2024 VNCTF Web Partial Writeup

Web

givenphp

Topic: LD_LOAD environment variable hijacking

<?php
highlight_file(__FILE__);

if(isset($_POST['upload'])){
    handleFileUpload($_FILES['file']);
}

if(isset($_GET['challenge'])){
    waf();
    $value=$_GET['value'];
    $key=$_GET['key'];
    // create_function() returns the generated function's name as a string
    $func=create_function("","putenv('$key=$value');");
    if($func==$_GET['guess']){
        $func();
        system("whoami");
    }
}

// Rejects key/value containing quotes, %, parentheses, semicolons or "bash"
function waf()
{
    if(preg_match('/\'|"|%|\(|\)|;|bash/i',$_GET['key'])||preg_match('/\'|"|%|\(|\)|;|bash/i',$_GET['value'])){
        die("evil input!!!");
    }
}

// Stores the upload under /tmp/ with a uniqid()-based name and echoes the path
function handleFileUpload($file)
{
    $uploadDirectory = '/tmp/';
    if ($file['error'] !== UPLOAD_ERR_OK) {
        echo '文件上传失败。';
        return;
    }
    $fileExtension = pathinfo($file['name'], PATHINFO_EXTENSION);
    $newFileName = uniqid('uploaded_file_', true) . '.' . $fileExtension;
    $destination = $uploadDirectory . $newFileName;
    if (move_uploaded_file($file['tmp_name'], $destination)) {
        echo $destination;
    } else {
        echo '文件移动失败。';
    }
}

Direct injection of environment variables is filtered ...

April 21, 2024 · 2 min · 553 words · J1rrY