|
|
楼主 |
发表于 2021-8-19 14:29:40
|
显示全部楼层
本帖最后由 Martini 于 2021-8-19 15:12 编辑
No one knows regex better than me
<?php
error_reporting(0);
$zero=$_REQUEST['zero'];
$first=$_REQUEST['first'];
$second=$zero.$first;
if(preg_match_all("/Yeedo|wants|a|girl|friend|or|a|flag/i",$second)){
$key=$second;
if(preg_match("/\.\.|flag/",$key)){
die("Noooood hacker!");
}else{
$third=$first;
if(preg_match("/\\|\056\160\150\x70/i",$third)){
$end=substr($third,5);
highlight_file(base64_decode($zero).$end);//maybe flag in flag.php
}
}
}
else{
highlight_file(__FILE__);
}[/code]$zero,$first通过request传入一个参数,$second=zero.first
$second里必须匹配到/Yeedo|wants|a|girl|friend|or|a|flag/i这里面的字符
$key=$second
在$key里不能匹配到/.|.|flag/
$third=first
在$third里要匹配有/\|\056\160\150\x70/i
$end从third里第五位字符开始截取。
构造payload:
seconde里要存在"/Yeedo|wants|a|girl|friend|or|a|flag/i",而second=zero.first,所以zero=flag
key=second=zero.first,并且不能存在"/\.\.|flag/",也就是说zero不能=flag,highlight_file(base64_decode($zero).$end),会进行base64_decode,将’flag’进行base64加密得到ZmxhZw==
third=first,并且要匹配"/\\|\056\160\150\x70/i",转换成10进制,再转成ascii码后即为|.php
$end=substr($third,5);需要在|.php前面加上4个字符绕过substr,(aaaa oror girl ),所以完整的payload为:
- ?zero=ZmxhZw==&first=aaaa|.php
|
|
