web Sign in problem

php Code audit

post Pass in a parameter file,file The inverted string of and file When the same, the executable file contains

payload ：

?file=data://text/plain,<?php echo system("cat /f*")?>>?)"*f/ tac"(metsys ohce php?<,nialp/txet//:atad

Use ?> You can truncate the code

easyPHP

php Code audit

POST Mode in cmd and param Two parameters , Use escapeshellcmd() and escapeshellarg() The two functions are processed and merged into one cmd The order is handed over to shell_exec() Function execution

The parameter cmd Limited to three digits , Parameters param Unlimited length

escapeshellcmd() and escapeshellarg() I'm not familiar with functions , Check first ：

escapeshellcmd()

escapeshellarg()

Simply speaking ,

escapeshellcmd It's right &#;|*?~<>^()[]{}$\, \x0A and `\xFF Add an escape character before these characters '\'.

escapeshellarg The role of is use The space replaces the percent sign 、 Exclamatory mark （ Delay variable replacement ） And double quotes , And put double quotation marks around the string . Besides , Each continuous backslash (\) Will be escaped by an additional backslash .

reference k The master wp Study

← sed Basic course sed Environmental installation →

SED brief introduction

sed, English full name stream editor , It's a non interactive stream editor , Modify the text that flows through it through a variety of transformations .

sed You can add, delete, modify, replace and check the text （ Filter 、 Take row ）, Can handle multiple files and multiple lines at the same time .

sed And awk And called Linux/Unix The world's two ace word processors .

sed And awk equally , All are Line word processor .

awk The point is Split and recombine . and sed The focus is Replace .

Step one

Let's focus on what we need ,k Master uses sed The order replaced shell_exec Function is system function , And will $cmd=escapeshellcmd(substr($cmd,0,3))." ".escapeshellarg($param)." ".__FILE__; This line has been deleted

The parameter passed in is

cmd=sed&param=/esca/d;s/shell_exec/system;w 1.php

sed It's a three word command , Naturally no more than sustr String length limit , Next, the command parameters are described ：

/esca/d: The slash symbol is in sed Used to isolate different parameters （ Or command ）, /d The role of is delete, Delete immediately ,/esca yes /d The string you need to match , It contains esca The line of this string will be deleted .

; ：sed The semicolon is the separation between different commands .

s/shell_exec/system：s yes sed String replacement command in

Here you can learn the specific usage and effect ：sed String replacement command s - sed Basic course - Simple tutorial , Simple programming

s/shell_exec/system That is, will shell_exec Replace with system The order of .

w 1.php ：w namely write write in , Together, the modified file is written 1.php in

So it's time to payload The actual effect is sed '/esca/d;s/shell_exec/system;ww 1.php'

Step two

So now we know sed How to replace strings and write to files , We know that eventually there will be one 1.php Will be generated under the website directory , So add 1.php Get into

We can learn about our revised results , Next use post cmd Pass in the command line instructions used ：

cmd = ls / ： Understand the files in the current directory

cmd=cat /f* You can get flag

AWK brief introduction

Reference link ：AWK brief introduction - Awk Basic course - Simple tutorial , Simple programming

AWK Is a command line tool , It and others Unix/Linux Command line tools , such as curl and wget equally , No interface .

AWK It's a language , Right , A language , And it is an interpretive programming language . Use Awk Can complete countless tasks , Let's simply list a few

• Text processing

• Generate formatted text reports

• Run some simple arithmetic operations

• Perform some common string operations

AWK There are two ways to run a program ：

1. One is directly at the terminal （ shell ） Use in .

2. AWK Another way of using , It can be with Shell Script , Write it in a text file , Then run the text file . But this way is rare

AWK The most common way to use it is to input directly in the terminal AWK Script .

awk [options] file ...

Use directly on the command line , We need to talk about AWK Code using Single quotation marks ( '' ) Lead up .

such as

[www.twle.cn]$ awk '{print}' employee.txt

exp

because awk Can directly execute instructions .