UUCTF websignez_rce -- 闭合ezsql -- 输入反向ezrce -- 6字符RCE方法一方法二 ez_unser -- 引用绕过wakeupez_upload--a
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-5FX2uPVO-1667461598331)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221102084455218-16673498960451.png)]](https://file.lsjlt.com/upload/f/202309/05/1qap141d33v.png)
源码,禁用的东西挺多的 仔细发现 ? <> `没有禁用,闭合标签反引号执行命令
https://blog.csdn.net/bossDDYY/article/details/## 放弃把,小伙子,你真的不会RCE,何必在此纠结呢????????????Https://blog.csdn.net/bossDDYY/article/details/ifhttps://blog.csdn.net/bossDDYY/article/details/(https://blog.csdn.net/bossDDYY/article/details/issethttps://blog.csdn.net/bossDDYY/article/details/(https://blog.csdn.net/bossDDYY/article/details/$_GEThttps://blog.csdn.net/bossDDYY/article/details/[https://blog.csdn.net/bossDDYY/article/details/'code'https://blog.csdn.net/bossDDYY/article/details/]https://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/{ https://blog.csdn.net/bossDDYY/article/details/$codehttps://blog.csdn.net/bossDDYY/article/details/=https://blog.csdn.net/bossDDYY/article/details/$_GEThttps://blog.csdn.net/bossDDYY/article/details/[https://blog.csdn.net/bossDDYY/article/details/'code'https://blog.csdn.net/bossDDYY/article/details/]https://blog.csdn.net/bossDDYY/article/details/; https://blog.csdn.net/bossDDYY/article/details/if https://blog.csdn.net/bossDDYY/article/details/(https://blog.csdn.net/bossDDYY/article/details/!https://blog.csdn.net/bossDDYY/article/details/preg_matchhttps://blog.csdn.net/bossDDYY/article/details/(https://blog.csdn.net/bossDDYY/article/details/'/sys|pas|read|file|ls|cat|tac|head|tail|more|less|PHP|base|echo|cp|\$|\*|\+|\^|scan|\.|local|current|chr|crypt|show_source|high|readgzfile|dirname|time|next|all|hex2bin|im|shell/i'https://blog.csdn.net/bossDDYY/article/details/,https://blog.csdn.net/bossDDYY/article/details/$codehttps://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/{ https://blog.csdn.net/bossDDYY/article/details/echo https://blog.csdn.net/bossDDYY/article/details/'看看你输入的参数!!!不叫样子!!'https://blog.csdn.net/bossDDYY/article/details/;https://blog.csdn.net/bossDDYY/article/details/echo https://blog.csdn.net/bossDDYY/article/details/'
'https://blog.csdn.net/bossDDYY/article/details/; https://blog.csdn.net/bossDDYY/article/details/evalhttps://blog.csdn.net/bossDDYY/article/details/(https://blog.csdn.net/bossDDYY/article/details/$codehttps://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/; https://blog.csdn.net/bossDDYY/article/details/} https://blog.csdn.net/bossDDYY/article/details/elsehttps://blog.csdn.net/bossDDYY/article/details/{ https://blog.csdn.net/bossDDYY/article/details/diehttps://blog.csdn.net/bossDDYY/article/details/(https://blog.csdn.net/bossDDYY/article/details/"你想干什么?????????"https://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/; https://blog.csdn.net/bossDDYY/article/details/}https://blog.csdn.net/bossDDYY/article/details/}https://blog.csdn.net/bossDDYY/article/details/elsehttps://blog.csdn.net/bossDDYY/article/details/{ https://blog.csdn.net/bossDDYY/article/details/echo https://blog.csdn.net/bossDDYY/article/details/"居然都不输入参数,可恶!!!!!!!!!"https://blog.csdn.net/bossDDYY/article/details/; https://blog.csdn.net/bossDDYY/article/details/show_sourcehttps://blog.csdn.net/bossDDYY/article/details/(https://blog.csdn.net/bossDDYY/article/details/__FILE__https://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/;https://blog.csdn.net/bossDDYY/article/details/}[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-wkx4nqjg-1667461598333)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221102084645846.png)]
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-L8KGVTDW-1667461598333)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221102084658608.png)]
nl输出
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-CwkveGZq-1667461598334)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221102084742202.png)]](https://file.lsjlt.com/upload/f/202309/05/agwepnumlnd.png)
直接给出了查询语句
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-htrif8Qh-1667461598334)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221102084840911.png)]](https://file.lsjlt.com/upload/f/202309/05/edd4djvhd01.png)
发现输入 11’)–+ 显示的是 ±-)'11 完全反过来了
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-FHUyt2Vd-1667461598335)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221102084917425.png)]](https://file.lsjlt.com/upload/f/202309/05/kjvhjdbjhmb.png)
首先使用万能密码试试
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-zrIwbJ3M-1667461598335)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221102090900004.png)]](https://file.lsjlt.com/upload/f/202309/05/3c4mcwycrem.png)
发现即使输入时正确的账号密码也不会回显flag
找列数 2列
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-uUStUQml-1667461598335)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221102091511118.png)]](https://file.lsjlt.com/upload/f/202309/05/yagq24ibz0s.png)
