ctfshow 卷王杯 easy unserialize <?php include("./HappyYear.php"); class one { public $object; public function MeMeMe() { array_walk($this, function($fn, $prev){ if ($fn[0] === "Happy_func" && $prev === "year_parm") { global $talk; echo "$talk".""; global $flag; ...
easy_ssti 题目:页面提示有个app.py包,我们下载来看一下 from flask import Flask from flask import render_template_string,render_template app = Flask(__name__) @app.route('/hello/') def hello(name=None): return render_template('hello.html',name=name) @app.route('/hello/<name>') def...
后面发现又是经典的扫描目录得到源码!随后利用或运算的特性让用户名是admin就好。 攻防世界 warmup 学到了php的include的一个特性:https://blog.csdn.net/qq_42016346/article/details/104199710 very_easy_sql 这个题目有点奇怪的,开局看注释转到use.php判断SSRF没什么问题,但是好像没人提到是如何发现注入点在cookie...
1. ctfshow 击剑杯 esaypop(反序列化构造pop链) 题目地址:https://ctf.show/challenges 题目源码: highlight_file (FILE); 点击查看代码 highlight_file (__FILE__); error_reporting(0); class action_1{ public $tmp; public $fun = 'system'; public function __call($wo,$jia){ call_user_func(...
这题类似Code-Breaking Puzzles挑战赛中easy - functionCode Breaking 挑战赛 Writeup (seebug.org) 考点:create_function函数注入 /i不区分大小写 /s匹配任何不可见字符,包括空格、制表符、换页符等等,等价于[\f\n\r\t\v] /D如果使用$限制结尾字符,则不允许结尾有换行 ...
easy_php(复现) 题解:https://www.yuque.com/boogipop/tdotcs/hobe2yqmb3kgy1l8,Boogipop师傅tql 代码语言:javascript 复制 <?php error_reporting(0); highlight_file(__FILE__); class ctfshow{ public function __wakeup(){ die("not allowed!"); } public function __destruct(){ system($this-...
easyPHP <?php# -*- coding: utf-8 -*-# @Author: h1xa# @Date: 2022-03-19 12:10:55# @Last Modified by: h1xa# @Last Modified time: 2022-03-19 13:27:18# @email: h1xa@ctfer.com# @link: https://ctfer.comerror_reporting(0);highlight_file(__FILE__);$cmd = $_POST['cmd'...
include"config.php"; //这句话没啥用跳过 if(isset($_GET['view_source'])) { show_source(__FILE__); die; } // functioncheckCookie($s) { //以:为分隔符将$s分为两部分 $arr=explode(':',$s); //从下面等得出$s的格式为{"secret":"大写字母或者数字"} ...
easy_include 代码语言:javascript 复制 <?phpfunctionwaf($path){$path=str_replace(".","",$path);returnpreg_match("/^[a-z]+/",$path);}if(waf($_POST[1])){include"file://".$_POST[1];} 文件包含,.替换成空,同时路径首字母必须是字母 ...
easy_include 代码语言:javascript 复制 <?php function waf($path){ $path = str_replace(".","",$path); return preg_match("/^[a-z]+/",$path); } if(waf($_POST[1])){ include "file://".$_POST[1]; } 文件包含,.替换成空,同时路径首字母必须是字母 ...