Primary code audit [no dolls (modification)] assessment
2022-07-05 13:42:00 【Snow is not cold 1】
Code audit
First, open the challenge link: http://1.15.152.9:1111/sre-winter/. You then see this page directly:
Analyze the code:
First, file_get_contents:
This function is the preferred way to read an entire file into a string. Its $filename parameter is not limited to a local file path; it can also be a network path (URL).
So we look further down:
if(isset($resolve)&&(file_get_contents($resolve,'r')==="try hard to become a redrocker"))
Here we need to pass in a file whose content is try hard to become a redrocker in order to get to the next step. As noted above, the $filename of file_get_contents() can also be a URL, so we can use the data:// pseudo-protocol to bypass this.
About the data:// pseudo-protocol:
Effect: since PHP >= 5.2.0, the data:// stream wrapper can be used to transfer data in the corresponding format. It can usually be used to execute PHP code. Generally base64 encoding is used for transmission.
So use the pseudo-protocol:
?resolve=data://text/plain;base64,dHJ5IGhhcmQgdG8gYmVjb21lIGEgcmVkcm9ja2Vy
//dHJ5IGhhcmQgdG8gYmVjb21lIGEgcmVkcm9ja2Vy decodes to ---> try hard to become a redrocker
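The check above accepts any stream wrapper because the user-controlled value goes straight into file_get_contents(). The following is an added example, not the challenge's source: it places the check as quoted on the page next to a hardened version that only reads a named file inside one fixed directory. The directory name, the file name hint.txt and the two helper function names are assumptions for the demo.

```php
<?php
// Added example (not the challenge's code): the vulnerable check beside a
// hardened one. EXPECTED is the sentence the challenge compares against.
const EXPECTED = "try hard to become a redrocker";

// Vulnerable: $resolve is passed unchanged, so every wrapper PHP knows
// (data://, php://, http:// ... subject to allow_url_fopen) is accepted.
function check_vulnerable(string $resolve): bool {
    return file_get_contents($resolve) === EXPECTED;
}

// Hardened: treat the input as a bare file name inside $baseDir. realpath()
// only understands real filesystem paths, so any "scheme://" form and any
// non-existent file become false; the prefix test stops traversal.
function check_hardened(string $resolve, string $baseDir): bool {
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . basename($resolve));
    if ($base === false || $path === false) {
        return false;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;   // resolved outside the allowed directory
    }
    return file_get_contents($path) === EXPECTED;
}

// Demo with a constructed temporary directory holding one hint file.
$dir = sys_get_temp_dir() . '/sre-demo-' . getmypid();
mkdir($dir);
file_put_contents("$dir/hint.txt", EXPECTED);

// The page's data:// payload, rebuilt with base64_encode().
$wrapper = 'data://text/plain;base64,' . base64_encode(EXPECTED);

var_dump(check_vulnerable($wrapper));        // bool(true): wrapper content accepted
var_dump(check_hardened($wrapper, $dir));    // bool(false): not a file in $dir
var_dump(check_hardened('hint.txt', $dir));  // bool(true): only a real file passes

unlink("$dir/hint.txt");
rmdir($dir);
```

The hardened form deliberately refuses to interpret the input as anything but a file name; an application that must accept wrappers should at least compare against stream_is_local() and an explicit allow-list rather than rely on the default wrapper set.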
Then we notice unserialize(). This is a deserialization function: if we pass a serialized object, that is, a string, to $fxl, we get back an instance object. Wow, fantastic!
So construct it:
and obtain:
O:3:"SRE":1:{s:8:"document";s:12:"printenv.php";}
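What the serialized string above does when it reaches unserialize(), and how the same call behaves once object creation is disabled, as an added example that is not part of the original post. The page only shows the serialized string, so the SRE class body with a single public $document property is an assumption.

```php
<?php
// Added example (not the challenge's code): unserialize() with and without
// allowed_classes. The SRE class is assumed from the serialized payload.
class SRE {
    public $document;
}

// The payload exactly as given on the page.
$payload = 'O:3:"SRE":1:{s:8:"document";s:12:"printenv.php";}';

// As in the challenge: a full SRE instance with attacker-chosen state.
$obj = unserialize($payload);
var_dump($obj instanceof SRE);    // bool(true)
var_dump($obj->document);         // string(12) "printenv.php"

// Hardened (PHP >= 7.0): forbid instantiating any class. The same payload
// becomes __PHP_Incomplete_Class, so a later "instanceof SRE" check fails.
$safe = unserialize($payload, ['allowed_classes' => false]);
var_dump($safe instanceof SRE);   // bool(false)
var_dump(get_class($safe));       // string(22) "__PHP_Incomplete_Class"

// Better still for plain data: a format that cannot create objects at all.
$json = json_encode(['document' => 'printenv.php']);
$data = json_decode($json, true);
var_dump($data['document']);      // string(12) "printenv.php"
```

allowed_classes can also be an array of class names when the application legitimately needs a few specific objects back; passing user input to unserialize() with the default setting is what lets the $fxl parameter choose the class and every property value.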
Therefore:
?resolve=data://text/plain;base64,dHJ5IGhhcmQgdG8gYmVjb21lIGEgcmVkcm9ja2Vy&fxl=O:3:"SRE":1:{s:8:"document";s:12:"printenv.php";}
After appending the above to the URL we get:
Right-click to view the source and notice:
Then let's analyze this source code and see what happens.
First we see four if statements, followed by an eval. That means we need to satisfy all four conditions at the same time.
First, if(isset($_GET['st'])) checks that the parameter is set; if it is, the following statements execute.
Then if (!preg_match('/data:\/\/|filter:\/\/|php:\/\/|phar:\/\//i', $_GET['st'])) filters the data, filter, php and phar pseudo-protocols, preventing files from being read through a stream wrapper.
Next, if(';' === preg_replace('/[a-z,_]+\((?R)?\)/', NULL, $_GET['st'])) means we can only pass function calls without parameters: the (?R) recurses into the pattern, so nested calls of the form a(b(c())) are removed, and nothing but the final ';' may remain.
Finally, if (!preg_match('/es|info|bin|hex|log|dec|oct|na|os|pi/i', $_GET['st'])) matches many keywords, so many functions cannot be used.
So:
First use the scandir() function to get the files in the current directory and print_r() to output them. localeconv() returns an array containing locale numeric and monetary formatting information; its first element is the decimal point ".", so current(localeconv()) yields the current directory.
?st=print_r(scandir(current(localeconv())));
We obtain:
and find the file redrock.php, which should be the flag.
So what should we do next?
After looking things up and thinking hard for a long time, it suddenly came to me:
We can use readfile plus a random function, array_rand(array_flip()), to read it:
?st=readfile(array_rand(array_flip(scandir(current(localeconv())))));
array_flip(): swaps the keys and values of the array.
array_rand(): takes one or more entries out of an array at random; refreshing the page repeatedly keeps returning random entries. In this challenge the array returned by scandir() has only 5 elements, so a few refreshes will bring it out.
Just refresh a few more times, no harm done:
Finally we get
and then the flag:
flag{Congratulation!The task completed}