Contents
- [ZJCTF 2019]NiZhuanSiWei
- [BJDCTF2020]Easy MD5
- [SUCTF 2019]CheckIn
- [极客大挑战 2019]Upload
- [极客大挑战 2019]Http
- [HCTF 2018]admin
- [极客大挑战 2019]BabySQL
- [ACTF2020 新生赛]BackupFile
- [ACTF2020 新生赛]Upload
- [极客大挑战 2019]BuyFlag
[ZJCTF 2019]NiZhuanSiWei
According to the hint:
<?php
class Flag { // flag.php
    public $file;
    // Magic method: runs whenever a Flag object is used as a string (e.g. echo).
    public function __tostring() {
        if (isset($this->file)) {
            // Reads and prints whatever path is stored in $file
            echo file_get_contents($this->file);
            echo "<br>";
            return ("U R SO CLOSE !///COME ON PLZ");
        }
    }
}
?>
[BJDCTF2020]Easy MD5
[SUCTF 2019]CheckIn
Use of .user.ini
[极客大挑战 2019]Upload
Standard upload bypass
[极客大挑战 2019]Http
Too easy
[HCTF 2018]admin
Here I used flask-session forgery.
There are other approaches as well; here is a link to another blogger's post: BUUCTF | [HCTF 2018]admin
Reviewed and learned a lot.
[极客大挑战 2019]BabySQL
I had somewhat forgotten the double-write bypass, which was embarrassing; after looking at a writeup I remembered it.
[ACTF2020 新生赛]BackupFile
Simple code audit:
<?php
include_once "flag.php";
if (isset($_GET['key'])) {
    $key = $_GET['key'];
    // Only numeric strings get past this gate
    if (!is_numeric($key)) {
        exit("Just num!");
    }
    $key = intval($key);
    $str = "123ffwsfwefwf24r2f32ir23jrw923rskfjwtsw54w3";
    // Loose comparison: int vs. leading-numeric string
    if ($key == $str) {
        echo $flag;
    }
}
else {
    echo "Try to find out source file!";
}
[ACTF2020 新生赛]Upload
Standard procedure, so I did not bother writing it up.