这里过滤了or 双写绕过,查找表名和数据库名
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-yN8Rq0Af-1667461598336)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221102092019725.png)]](https://file.lsjlt.com/upload/f/202309/05/pjxbsks54ir.png)
查列名UUCTF
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-8A37l0yb-1667461598336)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221102092217212.png)]](https://file.lsjlt.com/upload/f/202309/05/vx0vqz5us3q.png)
查内容
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-30Rgtizv-1667461598337)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221102092253981.png)]](https://file.lsjlt.com/upload/f/202309/05/gd4qc00zeid.png)
hint:这是一个命令执行接口
我知道咯这是六字符 起初我输入>nl 回显命令执行失败 我以为没有运行 所以没写
所以说不可以完全信回显
我们要先找到写文件写的目录 echo 一下,文件写在./tmp/
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-lz1FE0aK-1667461598338)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221102092539025.png)]](https://file.lsjlt.com/upload/f/202309/05/yyodr4mc1xy.png)
>nl* const u_char tonyenc_header[] = { 0x66, 0x88, 0xff, 0x4f, 0x68, 0x86, 0x00, 0x56, 0x11, 0x16, 0x16, 0x18,};const u_char tonyenc_key[] = { 0x9f, 0x49, 0x52, 0x00, 0x58, 0x9f, 0xff, 0x21, 0x3e, 0xfe, 0xea, 0xfa, 0xa6, 0x33, 0xf3, 0xc6,};在IDA中找到对应的加密头和key
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-VUcHMf2X-1667461598351)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221103153927985.png)]](https://file.lsjlt.com/upload/f/202309/05/qmtskpgs0pm.png)
根据GitHub源码写解密py脚本
https://blog.csdn.net/bossDDYY/article/details/import base64headerhttps://blog.csdn.net/bossDDYY/article/details/=https://blog.csdn.net/bossDDYY/article/details/[ https://blog.csdn.net/bossDDYY/article/details/0x66https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x88https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0xffhttps://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x4fhttps://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x68https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x86https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x00https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x56https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x11https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x61https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x16https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x18https://blog.csdn.net/bossDDYY/article/details/,https://blog.csdn.net/bossDDYY/article/details/]keyhttps://blog.csdn.net/bossDDYY/article/details/=https://blog.csdn.net/bossDDYY/article/details/[ https://blog.csdn.net/bossDDYY/article/details/0x9fhttps://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x58https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x54https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x00https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x58https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x9fhttps://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0xffhttps://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x23https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x8ehttps://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0xfehttps://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0xeahttps://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0xfahttps://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0xa6https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0x35https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0xf3https://blog.csdn.net/bossDDYY/article/details/, https://blog.csdn.net/bossDDYY/article/details/0xc6https://blog.csdn.net/bossDDYY/article/details/]https://blog.csdn.net/bossDDYY/article/details/def https://blog.csdn.net/bossDDYY/article/details/decodehttps://blog.csdn.net/bossDDYY/article/details/(datahttps://blog.csdn.net/bossDDYY/article/details/,https://blog.csdn.net/bossDDYY/article/details/lenhttps://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/: p https://blog.csdn.net/bossDDYY/article/details/=https://blog.csdn.net/bossDDYY/article/details/0 https://blog.csdn.net/bossDDYY/article/details/for i https://blog.csdn.net/bossDDYY/article/details/in https://blog.csdn.net/bossDDYY/article/details/rangehttps://blog.csdn.net/bossDDYY/article/details/(https://blog.csdn.net/bossDDYY/article/details/0https://blog.csdn.net/bossDDYY/article/details/,https://blog.csdn.net/bossDDYY/article/details/lenhttps://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/: https://blog.csdn.net/bossDDYY/article/details/if https://blog.csdn.net/bossDDYY/article/details/(i https://blog.csdn.net/bossDDYY/article/details/& https://blog.csdn.net/bossDDYY/article/details/1https://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/: p