url_include
- 用法:?file=php://filter/convert.base64-encode/resource=xxx.php
- ?file=php://filter/read=convert.base64-encode/resource=xxx.php 一样
- 例子:
- [http://4.chinalover.sinaapp.com/web7/index.php](http://4.chinalover.sinaapp.com/web7/index.php)
- nctf{edulcni_elif_lacol_si_siht}
- 本地filter文件夹
- php://input
- 解释上面filter既然能读文件肯定还能写文件这就可以利用input将数据POST过去即php://input是用来接收post数据的
- 用法:?file=php://input 数据POST过去
- 注意:
- 需要allow\_url_include=OnPHP < 5.30
- 例子
- 碰到file\_get_contents()就要想到用php://input绕过具体函数意义下一项
- [http://ctf4.shiyanbar.com/web/9](http://ctf4.shiyanbar.com/web/9)
- 并且可以用data伪协议来绕过
- 由于这个题由于存在extract()函数存在变量覆盖漏洞直接?flag=1&shiyan=即可
- 本地input文件夹
- 2016华山杯有一道本地data文件夹可以利用data流
2. data://伪协议 >> 数据流封装器和php://相似都是利用了流的概念将原本的include的文件流重定向到了用户可控制的输入流中简单来说就是执行文件的包含方法包含了你的输入流通过你输入payload来实现目的
- data://text/plain
- 解释:
- 用法:?file=data://text/plain;base64,base64编码的payload
- 注意:
- `<?php phpinfo();`,这类执行代码最后没有?>闭合;
- 需要allow\_url_include=OnPHP < 5.30
- 例子
- 和php伪协议的input类似碰到file\_get_contents()来用
- 本地data文件夹
3. phar://伪协议 >> 数据流包装器,自 PHP 5.3.0 起开始有效正好契合上面两个伪协议的利用条件。说通俗点就是php解压缩包的一个函数解压的压缩包与后缀无关。
- phar://
- 用法:?file=phar://压缩包/内部文件
- 注意:
- PHP版本需大于等于 5.3
- 压缩包需要是zip协议压缩rar不行tar等格式待测
- 利用url的压缩包后缀可以是任意后缀
- 例子:
- 本地phar1文件SWPU2016限制上传类型
- 本地phar2文件限制上传类型上传重命名
###函数解释
1. file\_get_contents():这个函数就是把一个文件里面的东西 字符全部return出来。可以放一个变量里面也就是字符串变量了也可以字符串直接echo。相当于fopen,fread,fclose的组合。
2. include()就是require,reqiuire_once,include_require这一类include是针对文档的代码结构的。也就是说include进来成了这个文件的其中一部分源代码。
3. include把导入的字符串当成当前文件的代码结构而file_get_contents只是返回字符串。这是两个最大的不同。关于字符串执行的问题file_get_contents返回的字符串失去了被执行的能力哪怕字符串里面有<?php ?>一样能拿出来但不执行。而include导入的字符串如果被导入的文件有<?php那就成为php代码的一部分。如果没有<?php只是把它当做源文件<?php ?>外的一部分。
###参考博文:
1. [http://www.cnblogs.com/LittleHann/p/3665062.html](http://www.cnblogs.com/LittleHann/p/3665062.html)
2. [http://www.cnblogs.com/iamstudy/articles/include_file.html](http://www.cnblogs.com/iamstudy/articles/include_file.html)
3. [http://mp.weixin.qq.com/s?__biz=MzAwMTUyMjQ5OA==&mid=2650963079&idx=1&sn=cf0e9c60a68ea7e272e8ad77e6816ebe&scene=1&srcid=0824QF8DtX5jg5FSnZlQlLHR#rd](http://mp.weixin.qq.com/s?__biz=MzAwMTUyMjQ5OA==&mid=2650963079&idx=1&sn=cf0e9c60a68ea7e272e8ad77e6816ebe&scene=1&srcid=0824QF8DtX5jg5FSnZlQlLHR#rd)
4. [http://www.91ri.org/13363.html](http://www.91ri.org/13363.html)
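Review bot: item 2 of the 函数解释 section misspells the include family: `reqiuire_once` should be `require_once`, and `include_require` is not a PHP function; the four names given earlier in the file (`require`, `require_once`, `include`, `include_once`) are the correct set. The condition `PHP < 5.30` on both the php://input and data:// notes presumably means `5.3.0`; write it that way so it is not read as 5.30. The notes record what each wrapper needs (`allow_url_include=On`) but never the corresponding mitigation; for anyone maintaining real code it is worth one line saying that `allow_url_include` is Off by default and that the fix for every case listed is to resolve the `file` parameter through a whitelist of permitted files rather than passing it to `include`, since keyword blacklists like the one in filter/index.php are exactly what the php://filter example gets past.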

data/index.php Normal file

@@ -0,0 +1,10 @@
<?php
$user=$_GET['user'];
#echo $user;
if(isset($user)&&(file_get_contents($user,'r')==='the user is admin')){
echo "flag{xxxxxxxxxxxxx}";
}
else{
echo "you are not admin ! ";
}
?>
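Review bot: `file_get_contents($user,'r')` passes `'r'` as the second argument, but that parameter is `$use_include_path` (a bool), not a file mode; the non-empty string is truthy, so this silently turns on include-path lookup instead of doing what the author seems to intend. Drop the second argument. `$user=$_GET['user'];` also runs before the `isset($user)` test, so a request without `user` raises an undefined-index notice; read it as `$user = isset($_GET['user']) ? $_GET['user'] : null;` and keep the test. The strict `===` against the expected string is fine, and leaving `user` unrestricted is the point of the challenge, which a comment should say so the file is not reused as a template.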

filter/index.php Normal file

@@ -0,0 +1,16 @@
<html>
<title>asdf</title>
<?php
error_reporting(0);
if(!$_GET[file]){echo '<a href="./index.php?file=show.php">click me? no</a>';}
$file=$_GET['file'];
if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
echo "Oh no!";
exit();
}
include($file);
//flag:nctf{edulcni_elif_lacol_si_siht}
?>
</html>
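Review bot: `if(!$_GET[file])` uses the bare word `file` as a constant; PHP falls back to the string 'file' with a notice (hidden here only because of `error_reporting(0)`), so quote it: `$_GET['file']`. The branch that prints the "click me" link does not stop, so `$file=$_GET['file'];` and `include($file);` still run with an empty value and emit warnings on the first visit; add `exit;` after the echo or put the rest in an `else`. The keyword blacklist (`../`, `tp`, `input`, `data`) is the intended weakness of this challenge and the flag sits in a comment on purpose, so a one-line comment marking both as deliberate would help anyone who copies this file.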

filter/show.php Normal file

@@ -0,0 +1 @@
test5

input/index.html Normal file

@@ -0,0 +1,38 @@
<html>
<head>
<meta charset="utf-8">
<title>404</title>
</head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
<script language="javascript">
<!--
if (window.Event)
document.captureEvents(Event.MOUSEUP);
function nocontextmenu(){
event.cancelBubble = true
event.returnValue = false;
return false;
}
function norightclick(e){
if (window.Event){
if (e.which == 2 || e.which == 3){
alert('禁止查看源代码!');
return false;}
}
else
if (event.button == 2 || event.button == 3){
event.cancelBubble = true
event.returnValue = false;
return false;
}
}
document.oncontextmenu = nocontextmenu; // for IE5+
document.onmousedown = norightclick; // for all others
//-->
</script>
<!-- 粗心的程序员,写完代码也不删。-->
</body>
</html>
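Review bot: `nocontextmenu()` declares no event parameter but reads the global `event`, and `norightclick(e)` only inspects `e.which` when `window.Event` exists; together with `document.captureEvents`, `event.returnValue` and `<script language="javascript">` this is IE4/Netscape 4 era code that modern browsers ignore. That is harmless for a decoy 404 page, but the right-click block is not a control of any kind (view-source and developer tools are unaffected), and the HTML comment on the 粗心的程序员 line is the only hint in the file, so the script could be dropped without changing the challenge.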

input/index.php Normal file

@@ -0,0 +1,14 @@
<html>
<title>asdf</title>
<?php
$flag='php://input';
extract($_GET);
if(isset($shiyan)){
$content=trim(file_get_contents($flag));
if($shiyan==$content){
echo'flag{php://input}'; }
else{
echo'Oh.no';}
}
?>
</html>
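Review bot: `extract($_GET);` runs after `$flag='php://input';` and `extract` defaults to `EXTR_OVERWRITE`, so a `flag` query parameter replaces the intended value; that is the variable-overwrite path the README describes, and it deserves a comment saying so. In code that is not meant to be vulnerable the fix is `extract($_GET, EXTR_SKIP)` or, better, reading the specific keys you need instead of `extract`. `if($shiyan==$content)` is a loose comparison; `$content` is always a string after `trim`, so use `===`. `echo'flag{php://input}'` and `echo'Oh.no'` are missing the space after `echo`.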

input/index.php.bak Normal file

@@ -0,0 +1,14 @@
<html>
<title>asdf</title>
<?php
$flag='xxx';
extract($_GET);
if(isset($shiyan)){
$content=trim(file_get_contents($flag));
if($shiyan==$content){
echo'ctf{xxx}'; }
else{
echo'Oh.no';}
}
?>
</html>
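Review bot: this file is input/index.php with the stream name and flag replaced by `xxx`; a `.bak` copy in the web root is served as plain text rather than executed, which is presumably the intended source leak for the challenge, so note that in the README. If it were not intended, the fix is to keep backups outside the document root or deny `*.bak` in the server configuration.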

phar1/include.php Normal file

@@ -0,0 +1,18 @@
<html>
Tips: the parameter is file! :)
<!-- upload.php -->
</html>
<?php
@$file = $_GET["file"];
if(isset($file))
{
if (preg_match('/http|data|ftp|input|%00/i', $file) || strstr($file,"..") !== FALSE || strlen($file)>=70)
{
echo "<p> error! </p>";
}
else
{
include($file.'.php');
}
}
?>
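Review bot: the `%00` alternative in `preg_match('/http|data|ftp|input|%00/i', $file)` can never match, because `$_GET` values are already URL-decoded when the script sees them, so a NUL would arrive as the byte `"\0"` and not as the three characters `%00`. If the intent is to reject NUL bytes, match `\x00` instead (PHP 5.3.4 and later also refuse paths containing NUL in `include`). `@$file = $_GET["file"];` uses `@` to hide the undefined-index notice; test `isset($_GET["file"])` first and drop the `@`. The `strlen($file)>=70` limit has no comment explaining why 70, which the next reader will want.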

phar1/index.html Normal file

@@ -0,0 +1,606 @@
<HTML>
<HEAD>
<meta charset="utf-8" />
<TITLE>Pentest</TITLE>
<BGSOUND balance=0 src="http://www.cnhonkerarmy.com/indeximages/chinahonker0.mid" volume=0 loop=20>
<STYLE type=text/css>
body{
scrollbar-shadow-color:#FFFFFF;
scrollbar-highlight-color:#FFFFFF;
scrollbar-3dlight-color: #000000;
scrollbar-darkshadow-color:#000000;
scrollbar-arrow-color:#FFFFFF;
scrollbar-base-color: #000000;
scrollbar-track-color: #000000;
overflow-y:auto; }
<!--
body{
CURSOR: url('http://www.ay001.com/admin/2.cur');
background-color: #000000;
}/*未选中前鼠标样式*/
a:hover{CURSOR: url('http://www.ay001.com/admin/1.cur')}/*已选中后鼠标样式*/
a:link {
color: #00FF00;
text-decoration: none;
}
a:visited {
text-decoration: none;
color: #00FF00;s
}
a:hover {
text-decoration: underline;
color: #FF0000;
}
a:active {
text-decoration: none;
color: #FF0000;
}
.STYLE1 {color: #00FF00}
-->
</STYLE>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312"><BODY>
<SCRIPT>
<!--
var from = 1;
var to = 4;
var delay = 55;
var glowColor = "lime";
var i = to;
var j = 0;
textPulseDown();
var msg = "haha........................................ " ;
var interval=70
var spacelen=120;
var space10=" ";
var seq=0;
function Scroll()
{
len = msg.length;
window.status = msg.substring(0, seq+1);
seq++;
if(seq>=len ){
seq = 0;
window.status = '';
window.setTimeout("Scroll();", interval );
}
else
window.setTimeout("Scroll();", interval );
}
Scroll();
function trap_page_mouse_key_events () {
var browser = navigator.appName.substring ( 0, 9 );
document.onmousedown = disable_right_click;
if ( browser == "Microsoft" )
document.onkeydown = check_mousekey;
else
document.captureEvents( Event.MOUSEDOWN );
}
window.onload=trap_page_mouse_key_events;
function textPulseUp()
{
if (!document.all)
return
if (i < to)
{
theText.style.filter = "Glow(Color=" + glowColor + ", Strength=" + i + ")";
i++;
theTimeout = setTimeout('textPulseUp()',delay);
return 0;
}
if (i = to)
{
theTimeout = setTimeout('textPulseDown()',delay);
return 0;
}
}
function textPulseDown()
{
if (!document.all)
return
if (i > from)
{theText.style.filter = "Glow(Color=" + glowColor + ", Strength=" + i + ")";
i--;theTimeout = setTimeout('textPulseDown()',delay);return 0;}if (i = from){theTimeout = setTimeout('textPulseUp()',delay);return 0;}}//-->
</SCRIPT>
<br>
<FORM name=textform>
<CENTER>
<input name=LajiCurText type="hidden">
<textarea style="FONT-SIZE: 13px; BORDER-LEFT-COLOR: #00ff00; BORDER-BOTTOM-COLOR: #00ff00;
COLOR: #00ff00; BORDER-TOP-COLOR: #00ff00; SCROLLBAR-BASE-COLOR: #000000; BACKGROUND-COLOR:
#000000; BORDER-RIGHT-COLOR: #00ff00" name=textfield rows=27 readonly wrap=virtual
cols=99></textarea>
</CENTER>
<SCRIPT language=javascript>
var pos=0;
var LajiCurI=0;
function LajiCur()
{
if(LajiCurI==0)
document.textform.LajiCurText.value="_";
else if(LajiCurI==1)
document.textform.LajiCurText.value=" ";
else if(LajiCurI==2)
document.textform.LajiCurText.value="_";
else if(LajiCurI>2)
{document.textform.LajiCurText.value=" ";LajiCurI=0;}
LajiCurI++;
}
setInterval("LajiCur()",delay);
function ShowText(strText)
{
document.textform.textfield.value=strText.substring(0,pos++)
+document.textform.LajiCurText.value;
setTimeout("ShowText(strText)",50);
if(pos==strText.length)
{
return;
}
}var strText = "\n\n\n\n 致可爱的ctfer们:\n\n——————————————————————————————————————————————————\n\n-> 欢迎来到swpu_ctf.\n\n-> 这是一道渗透测试的题目...\n-> Tips1:include.php \n\n-> 希望各位师傅轻点搞,慢点搞 ...\n-> 如果有问题请及时反馈...\n-> 好了,废话不多说了 ...\n-> 最后再次欢迎各位大牛的到来! ...\n\n—————————————————————————————————————————————————— \n";
ShowText(strText);
</SCRIPT>
<SCRIPT language=JavaScript1.2>
if (document.all)
document.body.style.cssText="border:20 ridge red"
</SCRIPT>
</FORM>
<div align="center">
<p www_helpor_net="dropWord" style="position: relative !important; left: 10000 !important" align="center"><font size="3" color="#ee00FF"> </font><font size="15" face="Arial" color="#FF0000"><b>pentest</b></font></p>
<SCRIPT language="JavaScript">
<!--
dynamicanimAttr = "www_helpor_net"
animateElements = new Array()
currentElement = 0
speed = 0
stepsZoom = 8
stepsWord = 8
stepsFly = 12
stepsSpiral = 16
steps = stepsZoom
step = 0
outString = ""
function helpor_net()
{
var ms = navigator.appVersion.indexOf("MSIE")
ie4 = (ms>0) && (parseInt(navigator.appVersion.substring(ms+5, ms+6)) >= 4)
if(!ie4)
{
if((navigator.appName == "Netscape") &&
(parseInt(navigator.appVersion.substring(0, 1)) >= 4))
{
for (index=document.layers.length-1; index >= 0; index--)
{
layer=document.layers[index]
if (layer.left==10000)
layer.left=0
}
}
return
}
for (index=document.all.length-1; index >= document.body.sourceIndex; index--)
{
el = document.all[index]
animation = el.getAttribute(dynamicanimAttr, false)
if(null != animation)
{
if(animation == "dropWord" || animation == "flyTopRightWord" || animation == "flyBottomRightWord")
{
ih = el.innerHTML
outString = ""
i1 = 0
iend = ih.length
while(true)
{
i2 = startWord(ih, i1)
if(i2 == -1)
i2 = iend
outWord(ih, i1, i2, false, "")
if(i2 == iend)
break
i1 = i2
i2 = endWord(ih, i1)
if(i2 == -1)
i2 = iend
outWord(ih, i1, i2, true, animation)
if(i2 == iend)
break
i1 = i2
}
document.all[index].innerHTML = outString
document.all[index].style.posLeft = 0
document.all[index].setAttribute(dynamicanimAttr, null)
}
if(animation == "zoomIn" || animation == "zoomOut")
{
ih = el.innerHTML
outString = "<SPAN " + dynamicanimAttr + "=\"" + animation + "\" style=\"position: relative; left: 10000;\">"
outString += ih
outString += "</SPAN>"
document.all[index].innerHTML = outString
document.all[index].style.posLeft = 0
document.all[index].setAttribute(dynamicanimAttr, null)
}
}
}
i = 0
for (index=document.body.sourceIndex; index < document.all.length; index++)
{
el = document.all[index]
animation = el.getAttribute(dynamicanimAttr, false)
if (null != animation)
{
if(animation == "flyLeft")
{
el.style.posLeft = 10000-offsetLeft(el)-el.offsetWidth
el.style.posTop = 0
}
else if(animation == "flyRight")
{
el.style.posLeft = 10000-offsetLeft(el)+document.body.offsetWidth
el.style.posTop = 0
}
else if(animation == "flyTop" || animation == "dropWord")
{
el.style.posLeft = 0
el.style.posTop = document.body.scrollTop-offsetTop(el)-el.offsetHeight
}
else if(animation == "flyBottom")
{
el.style.posLeft = 0
el.style.posTop = document.body.scrollTop-offsetTop(el)+document.body.offsetHeight
}
else if(animation == "flyTopLeft")
{
el.style.posLeft = 10000-offsetLeft(el)-el.offsetWidth
el.style.posTop = document.body.scrollTop-offsetTop(el)-el.offsetHeight
}
else if(animation == "flyTopRight" || animation == "flyTopRightWord")
{
el.style.posLeft = 10000-offsetLeft(el)+document.body.offsetWidth
el.style.posTop = document.body.scrollTop-offsetTop(el)-el.offsetHeight
}
else if(animation == "flyBottomLeft")
{
el.style.posLeft = 10000-offsetLeft(el)-el.offsetWidth
el.style.posTop = document.body.scrollTop-offsetTop(el)+document.body.offsetHeight
}
else if(animation == "flyBottomRight" || animation == "flyBottomRightWord")
{
el.style.posLeft = 10000-offsetLeft(el)+document.body.offsetWidth
el.style.posTop = document.body.scrollTop-offsetTop(el)+document.body.offsetHeight
}
else if(animation == "spiral")
{
el.style.posLeft = 10000-offsetLeft(el)-el.offsetWidth
el.style.posTop = document.body.scrollTop-offsetTop(el)-el.offsetHeight
}
else if(animation == "zoomIn")
{
el.style.posLeft = 10000
el.style.posTop = 0
}
else if(animation == "zoomOut")
{
el.style.posLeft = 10000
el.style.posTop = 0
}
else
{
el.style.posLeft = 10000-offsetLeft(el)-el.offsetWidth
el.style.posTop = 0
}
el.initLeft = el.style.posLeft
el.initTop = el.style.posTop
animateElements[i++] = el
}
}
window.setTimeout("animate();", speed)
}
function offsetLeft(el)
{
x = el.offsetLeft
for (e = el.offsetParent; e; e = e.offsetParent)
x += e.offsetLeft;
return x
}
function offsetTop(el)
{
y = el.offsetTop
for (e = el.offsetParent; e; e = e.offsetParent)
y += e.offsetTop;
return y
}
function startWord(ih, i)
{
for(tag = false; i < ih.length; i++)
{
c = ih.charAt(i)
if(c == '<')
tag = true
if(!tag)
return i
if(c == '>')
tag = false
}
return -1
}
function endWord(ih, i)
{
nonSpace = false
space = false
while(i < ih.length)
{
c = ih.charAt(i)
if(c != ' ')
nonSpace = true
if(nonSpace && c == ' ')
space = true
if(c == '<')
return i
if(space && c != ' ')
return i
i++
}
return -1
}
function outWord(ih, i1, i2, dyn, anim)
{
if(dyn)
outString += "<SPAN " + dynamicanimAttr + "=\"" + anim + "\" style=\"position: relative; left: 10000;\">"
outString += ih.substring(i1, i2)
if(dyn)
outString += "</SPAN>"
}
function animate()
{
el = animateElements[currentElement]
animation = el.getAttribute(dynamicanimAttr, false)
step++
if(animation == "spiral")
{
steps = stepsSpiral
v = step/steps
rf = 1.0 - v
t = v * 2.0*Math.PI
rx = Math.max(Math.abs(el.initLeft), 200)
ry = Math.max(Math.abs(el.initTop), 200)
el.style.posLeft = Math.ceil(-rf*Math.cos(t)*rx)
el.style.posTop = Math.ceil(-rf*Math.sin(t)*ry)
}
else if(animation == "zoomIn")
{
steps = stepsZoom
el.style.fontSize = Math.ceil(50+50*step/steps) + "%"
el.style.posLeft = 0
}
else if(animation == "zoomOut")
{
steps = stepsZoom
el.style.fontSize = Math.ceil(100+200*(steps-step)/steps) + "%"
el.style.posLeft = 0
}
else
{
steps = stepsFly
if(animation == "dropWord" || animation == "flyTopRightWord" || animation == "flyBottomRightWord")
steps = stepsWord
dl = el.initLeft / steps
dt = el.initTop / steps
el.style.posLeft = el.style.posLeft - dl
el.style.posTop = el.style.posTop - dt
}
if (step >= steps)
{
el.style.posLeft = 0
el.style.posTop = 0
currentElement++
step = 0
}
if(currentElement < animateElements.length)
window.setTimeout("animate();", speed)
}
helpor_net()
//-->
</SCRIPT>
<p><span class="STYLE1">-------------------------------------------------------------------------------------------------------------------</span></p>
<p> </p>
<p class="STYLE1"> </p>
<center><body background="http://www.freebx.cn/tp/hk.gif">
<p>
<SCRIPT language=JavaScript>
<!--
if (document.all){
Cols=10;
Cl=48;//Space's are included so real length is 24!
Cs=120;
Ts=18;//数字大小
Tc='#008800';
Tc1='#00ff00';
MnS=20;
MxS=35;//数字变换速度
I=Cs;
Sp=new Array();S=new Array();Y=new Array();
C=new Array();M=new Array();B=new Array();
RC=new Array();E=new Array();Tcc=new Array(0,1,2,3,4,5,6,7,8,9);
document.write("<div id='Container' style='position:absolute;top:0;left:-"+Cs+"'>");
document.write("<div style='position:relative'>");
for(i=0; i < Cols; i++){
S=I+=Cs;
document.write("<div id='A' style='position:absolute;top:0;font-family:Arial;font-size:"
+Ts+"px;left:"+S+";width:"+Ts+"px;height:0px;color:"+Tc+";visibility:hidden'></div>");
}
document.write("</div></div>");
for(j=0; j < Cols; j++){
RC[j]=1+Math.round(Math.random()*Cl);
Y[j]=0;
Sp[j]=Math.round(MnS+Math.random()*MxS);
for(i=0; i < RC[j]; i++){
B='';
C=Math.round(Math.random()*1)+' ';
M[j]=B[0]+=C;
}
}
function Cycle(){
Container.style.top=window.document.body.scrollTop;
for (i=0; i < Cols; i++){
var r = Math.floor(Math.random()*Tcc.length);
E = '<font color='+Tc1+'>'+Tcc[r]+'</font>';
Y+=Sp;
if (Y > window.document.body.clientHeight){
for(i2=0; i2 < Cols; i2++){
RC[i2]=1+Math.round(Math.random()*Cl);
for(i3=0; i3 < RC[i2]; i3++){
B[i3]='';
C[i3]=Math.round(Math.random()*1)+' ';
C[Math.floor(Math.random()*i2)]=' '+' ';
M=B[0]+=C[i3];
Y=-Ts*M.length/1.5;
A.style.visibility='visible';
}
Sp=Math.round(MnS+Math.random()*MxS);
}
}
A.style.top=Y;
A.innerHTML=M+' '+E+' ';
}
setTimeout('Cycle()',45)
}
Cycle();
}
// -->
</SCRIPT>
</p>
</Body>
<Html>
<style>
<!--#leftright, #topdown{position:absolute;
left:0;top:0;width:1px;height:1px;layer-background-color:blue;
background-color:red;z-index:100;font-size:1px;}-->
</style>
<style>
<!--#leftright, #topdown{position:absolute;left:0;
top:0;width:1px;height:1px;layer-background-color:blue;
background-color:red;z-index:100;font-size:1px;}-->
</style>
<div id="leftright" style="width:expression(document.body.clientWidth-2)"></div><div
id="topdown" style="height:expression(document.body.clientHeight-2)"></div><script
language="JavaScript1.2">
<!--
if (document.all&&!window.print){
leftright.style.width=document.body.clientWidth-2
topdown.style.height=document.body.clientHeight-2
}
else if (document.layers){
document.leftright.clip.width=window.innerWidth
document.leftright.clip.height=1
document.topdown.clip.width=1
document.topdown.clip.height=window.innerHeight
}
function followmouse1(){
//move cross engine for IE 4+
leftright.style.pixelTop=document.body.scrollTop+event.clientY+1
topdown.style.pixelTop=document.body.scrollTop
if (event.clientX<document.body.clientWidth-2)
topdown.style.pixelLeft=document.body.scrollLeft+event.clientX+1
else
topdown.style.pixelLeft=document.body.clientWidth-2
}
function followmouse2(e){
//move cross engine for NS 4+
document.leftright.top=e.y+1
document.topdown.top=pageYOffset
document.topdown.left=e.x+1
}
if (document.all)
document.onmousemove=followmouse1
else if (document.layers){
window.captureEvents(Event.MOUSEMOVE)
window.onmousemove=followmouse2
}
function regenerate(){
window.location.reload()
}
function regenerate2(){
setTimeout("window.onresize=regenerate",400)
}
if ((document.all&&!window.print)||document.layers)
//if the user is using IE 4 or NS 4, both NOT IE 5+
window.onload=regenerate2
//-->
</script>
<BGSOUND
</div>
<style>
<!--
.helpor_net{position:absolute;
left:0;
top:0;
layer-background-color:#FF0000;
background-color:#CC0000;
border:0.1px solid green
}
-->
</style>
<div id="i1" class="helpor_net"></div><div id="i2" class="helpor_net"></div><div id="i3"
class="helpor_net"></div><div id="i4" class="helpor_net"></div><div id="i5" class="helpor_net"></div><div
id="i6" class="helpor_net"></div><div id="i7" class="helpor_net"></div><div id="i8" class="helpor_net"></div>
<SCRIPT language=javascript>
<!--
var speed=30
var temp=new Array()
var temp2=new Array()
if (document.layers){
for (i=1;i<=8;i++){
temp[i]=eval("document.i"+i+".clip")
temp2[i]=eval("document.i"+i)
temp[i].width=window.innerWidth/8-0.3
temp[i].height=window.innerHeight
temp2[i].left=(i-1)*temp[i].width
}
}
else if (document.all){
var clipbottom=document.body.offsetHeight,cliptop=0
for (i=1;i<=8;i++){
temp[i]=eval("document.all.i"+i+".style")
temp[i].width=document.body.clientWidth/8
temp[i].height=document.body.offsetHeight
temp[i].left=(i-1)*parseInt(temp[i].width)
}
}
function openit(){
window.scrollTo(0,0)
if (document.layers){
for (i=1;i<=8;i=i+2)
temp[i].bottom-=speed
for (i=2;i<=8;i=i+2)
temp[i].top+=speed
if (temp[2].top>window.innerHeight)
clearInterval(stopit)
}
else if (document.all){
clipbottom-=speed
for (i=1;i<=8;i=i+2){
temp[i].clip="rect(0 auto+"+clipbottom+" 0)"
}
cliptop+=speed
for (i=2;i<=8;i=i+2){
temp[i].clip="rect("+cliptop+" auto auto)"
}
if (clipbottom<=0)
clearInterval(stopit)
}
}
function www_helpor_net(){
stopit=setInterval("openit()",100)
}
www_helpor_net()
-->
</SCRIPT>
</HTML>
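Review bot: `if (i = to)` in textPulseUp and `if (i = from)` in textPulseDown are assignments, not comparisons, so those branches run unconditionally; use `==`. The page also loads content from hosts the project does not control (the `BGSOUND` midi from cnhonkerarmy.com, cursor files from ay001.com, the background gif from freebx.cn); a CTF landing page should not depend on third-party assets that can change or disappear, and all three references can be dropped without affecting the challenge. The markup is malformed as well: `<HEAD>` is never closed, `</Body>` is followed by a second `<Html>` opening tag, the trailing `<BGSOUND` is left open, and `color: #00FF00;s` in the `a:visited` rule has a stray `s`; the `style="...expression(...)"` attributes and `document.all` / `document.layers` branches only work in old IE and Netscape and are dead code elsewhere.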

phar1/upload.php Normal file

@@ -0,0 +1,25 @@
<form action="" enctype="multipart/form-data" method="post"
name="upload">file:<input type="file" name="file" /><br>
<input type="submit" value="upload" /></form>
<?php
if(!empty($_FILES["file"]))
{
echo $_FILE["file"];
$allowedExts = array("gif", "jpeg", "jpg", "png");
@$temp = explode(".", $_FILES["file"]["name"]);
$extension = end($temp);
if (((@$_FILES["file"]["type"] == "image/gif") || (@$_FILES["file"]["type"] == "image/jpeg")
|| (@$_FILES["file"]["type"] == "image/jpg") || (@$_FILES["file"]["type"] == "image/pjpeg")
|| (@$_FILES["file"]["type"] == "image/x-png") || (@$_FILES["file"]["type"] == "image/png"))
&& (@$_FILES["file"]["size"] < 102400) && in_array($extension, $allowedExts))
{
move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $_FILES["file"]["name"]);
echo "file upload successful!Save in: " . "upload/" . $_FILES["file"]["name"];
}
else
{
echo "upload failed!";
}
}
?>
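Review bot: `echo $_FILE["file"];` refers to `$_FILE`, which does not exist (the superglobal is `$_FILES`), so the line only produces a notice; delete it. The six `$_FILES["file"]["type"]` comparisons test a value the client supplies, so they are a hint rather than a check; the extension whitelist via `end(explode(".", ...))` is what actually constrains the upload here. If this form were used outside a CTF, verify the content with `finfo_file` and store under a server-generated name, because saving as `"upload/" . $_FILES["file"]["name"]` lets a later upload overwrite an earlier one. The `@` prefixes on `$_FILES["file"]["type"]` hide notices that one `isset` would handle cleanly.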

phar1/upload/1.jpg Normal file

Binary file not shown.

phar2/flag.txt Normal file

@@ -0,0 +1 @@
flag{xxxxxxx}

phar2/index.php Normal file

@@ -0,0 +1,52 @@
<?php
if(isset($_POST['submit'])){
$upload_name = $_FILES['file']['name'];
$tempfile = $_FILES['file']['tmp_name'];
$upload_ext = trim(get_extension($upload_name));
$savefile = RandomString() . '.txt';
if ($upload_ext == 'txt') {
if(move_uploaded_file($tempfile,$savefile)) {
die('Success upload. FileName: '.$savefile);
}
else {
die('Upload failed..');
}
}
else {
die('You are not a txt file..');
}
}
function get_extension($file){
return strtolower(substr($file, strrpos($file, '.')+1));
}
function RandomString()
{
$characters = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
$randstring = "";
for ($i = 0; $i < 16; $i++) {
$randstring .= $characters[rand(0, strlen($characters)-1)];
}
return $randstring;
}
// make a lfi vulnerability
$file = $_REQUEST['file'];
if ($file != '') {
$inc = sprintf("%s.php", $file); // only php file can be included
include($inc);
}
?>
<html>
<body>
<form method="post" action="#" enctype="multipart/form-data">
<input type="file" name="file" value=""/>
<input type="submit" name="submit" value="upload"/>
</form>
</body>
</html>
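Review bot: `$file = $_REQUEST['file'];` in the block after `RandomString()` runs on every request with no `isset` guard, so the upload form itself triggers an undefined-index notice; guard it the way the upload branch guards `$_POST['submit']`. `RandomString()` draws from `rand()`, which is not a cryptographic generator, so the saved `.txt` names are predictable; use `random_int` (PHP 7) or `openssl_random_pseudo_bytes` if the name is meant to be unguessable, or state in the README that guessing it is not part of the challenge. `get_extension` breaks on a name with no dot: `strrpos` returns `false`, `false+1` is `1`, and `substr($file, 1)` returns the name minus its first character, which then fails the `== 'txt'` test by accident rather than by design; return `''` when `strrpos` is `false`. The `// only php file can be included` comment on the `sprintf` line overstates what the appended `.php` buys; constraining the suffix is not the same as constraining the path, and a lookup table of permitted files is the real fix, though here the include is labelled as the deliberate LFI and can stay.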