websign

无法右键禁用js后看源码

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-5FX2uPVO-1667461598331)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221102084455218-16673498960451.png)]

ez_rce – 闭合

源码，禁用的东西挺多的仔细发现 ? <> `没有禁用，闭合标签反引号执行命令

https://blog.csdn.net/bossDDYY/article/details/## 放弃把，小伙子，你真的不会RCE,何必在此纠结呢？？？？？？？？？？？？https://blog.csdn.net/bossDDYY/article/details/ifhttps://blog.csdn.net/bossDDYY/article/details/(https://blog.csdn.net/bossDDYY/article/details/issethttps://blog.csdn.net/bossDDYY/article/details/(https://blog.csdn.net/bossDDYY/article/details/$_GEThttps://blog.csdn.net/bossDDYY/article/details/[https://blog.csdn.net/bossDDYY/article/details/'code'https://blog.csdn.net/bossDDYY/article/details/]https://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/{    https://blog.csdn.net/bossDDYY/article/details/$codehttps://blog.csdn.net/bossDDYY/article/details/=https://blog.csdn.net/bossDDYY/article/details/$_GEThttps://blog.csdn.net/bossDDYY/article/details/[https://blog.csdn.net/bossDDYY/article/details/'code'https://blog.csdn.net/bossDDYY/article/details/]https://blog.csdn.net/bossDDYY/article/details/;    https://blog.csdn.net/bossDDYY/article/details/if https://blog.csdn.net/bossDDYY/article/details/(https://blog.csdn.net/bossDDYY/article/details/!https://blog.csdn.net/bossDDYY/article/details/preg_matchhttps://blog.csdn.net/bossDDYY/article/details/(https://blog.csdn.net/bossDDYY/article/details/'/sys|pas|read|file|ls|cat|tac|head|tail|more|less|php|base|echo|cp|\$|\*|\+|\^|scan|\.|local|current|chr|crypt|show_source|high|readgzfile|dirname|time|next|all|hex2bin|im|shell/i'https://blog.csdn.net/bossDDYY/article/details/,https://blog.csdn.net/bossDDYY/article/details/$codehttps://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/{        https://blog.csdn.net/bossDDYY/article/details/echo https://blog.csdn.net/bossDDYY/article/details/'看看你输入的参数！！！不叫样子！！'https://blog.csdn.net/bossDDYY/article/details/;https://blog.csdn.net/bossDDYY/article/details/echo https://blog.csdn.net/bossDDYY/article/details/'
'https://blog.csdn.net/bossDDYY/article/details/;        https://blog.csdn.net/bossDDYY/article/details/evalhttps://blog.csdn.net/bossDDYY/article/details/(https://blog.csdn.net/bossDDYY/article/details/$codehttps://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/;    https://blog.csdn.net/bossDDYY/article/details/}    https://blog.csdn.net/bossDDYY/article/details/elsehttps://blog.csdn.net/bossDDYY/article/details/{        https://blog.csdn.net/bossDDYY/article/details/diehttps://blog.csdn.net/bossDDYY/article/details/(https://blog.csdn.net/bossDDYY/article/details/"你想干什么？？？？？？？？？"https://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/;    https://blog.csdn.net/bossDDYY/article/details/}https://blog.csdn.net/bossDDYY/article/details/}https://blog.csdn.net/bossDDYY/article/details/elsehttps://blog.csdn.net/bossDDYY/article/details/{    https://blog.csdn.net/bossDDYY/article/details/echo https://blog.csdn.net/bossDDYY/article/details/"居然都不输入参数，可恶!!!!!!!!!"https://blog.csdn.net/bossDDYY/article/details/;    https://blog.csdn.net/bossDDYY/article/details/show_sourcehttps://blog.csdn.net/bossDDYY/article/details/(https://blog.csdn.net/bossDDYY/article/details/__FILE__https://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/;https://blog.csdn.net/bossDDYY/article/details/}

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-wkx4nqjg-1667461598333)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221102084645846.png)]

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-L8KGVTDW-1667461598333)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221102084658608.png)]

nl输出

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-CwkveGZq-1667461598334)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221102084742202.png)]

ezsql – 输入反向

直接给出了查询语句

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-htrif8Qh-1667461598334)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221102084840911.png)]

发现输入 11’)–+ 显示的是 ±-)'11 完全反过来了

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-FHUyt2Vd-1667461598335)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221102084917425.png)]

首先使用万能密码试试

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-zrIwbJ3M-1667461598335)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221102090900004.png)]