https://blog.csdn.net/bossDDYY/article/details/+= keyhttps://blog.csdn.net/bossDDYY/article/details/[phttps://blog.csdn.net/bossDDYY/article/details/] https://blog.csdn.net/bossDDYY/article/details/+ ihttps://blog.csdn.net/bossDDYY/article/details/; p https://blog.csdn.net/bossDDYY/article/details/%= https://blog.csdn.net/bossDDYY/article/details/16https://blog.csdn.net/bossDDYY/article/details/; t https://blog.csdn.net/bossDDYY/article/details/= keyhttps://blog.csdn.net/bossDDYY/article/details/[phttps://blog.csdn.net/bossDDYY/article/details/]https://blog.csdn.net/bossDDYY/article/details/; datahttps://blog.csdn.net/bossDDYY/article/details/[ihttps://blog.csdn.net/bossDDYY/article/details/] https://blog.csdn.net/bossDDYY/article/details/= https://blog.csdn.net/bossDDYY/article/details/~datahttps://blog.csdn.net/bossDDYY/article/details/[ihttps://blog.csdn.net/bossDDYY/article/details/]https://blog.csdn.net/bossDDYY/article/details/^thttps://blog.csdn.net/bossDDYY/article/details/; https://blog.csdn.net/bossDDYY/article/details/if datahttps://blog.csdn.net/bossDDYY/article/details/[ihttps://blog.csdn.net/bossDDYY/article/details/] https://blog.csdn.net/bossDDYY/article/details/< https://blog.csdn.net/bossDDYY/article/details/0https://blog.csdn.net/bossDDYY/article/details/: datahttps://blog.csdn.net/bossDDYY/article/details/[ihttps://blog.csdn.net/bossDDYY/article/details/]https://blog.csdn.net/bossDDYY/article/details/=datahttps://blog.csdn.net/bossDDYY/article/details/[ihttps://blog.csdn.net/bossDDYY/article/details/]https://blog.csdn.net/bossDDYY/article/details/+https://blog.csdn.net/bossDDYY/article/details/256 decode https://blog.csdn.net/bossDDYY/article/details/= https://blog.csdn.net/bossDDYY/article/details/""https://blog.csdn.net/bossDDYY/article/details/.joinhttps://blog.csdn.net/bossDDYY/article/details/(https://blog.csdn.net/bossDDYY/article/details/[https://blog.csdn.net/bossDDYY/article/details/chrhttps://blog.csdn.net/bossDDYY/article/details/(chttps://blog.csdn.net/bossDDYY/article/details/) https://blog.csdn.net/bossDDYY/article/details/for c https://blog.csdn.net/bossDDYY/article/details/in datahttps://blog.csdn.net/bossDDYY/article/details/]https://blog.csdn.net/bossDDYY/article/details/) https://blog.csdn.net/bossDDYY/article/details/return decodeencodefilehttps://blog.csdn.net/bossDDYY/article/details/=https://blog.csdn.net/bossDDYY/article/details/openhttps://blog.csdn.net/bossDDYY/article/details/(https://blog.csdn.net/bossDDYY/article/details/'backdoor.php'https://blog.csdn.net/bossDDYY/article/details/,https://blog.csdn.net/bossDDYY/article/details/"rb"https://blog.csdn.net/bossDDYY/article/details/)base64_encodestrhttps://blog.csdn.net/bossDDYY/article/details/=base64https://blog.csdn.net/bossDDYY/article/details/.b64encodehttps://blog.csdn.net/bossDDYY/article/details/(encodefilehttps://blog.csdn.net/bossDDYY/article/details/.readhttps://blog.csdn.net/bossDDYY/article/details/(https://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/)converthttps://blog.csdn.net/bossDDYY/article/details/=https://blog.csdn.net/bossDDYY/article/details/[c https://blog.csdn.net/bossDDYY/article/details/for c https://blog.csdn.net/bossDDYY/article/details/in base64https://blog.csdn.net/bossDDYY/article/details/.b64decodehttps://blog.csdn.net/bossDDYY/article/details/(base64_encodestrhttps://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/]https://blog.csdn.net/bossDDYY/article/details/del converthttps://blog.csdn.net/bossDDYY/article/details/[https://blog.csdn.net/bossDDYY/article/details/0https://blog.csdn.net/bossDDYY/article/details/:https://blog.csdn.net/bossDDYY/article/details/lenhttps://blog.csdn.net/bossDDYY/article/details/(headerhttps://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/]https://blog.csdn.net/bossDDYY/article/details/printhttps://blog.csdn.net/bossDDYY/article/details/(https://blog.csdn.net/bossDDYY/article/details/strhttps://blog.csdn.net/bossDDYY/article/details/(decodehttps://blog.csdn.net/bossDDYY/article/details/(converthttps://blog.csdn.net/bossDDYY/article/details/,https://blog.csdn.net/bossDDYY/article/details/lenhttps://blog.csdn.net/bossDDYY/article/details/(converthttps://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/)https://blog.csdn.net/bossDDYY/article/details/)解密得到backdoor.php文件内容为
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-gEwEUhZ0-1667461598351)(F:/%E7%AC%94%E8%AE%B0%E5%9B%BE%E7%89%87/image-20221103154452619.png)]
来源地址:https://blog.csdn.net/bossDDYY/article/details/127671924
--结束END--
本文标题: 2022UUCTF-web
本文链接: https://lsjlt.com/news/395047.html(转载时请注明来源链接)
有问题或投稿请发送至: 邮箱/279061341@qq.com QQ/279061341
2024-02-29
2024-02-29
2024-02-29
2024-02-29
2024-02-29
2024-02-29
2024-02-29
2024-02-29
2024-02-29
2024-02-29
回答
回答
回答
回答
回答
回答
回答
回答
回答
回答
官方手机版
微信公众号
商务合作
0