主页 » Tags

命令执行

Web37

0x01 访问靶场,获得源码回显 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 <?php /* # -*- coding: utf-8 -*- # @Author: h1xa # @Date: 2020-09-04 00:12:34 # @Last Modified by: h1xa # @Last Modified time: 2020-09-04 05:18:55 # @email: h1xa@ctfer.com # @link: https://ctfer.com */ //flag in flag.php error_reporting(0); if(isset($_GET['c'])){ $c = $_GET['c']; if(!preg_match("/flag/i", $c)){ include($c); echo $flag; } }else{ highlight_file(__FILE__); } 0x02 审计代码,发现这题改变方法,使用include方法包含$c,同时因为过滤flag,无法直接使用php://filter/read=convert.base64-encode/resource=flag.php,使用data://text/plain;base64,XXXXX来构造payload ...

2025-03-10 · 1 分钟 · 321 字 · AuranLu

Web38

0x01 访问靶场,回显源码 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 <?php /* # -*- coding: utf-8 -*- # @Author: h1xa # @Date: 2020-09-04 00:12:34 # @Last Modified by: h1xa # @Last Modified time: 2020-09-04 05:23:36 # @email: h1xa@ctfer.com # @link: https://ctfer.com */ //flag in flag.php error_reporting(0); if(isset($_GET['c'])){ $c = $_GET['c']; if(!preg_match("/flag|php|file/i", $c)){ include($c); echo $flag; } }else{ highlight_file(__FILE__); } 0x02 ...

2025-03-10 · 1 分钟 · 113 字 · AuranLu

Web39

0x01 访问靶场,回显源码 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 <?php /* # -*- coding: utf-8 -*- # @Author: h1xa # @Date: 2020-09-04 00:12:34 # @Last Modified by: h1xa # @Last Modified time: 2020-09-04 06:13:21 # @email: h1xa@ctfer.com # @link: https://ctfer.com */ //flag in flag.php error_reporting(0); if(isset($_GET['c'])){ $c = $_GET['c']; if(!preg_match("/flag/i", $c)){ include($c.".php"); } }else{ highlight_file(__FILE__); } 0x02 由于此处在$c后拼接了.php,故直接使用data://text/plain,<php? system('tac f*');?>而非base64加密形式。从而闭合<?php?>其余均与前题相同 ...

2025-03-10 · 1 分钟 · 177 字 · AuranLu

Web40

[!Important] RCE无参构造 0x01 访问靶场,回显源码 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 <?php /* # -*- coding: utf-8 -*- # @Author: h1xa # @Date: 2020-09-04 00:12:34 # @Last Modified by: h1xa # @Last Modified time: 2020-09-04 06:03:36 # @email: h1xa@ctfer.com # @link: https://ctfer.com */ if(isset($_GET['c'])){ $c = $_GET['c']; if(!preg_match("/[0-9]|\~|\`|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\=|\+|\{|\[|\]|\}|\:|\'|\"|\,|\<|\.|\>|\/|\?|\\\\/i", $c)){ eval($c); } }else{ highlight_file(__FILE__); } 0x02 [!Note] ...

2025-03-10 · 2 分钟 · 687 字 · AuranLu

Web41

[!Important] RCE无字母数字构造_或 0x01 访问靶场,回显源码 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 <?php /* # -*- coding: utf-8 -*- # @Author: 羽 # @Date: 2020-09-05 20:31:22 # @Last Modified by: h1xa # @Last Modified time: 2020-09-05 22:40:07 # @email: 1341963450@qq.com # @link: https://ctf.show */ if(isset($_POST['c'])){ $c = $_POST['c']; if(!preg_match('/[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\{|\}|\&|\-/i', $c)){ eval("echo($c);"); } }else{ highlight_file(__FILE__); } ?> 0x02 [!Note] ...

2025-03-10 · 2 分钟 · 540 字 · AuranLu

Web42

[!Important] RCE重定向截断 0x01 访问靶场,回显源码 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 <?php /* # -*- coding: utf-8 -*- # @Author: h1xa # @Date: 2020-09-05 20:49:30 # @Last Modified by: h1xa # @Last Modified time: 2020-09-05 20:51:55 # @email: h1xa@ctfer.com # @link: https://ctfer.com */ if(isset($_GET['c'])){ $c=$_GET['c']; system($c." >/dev/null 2>&1"); }else{ highlight_file(__FILE__); } 0x02 审计源码 ...

2025-03-10 · 1 分钟 · 436 字 · AuranLu

Web43

[!Important] RCE_preg_match绕过及RCE重定向截断 0x01 访问靶场,回显源码 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 <?php /* # -*- coding: utf-8 -*- # @Author: h1xa # @Date: 2020-09-05 20:49:30 # @Last Modified by: h1xa # @Last Modified time: 2020-09-05 21:32:51 # @email: h1xa@ctfer.com # @link: https://ctfer.com */ if(isset($_GET['c'])){ $c=$_GET['c']; if(!preg_match("/\;|cat/i", $c)){ system($c." >/dev/null 2>&1"); } }else{ highlight_file(__FILE__); } 0x02 [!Note] ...

2025-03-10 · 1 分钟 · 179 字 · AuranLu

Web44

[!Important] preg_match过滤绕过及RCE重定向截断 0x01 访问靶场,回显源码 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 <?php /* # -*- coding: utf-8 -*- # @Author: h1xa # @Date: 2020-09-05 20:49:30 # @Last Modified by: h1xa # @Last Modified time: 2020-09-05 21:32:01 # @email: h1xa@ctfer.com # @link: https://ctfer.com */ if(isset($_GET['c'])){ $c=$_GET['c']; if(!preg_match("/;|cat|flag/i", $c)){ system($c." >/dev/null 2>&1"); } }else{ highlight_file(__FILE__); } 0x02 [!Note] ...

2025-03-10 · 1 分钟 · 226 字 · AuranLu

Web45

[!Important] preg_match过滤绕过及RCE重定向截断 0x01 访问靶场,获得源码回显 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 <?php /* # -*- coding: utf-8 -*- # @Author: h1xa # @Date: 2020-09-05 20:49:30 # @Last Modified by: h1xa # @Last Modified time: 2020-09-05 21:35:34 # @email: h1xa@ctfer.com # @link: https://ctfer.com */ if(isset($_GET['c'])){ $c=$_GET['c']; if(!preg_match("/\;|cat|flag| /i", $c)){ system($c." >/dev/null 2>&1"); } }else{ highlight_file(__FILE__); } 0x02 [!Note] ...

2025-03-10 · 1 分钟 · 199 字 · AuranLu

Web46

[!Important] preg_match过滤绕过及RCE重定向截断 0x01 访问靶场,回显源码 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 <?php /* # -*- coding: utf-8 -*- # @Author: h1xa # @Date: 2020-09-05 20:49:30 # @Last Modified by: h1xa # @Last Modified time: 2020-09-05 21:50:19 # @email: h1xa@ctfer.com # @link: https://ctfer.com */ if(isset($_GET['c'])){ $c=$_GET['c']; if(!preg_match("/\;|cat|flag| |[0-9]|\\$|\*/i", $c)){ system($c." >/dev/null 2>&1"); } }else{ highlight_file(__FILE__); } 0x02 [!Note] ...

2025-03-10 · 1 分钟 · 162 字 · AuranLu