发现即使输入时正确的账号密码也不会回显flag

找列数 2列

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-uUStUQml-1667461598335)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221102091511118.png)]

这里过滤了or 双写绕过，查找表名和数据库名

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-yN8Rq0Af-1667461598336)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221102092019725.png)]

查列名UUCTF

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-8A37l0yb-1667461598336)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221102092217212.png)]

查内容

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-30Rgtizv-1667461598337)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221102092253981.png)]

ezrce – 6字符RCE

hint：这是一个命令执行接口

我知道咯这是六字符起初我输入>nl 回显命令执行失败我以为没有运行所以没写

所以说不可以完全信回显

我们要先找到写文件写的目录 echo 一下，文件写在./tmp/

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-lz1FE0aK-1667461598338)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221102092539025.png)]

方法一

>nl* const u_char tonyenc_header[] = {        0x66, 0x88, 0xff, 0x4f,        0x68, 0x86, 0x00, 0x56,        0x11, 0x16, 0x16, 0x18,};const u_char tonyenc_key[] = {        0x9f, 0x49, 0x52, 0x00,        0x58, 0x9f, 0xff, 0x21,        0x3e, 0xfe, 0xea, 0xfa,        0xa6, 0x33, 0xf3, 0xc6,};

在IDA中找到对应的加密头和key

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-VUcHMf2X-1667461598351)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221103153927985.png)]

