Summary of PHP features commonly used in CTF
Posted by gxngxngxn
1. preg_match (regular expression matching)
Anyone working through CTF web challenges has to deal with this function sooner or later, whether in playful nested ("matryoshka") puzzles or in code-audit 0-day challenges. For me it was the first function I ran into when I started CTF, and the one that gave me the most headaches, so I want to collect the bypasses I have met in challenges so far for future reference.
Prerequisites:
Basic syntax:
int preg_match ( string $pattern , string $subject [, array &$matches [, int $flags = 0 [, int $offset = 0 ]]] )
Parameters:
$pattern: the pattern to search for, as a string.
$subject: the input string.
$matches: if provided, it is filled with the search results. $matches[0] contains the text matched by the full pattern, $matches[1] the text matched by the first capturing subpattern, and so on.
$flags: flags can be set to the following value:
PREG_OFFSET_CAPTURE: if this flag is passed, every match returned is accompanied by its string offset (relative to the subject). Note that this changes the shape of the matches array: each element becomes an array whose element 0 is the matched string and whose element 1 is that string's offset into subject.
offset: normally the search starts at the beginning of the subject string. The optional parameter offset specifies the position (in bytes) from which to start the search instead.
Sometimes its arguments look cryptic; in that case look the parameters up, or try them out in this online regex tester:
Online regular expression tester: https://c.runoob.com/front-end/854/
With these basics covered, let's explore the world of preg_match properly.
(1) Array bypass
    if (preg_match("/[0-9]/", $num))
        die("no no no!");
    elseif (intval($num))
        echo $flag;
Look at the code above: to get the flag, num must be assigned a number, but the regex filters out digits. How do we get around that? -----with an array!
Principle: preg_match's second parameter, subject, must be a string; when an array is passed the call returns false, so the if branch is not entered.
So the payload is: num[]=2
(2) %0a (newline) bypass
First look at this regular expression: preg_match('/^gxngxngxn$/', $_GET['gxn'])
// ^ and $ match the start and end of the string, so the expression requires the subject to begin and end with 'gxngxngxn'. Note that $ (without the D modifier) also matches just before a trailing newline, so "gxngxngxn\n" satisfies the pattern while not being equal to the string.
Whenever you meet a check like this, the %0a newline bypass applies.
Here we have to pass gxn=gxngxngxn, but gxn must not be assigned the value gxngxngxn; an obvious contradiction, which is why we use %0a to get past the regex. payload: gxn=gxngxngxn%0a
(3) PCRE backtracking limit
This topic deserves an article of its own, so only a brief outline here!
The hallmark is a greedy match such as:
    preg_match('/<\?.*[(`;?>].*/is', $input)
So when a challenge filters a long list of characters so that RCE looks almost impossible, yet the pattern contains /.*, consider the backtracking bypass first.
The matcher backtracks roughly a million times, which we exploit to build the RCE payload.
For the details see p神's (yyds!) article: https://www.leavesongs.com/PENETRATION/use-pcre-backtrack-limit-to-bypass-restrict.html
Example challenge: [NISACTF 2022]middlerce
The exploit scripts for these challenges are all much alike; keep one around and just change the data next time.
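The three weak spots above (array subject, `$` before a trailing newline, and a failed match being read as "no match") beside a check that closes them; this is an added example, not code from the original post, and the helper names are my own.

```php
<?php
declare(strict_types=1);

// Weak form, as in the post: "$" without the D modifier also matches just
// before a final "\n", and a non-string subject never reaches the regex.
function weak_check($subject): bool
{
    return preg_match('/^gxngxngxn$/', $subject) === 1;
}

// Hardened: strings only, anchor with \A...\z (or add the D modifier), and
// treat a false return (e.g. PREG_BACKTRACK_LIMIT_ERROR) as a failure rather
// than as "no match", so the caller fails closed.
function strict_check($subject): bool
{
    if (!is_string($subject)) {
        return false;                 // arrays, null, ints: reject outright
    }
    $r = preg_match('/\Agxngxngxn\z/', $subject);
    if ($r === false) {
        throw new RuntimeException('preg_match failed, error ' . preg_last_error());
    }
    return $r === 1;
}

// Constructed inputs covering the tricks discussed in the post.
$inputs = [
    'exact'            => 'gxngxngxn',
    'trailing newline' => "gxngxngxn\n",   // the %0a trick
    'array'            => ['gxngxngxn'],   // the num[]= trick
];

foreach ($inputs as $label => $in) {
    try {
        $weak = var_export(weak_check($in), true);
    } catch (TypeError $e) {              // PHP 8 throws for an array subject;
        $weak = 'TypeError';              // PHP 7 only warns and returns null
    }
    printf("%-17s weak=%-9s strict=%s\n",
        $label, $weak, var_export(strict_check($in), true));
}

// Backtracking: the greedy pattern from the post against a long input with a
// deliberately small pcre.backtrack_limit. Exceeding the limit makes
// preg_match() return false, which is why the return value must be compared
// with === and never treated as a plain boolean.
ini_set('pcre.backtrack_limit', '1000');
$r = preg_match('/<\?.*[(`;?>].*/is', '<?php ' . str_repeat('a', 100000));
printf("greedy pattern on long input: returned %s, preg_last_error()=%d\n",
    var_export($r, true), preg_last_error());
```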
(4) Summary
That is it for regex matching for now; I will add more as I run into new cases!
2. intval
Another function full of tricks! (just kidding
Prerequisites:
Definition: returns the integer value of a variable, converting it using the given base (default 10). intval() cannot be used on objects; doing so raises E_NOTICE and returns 1.
Basic syntax:
int intval ( mixed $var [, int $base = 10 ] )
Parameters:
$var: the value to convert to an integer.
$base: the base used for the conversion.
If base is 0, the base is determined from the format of var:
if the string includes a "0x" (or "0X") prefix, base 16 (hex) is used; otherwise,
if the string starts with "0", base 8 (octal) is used; otherwise,
base 10 (decimal) is used.
Examples (values as given in the PHP manual; the two overflow lines assume a 32-bit build, and since PHP 7.1 intval('1e10') returns 10000000000):
    <?php
    echo intval(42);                          // 42
    echo intval(4.2);                         // 4
    echo intval('42');                        // 42
    echo intval('+42');                       // 42
    echo intval('-42');                       // -42
    echo intval(042);                         // 34
    echo intval('042');                       // 42
    echo intval(1e10);                        // 1410065408
    echo intval('1e10');                      // 1
    echo intval(0x1A);                        // 26
    echo intval(42000000);                    // 42000000
    echo intval(420000000000000000000);       // 0
    echo intval('420000000000000000000');     // 2147483647
    echo intval(42, 8);                       // 42
    echo intval('42', 8);                     // 34
    echo intval(array());                     // 0
    echo intval(array('foo', 'bar'));         // 1
    ?>
That covers the basics of intval.
(1) Base conversion bypass
    if ($num === "4476")
        die("no no no!");
    if (intval($num, 0) === 4476)
        echo $flag;
    else
        echo intval($num, 0);
In this case, write the number in octal or hexadecimal to get around the check.
0b?? : binary
0??? : octal
0X?? : hexadecimal
payload: num=0x117c or num=010574
Now look at this variant:
    if ($num == 4476)
        die("no no no!");
    if (preg_match("/[a-z]/i", $num))
        die("no no no!");
    if (intval($num, 0) == 4476)
        echo $flag;
Here the regex filters letters, so hexadecimal is out; octal still works.
payload: num=010574
(2) Scientific notation bypass
    if ($num == 4476)
        die("no no no!");
    if (intval($num, 0) == 4476)
        echo $flag;
Using the same example: besides changing the base, scientific notation also works.
When base is 0, intval() stops reading var at the first letter it meets; the letter e is special, though, because in PHP it denotes scientific notation.
payload: num=4476e0
(3) Decimal point bypass
    if ($num === "114514")
        die("no no no!");
    if (preg_match("/[a-z]/i", $num))   // letters are forbidden
        die("no no no!");
    if (!strpos($num, "0"))             // a leading 0 is forbidden
        die("no no no!");
    if (intval($num, 0) === 114514)
        echo $flag;
For a check like this, base conversion is out, so pass a decimal number instead: intval() converts it to an integer for us, which gets us through.
payload: num=114514.114514
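How intval($s, 0) reads the inputs from this section, beside a validator that accepts only a canonical decimal integer; this is an added example, not code from the original post, and the helper names are my own.

```php
<?php
declare(strict_types=1);

// With base 0, intval() hands the string to strtol(): it honours the 0x / 0 / 0b
// prefixes and stops at the first character that is not a digit of that base,
// which is why "4476e0" and "114514.114514" are read as plain integers.
function loose_int(string $s): int
{
    return intval($s, 0);
}

// Hardened: accept only an optionally signed run of decimal digits, then cast.
// FILTER_VALIDATE_INT rejects prefixes, leading zeros, exponents and decimals.
function strict_int(string $s): ?int
{
    $v = filter_var($s, FILTER_VALIDATE_INT);
    return $v === false ? null : $v;
}

// Constructed inputs: the post's payloads plus a binary form of the same value.
$samples = ['4476', '0x117c', '010574', '4476e0', '114514.114514', '0b1000101111100'];

foreach ($samples as $s) {
    printf("%-16s intval(,0)=%-8d strict=%s\n",
        $s, loose_int($s), var_export(strict_int($s), true));
}
```

Note that `==` against a numeric string does not use strtol() but PHP's own numeric-string rules, which understand exponents and decimal points; the two parsers disagreeing on the same input is what these bypasses rely on.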
Summary
The intval tricks are relatively simple; these are the ones I have met so far, and I will add interesting new ones as they come up.
3. MD5 bypasses
(1) Array bypass
Principle: MD5 cannot process arrays; given an array it returns NULL, and two NULLs are equal.
Look at this code:
    if ($_GET['a'] != $_GET['b']) {
        if (md5($_GET['a']) === md5($_GET['b']))
            echo $flag;
        else
            print 'Wrong.';
    }
Analysis: we have to pass two GET parameters a and b whose md5 values are equal, so we pass two arrays, making both return NULL, which gets us through.
payload: a[]=1&b[]=1
(2) Bypass after a forced cast
Principle: loose md5 comparison; after a cast to string, arrays are no longer accepted.
Look at this code:
    $a = (string)$a;
    $b = (string)$b;
    if (($a !== $b) && (md5($a) == md5($b)))
        echo $flag;
Because both parameters are cast to string first, passing arrays no longer works. The comparison is loose, though, so the scientific-notation trick applies: find two different values whose md5 digests both start with 0e. There are plenty online; a few are listed here.
payload: a=QNKCDZO&b=240610708
(3) A value equal to its own md5
Look at this code:
    $md5 = $_GET['md5'];
    if ($md5 == md5($md5))   // the condition to satisfy
Analysis: we have to pass md5 such that its value equals its own md5 digest, so we need a value that starts with 0e and whose md5 also starts with 0e. A few are listed here; keep them and reuse them when needed.
payload: md5=0e215962017
(4) md5 collision
What happens when a forced cast meets strict equality? (what a pairing!)
Look at this code:
    $a = (string)$a;
    $b = (string)$b;
    if (($a !== $b) && (md5($a) === md5($b)))
        echo $flag;
With a cast plus strict equality, the scientific-notation and array bypasses both stop working, so an actual MD5 collision is needed: two different byte strings with the same digest. Collision-generator output (sent URL-encoded, since it contains non-printable bytes) is worth keeping on hand.
(5) Addendum
Writing this reminded me that sha1 is the sibling of MD5: once challenge authors tire of md5 they switch to sha1, but the solutions are much the same, since the two share the same quirks: array bypass and a strong collision, just like the md5 cases recorded above.
sha1 after a forced cast (values whose sha1 starts with 0e):
payload:
aaroZmOk
aaK1STfY
aaO8zKZF
aa3OFF9m
For the strict-comparison variant a sha1 collision pair serves the same purpose; the one used here is the pair of PDF prefixes published by the SHAttered project, sent URL-encoded.
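The md5()/sha1() comparison traps above beside a comparison that avoids them; this is an added example, not code from the original post, and the helper names are my own.

```php
<?php
declare(strict_types=1);

// Weak form from the post: no type check and a loose ==. Two digests that both
// start with "0e" followed by digits are numeric strings equal to zero, so they
// compare equal even though they differ.
function weak_equal($a, $b): bool
{
    return md5($a) == md5($b);
}

// Hardened: strings only (md5(array) is null on PHP 7 and a TypeError on PHP 8),
// and hash_equals() compares the two digests strictly and in constant time.
// Swap md5 for sha1 and the same reasoning applies.
function strict_equal($a, $b): bool
{
    if (!is_string($a) || !is_string($b)) {
        return false;
    }
    return hash_equals(md5($a), md5($b));
}

// Constructed pairs: the post's magic strings, two different arrays, a real match.
$pairs = [
    'magic 0e strings' => ['QNKCDZO', '240610708'],
    'arrays'           => [['1'], ['2']],
    'identical'        => ['abc', 'abc'],
];

foreach ($pairs as $label => [$a, $b]) {
    try {
        $w = var_export(weak_equal($a, $b), true);
    } catch (TypeError $e) {
        $w = 'TypeError';          // PHP 8; on PHP 7 both md5() calls give null
    }
    printf("%-18s weak=%-9s strict=%s\n",
        $label, $w, var_export(strict_equal($a, $b), true));
}

// The self-equal value from the post: a string that is itself "0e..." and whose
// digest is also "0e...", so $v == md5($v) under loose comparison.
$v = '0e215962017';
printf("%s == md5(%s): loose=%s strict=%s\n", $v, $v,
    var_export($v == md5($v), true), var_export(hash_equals($v, md5($v)), true));
```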
(6) Summary
The md5 tricks come down to these few; they are common in nested challenges and quite fun, so dig deeper if you are interested. That is all for now; I will record new variants as I meet them, haha!
4. Loose comparison bypasses
Prerequisites:
PHP has two comparison operators: == and ===
=== first checks whether the two operands have the same type, then compares them.
== first converts the two operands to the same type, then compares them.
For example:
    admin == 0           // true (in a loose comparison the string admin is cast to a number, and a non-numeric string becomes 0)
    123admin == 123      // true
    admin123 == 0        // true
    // (when a string mixing digits and letters is loosely compared, the cast yields the leading number if digits come first, and 0 if letters come first)
    0e12354458 == 0e8898485   // true (a string with e is read as scientific notation; after conversion both sides are 0, so they are equal)
The PHP manual gives the official explanation:
When a string is evaluated as a number, the result and type are as follows: if the string does not contain '.', 'e' or 'E' and its numeric value fits in the integer range,
it is evaluated as an int; in all other cases it is evaluated as a float. The value is determined by the initial portion of the string: if the string starts with valid numeric data, that value is used, otherwise the value is 0.
PHP's official comparison table is also worth consulting here.
Now let's look at some common loose-comparison problems!
(1) A simple loose comparison
    <?php
    $a = $_GET['gxn'];
    if (!is_numeric($a)) {
        if ($a == 114514)
            echo 'you are great';
    }
    ?>
The code above is the simplest loose-comparison problem: the parameter must not be numeric, yet afterwards it has to equal a number. This is exactly where the loose-comparison behaviour comes in. Just pass the payload: gxn=114514a
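The loose comparisons from this section against both PHP 7 and PHP 8 (PHP 8.0 changed string-to-number comparison: a non-numeric or leading-numeric string is now compared with an int as a string), beside a strict alternative; this is an added example, not code from the original post, and the helper names are my own.

```php
<?php

// The check as written in the post: a loose == between a string and an int.
function loose(string $s, int $n): bool
{
    return $s == $n;
}

// Hardened: accept only the canonical decimal form of the expected integer.
function strict(string $s, int $n): bool
{
    return filter_var($s, FILTER_VALIDATE_INT) === $n;
}

// Constructed cases taken from the comparisons listed in this section.
$cases = [
    ['admin',      0],      // non-numeric: PHP 7 casts it to 0, PHP 8 compares "admin" with "0" as strings
    ['123admin',   123],    // leading-numeric: PHP 7 uses 123, PHP 8 again compares as strings
    ['114514a',    114514], // the post's payload, same rule as the line above
    ['1e3',        1000],   // a numeric string is still compared numerically on PHP 8
    ['0e12354458', 0],      // "0e..." is a numeric string equal to zero on both versions
];

printf("PHP %s\n", PHP_VERSION);
foreach ($cases as [$s, $n]) {
    printf("%-13s == %-7d loose=%-6s strict=%s\n", var_export($s, true), $n,
        var_export(loose($s, $n), true), var_export(strict($s, $n), true));
}
```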
(2) Summary
In my experience loose comparison is rarely tested on its own; it usually appears combined with other functions, such as md5() and intval(), which were covered above, so I will not repeat them. When an unfamiliar function is involved, the usual approach is to look up how it works and derive the bypass from that. These are all simple beginner problems really~!
5. PHP query-string parsing
Prerequisites:
PHP has to turn every parameter into a valid variable name, so when it parses the query string it does two things:
1) removes whitespace
2) converts certain characters ([, +, .) and so on into underscores (including spaces)
Here is the classic screenshot (not reproduced here):
As you can see, certain special characters in the middle of the name are parsed into underscores, and this is one of the common tricks we will keep running into. Let's take a look:
(1) The challenge
The challenge requires a parameter named a_b_c_d, but sending that name literally does not pass the check. Since PHP rewrites certain characters in parameter names into underscores while parsing, we can substitute other characters for the underscore, as the screenshot shows. payload: a+b[c_d=gxngxngxn
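How PHP rewrites parameter names when it builds $_GET, shown with parse_str(), which applies the same rules; this is an added example, not code from the original post, and the helper names are my own.

```php
<?php
declare(strict_types=1);

// Register a query string the way PHP registers $_GET and return the names
// that actually end up as keys.
function registered_names(string $query): array
{
    parse_str($query, $out);
    return array_keys($out);
}

// Constructed queries: the post's payload plus the individual rewrites.
$queries = [
    'a_b_c_d=1',      // the name the application expects
    'a b c d=1',      // spaces (a raw "+" decodes to a space first)
    'a.b.c.d=1',      // dots
    'a+b[c_d=1',      // the post's payload: "+" -> space -> "_", unclosed "[" -> "_"
    'a[b]=1',         // a closed bracket is an array index and is not rewritten
];

foreach ($queries as $q) {
    printf("%-12s -> %s\n", $q, json_encode(registered_names($q)));
}

// Consequence for filters: a blacklist applied to the raw $_SERVER['QUERY_STRING']
// and a lookup in $_GET['a_b_c_d'] look at two different strings. Validate the
// key the application actually reads, after PHP's rewrite, and its type.
function has_string_param(array $get, string $name): bool
{
    return array_key_exists($name, $get) && is_string($get[$name]);
}

parse_str('a+b[c_d=gxngxngxn', $simulated_get);
printf("has_string_param(a_b_c_d): %s\n",
    var_export(has_string_param($simulated_get, 'a_b_c_d'), true));
```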
(2) Summary
I have only met vulnerabilities caused by this parsing behaviour in fairly easy, playful challenges; they keep testing the same few things, so this summary should be enough.
6. Closing -------- let's finish with an example challenge: [MRCTF2020]套娃
It is on BUU~~~~~~~~~
Level one:
Open the target and land on the home page; without further ado, view the page source and find the "password" (kidding:
    //1st
    $query = $_SERVER['QUERY_STRING'];   // the raw query string, i.e. whatever we pass via GET
    if (substr_count($query, '_') !== 0 || substr_count($query, '%5f') != 0) {
        die('Y0u are So cutE!');
    }
    // the URL-encoded underscore is blocked as well
    if ($_GET['b_u_p_t'] !== '23333' && preg_match('/^23333$/', $_GET['b_u_p_t'])) {
        echo "you are going to the next ~";
    }
    // b_u_p_t must not equal 23333, yet must begin and end with 23333
This combines two of the bypasses covered earlier (query-string parsing and regex bypass): use '+' in place of the underscore, and %0a to get past this form of regex.
payload: ?b+u+p+t=23333%0a
After sending it we get a hint that the next level is at secrettw.php, so on we go:
Same routine again, the classic view-source, which reveals a string of JSFuck-encoded characters:
This encoding is easy: press F12, open the console, paste the string in and run it. A popup tells us to POST a parameter named Merak, so we do as we are told!
After posting it, the source code is dumped straight away:
    <?php
    error_reporting(0);
    include 'takeip.php';
    ini_set('open_basedir', '.');
    include 'flag.php';

    if (isset($_POST['Merak'])) {
        highlight_file(__FILE__);
        die();
    }

    function change($v) {
        $v = base64_decode($v);
        $re = '';
        for ($i = 0; $i < strlen($v); $i++) {
            $re .= chr(ord($v[$i]) + $i * 2);
        }
        return $re;
    }
    // change() is a small "encryption" routine; later we will have to invert it

    echo 'Local access only!' . "<br/>";
    $ip = getIp();
    // the IP has to be spoofed to 127.0.0.1
    if ($ip != '127.0.0.1') {
        echo "Sorry,you don't have permission! Your ip is :" . $ip;
    }
    if ($ip === '127.0.0.1' && file_get_contents($_GET['2333']) === 'todat is a happy day') {
        echo "Your REQUEST is:" . change($_GET['file']);
        echo file_get_contents(change($_GET['file']));   // key line: file_get_contents lets us read flag.php
    }
    ?>
A quick audit shows two simple bypasses (spoofing the IP and feeding file_get_contents a php:// stream), after which we encode flag.php in reverse; so let's get to it.
Spoofing the IP: use XFF; add the request header X-Forwarded-For: 127.0.0.1
file_get_contents stream trick: use the php://input wrapper. First pass ?2333=php://input via GET, then send the POST body: todat is a happy day
Inverse script:
    <?php
    $re = "flag.php";
    // invert change(): subtract 2*i from each byte, then base64-encode
    function decrypt($re) {
        $v = "";
        for ($i = 0; $i < strlen($re); $i++) {
            $v .= chr(ord($re[$i]) - $i * 2);
        }
        $v = base64_encode($v);
        echo $v;
    }
    decrypt($re);
    ?>
Running it gives ZmpdYSZmXGI=, which we pass via GET as ?file=ZmpdYSZmXGI=
Final payload:
GET: 2333=php://input&file=ZmpdYSZmXGI=
POST: todat is a happy day
Remember to modify the request header to spoof the IP, and the flag is ours.
Summary:
Done and dusted; finally time to launch Genshin (oh, you play Genshin too!)
PHP features summary with example challenges
Preface
Code-audit challenges come up all the time in CTF, and the ones you meet are mostly PHP; my notes on them are scattered everywhere, so here I am gathering them in one place.
一、Arrays
0x01 md5 of an array
Everyone probably knows this one: md5 of an array yields NULL. Take the following code (screenshot not reproduced):
It first checks whether username and password are identical; if they are, it prints 'Your password can not be your username.'
This relies on a PHP quirk:
md5 applied to an array returns null.
    <?php
    echo md5($_GET['username']);
    ?>
Run it:
a warning says a string argument was expected, not an array.
Then test the challenge above by sending username and password both as arrays, but with different values.
Because the values differ, the first check passes; because both are arrays, md5 returns NULL for both, so the second check passes too and the flag is printed.
0x02 The strcmp() function
First look at this code (screenshot not reproduced):
It uses strcmp to compare password with the flag; if the result == 0, the flag is given out.
strcmp returns 0 only when the two are equal; otherwise it returns something greater or less than 0. Remember this one sentence:
strcmp only handles string arguments; given an array it returns NULL, and since the check uses ==, NULL == 0 evaluates to true.
Use this weakness to solve the challenge.
二、Comparing numbers
0x01 Hexadecimal and numbers
Look at the challenge first (screenshot not reproduced):
The code means: digits 1 to 9 are not allowed in the input, yet it is later compared against a number. The idea is base conversion followed by the comparison.
The number 3735929054 in hexadecimal is deadc0de; comparing the two is of course equal, so the check is bypassed and we get the flag.
0x02 Numeric operations (1)
Roughly: POST a password value that is longer than 12 characters, non-empty and without tabs; the password has to contain upper-case, lower-case, digits and symbols, with more than 6 matches; and finally $password == 42.
A ready-made payload:
password=42.00e+00000000000
or
password=420.000000000e-1
0x03 Numeric operations (2)
The code first passes the variable to is_numeric, which returns true for a number or numeric string and false otherwise. Then a check: if temp is greater than 1336, the flag is shown. This uses a PHP weak-typing quirk:
when an integer is compared with a value of another type, the other value is intval'ed first.
So input a string like 1337a: is_numeric returns true, and during the comparison it is converted to the number 1337, which bypasses the check and prints the flag.
0x04 MD5 coincidences (1)
Input a password whose MD5 value must be 0.
Some specific strings have an MD5 digest starting with 0e,
and in the comparison 0e is read as scientific notation: 0 times 10 to any power is 0.
There are many such strings; a few:
240610708
QNKCDZO
0x05 MD5 coincidences (2)
The md5 function has a second parameter, true, which makes it return the raw bytes of the digest instead of hex; if those bytes contain characters such as a single quote, injection becomes possible.
Take the string ffifdyop:
its md5 is 276f722736c95d99e921722cf9ed621c,
and as raw bytes it looks like
'or'6………..
a string in which 'or'6
is an always-true condition; placed into the query it bypasses the where clause. For example, enter password=ffifdyop in the URL
and the data is dumped.