# L33T-HOSTER

## XBM

### .htaccess

explode splits $name on . into an array, and array_pop takes the last element off the $parts array, reducing its length by one. So if .htaccess is uploaded directly, the resulting extension is htaccess, giving

XBM files differ markedly from most image files in that they take the form of C source files. This means that they can be compiled directly into an application without any preprocessing steps, but it also makes them far larger than their raw pixel data. The image data is encoded as a comma-separated list of byte values, each written in the C hexadecimal notation, ‘0x13’ for example, so that multiple ASCII characters are used to express a single byte of image information.

XBM files can, surprisingly, use #define to specify the image width & height, and # happens to be the comment character in .htaccess files, so it does not cause a parse error there. That makes this a direction worth trying.

### webshell

zend.multibyte boolean

Enables parsing of source files in multibyte encodings. Enabling zend.multibyte is required to use character encodings like SJIS, BIG5, etc that contain special characters in multibyte string data. ISO-8859-1 compatible encodings like UTF-8, EUC, etc do not require this option.

Enabling zend.multibyte requires the mbstring extension to be available.

zend.script_encoding string

This value will be used unless a declare(encoding=…) directive appears at the top of the script. When ISO-8859-1 incompatible encoding is used, both zend.multibyte and zend.script_encoding must be used.

Literal strings will be transliterated from zend.script_encoding to mbstring.internal_encoding, as if mb_convert_encoding() would have been called.

The contents of exp.php are the PHP code you want to upload.

## WBMP

### .htaccess

| Field name | Field type | Size (in bytes) | Purpose |
| --- | --- | --- | --- |
| Type | uintvar | variable | Type of the image, and is 0 for monochrome bitmaps. |
| Fixed header | byte | 1 | Reserved. Always 0. |
| Width | uintvar | variable | Width of the image in pixels. |
| Height | uintvar | variable | Height of the image in pixels. |
| Data | byte array | variable | Data bytes arranged in rows – one bit per pixel. A black pixel is denoted by 0 and a white pixel is denoted by 1. Where the row length is not divisible by 8, the row is 0-padded to the byte boundary. |
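A strict server-side check of the WBMP layout in the table above, as an added example that is not code from the original writeup: it decodes the header fields and additionally requires the data section to be exactly the size the dimensions imply, so a file that only has a plausible header is rejected. It assumes uintvar is the usual multi-byte integer (7 value bits per byte, top bit set when more bytes follow); the function names, the `max_side` limit and the sample bytes are made up for this illustration.

```python
class WBMPError(ValueError):
    """Raised when a byte string is not a strictly well-formed WBMP."""

def read_uintvar(buf, pos):
    """Decode one uintvar (assumed: 7 value bits per byte, top bit = continue)."""
    value = 0
    for used in range(5):  # 5 bytes is more than enough for an image dimension
        if pos + used >= len(buf):
            raise WBMPError("truncated uintvar")
        byte = buf[pos + used]
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            return value, pos + used + 1
    raise WBMPError("uintvar longer than 5 bytes")

def parse_wbmp_strict(buf, max_side=4096):
    """Return (width, height) or raise WBMPError."""
    img_type, pos = read_uintvar(buf, 0)
    if img_type != 0:
        raise WBMPError("type is not 0 (monochrome bitmap)")
    if pos >= len(buf) or buf[pos] != 0:
        raise WBMPError("fixed header byte is not 0")
    width, pos = read_uintvar(buf, pos + 1)
    height, pos = read_uintvar(buf, pos)
    if not (0 < width <= max_side and 0 < height <= max_side):
        raise WBMPError("dimensions out of range")
    # One bit per pixel, each row padded to a byte boundary: the data section
    # must be exactly this long, with nothing missing and nothing appended.
    expected = ((width + 7) // 8) * height
    if len(buf) - pos != expected:
        raise WBMPError(f"data is {len(buf) - pos} bytes, expected {expected}")
    return width, height

# Constructed samples (not taken from the original page).
GOOD = bytes([0x00, 0x00, 0x0A, 0x02]) + bytes(4)         # 10x2 px, 2 bytes per row
WIDE = bytes([0x00, 0x00, 0x81, 0x00, 0x01]) + bytes(16)  # width 128 as 2-byte uintvar
# Same plausible header, but followed by text instead of a pixel array.
TRAILING_TEXT = bytes([0x00, 0x00, 0x0A, 0x02]) + b"# constructed text payload\n"

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("WIDE", WIDE), ("TRAILING_TEXT", TRAILING_TEXT)):
        try:
            print(name, "ok", parse_wbmp_strict(blob))
        except WBMPError as exc:
            print(name, "rejected:", exc)
```

A header-only check accepts all three samples; the length comparison is what separates a real bitmap from a file that merely starts like one.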

### webshell

auto_append_file string

Specifies the name of a file that is automatically parsed after the main file. The file is included as if it was called with the require function, so include_path is used.

The special value none disables auto-appending.

After UTF-7 decoding, this is:

# Ezphp

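• Every request unlinks (deletes) all files in the current directory
• The keywords on / html / type / flag / upload / file are filtered case-insensitively
• fl3g.php is included automatically, but the filename is restricted by the regex /[^a-z\.]/
• Finally, a \n newline and extra data are appended, which makes the .htaccess fail to parse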

Note: Don’t use php_value to set boolean values. php_flag (see below) should be used instead.

In the List of php.ini directives we can find the PHP configuration options that can be changed, and a few of them are worth a closer look.

### One Way-error

error_log string

Name of the file where script errors should be logged. The file should be writable by the web server’s user. If the special value syslog is used, the errors are sent to the system logger instead. On Unix, this means syslog(3) and on Windows it means the event log. See also: syslog(). If this directive is not set, errors are sent to the SAPI error logger. For example, it is an error log in Apache or stderr in CLI. See also error_log().

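error_log can write errors at the level set by error_reporting into the configured file. It looks like we could use it to write a file through error messages, but because the script starts by deleting every file in the current folder, even custom content we manage to write would be deleted. So we may need to find another path that lets the file survive.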

include_path string

Specifies a list of directories where the require, include, fopen(), file(), readfile() and file_get_contents() functions look for files. The format is like the system’s PATH environment variable: a list of directories separated with a colon in Unix or semicolon in Windows.

PHP considers each entry in the include path separately when looking for files to include. It will check the first path, and if it doesn’t find it, check the next path, until it either locates the included file or returns with a warning or an error. You may modify or set your include path at runtime using set_include_path().

• Use error_log to point at a writable path outside the current directory, for example /tmp/fl3g.php
• Use include_path to set the include path to /tmp
• The include then resolves to /tmp/fl3g.php

Exp:

### Another Way-Pcre

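ROIS used a more complicated method here: first, likewise upload a .htaccess that sets the pcre backtrack limit to 0, then use base64 to write the file and bypass the stristr check, use auto_append_file to include .htaccess, and put the webshell in a comment inside .htaccess.

The base64-decoded content is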

Exp:

Exp:

# Reference

Insomnihack Teaser 2019 / l33t-hoster

XNUCA2019 ez series web challenge writeups

X-NUCA 2019 Online Contest Writeup By ROIS