<?php header('Content-Type: text/html; charset=utf...

Let's break down what's happening in this PHP script and understand the possible vulnerabilities or intended interactions.

Explanation of the Script:

1. Input Handling:

• The script accepts a request parameter called Number.
• If Number contains any digit (\d), the script immediately exits with a message "不行不行,不能这样".

2. Integer Validation:

• If intval($inputNumber) evaluates to true (meaning $inputNumber when cast to an integer is non-zero), it continues.

Important Note:

• intval() in PHP converts strings to integers by taking the numeric prefix (e.g., '123abc' becomes 123, and 'abc' becomes 0).
• Thus, to pass the second condition (intval($inputNumber) is true), your input must not contain digits (to pass the first check) but still somehow convert to a non-zero integer. This seems tricky, as intval will generally yield 0 for strings without digits.

3. Command Execution:

• If the above checks are passed, the script looks for a POST parameter cmd.
• It then checks if the value of cmd matches a very strict regular expression forbidding a long list of typical command injection attempts and dangerous commands.
• If the check passes (meaning it does NOT match any forbidden patterns), it will execute system($cmd).

Analysis of Potential Exploitation:

To exploit this script and run a command, you need to:

• Pass the numeric check without digits. This is challenging because typically, a string without digits casts to integer 0. However, certain special strings can behave peculiarly in PHP:
  • Hexadecimal representation: e.g., 0xFF is allowed in PHP and equals 255, but contains digits.
  • Octal numbers: also digits-based.
  • Scientific notation: e.g., 1e1 has digits.
• Realistically, without digits, PHP's intval() will always return 0, making it impossible to proceed past that check as-is.
• Unless PHP version specific quirks or configuration lead to unintended behaviors, this is quite secure against a straightforward bypass of the first check.

Potential Bypass / Edge Cases:

• This script is essentially a puzzle or capture-the-flag (CTF)-style challenge. Often, such scripts rely on peculiar PHP behaviors:
  • Possibly Unicode digit-like characters (０１２３) or locale-specific numerals might pass the regex \d check yet be treated by PHP as digits, depending on locale configuration or PHP version.
  • Or there could be PHP version quirks or a misconfigured encoding.

Command Injection Filter:

• The second part clearly intends to forbid commands frequently used to retrieve files (cat, grep, less, etc.), execute scripts (bash, sh, etc.), or manipulate files (cp, mv, tee, etc.).
• Because the filter is quite extensive, exploitation would require using uncommon commands not matching the regex pattern.

Example of potentially allowed command:

• Simple commands like whoami, pwd, or uname -a might not match the forbidden pattern and thus would execute, provided you could bypass the numeric check initially.

Conclusion:

• The main barrier to exploitation is the numeric checks (preg_match('/\d/', $inputNumber) and intval($inputNumber)), which at face value are secure.
• The secondary filter explicitly protects against many obvious attacks.

If you're attempting to exploit or solve this, you need a specially crafted PHP numeric input that behaves non-intuitively (perhaps using encoding or special PHP features) to pass the numeric checks, then run allowed commands for further exploration.