根据github源码写解密py脚本

https://blog.csdn.net/bossDDYY/article/details/import base64headerhttps://blog.csdn.net/bossDDYY/article/details/=https://blog.csdn.net/bossDDYY/article/details/[    https://blog.csdn.net/bossDDYY/article/details/0x66https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x88https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0xffhttps://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x4fhttps://blog.csdn.net/bossDDYY/article/details/,    https://blog.csdn.net/bossDDYY/article/details/0x68https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x86https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x00https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x56https://blog.csdn.net/bossDDYY/article/details/,    https://blog.csdn.net/bossDDYY/article/details/0x11https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x61https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x16https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x18https://blog.csdn.net/bossDDYY/article/details/,https://blog.csdn.net/bossDDYY/article/details/]keyhttps://blog.csdn.net/bossDDYY/article/details/=https://blog.csdn.net/bossDDYY/article/details/[    https://blog.csdn.net/bossDDYY/article/details/0x9fhttps://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x58https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x54https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x00https://blog.csdn.net/bossDDYY/article/details/,    https://blog.csdn.net/bossDDYY/article/details/0x58https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x9fhttps://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0xffhttps://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x23https://blog.csdn.net/bossDDYY/article/details/,    https://blog.csdn.net/bossDDYY/article/details/0x8ehttps://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0xfehttps://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0xeahttps://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0xfahttps://blog.csdn.net/bossDDYY/article/details/,    https://blog.csdn.net/bossDDYY/article/details/0xa6https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x35https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0xf3https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0xc6https://blog.csdn.net/bossDDYY/article/details/]https://blog.csdn.net/bossDDYY/article/details/def https://blog.csdn.net/bossDDYY/article/details/decodehttps://blog.csdn.net/bossDDYY/article/details/(datahttps://blog.csdn.net/bossDDYY/article/details/,https://blog.csdn.net/bossDDYY/article/details/lenhttps://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/:    p https://blog.csdn.net/bossDDYY/article/details/=https://blog.csdn.net/bossDDYY/article/details/0    https://blog.csdn.net/bossDDYY/article/details/for i https://blog.csdn.net/bossDDYY/article/details/in https://blog.csdn.net/bossDDYY/article/details/rangehttps://blog.csdn.net/bossDDYY/article/details/(https://blog.csdn.net/bossDDYY/article/details/0https://blog.csdn.net/bossDDYY/article/details/,https://blog.csdn.net/bossDDYY/article/details/lenhttps://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/:        https://blog.csdn.net/bossDDYY/article/details/if https://blog.csdn.net/bossDDYY/article/details/(i https://blog.csdn.net/bossDDYY/article/details/& https://blog.csdn.net/bossDDYY/article/details/1https://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/:            p https://blog.csdn.net/bossDDYY/article/details/+= keyhttps://blog.csdn.net/bossDDYY/article/details/[phttps://blog.csdn.net/bossDDYY/article/details/] https://blog.csdn.net/bossDDYY/article/details/+ ihttps://blog.csdn.net/bossDDYY/article/details/;            p https://blog.csdn.net/bossDDYY/article/details/%= https://blog.csdn.net/bossDDYY/article/details/16https://blog.csdn.net/bossDDYY/article/details/;            t https://blog.csdn.net/bossDDYY/article/details/= keyhttps://blog.csdn.net/bossDDYY/article/details/[phttps://blog.csdn.net/bossDDYY/article/details/]https://blog.csdn.net/bossDDYY/article/details/;            datahttps://blog.csdn.net/bossDDYY/article/details/[ihttps://blog.csdn.net/bossDDYY/article/details/] https://blog.csdn.net/bossDDYY/article/details/= https://blog.csdn.net/bossDDYY/article/details/~datahttps://blog.csdn.net/bossDDYY/article/details/[ihttps://blog.csdn.net/bossDDYY/article/details/]https://blog.csdn.net/bossDDYY/article/details/^thttps://blog.csdn.net/bossDDYY/article/details/;            https://blog.csdn.net/bossDDYY/article/details/if datahttps://blog.csdn.net/bossDDYY/article/details/[ihttps://blog.csdn.net/bossDDYY/article/details/] https://blog.csdn.net/bossDDYY/article/details/< https://blog.csdn.net/bossDDYY/article/details/0https://blog.csdn.net/bossDDYY/article/details/:                datahttps://blog.csdn.net/bossDDYY/article/details/[ihttps://blog.csdn.net/bossDDYY/article/details/]https://blog.csdn.net/bossDDYY/article/details/=datahttps://blog.csdn.net/bossDDYY/article/details/[ihttps://blog.csdn.net/bossDDYY/article/details/]https://blog.csdn.net/bossDDYY/article/details/+https://blog.csdn.net/bossDDYY/article/details/256                decode https://blog.csdn.net/bossDDYY/article/details/= https://blog.csdn.net/bossDDYY/article/details/""https://blog.csdn.net/bossDDYY/article/details/.joinhttps://blog.csdn.net/bossDDYY/article/details/(https://blog.csdn.net/bossDDYY/article/details/[https://blog.csdn.net/bossDDYY/article/details/chrhttps://blog.csdn.net/bossDDYY/article/details/(chttps://blog.csdn.net/bossDDYY/article/details/) https://blog.csdn.net/bossDDYY/article/details/for c https://blog.csdn.net/bossDDYY/article/details/in datahttps://blog.csdn.net/bossDDYY/article/details/]https://blog.csdn.net/bossDDYY/article/details/)                https://blog.csdn.net/bossDDYY/article/details/return decodeencodefilehttps://blog.csdn.net/bossDDYY/article/details/=https://blog.csdn.net/bossDDYY/article/details/openhttps://blog.csdn.net/bossDDYY/article/details/(https://blog.csdn.net/bossDDYY/article/details/'backdoor.php'https://blog.csdn.net/bossDDYY/article/details/,https://blog.csdn.net/bossDDYY/article/details/"rb"https://blog.csdn.net/bossDDYY/article/details/)base64_encodestrhttps://blog.csdn.net/bossDDYY/article/details/=base64https://blog.csdn.net/bossDDYY/article/details/.b64encodehttps://blog.csdn.net/bossDDYY/article/details/(encodefilehttps://blog.csdn.net/bossDDYY/article/details/.readhttps://blog.csdn.net/bossDDYY/article/details/(https://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/)converthttps://blog.csdn.net/bossDDYY/article/details/=https://blog.csdn.net/bossDDYY/article/details/[c https://blog.csdn.net/bossDDYY/article/details/for c https://blog.csdn.net/bossDDYY/article/details/in base64https://blog.csdn.net/bossDDYY/article/details/.b64decodehttps://blog.csdn.net/bossDDYY/article/details/(base64_encodestrhttps://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/]https://blog.csdn.net/bossDDYY/article/details/del converthttps://blog.csdn.net/bossDDYY/article/details/[https://blog.csdn.net/bossDDYY/article/details/0https://blog.csdn.net/bossDDYY/article/details/:https://blog.csdn.net/bossDDYY/article/details/lenhttps://blog.csdn.net/bossDDYY/article/details/(headerhttps://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/]https://blog.csdn.net/bossDDYY/article/details/printhttps://blog.csdn.net/bossDDYY/article/details/(https://blog.csdn.net/bossDDYY/article/details/strhttps://blog.csdn.net/bossDDYY/article/details/(decodehttps://blog.csdn.net/bossDDYY/article/details/(converthttps://blog.csdn.net/bossDDYY/article/details/,https://blog.csdn.net/bossDDYY/article/details/lenhttps://blog.csdn.net/bossDDYY/article/details/(converthttps://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/)